webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-05-11 09:48:24 +02:00
Code Issues Packages Projects Releases Wiki Activity

suricata: Split marking packets off into a separate chain

Browse Source 
This is required so that we can have different policies for incoming and
outgoing packets.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This commit is contained in:
Michael Tremer
2024-09-22 17:06:21 +02:00
parent 75a89ddf4a
commit 09831e9ca9
2 changed files with 17 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/initscripts/system/firewall
View File

@@ -378,6 +378,13 @@ iptables_init() {
# IPS (Suricata) chains # IPS (Suricata) chains
iptables -t mangle -N IPS iptables -t mangle -N IPS
iptables -t mangle -N IPS_CLEAR iptables -t mangle -N IPS_CLEAR
iptables -t mangle -N IPS_SCAN_IN
iptables -t mangle -N IPS_SCAN_OUT
iptables -t mangle -A INPUT -j IPS_SCAN_IN
iptables -t mangle -A FORWARD -j IPS_SCAN_IN
iptables -t mangle -A FORWARD -j IPS_SCAN_OUT
iptables -t mangle -A OUTPUT -j IPS_SCAN_OUT
for chain in INPUT FORWARD OUTPUT; do for chain in INPUT FORWARD OUTPUT; do
iptables -t mangle -A "${chain}" -j IPS iptables -t mangle -A "${chain}" -j IPS

13
src/initscripts/system/suricata
View File

@@ -56,6 +56,8 @@ NFQ_OPTS=(
flush_fw_chain() { flush_fw_chain() {
iptables -w -t mangle -F IPS iptables -w -t mangle -F IPS
iptables -w -t mangle -F IPS_CLEAR iptables -w -t mangle -F IPS_CLEAR
iptables -w -t mangle -F IPS_SCAN_IN
iptables -w -t mangle -F IPS_SCAN_OUT
} }
# Function to create the firewall rules to pass the traffic to suricata. # Function to create the firewall rules to pass the traffic to suricata.
@@ -93,7 +95,10 @@ generate_fw_rules() {
-j CONNMARK --set-mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" -j CONNMARK --set-mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))"
# Don't process packets that have already been seen by the IPS # Don't process packets that have already been seen by the IPS
iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN for chain in IPS IPS_SCAN_IN IPS_SCAN_OUT; do
iptables -w -t mangle -A "${chain}" \
-m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
done
local zone local zone
local status local status
@@ -111,8 +116,10 @@ generate_fw_rules() {
continue continue
fi fi
iptables -w -t mangle -A IPS -i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))" iptables -w -t mangle -A IPS_SCAN_IN \
iptables -w -t mangle -A IPS -o "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))" -i "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
iptables -w -t mangle -A IPS_SCAN_OUT \
-o "${intf}" -j MARK --set-mark "$(( IPS_SCAN_MARK ))/$(( IPS_SCAN_MASK ))"
fi fi
done done