How to setup a firewall between my ISP cable modem/router and my LAN?


Seems I’ve found a working solution... maybe trivial once you know it, but keep in mind I didn’t know Linux nor much networking. So, here’s what I learned:
- you need to use a bridge if you want ‘plug&play’, because it just passes traffic. You could set up a router, but then what comes behind the firewall needed a different LAN (eg. 10.x.x.x instead of 192.168.x.x). I would also end up with double NAT and needed to run a DHCP server to provide all devices behind the router/firewall an IP address. So, that’s why I went with a bridge: no need to change the existing setup, but just put the bridge in between.

Now, getting the firewalling to work on a bridge can be done using iptables. Since a bridge doesn’t look at level 3 (IP), but only at level 2 (MAC address/ethernet frame), I’ve found that using the iptables extension “physdev” is needed. The man page about it gave me some info.

So far I was able to block a ping or port 80, 443 etc. just for testing... but it proves it would work out OK this way. Important is to use the FORWARD chain. For example:

iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -p icmp --icmp-type echo-request -j DROP

Next things to find out:
- how to block IPv6... not sure if I need to add rules to ip6tables or just disable it altogether on the host. In my internal LAN only IPv4 addresses would be needed. Would I miss out on anything if I would block/not use IPv6?
- check out ebtables
- get into Snort

... but I feel I got where I wanted to be.
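A fuller rule set built on the same physdev/FORWARD approach, as an added example that is not part of the original answer. It assumes eth0 is the bridge port toward the ISP modem/router, eth1 the port toward the LAN switch, that the ISP router stays the LAN's DHCP server (as in the question), and that the br_netfilter module is available on the host.

```shell
#!/bin/sh
# Transparent-bridge firewall for the layout on this page: eth0 faces the ISP
# modem/router, eth1 faces the LAN switch, both enslaved to br0.
# Set IPT=echo IP6T=echo (or use "dry-run") to print rules instead of loading them.
IPT="${IPT:-iptables}"
IP6T="${IP6T:-ip6tables}"
WAN_IF="${WAN_IF:-eth0}"   # bridge port toward the ISP router (DHCP server)
LAN_IF="${LAN_IF:-eth1}"   # bridge port toward the switch / wireless AP

# iptables only sees bridged frames when br_netfilter is loaded and the
# bridge-nf sysctls are on; otherwise physdev rules in FORWARD never match.
enable_bridge_netfilter() {
  modprobe br_netfilter 2>/dev/null || true
  sysctl -w net.bridge.bridge-nf-call-iptables=1
  sysctl -w net.bridge.bridge-nf-call-ip6tables=1
}

# Default-deny in FORWARD for v4 and v6: the LAN may open anything toward the
# WAN port; the WAN port may only deliver replies to those connections.
# For IPv6 this also drops router advertisements from the ISP side, which is
# what the poster wants (no IPv6 on the LAN); allow ICMPv6 if that changes.
install_rules() {
  for t in "$IPT" "$IP6T"; do
    $t -P FORWARD DROP
    $t -F FORWARD
    $t -A FORWARD -m physdev --physdev-in "$LAN_IF" --physdev-out "$WAN_IF" -j ACCEPT
    $t -A FORWARD -m physdev --physdev-in "$WAN_IF" --physdev-out "$LAN_IF" \
       -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  done
  # Replies to the initial DHCP DISCOVER/REQUEST (sent from 0.0.0.0) never match
  # a conntrack entry, so allow the server port explicitly or the LAN loses leases.
  $IPT -A FORWARD -m physdev --physdev-in "$WAN_IF" --physdev-out "$LAN_IF" \
       -p udp --sport 67 --dport 68 -j ACCEPT
  # Anything else from the WAN port falls to the DROP policy; log it
  # (rate-limited) so blocked inbound attempts are visible in the kernel log.
  for t in "$IPT" "$IP6T"; do
    $t -A FORWARD -m physdev --physdev-in "$WAN_IF" -m limit --limit 5/min \
       -j LOG --log-prefix "bridge-fw drop: "
  done
  # The bridge host's own IP (headless ssh) must only be reachable from the LAN port.
  $IPT -A INPUT -m physdev --physdev-in "$WAN_IF" -p tcp --dport 22 -j DROP
}

case "${1:-}" in
  apply)   enable_bridge_netfilter && install_rules ;;
  dry-run) IPT=echo; IP6T=echo; install_rules ;;
esac
```

Run it with `dry-run` first and read the printed rules; `apply` needs root and replaces the FORWARD chain, so keep a console or a LAN-side ssh session open in case a rule locks you out.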

Author by WU7

Updated on September 18, 2022

Comments

  • WU7
    WU7 over 1 year

    My goal is to set up a firewall & Intrusion Prevention system using Snort. I have a spare PC available with at least 2 physical NICs, which ran pfSense having a firewall with Snort, but this time I want to do the setup myself. So far I managed to install Debian 9 as a headless system with ssh login (and if really needed I could add a keyboard and screen temporarily).

    I wanted to start with just a firewall, without Snort.

    How do I achieve the following:
    - is it possible to put the firewall just in between my ISP cable modem router and my LAN? The ISP router has DHCP/NAT enabled, which I can't turn off.
    - I want to achieve a "plug&play" firewall that I could just put in between, without turning it into a double NAT (which I had before using pfSense). I mean, if possible I don't want to have different networks, eg. a 192.168.x.x one and, for example, a 10.x.x.x one.
    - the firewall is headless, logging in via ssh

          Internet
            WAN
             |
             |
          ISP Cable Modem & Router with DHCP
          gateway 192.168.0.1
             |
             |
           [eth0]
          Firewall
           [eth1]
             |                ________ Wireless AP
             |               /
             |_____ Switch__/_________ PC1
                            \
                             \________ ...
    

    I tried to set up a bridge on br0 (via /etc/network/interfaces) adding eth0 and eth1. The bridge had an IP address and it worked fine, where I could still connect to the internet from devices behind the switch via the AP. So I learned bridges don't care about IP addresses.... which doesn't sound good to build a firewall with eventually Snort (IPS). I've read about iptables and using the "physical dev". Maybe I'm forced to do double NAT and set up routing? The problem is I don't know enough to know what is best and how to go about it. Sure, I've googled (a lot) and found for example on aboutdebian.org articles about proxy/NAT and firewalling... but most articles assume you can have a modem only, but I can't turn off DHCP nor can I configure the range of it. It's always the full 255.255.255.0 range.

    • Rui F Ribeiro
      Rui F Ribeiro almost 6 years
      An IDS is passive, and can be set up in a bridge.
  • WU7
    WU7 almost 6 years
    Thanks for taking the time to reply. Unfortunately I’ve contacted my ISP already with this question... and they can’t / won’t turn it into bridge mode. I’m only allowed to change the cable-modem/router via their online portal.... which is quite basic. There’s no way to turn off DHCP or choose my own range etc. I had my pfSense installed as firewall/router with double NAT (so ending up with separate networks before and after pfSense).
  • WU7
    WU7 almost 6 years
    One day the pfSense upgrade failed, so I had to take it out, which switched the devices from a 10.x.x.x LAN back to a 192.168.x.x network and made me redo their setup and certificates... From what I could google myself it seems I either need to go with a transparent bridge firewall (but probably won’t allow IPS?) or have no other choice than to do double NAT again ending up with different LANs, or is there a way to route between 2 NICs, where devices at either side are in the same subnet, eg. getting their IP via the DHCP from the ISP modem/router?
  • WU7
    WU7 almost 6 years
    Would this maybe be what I need to do: aboutdebian.com/proxy.htm