From: Stefan Schantl
To: development@lists.ipfire.org
Subject: [PATCH 1/3] firewall: Use separate firewall chains for passing traffic to the IPS
Date: Thu, 25 Apr 2019 19:31:46 +0200
Message-ID: <20190425173148.3868-1-stefan.schantl@ipfire.org>

Create and use separate iptables chains called IPS_INPUT, IPS_FORWARD and IPS_OUTPUT to be more flexible about which kind of traffic should be passed to suricata.

Reference #12062

Signed-off-by: Stefan Schantl
---
 src/initscripts/system/firewall | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index be6c9169f..da89857d8 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -186,10 +186,12 @@ iptables_init() { iptables -A FORWARD -j GUARDIAN =20 # IPS (suricata) chains - iptables -N IPS - iptables -A INPUT -j IPS - iptables -A FORWARD -j IPS - iptables -A OUTPUT -j IPS + iptables -N IPS_INPUT + iptables -N IPS_FORWARD + iptables -N IPS_OUTPUT + iptables -A INPUT -j IPS_INPUT + iptables -A FORWARD -j IPS_FORWARD + iptables -A OUTPUT -j IPS_OUTPUT =20 # Block non-established IPsec networks iptables -N IPSECBLOCK
-- 
2.20.1
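Review bot: the hunk removes the `IPS` chain outright, so anything else in the tree that still appends to or flushes `IPS` will fail with "No chain/target/match by that name" once this is applied; since this is 1/3, the patches that actually populate `IPS_INPUT`, `IPS_FORWARD` and `IPS_OUTPUT` belong in the same series and should be merged together rather than leaving the initscript in this state on its own. Two smaller points on the same lines: the commit message says the split exists so the kind of traffic handed to suricata can be chosen per direction, but nothing in the initscript records what each chain is meant to receive; a one-line comment above the three `-N` lines would spare the next reader a trip to #12062. And because the jumps are appended (`-A`) directly after `iptables -A FORWARD -j GUARDIAN`, the new chains only ever see packets that no earlier rule in INPUT, FORWARD or OUTPUT has already accepted or dropped; if the goal is for suricata to inspect all traffic, the position of the jumps, not only the chain split, deserves a look.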