From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] avoid emitting VPN traffic to the internet if the IPS crashed
Date: Mon, 27 Jan 2020 15:04:00 +0000
Message-ID: <831d6fe4-8851-326a-450f-ac14a017479a@ipfire.org>
Due to strange NFQUEUE behaviour, traffic to remote VPN (IPsec or
OpenVPN) destinations was emitted to the internet (ppp0 or red0
interface) directly if the IPS was enabled but crashed during operation.
This patch places the IPSECBLOCK and OVPNBLOCK chains before the
ones responsible for forwarding traffic into the IPS.
Thanks to Michael for his debugging effort.
Partially fixes #12257
Cc: Michael Tremer <michael.tremer@ipfire.org>
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
src/initscripts/system/firewall | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index ec396c708..ab144ea18 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -185,14 +185,6 @@ iptables_init() {
iptables -A INPUT -j GUARDIAN
iptables -A FORWARD -j GUARDIAN
- # IPS (suricata) chains
- iptables -N IPS_INPUT
- iptables -N IPS_FORWARD
- iptables -N IPS_OUTPUT
- iptables -A INPUT -j IPS_INPUT
- iptables -A FORWARD -j IPS_FORWARD
- iptables -A OUTPUT -j IPS_OUTPUT
-
# Block non-established IPsec networks
iptables -N IPSECBLOCK
iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
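Review bot: only the FORWARD jump is implicated by the described leak, since IPSECBLOCK and OVPNBLOCK are both FORWARD-chain rules (`iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK`, `iptables -A FORWARD -i tun+ -j OVPNBLOCK`), yet this hunk also pulls `iptables -A INPUT -j IPS_INPUT` and `iptables -A OUTPUT -j IPS_OUTPUT` out of their current position. Keeping the three chains together reads cleaner, but it silently changes their order relative to any INPUT or OUTPUT rule that sits between the two hunks; please confirm that nothing in that region depends on the IPS jumps coming first, or state in the commit message that moving the INPUT/OUTPUT jumps is intentional.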
@@ -204,6 +196,14 @@ iptables_init() {
iptables -A FORWARD -i tun+ -j OVPNBLOCK
iptables -A FORWARD -o tun+ -j OVPNBLOCK
+ # IPS (suricata) chains
+ iptables -N IPS_INPUT
+ iptables -N IPS_FORWARD
+ iptables -N IPS_OUTPUT
+ iptables -A INPUT -j IPS_INPUT
+ iptables -A FORWARD -j IPS_FORWARD
+ iptables -A OUTPUT -j IPS_OUTPUT
+
# OpenVPN transfer network translation
iptables -t nat -N OVPNNAT
iptables -t nat -A POSTROUTING -j OVPNNAT
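Review bot: the `# IPS (suricata) chains` comment at the new location does not record why these jumps must follow IPSECBLOCK and OVPNBLOCK, so the ordering the fix depends on lives only in the commit message and could be undone by a later tidy-up. Suggest extending the comment, e.g. `# IPS (suricata) chains - must come after IPSECBLOCK/OVPNBLOCK so that traffic for VPN destinations is dropped rather than forwarded to red0/ppp0 if the IPS queue is unavailable`. It is also worth noting in the commit message that, as a consequence, packets matching IPSECBLOCK or OVPNBLOCK are now never handed to the IPS, which is fine for traffic that is dropped anyway but changes what Suricata can log.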
--
2.16.4