LinuxQuestions.org

Linux - Networking: IPtables + snort = homebrew internet gateway (https://www.linuxquestions.org/questions/linux-networking-3/iptables-snort-%3D-homebrew-internet-gateway-682631/)

vortmax 11-11-2008 10:43 AM

IPtables + snort = homebrew internet gateway
 
I'm attempting to build an IPS internet gateway by using snort-inline for the IPS and iptables to handle the routing, but I'm having issues getting iptables to work.

I have an MPLS network that is supplying internet out to apartment complexes. This firewall will sit at the head of this network to fish out attacks. I still need to treat this network as insecure. I have 3 NICs on the server I am using. One will be the WAN side of the network, the second will be the LAN side, and the third will be a management IP that is on my corporate local network (secured).

What I need to do is to have all traffic entering the LAN nic be directed to the queue for snort to crunch on before being directed out the WAN. Same thing for the WAN to LAN. I need the third NIC to allow complete access from a third network, but never allow any host on the LAN or WAN side onto the private network. Does that make sense?

How do I go about doing this? Do I give the LAN and WAN NICs their appropriate IPs, then do some routing with iptables, or do I need to configure a bridge?

acid_kewpie 11-12-2008 02:56 AM

Well in general that's all fine. No bridging though, just route through in all three directions and firewall off your management interface with iptables. I mean, you *could* bridge if you want to be transparent, but I'd not see any real reason to do that unless your immediate routing in neighboring LAN segments isn't able to be correctly configured for an additional layer 3 hop. Are you having specific issues with this, or just running it past others?
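A concrete ruleset for the routed three-NIC layout acid_kewpie describes, as an added example that is not code from the thread. The interface names eth0/eth1/eth2, the management subnet and the script name are assumptions; the LAN/WAN forwarding path hands every packet to the QUEUE target, which is where snort-inline picks it up.

```shell
#!/bin/sh
# Added example, not code from the thread: a minimal iptables ruleset for
# the three-NIC layout described above (WAN, LAN, management), routed rather
# than bridged as acid_kewpie suggests. Interface names and the management
# subnet are assumptions; set them for your box before applying.
WAN=${WAN:-eth0}                     # upstream side of the MPLS network
LAN=${LAN:-eth1}                     # apartment-complex side
MGMT=${MGMT:-eth2}                   # corporate management network
MGMT_NET=${MGMT_NET:-10.10.0.0/24}   # assumed management subnet
IPT=${IPT:-iptables}                 # IPT=echo prints the rules instead of applying them

gateway_rules() {
    $IPT -F
    $IPT -X
    # Deny by default; only OUTPUT from the box itself is open.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Loopback and replies to the box's own connections.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The box is administered only from the management NIC and subnet.
    $IPT -A INPUT -i "$MGMT" -s "$MGMT_NET" -j ACCEPT
    # Nothing from LAN or WAN may be routed toward the management network;
    # log the attempt so a misconfigured or hostile host shows up.
    for IN in "$LAN" "$WAN"; do
        $IPT -A FORWARD -i "$IN" -o "$MGMT" -j LOG --log-prefix "mgmt-probe: "
        $IPT -A FORWARD -i "$IN" -o "$MGMT" -j DROP
    done
    # Every routed LAN<->WAN packet is handed to userspace (the QUEUE target,
    # ip_queue module) where snort-inline decides to pass or drop it. No
    # state shortcut here: snort must see every packet of a flow.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j QUEUE
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -j QUEUE
}

# Apply for real only when invoked as "./gateway.sh apply" as root.
if [ "${1:-}" = apply ]; then
    modprobe ip_queue                      # needed by the QUEUE target / snort-inline
    sysctl -w net.ipv4.ip_forward=1
    gateway_rules
fi
```

Run with `IPT=echo ./gateway.sh` first to review the generated rules; the default FORWARD policy of DROP means the management network can reach the box but is never routed into the LAN or WAN.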

