From mboxrd@z Thu Jan 1 00:00:00 1970 From: Stefan Schantl To: development@lists.ipfire.org Subject: Re: [PATCH 8/9] suricata: Introduce IPSBYPASS chain Date: Tue, 19 Oct 2021 06:04:45 +0200 Message-ID: In-Reply-To: <20211018101022.15448-8-michael.tremer@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2116294044577929769==" List-Id: --===============2116294044577929769== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Tested-by: Stefan Schantl > NFQUEUE does not let the packet continue where it was processed, but > inserts it back into iptables at the start. That is why we need an > extra IPSBYPASS chain which has the following tasks: >=20 > * Make the BYPASS bit permanent for the entire connection > * Clear the REPEAT bit >=20 > The latter is more of cosmetic nature so that we can identify packets > that have come from suricata again and those which have bypassed the > IPS > straight away. >=20 > The IPS_* chain will now only be sent traffic to, when none of the > two > relevant bits has been set. Otherwise the packet has already been > processed by suricata in the first pass or suricata has decided to > bypass the connection. >=20 > This massively reduces load on the IPS which allows many common > connections (TLS connections with downloads) to bypass the IPS > bringing > us back to line speed. >=20 > Signed-off-by: Michael Tremer > --- > =C2=A0src/initscripts/system/firewall | 23 ++++++++++++++++++++--- > =C2=A0src/initscripts/system/suricata | 27 +++------------------------ > =C2=A02 files changed, 23 insertions(+), 27 deletions(-) >=20 > diff --git a/src/initscripts/system/firewall > b/src/initscripts/system/firewall > index ce428393d..530e8f1d6 100644 > --- a/src/initscripts/system/firewall > +++ b/src/initscripts/system/firewall > @@ -17,6 +17,11 @@ NAT_MASK=3D"0x0f000000" > =C2=A0IPSEC_MARK=3D"0x00800000" > =C2=A0IPSEC_MASK=3D"${IPSEC_MARK}" > =C2=A0 > +IPS_REPEAT_MARK=3D"0x80000000" > +IPS_REPEAT_MASK=3D"0x80000000" > +IPS_BYPASS_MARK=3D"0x40000000" > +IPS_BYPASS_MASK=3D"0x40000000" > + > =C2=A0function iptables() { > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0/sbin/iptables --wait "$@" > =C2=A0} > @@ -41,6 +46,17 @@ iptables_init() { > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0modprobe nf_log_ipv4 > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0sysctl -q -w net.netfilter.= nf_log.2=3Dnf_log_ipv4 > =C2=A0 > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0# IPS Bypass Chain which stores = the BYPASS bit in connection > tracking > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -N IPSBYPASS > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -A IPSBYPASS -j MARK --= set-xmark "0/$(( > IPS_REPEAT_MASK ))" > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -A IPSBYPASS -j CONNMAR= K --save-mark > + > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0# Jump into bypass chain when th= e BYPASS bit is set > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0for chain in INPUT FORWARD OUTPU= T; do > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0iptables -A "${chain}" -m mark \ > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0--mark "$((= IPS_REPEAT_MARK | IPS_BYPASS_MARK > ))/$(( IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j IPSBYPASS > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0done > + > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0# Empty LOG_DROP and LOG_RE= JECT chains > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -N LOG_DROP > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -A LOG_DROP=C2=A0= =C2=A0 -m limit --limit 10/second -j LOG > @@ -147,9 +163,10 @@ iptables_init() { > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -N IPS_INPUT > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -N IPS_FORWARD > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -N IPS_OUTPUT > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -A INPUT -j IPS_INPUT > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -A FORWARD -j IPS_FORWA= RD > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -A OUTPUT -j IPS_OUTPUT > + > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0for chain in INPUT FORWARD OUTPU= T; do > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0iptables -A "${chain}" -m mark --mark "0x0/$(( > IPS_REPEAT_MASK | IPS_BYPASS_MASK ))" -j "IPS_${chain}" > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0done > =C2=A0 > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0# OpenVPN transfer network = translation > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -t nat -N OVPNNAT > diff --git a/src/initscripts/system/suricata > b/src/initscripts/system/suricata > index 72d01b91d..13fcc7f34 100644 > --- a/src/initscripts/system/suricata > +++ b/src/initscripts/system/suricata > @@ -34,12 +34,6 @@ network_zones=3D( red green blue orange ovpn ) > =C2=A0# Array to store the network zones weather the IPS is enabled for. > =C2=A0enabled_ips_zones=3D() > =C2=A0 > -# Mark and Mask options. > -REPEAT_MARK=3D"0x80000000" > -REPEAT_MASK=3D"0x80000000" > -BYPASS_MARK=3D"0x40000000" > -BYPASS_MASK=3D"0x40000000" > - > =C2=A0# PID file of suricata. > =C2=A0PID_FILE=3D"/var/run/suricata.pid" > =C2=A0 > @@ -134,34 +128,19 @@ function generate_fw_rules { > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0# Flush the firewall chains. > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0flush_fw_chain > =C2=A0 > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0# Skip anything that has the byp= ass bit set > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0local chain > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0for chain in "${IPS_INPUT_CHAIN}= " "${IPS_FORWARD_CHAIN}" > "${IPS_OUTPUT_CHAIN}"; do > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0iptables -w -A "${chain}" -m mark --mark > "${BYPASS_MARK}/${BYPASS_MASK}" -j RETURN > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0done > - > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0# Check if the array of ena= bled_ips_zones contains any > elements. > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0if [[ ${enabled_ips_zones[@= ]} ]]; then > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0# Loop through the array and create firewall rules. > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0for enabled_ips_zone in "${enabled_ips_zones[@]}"; do > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0# Create= rules queue input and output related > traffic and pass it to the IPS. > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -w= -A "$IPS_INPUT_CHAIN" -i > "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" > -j NFQUEUE $NFQ_OPTIONS > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -w= -A "$IPS_OUTPUT_CHAIN" -o > "$enabled_ips_zone" -m mark ! --mark "${REPEAT_MARK}/${REPEAT_MASK}" > -j NFQUEUE $NFQ_OPTIONS > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -w= -A "$IPS_INPUT_CHAIN" -i > "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -w= -A "$IPS_OUTPUT_CHAIN" -o > "$enabled_ips_zone" -j NFQUEUE $NFQ_OPTIONS > =C2=A0 > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0# Create= rules which are required to handle > forwarded traffic. > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0for enab= led_ips_zone_forward in > "${enabled_ips_zones[@]}"; do > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -w -A "$IPS_FORWARD_CHAIN" - > i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -m mark ! --mark > "${REPEAT_MARK}/${REPEAT_MASK}" -j NFQUEUE $NFQ_OPTIONS > +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -w -A "$IPS_FORWARD_CHAIN" - > i "$enabled_ips_zone" -o "$enabled_ips_zone_forward" -j NFQUEUE > $NFQ_OPTIONS > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0done > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0done > - > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0# Add common rules at the end of the chain > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0for chain in "${IPS_INPUT_CHAIN}" > "${IPS_FORWARD_CHAIN}" "${IPS_OUTPUT_CHAIN}"; do > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0# Clear rep= eat bit > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -w= -A "${chain}" -j MARK --set-xmark > "0x0/${REPEAT_MASK}" > - > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0# Store byp= ass bit in CONNMARK > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0iptables -w= -A "${chain}" -m mark --mark > "${BYPASS_MARK}/${BYPASS_MASK}" -j CONNMARK --save-mark > -=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0done > =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0fi > =C2=A0} > =C2=A0 --===============2116294044577929769==--