From 3c2c54831fd7a5f1813376ceb45c22774631a5e7 Mon Sep 17 00:00:00 2001
From: Stefan Schantl <stefan.schantl@ipfire.org>
Date: Thu, 16 Aug 2018 18:51:13 +0200
Subject: [PATCH] suricata: Add code to create iptables rules to the initscript

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
 src/initscripts/system/suricata | 58 ++++++++++++++++++++++++++++++---
 1 file changed, 54 insertions(+), 4 deletions(-)

diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index a49da8335d..60a00cc484 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -17,9 +17,21 @@
 
 PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
 
-eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
 eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
 
+# Name of the firewall chain.
+FW_CHAIN="IPS"
+
+# Optional options for the Netfilter queue.
+NFQ_OPTS="--queue-bypass "
+
+# Array containing the 4 possible network zones.
+network_zones=( red green blue orange )
+
+# Mark and Mask options.
+MARK="0x1"
+MASK="0x1"
+
 case "$1" in
         start)
 		# Get amount of CPU cores.
@@ -29,15 +41,53 @@ case "$1" in
 			[ "$line" ] && [ -z "${line%processor*}" ] && NFQUEUES+="-q $CPUCOUNT " && ((CPUCOUNT++))
 		done </proc/cpuinfo
 
-		boot_mesg "Starting Intrusion Detection System..."
-                /usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES
-               	evaluate_retval
+		# Check if the IDS should be started.
+		if [ "$ENABLE_IDS" == "on" ]; then
+			# Loop through the array of network zones.
+			for zone in "${network_zones[@]}"; do
+				# Convert zone into upper case.
+				zone_upper=${zone^^}
+
+				# Check if the IDS is enabled for this network zone.
+				if [ "$ENABLE_IDS_$$zone_upper" == "on" ]; then
+					# Generate name of the network interface.
+					network_device=$zone
+					network_device+="0"
+
+					# Assign NFQ_OPTS
+					NFQ_OPTIONS=$NFQ_OPTS
+
+					# Check if there are multiple cpu cores available.
+					if [ "$CPUCOUNT" > 0 ]; then
+						# Balance beetween all queues.
+						NFQ_OPTIONS+="--queue-balance 0:"
+						NFQ_OPTIONS+=$(($CPUCOUNT-1))
+					else
+						# Send all packets to queue 0.
+						NFQ_OPTIONS+="--queue-num 0"
+					fi
+
+					# Create firewall rules to queue the traffic and pass to
+					# the IDS.
+					iptables -I "$FW_CHAIN" -i "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE "$NFQ_OPTIONS"
+					iptables -I "$FW_CHAIN" -o "$network_device" -m mark ! --mark "$MARK"/"$MASK" -j NFQUEUE "$NFQ_OPTIONS"
+				fi
+			done
+
+			# Start the IDS.
+			boot_mesg "Starting Intrusion Detection System..."
+			/usr/bin/suricata -c /etc/suricata/suricata.yaml -D $NFQUEUES
+			evaluate_retval
+		fi
 	;;
 
         stop)
 		boot_mesg "Stopping Intrusion Detection System..."
 		killproc -p /var/run/suricata.pid /var/run
 
+		# Flush firewall chain.
+		iptables -F $FW_CHAIN
+
 		# Remove suricata control socket.              
 		rm /var/run/suricata/* >/dev/null 2>/dev/null
 
-- 
2.39.2