

Linux IDS/Firewall

What I'm trying to do is configure my Linux box as an IDS/Firewall box. I have two NICs and also enabled IPv4 forwarding on the machine. I was hoping that this is all that I need but it isn't. My goal is to just have the machine pass packets from eth0 to eth1 and vice versa so I can use the IDS to pick up intrusions from my router to my internal machines. The router is a Cisco 2611 and is configured to do NAT on the inside so I don't need to make the Linux box into another NAT/router. I just want to pass the packets between the NICs. Any ideas?
1 Solution
IPv4 forwarding is enough to make the packets pass between the two NICs; however, you have to make sure you've set up your routing correctly.

I assume your Linux box will have a default gateway on the Cisco 2611, and any computers/devices connected to eth1 will have your Linux box as their default gateway. In such a scenario, and assuming your iptables FORWARD table has no restrictions (check /sbin/iptables -nL FORWARD), everything should work as you need it to.

You can then customise the iptables chains to create a firewall according to your requirements.

With regards to the IDS, I recommend snort (http://www.snort.org/). I'd suggest a separate box for IDS, which won't be an actual router, but rather a passive listening box in the network you want to monitor.

Hope this helps.
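The two things the answer says to check (IPv4 forwarding and the FORWARD chain) can be turned into a small script. This is an added example, not code from the thread; it runs on constructed sample output standing in for `sysctl` and `/sbin/iptables -nL FORWARD`, so it works offline, and the verdict names ("open", "filtered", "closed", "off") are my own labels.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a two-NIC Linux box will
# pass packets between eth0 and eth1, based on net.ipv4.ip_forward and the
# default policy and rule count of the iptables FORWARD chain.

# Constructed sample outputs, standing in for `sysctl net.ipv4.ip_forward`
# and `/sbin/iptables -nL FORWARD` as run on the box.
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1'
SAMPLE_FORWARD='Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.1.0/24       0.0.0.0/0'

# forwarding_enabled "<sysctl line>": returns 0 if the kernel forwards IPv4.
forwarding_enabled() {
  case "$1" in
    *"= 1") return 0 ;;
    *)      return 1 ;;
  esac
}

# forward_policy "<iptables -nL FORWARD output>": prints the chain's default policy.
forward_policy() {
  printf '%s\n' "$1" | sed -n 's/^Chain FORWARD (policy \([A-Z]*\)).*/\1/p'
}

# forward_rule_count "<output>": number of rules (lines after the two header lines).
forward_rule_count() {
  printf '%s\n' "$1" | awk 'NR > 2 && NF > 0 { n++ } END { print n + 0 }'
}

# forward_verdict "<sysctl line>" "<output>":
#   off      - kernel is not forwarding at all (nothing passes, whatever iptables says)
#   open     - policy ACCEPT: everything passes, nothing is filtered yet
#   filtered - policy DROP with explicit ACCEPT rules: only matching traffic passes
#   closed   - policy DROP and no rules: forwarding is on but every packet is dropped
forward_verdict() {
  forwarding_enabled "$1" || { echo off; return; }
  policy=$(forward_policy "$2")
  rules=$(forward_rule_count "$2")
  if [ "$policy" = ACCEPT ]; then echo open
  elif [ "$rules" -gt 0 ]; then echo filtered
  else echo closed
  fi
}

forward_verdict "$SAMPLE_SYSCTL" "$SAMPLE_FORWARD"
```

On a real box replace the two sample strings with `"$(sysctl net.ipv4.ip_forward)"` and `"$(/sbin/iptables -nL FORWARD)"`; a "closed" or "off" verdict is the usual reason eth0-to-eth1 traffic never arrives.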
jasonbrown17Author Commented:
So in essence, the Linux box does have to become the default gateway for the internal machines? That's where I was getting confused then, because I didn't think that by doing this I would have it also do routing; it would just pass the packets between the NICs and there would be no layer 3 involved. Then by doing this will I have to enable an internal protocol also that goes between the Cisco router and the Linux box?

Also, my understanding was that every NIC on a Linux machine is set up in promiscuous mode by default, which would allow grabbing the packets out of the air easily. But I have a 2950 switch that everything is hooked into. Since they are all hooked into a switch, those packets will never be sent to the Linux box unless otherwise called by that machine. In all reality, at that point, by making a stand-alone machine that doesn't have packets going through it, does that make it a host IDS and not a network IDS? If that's not the case then I'll just leave it the way my network is set up now and continue setting up my ACLs on the router and be done with it. The network IDS was the ultimate goal I had in mind; doing the firewall rules with iptables was just a bonus.
Thanks for your help.
In order to do what you want you need this setup:

  LAN <---> Switch <---> Linux box <---> Router

This is the normal setup for firewalls anyway. The firewall is physically between your internal network and the external network.

However, if you only want the Linux box to do IDS (not IPS, not be a firewall, just plain IDS) there are two other options. You could set up a SPAN session on your switch with the source port being the port that the router is on and the target port being the Linux box. The other option is to connect a HUB to the switch and then connect the Linux box and the router to the HUB.
jasonbrown17Author Commented:
Hubs are not an option and yes that is the setup that I had in mind.

Basically this is how it goes. It comes in from the modem to e0/0 on the router with NAT outside, then goes to e0/1 with NAT inside. From there it goes to the Linux box through a crossover cable to eth0, then redirects back out to eth1 and goes to the switch. Then there is a Win2k3 machine handing out DNS and DHCP.
For this:

 LAN <---> Switch <---> Linux box <---> Router

If you want to use iptables as a firewall, then Linux MUST be involved at layer 3, the IP layer. The Linux box becomes the default router for your LAN and your Linux box points to your Internet router as its default route.

Depending on your environment you can either leave NAT on the router or have NAT be done on the Linux box.

There is a "How To" on how to set up a Linux box as a bridge and a firewall:

Check out http://smoothwall.org

It is a dedicated firewall/router Linux OS that has all you want already set up, with a web interface.
jasonbrown17Author Commented:
Is there a way to allow the IDS machine to span across all the ports on the switch? Meaning, since the switch is only allowing packets to flow from the incoming interface to the specified port requesting it, could I allow those packets to go to two different ports?
Assuming you have NO current span sessions:

     monitor session 1 source fa0/1-fa0/23 both
     monitor session 1 destination fa0/24

will set up SPAN session #1. It will copy all traffic received or sent on interfaces fa0/1-fa0/23 to fa0/24. If you already have a SPAN session you will most likely want to clear it first.

This is an EXAMPLE. You need to determine what you want to do. As you seem to have a single switch, all traffic is going to and coming from the ports on this switch. Which means if you had a 24 port switch and did the above, your IDS box would see everything TWICE, as a packet would be considered outbound on one port and inbound on another.

If you want to clear a span session it would be:

     no monitor session 1

jasonbrown17Author Commented:
Ok, thanks I will try that.
