LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 06-17-2006, 10:01 PM   #1
ninjaz
Member
 
Registered: Aug 2003
Location: Michigan
Distribution: RHEL v.4, Debian
Posts: 82

Rep: Reputation: 15
Linux IDS/Firewall


What I'm trying to do is configure my Linux box as an IDS/Firewall box. I have two nics and also enabled ipv4 forwarding on the machine. I was hoping that this is all that I need but it isnt. My goal is to just have the machine pass packets from eth0 to eth1 and visa versa so I can use the IDS to pick up intrusions from my router to my internal machines. The router is a Cisco 2611 and is configured to do nat on the inside so I don't need to make the linux box into another nat/router. I just want to pass the packets between the nics. Any ideas?
Thanks.

Last edited by ninjaz; 06-17-2006 at 10:05 PM.
 
Old 06-17-2006, 10:13 PM   #2
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
you want to put this between your router and your LAN, or between your router and the WAN?? i believe IDS systems usually go between the router and the WAN, no?? sounds like what you want is to have an ethernet bridge which will sniff the traffic before it hits your router... does that sound about right??
 
Old 06-17-2006, 10:39 PM   #3
ninjaz
Member
 
Registered: Aug 2003
Location: Michigan
Distribution: RHEL v.4, Debian
Posts: 82

Original Poster
Rep: Reputation: 15
I only have one IP address so I would want to set it behind the WAN since the Cisco router is taking care of the nat'ing. I have (loose) ACL's setup on the router, that are blocking access to telnet services except for inside ip's and also ACL's blocking spoofing attacks on the outside. I was then going to use Snort/BASE as my IDS and use iptables for stronger firewall blocking of attackers coming to the inside.
 
Old 06-17-2006, 11:42 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
the thing is that if you set it on the inside (behind the cisco), i believe you would be losing valuable information which is getting filtered by the cisco router... the ideal would be to sniff the traffic *before* it hits your router...

BTW, if you configure this as an ethernet bridge (in front of the cisco), you would NOT have to change any IP configuration or anything... it would pretty much be "plug-and-play"... that's part of the beauty of doing it in the ethernet bridge manner...

but yeah, it can be done inside also - although it's not going to be the same thing, of course... basically to get started you'd just need the proper firewall rules - that can be done with a simple iptables script... setting-up snort would be a separate project... i don't have any snort experience, but i do have iptables experience and can give you a hand there... let me know what exactly you need... it sounds like you want to have the boxes on your LAN use the linux box as their gateway, and then have the linux box use the cisco router as its gateway, right??
 
Old 06-19-2006, 11:58 AM   #5
ninjaz
Member
 
Registered: Aug 2003
Location: Michigan
Distribution: RHEL v.4, Debian
Posts: 82

Original Poster
Rep: Reputation: 15
How would I got about setting up an IP bridge? Would I just setup eth0 for dhcp coming from my ISP and then set eth1 with a statically set IP? After that Im not sure on what to do. Would I be double NAT'ing? I know about setting up Snort/BASE that was the easy part :-)
Thanks

Last edited by ninjaz; 06-19-2006 at 11:59 AM.
 
Old 06-19-2006, 01:08 PM   #6
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by ninjaz
How would I got about setting up an IP bridge? Would I just setup eth0 for dhcp coming from my ISP and then set eth1 with a statically set IP? After that Im not sure on what to do. Would I be double NAT'ing? I know about setting up Snort/BASE that was the easy part :-)
Thanks
i don't really know a lot about bridges... in fact, after having gone over some docs just now, i'm having doubts about whether it would work as a first hop from the Internet, since they work with hardware addresses (not IP) and packets coming from the Internet don't have that... so it sounds like it might indeed have to go behind the router anyways... here's a couple links:

http://ebtables.sourceforge.net/

http://linux-net.osdl.org/index.php/Bridge

with a bridge you wouldn't be double-NATing... the packets coming out of one side of the bride would be exactly the same as the ones going in unless you decide to change them somehow... as you can imagine, this is one reason why bridges are good for sniffing traffic... another reason is the plug-and-play factor of course...

OTOH, by using the linux box as a NAT/IDS behind your Cisco (or vice-versa), then that *would* be double-NATing (nothing particularly wrong with that BTW)...

i am obviously no expert, but i think one of these two options might be your best bet (considering you want to use both your Linux and your Cisco):

1- BRIDGE: Cisco NAT with Linux Bridge/IDS behind it (LAN side).

2- DOUBLE-NAT: Linux NAT/IDS (First hop from WAN) and Cisco NAT (Second hop from WAN).

i kinda like #2 cuz it lets you inspect the traffic before handing it over to the Cisco... this would allow you to do more thorough analysis of intrusion attempts IMHO...

just my ...

PS: another thing you could do is use only the Linux box for NAT/IDS, which would allow you to use the Cisco router somewhere else... then again, this might not be an option for you...

Last edited by win32sux; 06-19-2006 at 01:23 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Firewall & IDS GUI alerts on KDE: I want them! AvatarofVirgo Linux - Security 2 02-22-2005 07:38 PM
Need IDS if using IPtables/Firewall?? schteelhead Linux - Security 1 11-06-2004 12:28 PM
Stealth Firewall, IDS, and syslog server? OlRoy Linux - Security 8 11-08-2003 04:10 PM
help about IDS and firewall Babba Linux - Security 2 02-11-2003 05:35 AM
GUI Firewall/IDS netmatrix0 Linux - Security 7 12-07-2002 09:18 PM


All times are GMT -5. The time now is 02:40 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration