Tested-by: Stefan Schantl > This allows us to add rules in a consistent order like they are in > the > script. > > Signed-off-by: Michael Tremer
> ---
>  src/initscripts/system/suricata | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/src/initscripts/system/suricata > b/src/initscripts/system/suricata
> index 981471c7c..5ccea9391 100644
> --- a/src/initscripts/system/suricata
> +++ b/src/initscripts/system/suricata 
> @@ -139,12 +139,12 @@ function generate_fw_rules {
>                 # Loop through the array and create firewall rules.
>                 for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
>                         # Create rules queue input and output related > traffic and pass it to the IPS.
> -                       iptables -w -I "$IPS_INPUT_CHAIN" -i > "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" > -j NFQUEUE $NFQ_OPTIONS
> -                       iptables -w -I "$IPS_OUTPUT_CHAIN" -o > "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" > -j NFQUEUE $NFQ_OPTIONS
> +                       iptables -w -A "$IPS_INPUT_CHAIN" -i > "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" > -j NFQUEUE $NFQ_OPTIONS
> +                       iptables -w -A "$IPS_OUTPUT_CHAIN" -o > "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" > -j NFQUEUE $NFQ_OPTIONS
>   
>                         # Create rules which are required to handle > forwarded traffic.
>                         for enabled_ips_zone_forward in > "${enabled_ips_zones[@]}"; do
> -                               iptables -w -I "$IPS_FORWARD_CHAIN" - > i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark > "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
> +                               iptables -w -A "$IPS_FORWARD_CHAIN" - > i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark > "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS
>                         done
>                 done
>
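Review bot: Switching -I to -A makes the final order in `$IPS_INPUT_CHAIN`, `$IPS_OUTPUT_CHAIN` and `$IPS_FORWARD_CHAIN` depend on whatever those chains already hold when the loop runs: with -A, any rule left over from a previous run now sits ahead of the new NFQUEUE rules instead of behind them, so the "same order as the script" property only holds if the chains are flushed first, and a stale earlier rule could let traffic skip the IPS queue. That flush, if it exists, is outside this hunk (generate_fw_rules starts before line 139 and continues after it), so please confirm it and state the assumption above the loop, e.g. `# The IPS chains are flushed before this loop, so -A yields rules in script order.` The new lines also carry over the unquoted `$NFQ_OPTIONS`, which relies on word-splitting to pass several iptables arguments; that is presumably deliberate, but a short comment such as `# NFQ_OPTIONS is intentionally unquoted: it expands to multiple iptables arguments` would stop a future quoting "fix" from breaking the rule.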