Linux IDS/Firewall

Posted on 2006-06-17
Last Modified: 2010-03-17
What I'm trying to do is configure my Linux box as an IDS/Firewall box. I have two NICs and also enabled IPv4 forwarding on the machine. I was hoping that this is all that I need but it isn't. My goal is to just have the machine pass packets from eth0 to eth1 and vice versa so I can use the IDS to pick up intrusions from my router to my internal machines. The router is a Cisco 2611 and is configured to do NAT on the inside so I don't need to make the Linux box into another NAT/router. I just want to pass the packets between the NICs. Any ideas?
Question by:jasonbrown17

Expert Comment

ID: 16929219
ipv4 forwarding is enough to make the packets pass between the two nics, however you have to make sure you've setup your routing correctly.

I assume your linux box will have a default gateway on the Cisco 2611, and any computers/devices connected to eth1 will have your linux box as their default gateway. In such a scenario, and assuming your iptables FORWARD table has no restrictions (check /sbin/iptables -nL FORWARD) everything should work as you need to.

You can then customise the iptables chains to create a firewall according to your requirements.

With regards to the IDS, I recommend snort ( I'd suggest a separate box for IDS, which won't be an actual router, but rather a passive listening box in the network you want to monitor.

Hope this helps.
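As an added illustration of the check recommended above (not part of the original answer), the script below parses `iptables -nL FORWARD` style output to report the FORWARD chain's default policy and rule count, tests whether `ip_forward` is on, and prints the minimal stateful rule set for an eth0/eth1 pass-through. The listing text and interface names are constructed samples; the rule-printing function only emits commands, it does not run them, so the script needs no root.

```shell
#!/bin/sh
# Added example: verify that a two-NIC Linux box will actually forward, and what
# a minimal stateful FORWARD policy for it looks like. Nothing here is run as root.

# Constructed sample of `iptables -nL FORWARD` on a box with no restrictions.
SAMPLE_OPEN='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample where the default policy is DROP and there are no rules:
# with this chain nothing will ever be forwarded, whatever ip_forward says.
SAMPLE_CLOSED='Chain FORWARD (policy DROP)
target     prot opt source               destination'

# Constructed sample with one explicit rule under a DROP policy.
SAMPLE_ONE_RULE='Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0'

# forward_policy: print the default policy (ACCEPT/DROP) of the FORWARD chain
# from listing text read on stdin.
forward_policy() {
    sed -n 's/^Chain FORWARD (policy \([A-Z]*\)).*/\1/p'
}

# forward_rule_count: number of rule lines (everything that is not the chain
# header, the column header or blank) in listing text read on stdin.
forward_rule_count() {
    awk 'NF && !/^Chain / && !/^target /{n++} END{print n+0}'
}

# forwarding_enabled: succeed if the sysctl file holds "1". The file path is a
# parameter so the check can be exercised on a constructed file; the default is
# the live kernel value.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ "$(cat "$f" 2>/dev/null)" = "1" ]
}

# print_forward_rules: emit (not execute) the commands for a stateful
# LAN <-> WAN pass-through with the FORWARD default set to DROP. Inbound
# traffic from the router side is only forwarded when it belongs to a
# connection the LAN opened; everything else is logged and falls to the policy.
print_forward_rules() {
    lan="${1:-eth1}"   # assumed: LAN side, towards the switch
    wan="${2:-eth0}"   # assumed: router side, crossover cable to the Cisco
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $lan -o $wan -j ACCEPT
iptables -A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FWD-DROP: "
EOF
}

# Stand-alone usage: report on the constructed samples and print the rule set.
for s in "$SAMPLE_OPEN" "$SAMPLE_CLOSED" "$SAMPLE_ONE_RULE"; do
    printf 'policy=%s rules=%s\n' \
        "$(printf '%s\n' "$s" | forward_policy)" \
        "$(printf '%s\n' "$s" | forward_rule_count)"
done
print_forward_rules eth1 eth0
```

A DROP policy with a zero rule count is the case that silently breaks the pass-through the question asks about, even with `ip_forward=1`; on a real box run the two checks against `iptables -nL FORWARD` and `/proc/sys/net/ipv4/ip_forward` before blaming routing.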

Author Comment

ID: 16929975
So in essence, the Linux box does have to become the default gateway for the internal machines? That's where I was getting confused then, because I didn't think that by doing this I would have it also do routing; it would just pass the packets between the NICs and there would be no layer 3 involved. Then by doing this will I have to enable an internal protocol also that goes between the Cisco router and the Linux box?

Also, my understanding was that every NIC on a Linux machine is set up in promiscuous mode by default, which would allow grabbing the packets out of the air easily. But I have a 2950 switch that everything is hooked into. Since they are all hooked into a switch, those packets will never be sent to the Linux box unless otherwise called for by that machine. In all reality, at that point, by making a stand-alone machine that doesn't have packets going through it, doesn't that make it a host IDS and not a network IDS? If that's not the case then I'll just leave it the way my network is set up now and continue setting up my ACLs on the router and be done with it. The network IDS was the ultimate goal I had in mind; doing the firewall rules with iptables was just a bonus.
Thanks for your help.

Expert Comment

ID: 16930768
In order to do what you want you need this setup:

  LAN <---> Switch <---> Linux box <---> Router

This is the normal setup for firewalls anyway.  The firewall is physically between your internal network and the external network.

However, if you only want the Linux box to do IDS (not IPS, not be a firewall, just plain IDS) there are two other options. You could set up a SPAN session on your switch with the source port being the port that the router is on and the target port being the Linux box. The other option is to connect a HUB to the switch and then connect the Linux box and the router to the HUB.


Author Comment

ID: 16930921
Hubs are not an option and yes that is the setup that I had in mind.

Basically this is how it goes. It comes in from the modem to e0/0 on the router with NAT outside, then goes to e0/1 with NAT inside. From there it goes to the Linux box through a crossover cable to eth0, then redirects back out to eth1 and goes to the switch. Then there is a Win2k3 machine handing out DNS and DHCP.

Expert Comment

ID: 16931295
For this:

 LAN <---> Switch <---> Linux box <---> Router

If you want to use iptables as a firewall, then Linux MUST be involved at layer 3, the IP layer. The Linux box becomes the default router for your LAN, and your Linux box points to your Internet router as its default route.

Depending on your environment you can either leave NAT on the router or have NAT be done on the Linux box.

There is a "How To" on how to setup a Linux box as a Bridge and a firewall:

Expert Comment

ID: 16939678
check out 

It is a dedicated firewall/router Linux OS that has all you want already set up, with a web interface.

Author Comment

ID: 16962761
Is there a way to allow the IDS machine to span across all the ports on the switch? Meaning, since the switch is only allowing packets to flow from the incoming interface to the specified port requesting them, could I allow those packets to go to two different ports?

Accepted Solution

giltjr earned 350 total points
ID: 16963731
Assuming you have NO current span sessions:

     monitor session 1 source fa0/1-fa0/23 both
     monitor session 1 destination fa0/24

will set up SPAN session #1. It will copy all traffic received or sent on interfaces fa0/1-fa0/23 to fa0/24. If you already have a SPAN session you will most likely want to clear it first.

This is an EXAMPLE. You need to determine what you want to do. As you seem to have a single switch, all traffic is going to and coming from the ports on this switch. Which means if you had a 24-port switch and did the above, your IDS box would see everything TWICE, as a packet would be considered outbound on one port and inbound on another.

If you want to clear a span session it would be:

     no monitor session 1


Author Comment

ID: 16963920
Ok, thanks I will try that.

