[PATCH] avoid emitting VPN traffic to the internet if the IPS crashed

[PATCH] avoid emitting VPN traffic to the internet if the IPS crashed

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1755 bytes --]

Due to strange NFQUEUE behaviour, traffic to remote VPN (IPsec or
OpenVPN) destinations was emitted to the internet (ppp0 or red0
interface) directly if the IPS was enabled but crashed during operation.

This patch places the IPSECBLOCK and OVPNBLOCK chains before the
ones responsible for forwarding traffic into the IPS.

Thanks to Michael for his debugging effort.

Partially fixes #12257

Cc: Michael Tremer <michael.tremer(a)ipfire.org>
Cc: Stefan Schantl <stefan.schantl(a)ipfire.org>
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 src/initscripts/system/firewall | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index ec396c708..ab144ea18 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -185,14 +185,6 @@ iptables_init() {
 	iptables -A INPUT -j GUARDIAN
 	iptables -A FORWARD -j GUARDIAN
 
-	# IPS (suricata) chains
-	iptables -N IPS_INPUT
-	iptables -N IPS_FORWARD
-	iptables -N IPS_OUTPUT
-	iptables -A INPUT -j IPS_INPUT
-	iptables -A FORWARD -j IPS_FORWARD
-	iptables -A OUTPUT -j IPS_OUTPUT
-
 	# Block non-established IPsec networks
 	iptables -N IPSECBLOCK
 	iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
@@ -204,6 +196,14 @@ iptables_init() {
 	iptables -A FORWARD -i tun+ -j OVPNBLOCK
 	iptables -A FORWARD -o tun+ -j OVPNBLOCK
 
+	# IPS (suricata) chains
+	iptables -N IPS_INPUT
+	iptables -N IPS_FORWARD
+	iptables -N IPS_OUTPUT
+	iptables -A INPUT -j IPS_INPUT
+	iptables -A FORWARD -j IPS_FORWARD
+	iptables -A OUTPUT -j IPS_OUTPUT
+
 	# OpenVPN transfer network translation
 	iptables -t nat -N OVPNNAT
 	iptables -t nat -A POSTROUTING -j OVPNNAT
-- 
2.16.4

Re: [PATCH] avoid emitting VPN traffic to the internet if the IPS crashed

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 2046 bytes --]

Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>

> On 27 Jan 2020, at 15:04, Peter Müller <peter.mueller(a)ipfire.org> wrote:
> 
> Due to strange NFQUEUE behaviour, traffic to remote VPN (IPsec or
> OpenVPN) destinations was emitted to the internet (ppp0 or red0
> interface) directly if the IPS was enabled but crashed during operation.
> 
> This patch places the IPSECBLOCK and OVPNBLOCK chains before the
> ones responsible for forwarding traffic into the IPS.
> 
> Thanks to Michael for his debugging effort.
> 
> Partially fixes #12257
> 
> Cc: Michael Tremer <michael.tremer(a)ipfire.org>
> Cc: Stefan Schantl <stefan.schantl(a)ipfire.org>
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> src/initscripts/system/firewall | 16 ++++++++--------
> 1 file changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
> index ec396c708..ab144ea18 100644
> --- a/src/initscripts/system/firewall
> +++ b/src/initscripts/system/firewall
> @@ -185,14 +185,6 @@ iptables_init() {
> 	iptables -A INPUT -j GUARDIAN
> 	iptables -A FORWARD -j GUARDIAN
> 
> -	# IPS (suricata) chains
> -	iptables -N IPS_INPUT
> -	iptables -N IPS_FORWARD
> -	iptables -N IPS_OUTPUT
> -	iptables -A INPUT -j IPS_INPUT
> -	iptables -A FORWARD -j IPS_FORWARD
> -	iptables -A OUTPUT -j IPS_OUTPUT
> -
> 	# Block non-established IPsec networks
> 	iptables -N IPSECBLOCK
> 	iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
> @@ -204,6 +196,14 @@ iptables_init() {
> 	iptables -A FORWARD -i tun+ -j OVPNBLOCK
> 	iptables -A FORWARD -o tun+ -j OVPNBLOCK
> 
> +	# IPS (suricata) chains
> +	iptables -N IPS_INPUT
> +	iptables -N IPS_FORWARD
> +	iptables -N IPS_OUTPUT
> +	iptables -A INPUT -j IPS_INPUT
> +	iptables -A FORWARD -j IPS_FORWARD
> +	iptables -A OUTPUT -j IPS_OUTPUT
> +
> 	# OpenVPN transfer network translation
> 	iptables -t nat -N OVPNNAT
> 	iptables -t nat -A POSTROUTING -j OVPNNAT
> -- 
> 2.16.4