0

My goal is to setup a firewall & Intrusion Prevention system using Snort. I have a spare pc available with at least 2 physical NIC's, which ran pfSense having a firewall with Snort, but this time I want to do the setup myself. So far I managed to install Debian 9 as a headless system with ssh login (and if really needed I could add a keyboard and screen temporary).

I wanted to start with just a firewall, without Snort.

How to I achieve the following: - is it possible to put the firewall just in between my IPS cable modem router and my LAN? The ISP router has DHCP/NAT enabled, which I can't turn off. - I want to achieve a "plug&play" firewall that I could just put in between, without turning it into a double NAT (which I had before using pfSense). I mean, if possible I don't want to have different networks, eg. a 192.168.x.x one and a for example 10.x.x.x one. - the firewall is headless, logging in via ssh

      Internet
        WAN
         |
         |
      ISP Cable Modem & Router with DCHP
      gateway 192.168.0.1
         |
         |
       [eth0]
      Firewall
       [eth1]
         |                ________ Wireless AP
         |               /
         |_____ Switch__/_________ PC1
                        \
                         \________ ...

I tried to setup a bridge on br0 (via /etc/network/interfaces) adding eth0 and eth1. The bridge had an IP address and it worked fine, where I could still connect to the internet from devices behind the switch via the AP. So I learned bridges don't care about IP addresses.... which doesn't sound good to build a firewall with eventually snort (IPS). I've read about iptables and using the "physical dev". Maybe I'm force to do double NAT and setup routing? The problem is I don't know enough to know what is best and how to go about it. Sure, I've googled (a lot) and found for example on aboutdebian.org articles about proxy/NAT and firewalling... but most articles asume you can have a modem only, but I can't turn off DCHP nor I can configure the range of it. It's always the full 255.255.255.0 range.

Rui F Ribeiro
  • 55,929
  • 26
  • 146
  • 227
WU7
  • 33
  • 2
  • 5

2 Answers2

0

Nearly all modern combined "modem/routers" have a way to set them up in "bridge mode" or some lexical equivalent which turns off all DCHP, IP Masquerading, wireless access points, and other ancillary malarkey that it looks like you want to do yourself. Consult your modem's manual or ask your ISP if they can either:

  • Reconfigure the modem into Bridge mode for you
  • Provide the documentation for how to do so yourself, or
  • Provide you a new modem which is not as "featureful".

Connect your firewall host directly to the modem using eth0. It will get an actual bona-fide public routeable IP address.

Configure your firewall to use eth0 as the public / WAN interface, and eth1 as the private / LAN interface. Your firewall will also be acting as a router, so you will probably also want to enable DHCP service on eth1 using whichever private IP address space you wish to use.

Network Map

DopeGhoti
  • 73,792
  • 8
  • 97
  • 133
  • Thanks for taking the time to reply. Unfortunately I’ve contacted my ISP already with this question... and they can’t / won’t turn it into bridge mode. I’m only allowed to change the cable-modem/router via their online portal.... which is quote basic. There’s no way to turn of dhcp or choose my own range etc. I had my pfSense installed as firewall/router with double nat (so ending up with separate networks before and after pfSense. – WU7 Jun 12 '18 at 21:32
  • One daythe pfSense upgrade failed, so I had to take it out, which switched the devices from a 10.x.x.x LAN back to a 192.168.x.x network and made me redo their setup and certificates... From what I could google myself it seems I either need to go with a transparant bridge firewall (but probably won’t allow IPS?) or have no other choice than to do double NAT again ending up with different LAN’s or is there a way to route between 2 NIC’s, where devices at either side are in the same subnet, eg. getting their IP via the dhcp from the ISP modem/router? – WU7 Jun 12 '18 at 21:32
  • Would this maybe be what I need to do: http://www.aboutdebian.com/proxy.htm – WU7 Jun 12 '18 at 22:31
0

Seems I’ve found a working solution... maybe trivial once you know it, but keep in mind I didn’t know linux nor much networking. So, here.s what I learned: - you need to use a bridge if you want ‘plug&play’, because it just passes trafic. You could setup a router, but then what comes behind the firewall, needed a different LAN (eg. 10.x.x.x instead of 192.168.x.x). I would also end up with double-NAT and needed to run a DHCP server to provide all devices behind the router/firewall an IP address. So, that why I went with a bridge: no need to change existing setup, but just put the bridge in between.

Now, getting the firewalling at work on a Bridge can be done using IPTABLES. Since a bridge doesn’t look at level 3 (IP), but only at level 2 (MAC address/ethernet frame) I.ve found that using the iptables-extension “physdev” is needed. The man page about it gave me some info.

So far I was able to block a ping or port 80; 443 etc. just for testing.... but it proves this way it would work out ok. Important is to use the FORWARD chain. For example:

iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out     eth1 -p icmp --icmp-type echo-request -j DROP

Next things to find out: - how to block IPV6... not sure if I need to add rules to IP6TABLES or just disable it all together on the host. In my internal LAN only IPV4 addresses would be needed. Would I miss out anything if I would block/not use IPV6? - check out eptables - get into Snort

... but I feel I got where I wanted to be.

WU7
  • 33
  • 2
  • 5