Due to strange NFQUEUE behaviour, traffic to remote VPN (IPsec or OpenVPN) destinations was emitted to the internet (ppp0 or red0 interface) directly if the IPS was enabled but crashed during operation.
This patch places the IPSECBLOCK and OVPNBLOCK chains before the ones responsible for forwarding traffic into the IPS.
Thanks to Michael for his debugging effort.
Partially fixes #12257
Cc: Michael Tremer michael.tremer@ipfire.org Cc: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org --- src/initscripts/system/firewall | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index ec396c708..ab144ea18 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -185,14 +185,6 @@ iptables_init() { iptables -A INPUT -j GUARDIAN iptables -A FORWARD -j GUARDIAN
- # IPS (suricata) chains - iptables -N IPS_INPUT - iptables -N IPS_FORWARD - iptables -N IPS_OUTPUT - iptables -A INPUT -j IPS_INPUT - iptables -A FORWARD -j IPS_FORWARD - iptables -A OUTPUT -j IPS_OUTPUT - # Block non-established IPsec networks iptables -N IPSECBLOCK iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK @@ -204,6 +196,14 @@ iptables_init() { iptables -A FORWARD -i tun+ -j OVPNBLOCK iptables -A FORWARD -o tun+ -j OVPNBLOCK
+ # IPS (suricata) chains + iptables -N IPS_INPUT + iptables -N IPS_FORWARD + iptables -N IPS_OUTPUT + iptables -A INPUT -j IPS_INPUT + iptables -A FORWARD -j IPS_FORWARD + iptables -A OUTPUT -j IPS_OUTPUT + # OpenVPN transfer network translation iptables -t nat -N OVPNNAT iptables -t nat -A POSTROUTING -j OVPNNAT
Acked-by: Michael Tremer michael.tremer@ipfire.org
On 27 Jan 2020, at 15:04, Peter Müller peter.mueller@ipfire.org wrote:
Due to strange NFQUEUE behaviour, traffic to remote VPN (IPsec or OpenVPN) destinations was emitted to the internet (ppp0 or red0 interface) directly if the IPS was enabled but crashed during operation.
This patch places the IPSECBLOCK and OVPNBLOCK chains before the ones responsible for forwarding traffic into the IPS.
Thanks to Michael for his debugging effort.
Partially fixes #12257
Cc: Michael Tremer michael.tremer@ipfire.org Cc: Stefan Schantl stefan.schantl@ipfire.org Signed-off-by: Peter Müller peter.mueller@ipfire.org
src/initscripts/system/firewall | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index ec396c708..ab144ea18 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -185,14 +185,6 @@ iptables_init() { iptables -A INPUT -j GUARDIAN iptables -A FORWARD -j GUARDIAN
- # IPS (suricata) chains
- iptables -N IPS_INPUT
- iptables -N IPS_FORWARD
- iptables -N IPS_OUTPUT
- iptables -A INPUT -j IPS_INPUT
- iptables -A FORWARD -j IPS_FORWARD
- iptables -A OUTPUT -j IPS_OUTPUT
- # Block non-established IPsec networks iptables -N IPSECBLOCK iptables -A FORWARD -m policy --dir out --pol none -j IPSECBLOCK
@@ -204,6 +196,14 @@ iptables_init() { iptables -A FORWARD -i tun+ -j OVPNBLOCK iptables -A FORWARD -o tun+ -j OVPNBLOCK
- # IPS (suricata) chains
- iptables -N IPS_INPUT
- iptables -N IPS_FORWARD
- iptables -N IPS_OUTPUT
- iptables -A INPUT -j IPS_INPUT
- iptables -A FORWARD -j IPS_FORWARD
- iptables -A OUTPUT -j IPS_OUTPUT
- # OpenVPN transfer network translation iptables -t nat -N OVPNNAT iptables -t nat -A POSTROUTING -j OVPNNAT
-- 2.16.4
-
Michael Tremer -
Peter Müller