Solved

Linux IDS/Firewall

Posted on 2006-06-17
276 Views
Last Modified: 2010-03-17
What I'm trying to do is configure my Linux box as an IDS/Firewall box. I have two NICs and also enabled IPv4 forwarding on the machine. I was hoping that this is all that I need but it isn't. My goal is to just have the machine pass packets from eth0 to eth1 and vice versa so I can use the IDS to pick up intrusions from my router to my internal machines. The router is a Cisco 2611 and is configured to do NAT on the inside so I don't need to make the Linux box into another NAT/router. I just want to pass the packets between the NICs. Any ideas?
Thanks.
0
Question by:jasonbrown17
9 Comments
 
LVL 3

Expert Comment

by:Ustas
IPv4 forwarding is enough to make the packets pass between the two NICs; however, you have to make sure you've set up your routing correctly.

I assume your Linux box will have a default gateway on the Cisco 2611, and any computers/devices connected to eth1 will have your Linux box as their default gateway. In such a scenario, and assuming your iptables FORWARD table has no restrictions (check /sbin/iptables -nL FORWARD), everything should work as you need it to.

You can then customise the iptables chains to create a firewall according to your requirements.

With regards to the IDS, I recommend snort (http://www.snort.org/). I'd suggest a separate box for IDS, which won't be an actual router, but rather a passive listening box in the network you want to monitor.

Hope this helps.
0
 

Author Comment

by:jasonbrown17
So in essence, the Linux box does have to become the default gateway for the internal machines? That's where I was getting confused then, because I didn't think that by doing this I would have it also do routing; it would just pass the packets between the NICs and there would be no layer 3 involved. Then by doing this will I have to enable an internal protocol also that goes between the Cisco router and the Linux box?

Also, my understanding was that every NIC on a Linux machine is set up in promiscuous mode by default, which would allow grabbing the packets out of the air easily. But I have a 2950 switch that everything is hooked into. Since they are all hooked into a switch, those packets will never be sent to the Linux box unless otherwise called by that machine. In all reality, at that point, doesn't making a stand-alone machine that doesn't have packets going through it make it a host IDS and not a network IDS? If that's not the case then I'll just leave it the way my network is set up now and continue setting up my ACLs on the router and be done with it. The network IDS was the ultimate goal I had in mind; doing the firewall rules with iptables was just a bonus.
Thanks for your help.
0
 
LVL 57

Expert Comment

by:giltjr
In order to do what you want you need this setup:

  LAN <---> Switch <---> Linux box <---> Router

This is the normal setup for firewalls anyway. The firewall is physically between your internal network and the external network.

However, if you only want the Linux box to do IDS (not IPS, not be a firewall, just plain IDS) there are two other options. You could set up a SPAN session on your switch with the source port being the port that the router is on and the target port being the Linux box. The other option is to connect a HUB to the switch and then connect the Linux box and the router to the HUB.
0
 

Author Comment

by:jasonbrown17
Hubs are not an option and yes that is the setup that I had in mind.

Basically this is how it goes. It comes in from the modem to e0/0 on the router with NAT outside, then goes to e0/1 with NAT inside. From there it goes to the Linux box through a crossover cable to eth0, then redirects back out to eth1 and goes to the switch. Then there is a Win2k3 machine handing out DNS and DHCP.
0
 
LVL 57

Expert Comment

by:giltjr
For this:

 LAN <---> Switch <---> Linux box <---> Router

If you want to use iptables as a firewall, then Linux MUST be involved at layer 3, the IP layer. The Linux box becomes the default router for your LAN, and your Linux box points to your Internet router as its default route.

Depending on your environment you can either leave NAT on the router or have NAT be done on the Linux box.

There is a "How To" on how to set up a Linux box as a bridge and a firewall:

     http://www.tldp.org/HOWTO/Bridge+Firewall.html
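The two placements discussed in this thread, the routed firewall that Ustas and giltjr describe (IPv4 forwarding on, Linux as the LAN's default gateway) and the bridged firewall from the HOWTO linked above, written out as one added shell example. This is not code from the thread or from the HOWTO; eth0 facing the router, eth1 facing the switch, and the 192.168.1.0/24 LAN are assumptions. It also includes a check for Ustas's point about the FORWARD chain: the script parses an `iptables -nL FORWARD` listing and reports the chain policy and rule count, and reads the ip_forward flag. By default it only prints the commands it would run (DRY_RUN=1); clearing DRY_RUN applies them and needs root.

```shell
#!/bin/sh
# Added example, not from the thread: inline Linux firewall in routed or bridged mode,
# plus checks for ip_forward and the iptables FORWARD chain.
# Interface roles and the LAN range below are assumptions.

WAN_IF=eth0             # assumption: crossover cable to the Cisco 2611
LAN_IF=eth1             # assumption: link to the 2950 switch
LAN_NET=192.168.1.0/24  # constructed LAN range
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only; 0 = execute (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Mode 1 (routed): the box forwards at layer 3. The LAN hosts point their default
# gateway at LAN_IF's address and the box points its default route at the router.
routed_firewall() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # only hosts on the LAN may open new connections towards the router side
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
}

# Mode 2 (bridged, the Bridge+Firewall HOWTO approach): both NICs join br0, no IP
# addresses are needed to pass frames, and iptables still sees them in FORWARD.
# Needs the kernel's bridge-netfilter support; the physdev match picks the bridge port.
bridged_firewall() {
    run brctl addbr br0
    run brctl addif br0 "$WAN_IF"
    run brctl addif br0 "$LAN_IF"
    run ip link set "$WAN_IF" up
    run ip link set "$LAN_IF" up
    run ip link set br0 up
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$LAN_IF" -s "$LAN_NET" -j ACCEPT
}

# Read an "iptables -nL FORWARD" listing on stdin and print the chain policy.
# Policy ACCEPT with zero rules is Ustas's "no restrictions" case: everything passes.
forward_policy() {
    sed -n 's/^Chain FORWARD (policy \([A-Z]*\).*/\1/p'
}

# Count rule lines in that listing (everything after the two header lines).
forward_rule_count() {
    awk 'NR > 2 && NF > 0 { n++ } END { print n + 0 }'
}

# Print "on" or "off" for the ip_forward flag; a file path can be given for testing.
ip_forward_state() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    if [ "$(cat "$f" 2>/dev/null)" = 1 ]; then echo on; else echo off; fi
}

# Usage: ./inline-fw.sh routed | bridged   (prints the commands unless DRY_RUN=0)
case "${1:-}" in
    routed)  routed_firewall ;;
    bridged) bridged_firewall ;;
esac
```

The default policy is set to DROP before any ACCEPT rule is added so that a half-applied script never leaves the FORWARD chain wide open; the state match lets return traffic through without a rule per service.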
0
 
LVL 2

Expert Comment

by:jcs5003
check out http://smoothwall.org

It is a dedicated firewall/router Linux OS that has all you want already set up, with a web interface.
0
 

Author Comment

by:jasonbrown17
Is there a way to allow the IDS machine to span across all the ports on the switch? Meaning, since the switch is only allowing packets to flow from the incoming interface to the specified port requesting it, could I allow those packets to go to two different ports?
0
 
LVL 57

Accepted Solution

by:
giltjr earned 350 total points
Assuming you have NO current span sessions:

     monitor session 1 source fa0/1-fa0/23 both
     monitor session 1 destination fa0/24

This will set up SPAN session #1. It will copy all traffic received or sent on interfaces fa0/1-fa0/23 to fa0/24. If you already have a SPAN session you will most likely want to clear it first.

This is an EXAMPLE. You need to determine what you want to do. As you seem to have a single switch, all traffic is going to and coming from the ports on this switch. Which means if you had a 24 port switch and did the above, your IDS box would see everything TWICE, as a packet would be considered outbound on one port and inbound on another.

If you want to clear a span session it would be:

     no monitor session 1

0
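A way to confirm on the sensor what the SPAN session above actually delivers, and to measure the "everything TWICE" effect giltjr warns about, as an added shell example that is not part of the thread. It assumes a capture taken on the IDS box's NIC with `tcpdump -nn` (the interface name eth0 is an assumption) and works on constructed sample lines embedded below: it drops the timestamp from each line and counts how many distinct packets were seen more than once. A high duplicate share after mirroring all ports `both` is the signal to narrow the session to one direction or to the router's port only.

```shell
#!/bin/sh
# Added example, not from the thread: quantify duplicated packets on a SPAN destination.
# Capture on the sensor with, for instance:  tcpdump -i eth0 -nn -c 1000 > capture.txt
# (eth0 is an assumed interface name), then:  span_duplicate_stats < capture.txt

# Read tcpdump -nn lines on stdin and print "<total> <unique> <duplicated>".
# The timestamp (first field) is discarded so the same packet mirrored from two
# source ports at slightly different instants compares equal.
span_duplicate_stats() {
    awk '
        NF > 1 {
            total++
            $1 = ""          # drop the timestamp, keep addresses, flags, seq, length
            seen[$0]++
        }
        END {
            for (k in seen) { unique++; if (seen[k] > 1) dup++ }
            print total + 0, unique + 0, dup + 0
        }'
}

# Constructed sample: three distinct packets; the TCP handshake pair was mirrored
# twice (inbound on one port, outbound on another), the DNS query only once.
SAMPLE='12:00:00.000010 IP 192.168.1.10.51234 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000015 IP 192.168.1.10.51234 > 10.0.0.5.80: Flags [S], seq 1, win 64240, length 0
12:00:00.000900 IP 10.0.0.5.80 > 192.168.1.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:00.000905 IP 10.0.0.5.80 > 192.168.1.10.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:00.001200 IP 192.168.1.11.40000 > 192.168.1.20.53: 1+ A? example.com. (29)'

# Run the statistic over the constructed sample (prints "5 3 2").
sample_stats() {
    printf '%s\n' "$SAMPLE" | span_duplicate_stats
}
```

On the sample, 5 lines collapse to 3 distinct packets, 2 of which arrived twice; an IDS fed such a stream raises every alert for those flows twice and burns capture capacity, which is why the source-port list matters more than the `both` keyword suggests.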
 

Author Comment

by:jasonbrown17
Ok, thanks I will try that.
0