Linux IDS/Firewall

Posted on 2006-06-17
Medium Priority
Last Modified: 2010-03-17
What I'm trying to do is configure my Linux box as an IDS/Firewall box. I have two nics and also enabled ipv4 forwarding on the machine. I was hoping that this is all that I need but it isn't. My goal is to just have the machine pass packets from eth0 to eth1 and vice versa so I can use the IDS to pick up intrusions from my router to my internal machines. The router is a Cisco 2611 and is configured to do nat on the inside so I don't need to make the linux box into another nat/router. I just want to pass the packets between the nics. Any ideas?
Question by:jasonbrown17
Expert Comment

ID: 16929219
ipv4 forwarding is enough to make the packets pass between the two nics, however you have to make sure you've setup your routing correctly.

I assume your linux box will have a default gateway on the Cisco 2611, and any computers/devices connected to eth1 will have your linux box as their default gateway. In such a scenario, and assuming your iptables FORWARD table has no restrictions (check /sbin/iptables -nL FORWARD) everything should work as you need to.

You can then customise the iptables chains to create a firewall according to your requirements.

With regards to the IDS, I recommend snort (http://www.snort.org/). I'd suggest a separate box for IDS, which won't be an actual router, but rather a passive listening box in the network you want to monitor.

Hope this helps.
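The comment above names two conditions for the routed setup: IPv4 forwarding switched on, and a FORWARD chain that does not block traffic. The script below is an added example, not code from the thread or from any of its participants; it turns those two checks into functions and runs them against the live box when called with `live`. The interface names and the two sample `iptables -nL FORWARD` listings are constructed for the example.

```shell
#!/bin/sh
# Added example: checks the two conditions the answer gives for a Linux box
# to pass packets between its NICs in routed mode. Sample listings below are
# constructed; they mirror the layout of `/sbin/iptables -nL FORWARD`.

# Constructed: a FORWARD chain that lets everything through.
SAMPLE_FORWARD_OPEN='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination'

# Constructed: a FORWARD chain that only lets replies through.
SAMPLE_FORWARD_RESTRICTED='Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# Prints the default policy word (ACCEPT/DROP/REJECT) of the listing on stdin.
forward_policy() {
    sed -n 's/^Chain FORWARD (policy \([A-Z]*\).*/\1/p'
}

# Prints how many rules the listing on stdin holds (two header lines skipped).
forward_rule_count() {
    awk 'NR > 2 && NF > 0 { n++ } END { print n + 0 }'
}

# "open" when nothing in the chain can stop forwarded traffic (policy ACCEPT
# and no rules at all), otherwise "restricted" so the admin looks closer.
forward_verdict() {
    listing=$(cat)
    policy=$(printf '%s\n' "$listing" | forward_policy)
    rules=$(printf '%s\n' "$listing" | forward_rule_count)
    if [ "$policy" = "ACCEPT" ] && [ "$rules" -eq 0 ]; then
        echo open
    else
        echo restricted
    fi
}

# Interprets the value of net.ipv4.ip_forward given as $1.
forwarding_verdict() {
    if [ "$1" = "1" ]; then echo enabled; else echo disabled; fi
}

# Live check against the running box; reading the chain needs root.
check_live() {
    fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null || echo 0)
    echo "ip_forward: $(forwarding_verdict "$fwd")"
    if listing=$(/sbin/iptables -nL FORWARD 2>/dev/null); then
        echo "FORWARD chain: $(printf '%s\n' "$listing" | forward_verdict)"
    else
        echo "FORWARD chain: could not read (run as root)"
    fi
}

# Only touch the live system when explicitly asked: ./check.sh live
if [ "${1:-}" = "live" ]; then
    check_live
fi
```

A "restricted" verdict is not an error: once the box doubles as a firewall the chain is expected to carry rules, and the verdict simply tells the admin that the FORWARD chain, not forwarding itself, is where to look when packets stop crossing.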

Author Comment

ID: 16929975
So in essence, the linux box does have to become the default gateway for the internal machines?  That's where I was getting confused then because I didn't think that by doing this I would have it also do routing; it would just pass the packets between the nics and there would be no layer 3 involved.  Then by doing this will I have to enable an internal protocol also that goes between the Cisco router and the linux box?

Also, my understanding was that every nic on a linux machine is set up in promiscuous mode by default which would allow grabbing the packets out of the air easily.  But, I have a 2950 switch that everything is hooked into.  Since they are all hooked into a switch those packets will never be sent to the linux box, unless otherwise called by that machine.  In all reality at that point, doesn't making a stand-alone machine that doesn't have packets going through it make it a host IDS and not a network IDS?  If that's not the case then I'll just leave it the way my network is set up now and continue setting up my ACLs on the router and be done with it.  The network IDS was the ultimate goal I had in mind, doing the firewall rules with iptables was just a bonus.
Thanks for your help.
LVL 57

Expert Comment

ID: 16930768
In order to do what you want you need this setup:

  LAN <---> Switch <---> Linux box <---> Router

This is the normal setup for firewalls anyway.  The firewall is physically between your internal network and the external network.

However, if you only want the Linux box to do IDS (not IPS, not be a firewall, just plain IDS) there are two other options.  You could set up a SPAN session on your switch with the source port being the port that the router is on and the target port being the Linux box.  The other option is to connect a HUB to the switch and then connect the Linux box and the router to the HUB.

Author Comment

ID: 16930921
Hubs are not an option and yes that is the setup that I had in mind.

Basically this is how it goes.  Comes in from the modem to e0/0 on the router with outside nat, then goes to e0/1 with nat inside.  From there it goes to the Linux box through a crossover cable to eth0, then redirects back out to eth1 and goes to the switch.  Then there is a Win2k3 machine handing out DNS and DHCP.
LVL 57

Expert Comment

ID: 16931295
For this:

 LAN <---> Switch <---> Linux box <---> Router

If you want to use iptables as a firewall, then Linux MUST be involved at layer 3, the IP layer.  The Linux box becomes the default router for your LAN and your Linux box points to your Internet router as its default route.

Depending on your environment you can either leave NAT on the router or have NAT be done on the Linux box.

There is a "How To" on how to set up a Linux box as a Bridge and a firewall:
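The bridge-and-firewall arrangement the comment points to is the one that matches what the question asked for: eth0 and eth1 joined at layer 2, so the LAN keeps the Cisco as its default gateway and the Linux box needs no address on the path, while iptables still filters the frames that cross the bridge. The script below is an added example written for this thread; it is not the HowTo the comment refers to and not code from any participant. The names eth0, eth1 and br0 are assumptions. By default it only prints the commands it would run (DRY_RUN=1); `apply` as root executes them.

```shell
#!/bin/sh
# Added example: a transparent (layer 2) bridge with an iptables firewall on
# the bridged frames. eth0 = router side, eth1 = switch side, br0 = bridge;
# all three names are assumptions for the example.

DRY_RUN=${DRY_RUN:-1}

# Prints a command in dry-run mode, executes it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Joins the two interfaces into one bridge. Returns 1 and does nothing when a
# name is missing or both names are the same.
build_bridge() {
    outside=$1; inside=$2; br=${3:-br0}
    [ -n "$outside" ] && [ -n "$inside" ] && [ "$outside" != "$inside" ] || return 1
    run brctl addbr "$br"
    run brctl addif "$br" "$outside"
    run brctl addif "$br" "$inside"
    # A transparent bridge carries no addresses of its own on the path, so any
    # addresses left on the member NICs are removed (this drops existing sessions).
    run ip addr flush dev "$outside"
    run ip addr flush dev "$inside"
    run ip link set "$outside" up
    run ip link set "$inside" up
    run ip link set "$br" up
    # Hand bridged IPv4 frames to iptables; without this the FORWARD chain never
    # sees them. Newer kernels need the br_netfilter module for this sysctl.
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# FORWARD chain for the bridge: LAN may open connections toward the router,
# only replies come back in, everything else is logged and dropped.
bridge_firewall() {
    outside=$1; inside=$2
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$inside" --physdev-out "$outside" -j ACCEPT
    run iptables -A FORWARD -j LOG --log-prefix "bridge-drop: "
}

# Number of commands a dry run of the whole setup would issue.
plan_line_count() {
    ( DRY_RUN=1; build_bridge "$1" "$2" br0; bridge_firewall "$1" "$2" ) | grep -c .
}

case "${1:-}" in
    plan)  build_bridge eth0 eth1 br0; bridge_firewall eth0 eth1 ;;
    apply) DRY_RUN=0; build_bridge eth0 eth1 br0; bridge_firewall eth0 eth1 ;;
esac
```

The physdev match is what makes the layer 2 design and iptables coexist: in FORWARD the frame has no routing decision behind it, so the rule keys on the physical port it arrived on and the port it leaves by rather than on IP interfaces. The LOG rule before the DROP policy is the piece an IDS operator wants, since it turns blocked frames into syslog lines the sensor or a log collector can pick up.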


Expert Comment

ID: 16939678
check out http://smoothwall.org 

It is a dedicated firewall/router linux os that has all you want already set up, with a web interface

Author Comment

ID: 16962761
Is there a way to allow the IDS machine to span across all the ports on the switch?  Meaning, since the switch is only allowing packets to flow from the incoming interface to the specified port requesting it, could I allow those packets to go to two different ports?
LVL 57

Accepted Solution

giltjr earned 1400 total points
ID: 16963731
Assuming you have NO current span sessions:

     monitor session 1 source fa0/1-fa0/23 both
     monitor session 1 destination fa0/24

This will set up span session #1.  It will copy all traffic received or sent on interfaces fa0/1-fa0/23 and copy it to fa0/24.  If you have a span session you will most likely want to clear it first.

This is an EXAMPLE.  You need to determine what you want to do. As you seem to have a single switch, all traffic is going to and coming from the ports on this switch.  Which means if you had a 24 port switch and did the above, your IDS box would see everything TWICE.  As a packet would be considered outbound on one port and inbound on another.

If you want to clear a span session it would be:

     no monitor session 1


Author Comment

ID: 16963920
Ok, thanks I will try that.
