From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 01/20] suricata: Move the IPS into the mangle table
Date: Tue, 10 Sep 2024 14:37:14 +0000 [thread overview]
Message-ID: <20240910143748.3469271-2-michael.tremer@ipfire.org> (raw)
In-Reply-To: <20240910143748.3469271-1-michael.tremer@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 7163 bytes --]
This should make the IPS more efficient, we should have fewer rules and
the IPS will now sit at the edge of the networking stack as it will see
packets immediately when they come and and just before they leave.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
---
src/initscripts/system/firewall | 23 +------
src/initscripts/system/suricata | 108 +++++++++++---------------------
2 files changed, 39 insertions(+), 92 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 6727e4a20..39d9c0f23 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -39,11 +39,6 @@ fi
NAT_MASK="0x0f000000"
-IPS_REPEAT_MARK="0x80000000"
-IPS_REPEAT_MASK="0x80000000"
-IPS_BYPASS_MARK="0x40000000"
-IPS_BYPASS_MASK="0x40000000"
-
IPSET_DB_DIR="/var/lib/location/ipset"
SYNPROXY_OPTIONS=(
@@ -84,16 +79,6 @@ iptables_init() {
modprobe nf_log_ipv4
sysctl -q -w net.netfilter.nf_log.2=nf_log_ipv4
- # IPS Bypass Chain which stores the BYPASS bit in connection tracking
- iptables -N IPSBYPASS
- iptables -A IPSBYPASS -j CONNMARK --save-mark --mask "$(( ~IPS_REPEAT_MASK & 0xffffffff ))"
-
- # Jump into bypass chain when the BYPASS bit is set
- for chain in INPUT FORWARD OUTPUT; do
- iptables -A "${chain}" -m mark \
- --mark "$(( IPS_REPEAT_MARK | IPS_BYPASS_MARK ))/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j IPSBYPASS
- done
-
# Empty LOG_DROP and LOG_REJECT chains
iptables -N LOG_DROP
iptables -A LOG_DROP -m limit --limit 10/second -j LOG
@@ -237,12 +222,10 @@ iptables_init() {
iptables -A FORWARD -o tun+ -j OVPNBLOCK
# IPS (Suricata) chains
- iptables -N IPS_INPUT
- iptables -N IPS_FORWARD
- iptables -N IPS_OUTPUT
+ iptables -t mangle -N IPS
- for chain in INPUT FORWARD OUTPUT; do
- iptables -A "${chain}" -m mark --mark "0x0/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j "IPS_${chain}"
+ for chain in PREROUTING POSTROUTING; do
+ iptables -t mangle -A "${chain}" -j IPS
done
# OpenVPN transfer network translation
diff --git a/src/initscripts/system/suricata b/src/initscripts/system/suricata
index 79f9478c3..253ece117 100644
--- a/src/initscripts/system/suricata
+++ b/src/initscripts/system/suricata
@@ -27,13 +27,20 @@ PATH=/usr/local/sbin:/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin; export PATH
eval $(/usr/local/bin/readhash /var/ipfire/suricata/settings)
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)
+IPS_REPEAT_MARK="0x80000000"
+IPS_REPEAT_MASK="0x80000000"
+IPS_BYPASS_MARK="0x40000000"
+IPS_BYPASS_MASK="0x40000000"
+
# Name of the firewall chains.
IPS_INPUT_CHAIN="IPS_INPUT"
IPS_FORWARD_CHAIN="IPS_FORWARD"
IPS_OUTPUT_CHAIN="IPS_OUTPUT"
# Optional options for the Netfilter queue.
-NFQ_OPTS="--queue-bypass "
+NFQ_OPTS=(
+ "--queue-bypass"
+)
# Array containing the 4 possible network zones.
network_zones=( red green blue orange ovpn )
@@ -64,91 +71,48 @@ function get_cpu_count {
# Function to flush the firewall chains.
function flush_fw_chain {
- # Call iptables and flush the chains
- iptables -w -F "$IPS_INPUT_CHAIN"
- iptables -w -F "$IPS_FORWARD_CHAIN"
- iptables -w -F "$IPS_OUTPUT_CHAIN"
+ iptables -w -t mangle -F IPS
}
# Function to create the firewall rules to pass the traffic to suricata.
function generate_fw_rules {
- cpu_count=$(get_cpu_count)
-
- # Loop through the array of network zones.
- for zone in "${network_zones[@]}"; do
- # Convert zone into upper case.
- zone_upper=${zone^^}
-
- # Generate variable name for checking if the IDS is
- # enabled on the zone.
- enable_ids_zone="ENABLE_IDS_$zone_upper"
-
- # Check if the IDS is enabled for this network zone.
- if [ "${!enable_ids_zone}" == "on" ]; then
- # Check if the current processed zone is "red" and the configured type is PPPoE dialin.
- if [ "$zone" == "red" ] && [ "$RED_TYPE" == "PPPOE" ] && [ "$RED_DRIVER" != "qmi_wwan" ]; then
- # Set device name to ppp0.
- network_device="ppp0"
- elif [ "$zone" == "ovpn" ]; then
- # Get all virtual net devices because the RW server and each
- # N2N connection creates it's own tun device.
- for virt_dev in /sys/devices/virtual/net/*; do
- # Cut-off the directory.
- dev="${virt_dev##*/}"
-
- # Only process tun devices.
- if [[ $dev =~ "tun" ]]; then
- # Add the network device to the array of enabled zones.
- enabled_ips_zones+=( "$dev" )
- fi
- done
-
- # Process next zone.
- continue
- else
- # Generate variable name which contains the device name.
- zone_name="$zone_upper"
- zone_name+="_DEV"
-
- # Grab device name.
- network_device=${!zone_name}
- fi
-
- # Add the network device to the array of enabled zones.
- enabled_ips_zones+=( "$network_device" )
- fi
- done
-
# Assign NFQ_OPTS
- NFQ_OPTIONS=$NFQ_OPTS
+ local NFQ_OPTIONS=( "${NFQ_OPTS[@]}" )
+
+ local cpu_count="$(get_cpu_count)"
# Check if there are multiple cpu cores available.
if [ "$cpu_count" -gt "1" ]; then
- # Balance beetween all queues.
- NFQ_OPTIONS+="--queue-balance 0:$(($cpu_count-1))"
- NFQ_OPTIONS+=" --queue-cpu-fanout"
+ # Balance beetween all queues
+ NFQ_OPTIONS+=(
+ "--queue-balance" "0:$(($cpu_count-1))"
+ "--queue-cpu-fanout"
+ )
else
- # Send all packets to queue 0.
- NFQ_OPTIONS+="--queue-num 0"
+ # Send all packets to queue 0
+ NFQ_OPTIONS+=(
+ "--queue-num" "0"
+ )
fi
# Flush the firewall chains.
flush_fw_chain
- # Check if the array of enabled_ips_zones contains any elements.
- if [[ ${enabled_ips_zones[@]} ]]; then
- # Loop through the array and create firewall rules.
- for enabled_ips_zone in "${enabled_ips_zones[@]}"; do
- # Create rules queue input and output related traffic and pass it to the IPS.
- iptables -w -A "$IPS_INPUT_CHAIN" -i "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
- iptables -w -A "$IPS_OUTPUT_CHAIN" -o "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS
-
- # Create rules which are required to handle forwarded traffic.
- for enabled_ips_zone_forward in "${enabled_ips_zones[@]}"; do
- iptables -w -A "$IPS_FORWARD_CHAIN" -i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -j NFQUEUE $NFQ_OPTIONS
- done
- done
- fi
+ # Don't process packets where the IPS has requested to bypass the stream
+ iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" -j RETURN
+
+ # Don't process packets that have already been seen by the IPS
+ iptables -w -t mangle -A IPS -m mark --mark "$(( IPS_REPEAT_MARK ))/$(( IPS_REPEAT_MASK ))" -j RETURN
+
+ # Send packets to suricata
+ iptables -w -t mangle -A IPS -j NFQUEUE "${NFQ_OPTIONS[@]}"
+
+ # If suricata decided to bypass a stream, we will store the mark in the connection tracking table
+ iptables -w -t mangle -A IPS \
+ -m mark --mark "$(( IPS_BYPASS_MARK ))/$(( IPS_BYPASS_MASK ))" \
+ -j CONNMARK --save-mark --mask "$(( IPS_BYPASS_MASK ))"
+
+ return 0
}
case "$1" in
--
2.39.2
next prev parent reply other threads:[~2024-09-10 14:37 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-10 14:37 Addressing #13764 Michael Tremer
2024-09-10 14:37 ` Michael Tremer [this message]
2024-09-10 14:37 ` [PATCH 02/20] initscripts: Fix bash function definitions in suricata Michael Tremer
2024-09-10 14:37 ` [PATCH 03/20] suricata: Use getconf to determine the number of processors Michael Tremer
2024-09-10 14:37 ` [PATCH 04/20] suricata: Remove some unused constants Michael Tremer
2024-09-10 14:37 ` [PATCH 05/20] suricata: Add whitelist to iptables Michael Tremer
2024-09-10 14:37 ` [PATCH 06/20] suricata: Replace removed CPU count function Michael Tremer
2024-09-10 14:37 ` [PATCH 07/20] suricata: Be more efficient with marks Michael Tremer
2024-09-10 14:37 ` [PATCH 08/20] suricata: Add a watcher to restart on unexpected termination Michael Tremer
2024-09-10 14:37 ` [PATCH 09/20] suricata: Start the new watcher in the background Michael Tremer
2024-09-10 14:37 ` [PATCH 10/20] suricata: Restore the interface selection Michael Tremer
2024-09-10 14:37 ` [PATCH 11/20] suricata: Remove superfluous bits from the initscript Michael Tremer
2024-09-10 14:37 ` [PATCH 12/20] suricata: Don't load /var/ipfire/ethernet/settings Michael Tremer
2024-09-10 14:37 ` [PATCH 13/20] suricata: Add option to scan WireGuard Michael Tremer
2024-09-10 14:37 ` [PATCH 14/20] suricata: Fix broken spacing in the settings section Michael Tremer
2024-09-10 14:37 ` [PATCH 15/20] ids.cgi: Use new style tables for rulesets Michael Tremer
2024-09-10 14:37 ` [PATCH 16/20] ids.cgi: Use new-style table for whitelist entries Michael Tremer
2024-09-10 14:37 ` [PATCH 17/20] ids.cgi: Sort " Michael Tremer
2024-09-10 14:37 ` [PATCH 18/20] ids.cgi: Remove box from the top section Michael Tremer
2024-09-10 14:37 ` [PATCH 19/20] ids.cgi: Fix detection for the Suricata process Michael Tremer
2024-09-10 14:37 ` [PATCH 20/20] firewall: Move the IPS after the NAT marking Michael Tremer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240910143748.3469271-2-michael.tremer@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox