From 815eaff433559a26418be66f6400929d8ce3f0ef Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Mon, 8 Jul 2013 15:38:39 +0200
Subject: [PATCH] iptables: Create guardian's chains after the CUSTOM* chains.
---
 src/initscripts/init.d/firewall | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/initscripts/init.d/firewall b/src/initscripts/init.d/firewall
index 33afbef7f..1cbca2db8 100644
--- a/src/initscripts/init.d/firewall
+++ b/src/initscripts/init.d/firewall
@@ -83,9 +83,6 @@ iptables_init() {
 # CUSTOM chains, can be used by the users themselves
 /sbin/iptables -N CUSTOMINPUT
 /sbin/iptables -A INPUT -j CUSTOMINPUT
- /sbin/iptables -N GUARDIAN
- /sbin/iptables -A INPUT -j GUARDIAN
- /sbin/iptables -A FORWARD -j GUARDIAN
 /sbin/iptables -N CUSTOMFORWARD
 /sbin/iptables -A FORWARD -j CUSTOMFORWARD
 /sbin/iptables -N CUSTOMOUTPUT
@@ -99,6 +96,11 @@ iptables_init() {
 /sbin/iptables -t nat -A POSTROUTING -j CUSTOMPOSTROUTING
 /sbin/iptables -t nat -A POSTROUTING -j OVPNNAT
+ # Guardian (IPS) chains
+ /sbin/iptables -N GUARDIAN
+ /sbin/iptables -A INPUT -j GUARDIAN
+ /sbin/iptables -A FORWARD -j GUARDIAN
+
 # Block OpenVPN transfer networks
 /sbin/iptables -N OVPNBLOCK
 for i in INPUT FORWARD OUTPUT; do
--
2.39.2
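Review bot: The new comment `# Guardian (IPS) chains` in the second hunk does not record that the position of these `-A` calls is what sets rule precedence, which is the reason for the move. Because `-A INPUT -j GUARDIAN` and `-A FORWARD -j GUARDIAN` are now appended after the CUSTOMINPUT and CUSTOMFORWARD jumps, a terminating target such as ACCEPT in a user's custom chain means the packet never reaches Guardian's blocks; any jumps appended to INPUT or FORWARD in the lines between the two hunks (not shown here) would presumably take precedence as well. If that is intended, say so at the call site, e.g. `# Guardian (IPS) chains: appended after CUSTOM* on purpose, so user rules are evaluated first and an ACCEPT there bypasses Guardian`. iptables_init starts and ends outside the hunk, so the final position of the GUARDIAN jump relative to later rules cannot be checked from this patch.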