firewall: Use seperate firewall chains for passing traffic to the IPS
index 2739a683432b12803b180367070019d83204a2f9..da89857d8b17b75dbeda6515745d5068d9869204 100644 (file)
@@ -185,6 +185,14 @@ iptables_init() {
        iptables -A INPUT -j GUARDIAN
        iptables -A FORWARD -j GUARDIAN
 
+       # IPS (suricata) chains
+       iptables -N IPS_INPUT
+       iptables -N IPS_FORWARD
+       iptables -N IPS_OUTPUT
+       iptables -A INPUT -j IPS_INPUT
+       iptables -A FORWARD -j IPS_FORWARD
+       iptables -A OUTPUT -j IPS_OUTPUT
+
        # Block non-established IPsec networks
        iptables -N IPSECBLOCK
        iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
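Review bot: The three IPS_* chains are created empty and nothing in the hunk records what is supposed to fill them, so a reader of this script cannot tell whether an empty chain is intentional or a half-finished change; a comment such as `# IPS (suricata) chains: created empty here, rules are added by the IPS initscript` (if that is indeed where the rules come from) would make the handoff explicit. The jumps are appended to INPUT and FORWARD directly after the GUARDIAN jumps and ahead of the IPSECBLOCK rule, so the IPS sees packets that later rules in this function may still drop; that is a reasonable place for an inspection hook, but a one-line comment stating that the position is deliberate would stop someone from reordering it. Note also that `iptables -N` fails when the chain already exists, so this relies on iptables_init flushing and deleting user chains earlier, which is outside this hunk, as is the start of iptables_init itself.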
@@ -294,9 +302,11 @@ iptables_init() {
        iptables -N OVPNINPUT
        iptables -A INPUT -j OVPNINPUT
 
-       # Tor
+       # Tor (inbound and outbound)
        iptables -N TOR_INPUT
        iptables -A INPUT -j TOR_INPUT
+       iptables -N TOR_OUTPUT
+       iptables -A OUTPUT -j TOR_OUTPUT
        
        # Jump into the actual firewall ruleset.
        iptables -N INPUTFW
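Review bot: TOR_OUTPUT is created and hooked into OUTPUT with no note on who populates it, and since this is the first Tor rule on the OUTPUT path the convention is not obvious from the surrounding code; a comment such as `# TOR_INPUT/TOR_OUTPUT are filled by the Tor initscript` (assuming that is where the rules come from) would document the handoff. Because the jump is appended, it lands after any OUTPUT rules iptables_init added earlier, so rules placed in TOR_OUTPUT only see locally generated packets that nothing upstream has already accepted or dropped; if that ordering matters for Tor's own connections, it is worth stating here. iptables_init begins outside this hunk.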