Deploy IPTABLES with NAT and SURICATA IDS on CentOS 7

In this how-to we set up a perimeter firewall on a budget. IPTABLES will hand every forwarded packet to NFQUEUE so Suricata can inspect it (and, with drop rules, block it), and NAT rules will let the internal network out and forward selected ports from the outside to hosts on the internal network.

1. Enable routing

Edit /etc/sysctl.conf and set net.ipv4.ip_forward = 1, then reload it so the change takes effect without a reboot:
sysctl -p /etc/sysctl.conf

2. Configure Network interfaces
INTERNET facing (/etc/sysconfig/network-scripts/ifcfg-eth0)

TYPE=Ethernet
BOOTPROTO=static
IPADDR=x.x.x.x   # note: this will be your public facing IP address
PREFIX=x
GATEWAY=x.x.x.x
DNS1=x.x.x.x
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME=eth0
DEVICE=eth0
ONBOOT=yes

internal facing (/etc/sysconfig/network-scripts/ifcfg-eth1; no GATEWAY here, so the default route stays on eth0)

TYPE=Ethernet
BOOTPROTO=static
IPADDR=x.x.x.x  # note: this will be your private ip address 
PREFIX=24
IPV4_FAILURE_FATAL=no
NAME=eth1
DEVICE=eth1
ONBOOT=yes

3. Disable firewalld and switch to the iptables service

Masking firewalld keeps another package from starting it again. iptables-services provides the iptables unit, which loads the rules saved in /etc/sysconfig/iptables at boot.

systemctl disable firewalld
systemctl stop firewalld
systemctl mask firewalld
yum install iptables-services
systemctl enable iptables
systemctl start iptables

4. Install SURICATA (at this time the latest version is 2.0.10)

a. yum -y install gcc libpcap-devel pcre-devel libyaml-devel file-devel \
   zlib-devel jansson-devel nss-devel libcap-ng-devel libnet-devel
b. yum install epel-release   (libnetfilter_queue-devel comes from EPEL)
c. yum -y install libnetfilter_queue-devel
d. wget http://www.openinfosecfoundation.org/download/suricata-2.0.10.tar.gz
   tar -xvzf suricata-2.0.10.tar.gz
   cd suricata-2.0.10
e. ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
   (--enable-nfqueue is what lets Suricata take packets from iptables; it needs the
   libnetfilter_queue-devel package from step c, so check the configure output for it)
f. make
   make install
   ldconfig
g. mkdir /var/log/suricata
h. mkdir /etc/suricata
i. cp classification.config /etc/suricata
   cp reference.config /etc/suricata
   cp suricata.yaml /etc/suricata
j. wget http://prdownloads.sourceforge.net/oinkmaster/oinkmaster-2.0.tar.gz
k. mkdir /etc/oinkmaster
l. tar xvf oinkmaster-2.0.tar.gz
m. mv oinkmaster-2.0/* /etc/oinkmaster/
n. yum install perl
o. edit /etc/oinkmaster/oinkmaster.conf and add the rule source at the bottom:
   url = http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz
p. mkdir /etc/suricata/rules
   /etc/oinkmaster/oinkmaster.pl -C /etc/oinkmaster/oinkmaster.conf -o /etc/suricata/rules
   (re-run this command to fetch updated Emerging Threats rules, then restart Suricata so it loads them)

EXAMPLE OF BASIC IPTABLES RULES

Interface names must match step 2: eth0 is the Internet-facing side and eth1 the internal side (substitute your own names, e.g. ens7, if they differ). The X.X.X.X placeholders are the public address, the internal network and the internal hosts.

# start from an empty ruleset in both the filter and nat tables
iptables --flush
iptables --delete-chain
iptables --table nat --flush
iptables --table nat --delete-chain
# default policy: drop everything addressed to the firewall and everything forwarded;
# the firewall's own outgoing traffic stays allowed (OUTPUT policy is ACCEPT)
iptables -P INPUT DROP
iptables -P FORWARD DROP
# without these two rules the DROP policy also kills loopback traffic and the replies
# to the firewall's own connections (yum, wget, oinkmaster)
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# open ssh port to administer
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# drop all at the end of input chain (explicit; same effect as the policy)
iptables -A INPUT -j DROP
# forwarding: internal hosts may go out, and their return traffic comes back in
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# from the outside only the DNATed ports get through (these match the PREROUTING rules below)
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 222 -m conntrack --ctstate DNAT -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
# outgoing snat: the internal network leaves with the public address
iptables -t nat -A POSTROUTING -o eth0 -s X.X.X.X/X -j SNAT --to X.X.X.X
# incoming nat rules: public port -> internal host:port

iptables -t nat -A PREROUTING -i eth0 -d X.X.X.X -p tcp --dport 222 -j DNAT --to X.X.X.X:222
iptables -t nat -A PREROUTING -i eth0 -d X.X.X.X -p tcp --dport 80 -j DNAT --to X.X.X.X:80

##############
# nfq enable #
##############
# -I puts this at the top of FORWARD, so every forwarded packet reaches Suricata before
# any ACCEPT rule. No --queue-num means queue 0, which is what "suricata -q 0" listens on.
# Packets Suricata accepts continue down the chain from the next rule. If nothing is
# listening on the queue the kernel drops the packets (fail closed); add --queue-bypass
# if you would rather fail open while Suricata is down.
iptables -I FORWARD -j NFQUEUE
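The rules above are typed in by hand and lost at the next reboot. The script below is an added example, not part of the original how-to: it writes the same ruleset in iptables-restore format (what the iptables service loads from /etc/sysconfig/iptables), checks that the NFQUEUE rule sits above every FORWARD ACCEPT so nothing bypasses Suricata, and only touches the live firewall when run with "apply". It assumes eth0/eth1 from step 2; the addresses (203.0.113.10, 192.168.10.0/24, 192.168.10.20), the file name fw.sh and the use of iptables-restore --test as a syntax check are assumptions for the example.

```shell
#!/bin/bash
# Added example (not from the original how-to): build the ruleset as an
# iptables-restore file, verify rule order, and apply/persist only on request.
# Interface names and addresses are placeholder assumptions; override via env.
WAN_IF=${WAN_IF:-eth0}                    # Internet-facing interface (step 2)
LAN_IF=${LAN_IF:-eth1}                    # internal interface (step 2)
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}      # public address (TEST-NET-3 placeholder)
LAN_NET=${LAN_NET:-192.168.10.0/24}       # internal network
WEB_SERVER=${WEB_SERVER:-192.168.10.20}   # internal host receiving the DNATed ports

# Print the full ruleset (nat and filter tables) to stdout.
gen_ruleset() {
  cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# incoming: public port -> internal host, only on the Internet-facing interface
-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport 222 -j DNAT --to-destination $WEB_SERVER:222
-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_SERVER:80
# outgoing: internal hosts leave with the public address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $PUBLIC_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# every forwarded packet goes to Suricata on queue 0 before any ACCEPT rule;
# with no listener the kernel drops them (fail closed) unless --queue-bypass is added
-A FORWARD -j NFQUEUE --queue-num 0
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 222 -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_SERVER -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

# Succeeds only if, in the filter table, the NFQUEUE rule comes before the first
# FORWARD ACCEPT: anything accepted earlier would never be seen by Suricata.
check_nfqueue_first() {
  gen_ruleset | awk '
    /^\*filter/                                    { infilter = 1 }
    infilter && /^-A FORWARD .*-j NFQUEUE/ && !nfq { nfq = NR }
    infilter && /^-A FORWARD .*-j ACCEPT/  && !acc { acc = NR }
    END { if (nfq && acc && nfq < acc) exit 0; exit 1 }'
}

# Write, syntax-check, load and persist the ruleset (needs root and iptables-services).
apply_ruleset() {
  [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; return 1; }
  check_nfqueue_first || { echo "NFQUEUE rule is not first in FORWARD" >&2; return 1; }
  gen_ruleset > /etc/sysconfig/iptables.new
  iptables-restore --test /etc/sysconfig/iptables.new   # parse only, nothing is loaded
  mv /etc/sysconfig/iptables.new /etc/sysconfig/iptables
  iptables-restore /etc/sysconfig/iptables               # load it now
  systemctl enable iptables                              # and reload it at boot
}

case "${1:-show}" in
  show)  gen_ruleset ;;
  check) check_nfqueue_first && echo "NFQUEUE precedes every FORWARD ACCEPT" ;;
  apply) apply_ruleset ;;
esac
```

Run `bash fw.sh` to print the ruleset, `bash fw.sh check` to verify the order, and `bash fw.sh apply` as root to load and persist it. Compared with the hand-typed rules, the FORWARD chain here only accepts established traffic, outbound traffic from the internal network, and the two DNATed ports, instead of everything in and out of the internal interface.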

START SURICATA

suricata -c /etc/suricata/suricata.yaml -q 0 &

-q 0 attaches Suricata to NFQUEUE number 0, the queue the NFQUEUE rule above sends to. Use -D instead of the trailing & to run it as a daemon. Check /var/log/suricata/suricata.log for startup errors and fast.log for alerts. Note that while Suricata is not running, forwarded traffic stops: queued packets with no listener are dropped by the kernel.

Example: SURICATA in IPS MODE

Suricata only blocks traffic when it runs inline on NFQUEUE (the -q 0 above) and the matching rule's action is drop rather than alert. Point suricata.yaml at the rules directory and a local.rules file:

vi /etc/suricata/suricata.yaml
default-rule-path: /etc/suricata/rules/
rule-files:
- local.rules

and put the blocking rule in /etc/suricata/rules/local.rules on a single line (SITE.com is the placeholder for the site to block):

drop tcp any any -> any any (msg:"SITE is blocked"; content:"SITE.com"; http_header; nocase; classtype:policy-violation; sid:1000001; rev:1;)

Example: only inspect port 80

To hand only HTTP traffic to Suricata instead of everything, queue just the packets to and from port 80 in place of the catch-all NFQUEUE rule. For the traffic of internal hosts that is the FORWARD chain:

iptables -I FORWARD -p tcp --dport 80 -j NFQUEUE
iptables -I FORWARD -p tcp --sport 80 -j NFQUEUE

The INPUT/OUTPUT variants only cover HTTP connections made by the firewall itself, not the hosts behind it:

iptables -I INPUT -p tcp --sport 80 -j NFQUEUE
iptables -I OUTPUT -p tcp --dport 80 -j NFQUEUE

Example: create your own rules

Add local.rules to the rules to be loaded by Suricata (the emerging-*.rules names are the files Oinkmaster placed in /etc/suricata/rules in step 4):

default-rule-path: /etc/suricata/rules/
rule-files:
- local.rules
- emerging-ftp.rules
- emerging-policy.rules

Create local.rules in /etc/suricata/rules/ using a text editor. Each rule goes on a single line. Use sids of 1000000 and above for your own rules so they cannot collide with the downloaded sets (Emerging Threats uses 2000000 and up), and bump rev whenever you change a rule:

drop tcp any any -> any any (msg:"facebook is blocked"; content:"facebook.com"; http_header; nocase; classtype:policy-violation; sid:1000001; rev:1;)

Restart Suricata after editing rules so the new file is loaded.
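The following script is an added example, not part of the original how-to or of Suricata, covering both the IPS-mode rule and the local.rules section above: it generates local.rules from a list of sites, refuses to install a file whose rules Suricata would skip (missing sid or rev, duplicate sid) or whose sids sit in the range used by downloaded rulesets, and, when the suricata binary is present, runs Suricata's configuration test (suricata -T) before you restart it. The site list, the starting sid 1000001 and the added flow:to_server,established keyword (which limits the match to the client's request) are assumptions for the example; the rule body is otherwise the one shown above.

```shell
#!/bin/bash
# Added example (not from the original how-to): generate, lint and install
# local.rules for the site-blocking drop rule. Site list and sids are
# constructed placeholders.
RULES_DIR=${RULES_DIR:-/etc/suricata/rules}   # override for a dry run elsewhere

# Print one drop rule per site, each on a single line, starting at sid $1.
gen_local_rules() {
  local sid=${1:-1000001} site
  for site in facebook.com example.net; do
    printf 'drop tcp any any -> any any (msg:"%s is blocked"; flow:to_server,established; content:"%s"; http_header; nocase; classtype:policy-violation; sid:%d; rev:1;)\n' \
      "$site" "$site" "$sid"
    sid=$((sid + 1))
  done
}

# Read rules on stdin; exit 1 (printing the reason) on a missing sid, a sid
# below the 1000000 local range, a duplicate sid, or a missing rev.
lint_rules() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    {
      n++
      if (!match($0, /sid:[0-9]+;/)) { print "rule " n ": missing sid"; bad = 1; next }
      sid = substr($0, RSTART + 4, RLENGTH - 5)
      if (sid + 0 < 1000000)   { print "rule " n ": sid " sid " is below the local range"; bad = 1 }
      if (sid in seen)         { print "rule " n ": duplicate sid " sid; bad = 1 }
      seen[sid] = 1
      if ($0 !~ /rev:[0-9]+;/) { print "rule " n ": missing rev"; bad = 1 }
    }
    END { if (bad) exit 1 }'
}

# Write the file only if it passes the lint, then let Suricata parse everything.
install_rules() {
  gen_local_rules | lint_rules || { echo "not installing: fix the rules above" >&2; return 1; }
  gen_local_rules > "$RULES_DIR/local.rules"
  if command -v suricata >/dev/null 2>&1; then
    suricata -T -c /etc/suricata/suricata.yaml   # test mode: parses config and rules, loads nothing
  fi
}

case "${1:-show}" in
  show)    gen_local_rules ;;
  lint)    gen_local_rules | lint_rules && echo "rules OK" ;;
  install) install_rules ;;
esac
```

Run it without arguments to see the generated rules, with `lint` to check them, and with `install` as root to write /etc/suricata/rules/local.rules and run the Suricata config test; restart Suricata afterwards so the new rules are loaded.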