firewall: Fix placement of HOSTILE chains

They were mistakenly placed after the IPS chains in commit
7b529f5417254c68b6bd33732f30578182893d34, but should be placed after the
connection tracking and before the IPS.

Fixes: #12815
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 2a70feac2a091d59857885d7c6d0ce2e423ef668..2597dae108f490cf3a997fa1a4fc127cf7f2d985 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -169,6 +169,17 @@ iptables_init() {
        iptables -t nat -N CUSTOMPOSTROUTING
        iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
 
+       # Chains for networks known as being hostile, posing a technical threat to our users
+       # (i. e. listed at Spamhaus DROP et al.)
+       iptables -N HOSTILE
+       iptables -A INPUT -j HOSTILE
+       iptables -A FORWARD -j HOSTILE
+       iptables -A OUTPUT -j HOSTILE
+
+       iptables -N HOSTILE_DROP
+       iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
+       iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
+
        # IPS (Guardian) chains
        iptables -N GUARDIAN
        iptables -A INPUT -j GUARDIAN
@@ -259,17 +270,6 @@ iptables_init() {
                iptables -A OUTPUT -o "${BLUE_DEV}" -j DHCPBLUEOUTPUT
        fi
 
-       # Chains for networks known as being hostile, posing a technical threat to our users
-       # (i. e. listed at Spamhaus DROP et al.)
-       iptables -N HOSTILE
-       iptables -A INPUT -j HOSTILE
-       iptables -A FORWARD -j HOSTILE
-       iptables -A OUTPUT -j HOSTILE
-
-       iptables -N HOSTILE_DROP
-       iptables -A HOSTILE_DROP -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE "
-       iptables -A HOSTILE_DROP -j DROP -m comment --comment "DROP_HOSTILE"
-
        # Tor (inbound)
        iptables -N TOR_INPUT
        iptables -A INPUT -j TOR_INPUT