firewall: Move the IPS after the NAT marking

This is because we might still land in the scenario where Suricata crashes and NFQUEUE will simply ACCEPT all packets which will terminate the processing of the mangle table. Therefore the NFQUEUE rule should be the last one so that we never skip any of the other processing. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-09 10:35:53 +02:00 · 2024-09-10 11:37:38 +02:00
parent 2438c6c249
commit 525ff6d74d
1 changed files with 7 additions and 7 deletions
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -221,13 +221,6 @@ iptables_init() {
 	iptables -A FORWARD -i tun+ -j OVPNBLOCK
 	iptables -A FORWARD -o tun+ -j OVPNBLOCK

-	# IPS (Suricata) chains
-	iptables -t mangle -N IPS
-
-	for chain in PREROUTING POSTROUTING; do
-		iptables -t mangle -A "${chain}" -j IPS
-	done
-
 	# OpenVPN transfer network translation
 	iptables -t nat -N OVPNNAT
 	iptables -t nat -A POSTROUTING -j OVPNNAT
@@ -382,6 +375,13 @@ iptables_init() {
 			-m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}"
 	fi

+	# IPS (Suricata) chains
+	iptables -t mangle -N IPS
+
+	for chain in PREROUTING POSTROUTING; do
+		iptables -t mangle -A "${chain}" -j IPS
+	done
+
 	# RED chain, used for the red interface
 	iptables -N REDINPUT
 	iptables -A INPUT -j REDINPUT