IPTABLES with NAT and SURICATA IDS on CentOS 7
In this how-to we will set up a perimeter firewall on a budget. IPTABLES will forward every transit packet to NFQUEUE, where Suricata inspects it (and, in IPS mode, drops it); NAT rules will publish internal services to the outside and masquerade the internal network on the way out. The host has two interfaces: eth0 facing the Internet and eth1 facing the internal network.
1. Enable routing
Edit /etc/sysctl.conf and set:

net.ipv4.ip_forward = 1

then load it:

sysctl -p /etc/sysctl.conf
2. Configure Network interfaces
INTERNET facing (/etc/sysconfig/network-scripts/ifcfg-eth0)

TYPE=Ethernet
BOOTPROTO=static
IPADDR=x.x.x.x    # note: this will be your public facing IP address
PREFIX=x
GATEWAY=x.x.x.x
DNS1=x.x.x.x
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME=eth0
DEVICE=eth0
ONBOOT=yes
internal facing (/etc/sysconfig/network-scripts/ifcfg-eth1; no GATEWAY or DEFROUTE here, the default route stays on eth0)

TYPE=Ethernet
BOOTPROTO=static
IPADDR=x.x.x.x    # note: this will be your private IP address
PREFIX=24
IPV4_FAILURE_FATAL=no
NAME=eth1
DEVICE=eth1
ONBOOT=yes
3. Disable firewalld and enable iptables

systemctl disable firewalld
systemctl stop firewalld
systemctl mask firewalld
yum install iptables-services
systemctl enable iptables

iptables-services loads /etc/sysconfig/iptables at boot; once the ruleset below works, persist it with "service iptables save".
4. Install SURICATA (at this time the latest version is 2.0.10)
a. Build dependencies:
   yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel \
       zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel
b. yum install epel-release
c. yum -y install libnetfilter_queue-devel   (from EPEL; needed for NFQUEUE support)
d. Download and unpack the source:
   wget http://www.openinfosecfoundation.org/download/suricata-2.0.10.tar.gz
   tar -xvzf suricata-2.0.10.tar.gz
   cd suricata-2.0.10
e. ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
   (note the double dash on --localstatedir; without --enable-nfqueue the -q option used later does not exist)
f. make
   make install
   ldconfig
g. mkdir /var/log/suricata
h. mkdir /etc/suricata
i. Copy the default configuration files from the source directory you are still in:
   cp classification.config /etc/suricata
   cp reference.config /etc/suricata
   cp suricata.yaml /etc/suricata
j. wget http://prdownloads.sourceforge.net/oinkmaster/oinkmaster-2.0.tar.gz
k. mkdir /etc/oinkmaster
l. tar xvf oinkmaster-2.0.tar.gz
m. mv oinkmaster-2.0/* /etc/oinkmaster/
n. yum install perl
o. Edit /etc/oinkmaster/oinkmaster.conf and add the following at the bottom:
   url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
p. Create the rules directory and run the first update:
   mkdir /etc/suricata/rules
   /etc/oinkmaster/oinkmaster.pl -C /etc/oinkmaster/oinkmaster.conf -o /etc/suricata/rules

Both the Suricata tarball and the rule set are fetched over plain HTTP with no signature check, so what you load is only as trustworthy as the path to those servers; fetch them from a host you trust and inspect the archive before the first rule update runs on the gateway.
EXAMPLE OF BASIC IPTABLES RULES
# start from a clean slate
iptables --flush
iptables --delete-chain
iptables --table nat --flush
iptables --table nat --delete-chain

# default policies: drop inbound and transit traffic, accept the firewall's own outgoing traffic
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# without these two rules the firewall itself cannot talk to localhost or receive
# the replies to its own connections (yum, wget, the oinkmaster update)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# allow routing between the internal interface (eth1, from step 2) and the outside
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT

# open ssh port to administer the firewall
iptables -A INPUT -p tcp --dport 22 -j ACCEPT

# drop all at the end of the INPUT chain (redundant with the DROP policy, but explicit)
iptables -A INPUT -j DROP

# outgoing SNAT: rewrite the internal network's source address to the public IP
iptables -t nat -A POSTROUTING -s X.X.X.X/X -o eth0 -j SNAT --to X.X.X.X

# incoming DNAT: publish internal services on the public IP
iptables -t nat -A PREROUTING -d X.X.X.X -p tcp --dport 222 -j DNAT --to X.X.X.X:222
iptables -t nat -A PREROUTING -d X.X.X.X -p tcp --dport 80 -j DNAT --to X.X.X.X:80

##############
# nfq enable #
##############
# -I puts this rule at the top of FORWARD, so every transit packet reaches NFQUEUE 0
# before any of the ACCEPT rules above are consulted
iptables -I FORWARD -j NFQUEUE

Three things to know about the NFQUEUE rule. First, with Suricata's default nfq setting (mode: accept) a packet Suricata passes is returned to the kernel with NF_ACCEPT, which ends traversal of the FORWARD chain: the ACCEPT rules after it are never evaluated, so anything Suricata does not drop is forwarded in both directions regardless of the policy rules. If you want the policy rules to still apply, set mode: repeat with repeat_mark/repeat_mask in suricata.yaml and match "-m mark ! --mark 1/1" in the NFQUEUE rule so re-injected packets skip the queue. Second, when no process is bound to the queue the kernel drops queued packets, so a crashed or stopped Suricata takes the gateway down (fail closed); add --queue-bypass to the rule only if you deliberately prefer fail open. Third, "-o eth1 -j ACCEPT" lets the outside reach any internal host it can route to, not just the DNAT targets; a stricter ruleset accepts only ESTABLISHED,RELATED plus the published ports.
START SURICATA
suricata -c /etc/suricata/suricata.yaml -q 0 &

-q 0 binds Suricata to queue number 0, which is the default queue of the NFQUEUE rule above. Backgrounding with & ties the process to your login shell; on a real gateway start it with -D (daemonize) or from a systemd unit so it survives logout, and check /var/log/suricata/suricata.log after the first start for rules that failed to load.
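The ruleset above forwards whatever Suricata does not drop, and exposes every internal host to inbound routing. The script below is an added example, not the original how-to's code, of a stateful version of the same gateway: every transit packet is queued to Suricata first, and the policy rules still apply afterwards because the script expects suricata.yaml to carry "nfq: mode: repeat, repeat_mark: 1, repeat_mask: 1" (Suricata marks the packets it passes and re-injects them at the top of FORWARD, where the mark match skips the queue). The interface names, the 203.0.113.10 public address (an RFC 5737 documentation address), the 192.168.10.0/24 network and the web host are placeholder assumptions.

```shell
#!/bin/bash
# gateway-fw.sh: stateful NAT gateway with inline Suricata on NFQUEUE.
# Added example, not from the original how-to. Addresses and interface names
# are assumptions; override them through the environment.
set -eu

WAN_IF=${WAN_IF:-eth0}                 # internet-facing interface from step 2
LAN_IF=${LAN_IF:-eth1}                 # internal interface from step 2
WAN_IP=${WAN_IP:-203.0.113.10}         # public address used for SNAT/DNAT
LAN_NET=${LAN_NET:-192.168.10.0/24}    # internal network behind the gateway
WEB_HOST=${WEB_HOST:-192.168.10.20}    # internal web server published on port 80
QUEUE=${QUEUE:-0}                      # must match "suricata ... -q 0"
DRY_RUN=${DRY_RUN:-0}                  # 1: print the commands instead of running them

ipt() {
  if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_rules() {
  # clean slate
  ipt -F; ipt -X; ipt -t nat -F; ipt -t nat -X
  ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT

  # the firewall's own traffic: loopback, replies to its connections, SSH from the LAN only
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
  ipt -A INPUT -i "$LAN_IF" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

  # transit traffic: every packet is queued to Suricata first. This assumes
  # suricata.yaml has nfq mode: repeat with repeat_mark: 1 / repeat_mask: 1, so
  # packets Suricata passes come back marked, skip this rule on the second pass
  # and are then subject to the policy rules below. Without a running Suricata
  # the kernel drops queued packets (fail closed); append --queue-bypass to this
  # rule only if fail open is what you want.
  ipt -A FORWARD -m mark ! --mark 1/1 -j NFQUEUE --queue-num "$QUEUE"
  ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
  # only the published service is reachable from outside, not the whole internal network
  ipt -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$WEB_HOST" -p tcp --dport 80 \
      -m conntrack --ctstate NEW -j ACCEPT

  # NAT: publish the web server, rewrite the LAN's source address to the public IP
  ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$WAN_IP" -p tcp --dport 80 \
      -j DNAT --to-destination "$WEB_HOST:80"
  ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

case "${1:-}" in
  apply)   apply_rules && service iptables save ;;   # needs root and iptables-services
  dry-run) DRY_RUN=1 apply_rules ;;
  *)       echo "usage: $0 apply|dry-run" >&2 ;;
esac
```

Run "./gateway-fw.sh dry-run" to review the generated commands, then "./gateway-fw.sh apply" as root to load and persist them. Start Suricata before applying: with the NFQUEUE rule in place and no listener on the queue, forwarding stops until Suricata is up.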
Example: SURICATA in IPS MODE
IPS mode means the rule action is drop rather than alert. In /etc/suricata/suricata.yaml point Suricata at the rules directory and list the local rule file:

vi /etc/suricata/suricata.yaml

default-rule-path: /etc/suricata/rules/
rule-files:
  - local.rules

and put the rule in /etc/suricata/rules/local.rules on a single line:

drop tcp any any -> any any (msg:"SITE is blocked"; content:"SITE.com"; http_header; nocase; classtype:policy-violation; sid:1;)
Example: send only port 80 traffic to NFQUEUE

Instead of queueing every packet, inspection can be limited to HTTP:

sudo iptables -I INPUT -p tcp --sport 80 -j NFQUEUE
sudo iptables -I OUTPUT -p tcp --dport 80 -j NFQUEUE

These two rules sit in INPUT and OUTPUT, so they only cover HTTP connections made by the firewall host itself (the replies come back with source port 80). Traffic passing through the gateway from eth1 travels the FORWARD chain, so for the clients behind the firewall use the same matches with -I FORWARD. A port-80 match also means HTTP on any other port, and all of HTTPS, bypasses Suricata.
Example: create your own rules
Add local.rules to the rule-files list in /etc/suricata/suricata.yaml so it is loaded alongside the Emerging Threats sets:

default-rule-path: /etc/suricata/rules/
rule-files:
  - local.rules
  - emerging-ftp.rules
  - emerging-policy.rules

Create local.rules in /etc/suricata/rules/ using a text editor. Add on a single line:

drop tcp any any -> any any (msg:"facebook is blocked"; content:"facebook.com"; http_header; nocase; classtype:policy-violation; sid:1;)

Every rule needs a sid that is unique across all loaded files: Suricata reports a duplicate sid as an error and refuses the second rule, so the two sid:1 examples on this page cannot be loaded together. The convention is to number local rules from 1000000 upwards, clear of the Emerging Threats ranges, and to bump rev whenever a rule changes. A content match on http_header only sees plain HTTP; the same site over HTTPS is not matched by this rule.
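Writing local rules by hand invites sid collisions, and the first sign is usually an error in suricata.log after a restart. The script below is an added example, not the original how-to's code: it writes a local.rules file in the format used by the IPS-mode and facebook examples above (the three rules in it are constructed samples) and checks a set of rule files for repeated sids before Suricata is restarted. The 1000000+ sid range and the RULES_DIR path are assumptions.

```shell
#!/bin/bash
# local-rules.sh: write local.rules and check the loaded rule files for duplicate
# sids. Added example, not from the original how-to; sample rules are constructed.
set -eu

RULES_DIR=${RULES_DIR:-/etc/suricata/rules}   # assumption: the path from step 4

# Write the site policy rules. Each rule carries a unique sid in the local range
# (1000000+ by convention) and a rev, so later edits can replace it cleanly.
write_local_rules() {
  cat > "$1" <<'EOF'
# local.rules - site policy, listed under rule-files in suricata.yaml
drop tcp any any -> any any (msg:"facebook is blocked"; content:"facebook.com"; http_header; nocase; classtype:policy-violation; sid:1000001; rev:1;)
drop tcp any any -> any any (msg:"SITE is blocked"; content:"site.com"; http_header; nocase; classtype:policy-violation; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"new SSH session to internal host"; flags:S; classtype:misc-activity; sid:1000003; rev:1;)
EOF
}

# Print every sid that occurs more than once across the given rule files
# (comment lines ignored), one sid per line; prints nothing when all are unique.
duplicate_sids() {
  grep -h -v '^[[:space:]]*#' "$@" \
    | grep -o '[;( ]sid:[[:space:]]*[0-9][0-9]*' \
    | tr -dc '0-9\n' \
    | sort -n | uniq -d
}

# Return non-zero and name the offenders when sids collide; run this before
# restarting Suricata (and before "suricata -T -c suricata.yaml" where available).
check_rules() {
  dups=$(duplicate_sids "$@")
  if [ -n "$dups" ]; then
    printf 'duplicate sid(s):\n%s\n' "$dups" >&2
    return 1
  fi
  return 0
}

# Usage: ./local-rules.sh write   (writes local.rules, then checks every *.rules file)
if [ "${1:-}" = "write" ]; then
  write_local_rules "$RULES_DIR/local.rules"
  check_rules "$RULES_DIR"/*.rules
fi
```

Run it with "write" on the gateway after each oinkmaster update as well: the Emerging Threats files are regenerated, and a sid you picked inside their range will collide the day they publish a rule with the same number.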