Building a better Firewall with Ubuntu

Posted: November 9, 2011 in Guides

The following article will teach you how to build a firewall with intrusion detection and prevention capabilities built in. For this we will use iptables and the Suricata IDS/IPS. This guide is not necessarily for the faint of heart; however, so long as you have a basic knowledge of networking and the ability to compile software, you shouldn’t get too lost in the sauce.

This guide was written on Ubuntu 10.04.3 LTS but should hold true for 11.04 and 11.10 as well. We will cover two use cases, a host-based IPS firewall and a gateway-based IPS. The Suricata setup is identical for both, and it is easy to switch between them, because which traffic Suricata inspects is controlled entirely by an iptables script.

Step 1 : Installing Suricata

Satisfying Dependencies

note : this will satisfy all dependencies needed to build Suricata in inline (NFQUEUE) mode, which is what we will use for our IPS

sudo apt-get update && sudo apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0 make

Download and Compile Suricata

Getting Suricata

tar xvf suricata-1.0.5.tar.gz
cd suricata-1.0.5

Building Suricata in inline mode.

./configure --enable-nfqueue
make
sudo make install
sudo ldconfig

Configuring Suricata

Setting up Suricata’s directories

sudo mkdir /var/log/suricata
sudo mkdir /etc/suricata

Copy over configuration files

sudo cp ~/suricata-1.0.5/classification.config /etc/suricata
sudo cp ~/suricata-1.0.5/suricata.yaml /etc/suricata

Configure Suricata

Edit the following file : /etc/suricata/suricata.yaml

If you need to change

HOME_NET

to something other than the default, change it now: it is the network Suricata is protecting, the address range it treats as local. You can also change

EXTERNAL_NET

from its default of any. With any, every address counts as external, including HOME_NET itself, so rules written against the external network also fire on traffic between local hosts. That is the more paranoid setting and raises the alert volume, but we will leave the defaults in this case.

Installing Emerging Threats Rules

Emerging Threats maintains a good set of default rules for an IDS/IPS. They are written in Snort rule syntax, which is also the syntax Suricata reads.

Prepare the rules directory

sudo mkdir /etc/suricata/rules
cd /etc/suricata/rules

Getting Emerging Threats Rules


Then edit /etc/suricata/suricata.yaml, check that default-rule-path points at /etc/suricata/rules, and add the following line to the rule-files list

 - emerging-all.rules
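One thing to know before trusting this rule set in inline mode: Suricata only blocks a packet when it matches a rule whose action is drop (or reject); an alert rule logs and lets the packet through. The Emerging Threats files ship as alert rules, so an IPS built from them unmodified blocks nothing. Flipping every rule to drop is a quick way to black-hole legitimate traffic on the first false positive, so the usual approach is to promote only the categories you trust. The script below does that conversion; it is an added example, not part of the original post or of the Emerging Threats project, and the three rules in sample_rules are constructed for the demonstration (sids from the local range, not real ET signatures).

```shell
#!/bin/sh
# Added example (not from the original post): promote selected Emerging
# Threats "alert" rules to "drop" for inline (NFQUEUE) use, chosen by
# classtype, and leave everything else as alert.

# sample_rules: three constructed rules in Snort/Suricata syntax, using sids
# from the local range (1000000+). They are NOT real Emerging Threats rules.
sample_rules() {
    cat <<'EOF'
# constructed sample rules for alert_to_drop
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SAMPLE SSH brute force"; flags:S; threshold:type both,track by_src,count 5,seconds 60; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"SAMPLE IRC bot check-in"; content:"NICK "; classtype:trojan-activity; sid:1000002; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SAMPLE ICMP echo request"; itype:8; classtype:misc-activity; sid:1000003; rev:1;)
EOF
}

# alert_to_drop IN_FILE OUT_FILE CLASSTYPE[,CLASSTYPE...]
#   Writes IN_FILE to OUT_FILE with "alert" changed to "drop" on every rule
#   whose classtype is one of the listed ones. Comments, disabled rules and
#   rules of other classtypes are copied through untouched.
alert_to_drop() {
    in=$1; out=$2; classes=$3
    [ -r "$in" ] || { echo "alert_to_drop: cannot read $in" >&2; return 2; }
    [ -n "$classes" ] || { echo "alert_to_drop: no classtypes given" >&2; return 2; }
    # "a,b" becomes the awk alternation "a|b".
    pat=$(printf '%s' "$classes" | sed 's/,/|/g')
    awk -v pat="$pat" '
        /^alert / && match($0, /classtype:[^;]*;/) {
            # text between "classtype:" (10 chars) and the closing ";"
            ct = substr($0, RSTART + 10, RLENGTH - 11)
            gsub(/ /, "", ct)
            if (ct ~ ("^(" pat ")$")) sub(/^alert /, "drop ")
        }
        { print }
    ' "$in" > "$out"
}

# count_action FILE ACTION: number of rules in FILE whose action is ACTION.
count_action() {
    grep -c "^$2 " "$1" || true
}

# Direct use, e.g. after downloading emerging-all.rules:
#   ./alert_to_drop.sh /etc/suricata/rules/emerging-all.rules \
#       /etc/suricata/rules/emerging-drop.rules trojan-activity,attempted-admin
# then list emerging-drop.rules instead of emerging-all.rules under rule-files.
if [ $# -eq 3 ]; then
    alert_to_drop "$1" "$2" "$3"
    echo "drop rules: $(count_action "$2" drop), alert rules: $(count_action "$2" alert)"
fi
```

The classtype names come from classification.config, which you copied into /etc/suricata earlier; pick the ones whose false-positive rate you can live with (the sample promotes attempted-admin and trojan-activity and leaves misc-activity as a plain alert). Re-run the conversion whenever you refresh the rule file, since the downloaded file is always all alerts.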

Step 2 : Configuring iptables to use Suricata

If you want Suricata to filter traffic through the intrusion prevention engine, you must add the following rules to your iptables script. A packet that matches -j NFQUEUE is handed to Suricata, and Suricata’s verdict (accept or drop) is final for that packet: it is not checked against the rules that follow the NFQUEUE rule. Two things follow from this. Put the NFQUEUE rules before any ACCEPT rule that would otherwise match the same traffic, and make sure Suricata is running before the rules are loaded, because the kernel drops packets queued to a queue that no program is attached to.

iptables -A INPUT -j NFQUEUE
iptables -A OUTPUT -j NFQUEUE

In the case of host based usage for Suricata this will be fine. If you are using Suricata on a gateway you will need the following rule.

iptables -A FORWARD -j NFQUEUE

You can use any standard iptables conventions to limit what goes to Suricata. For instance, if you only want inbound SSH traffic inspected, you could do the following (the NFQUEUE rule must come first, because the ACCEPT below it matches everything):

iptables -A INPUT -p tcp --dport 22 -j NFQUEUE
iptables -A INPUT -j ACCEPT 

Note that this queues only the inbound half of each SSH connection; the server’s replies leave through OUTPUT untouched, so Suricata sees one direction of the stream. Add a matching OUTPUT rule for source port 22 if you want it to inspect both.

Once you have configured your iptables script to utilize Suricata you can start the IPS.

sudo suricata -c /etc/suricata/suricata.yaml -s /etc/suricata/rules/emerging-all.rules -q 0 -D

This starts Suricata as a daemon (-D) reading packets from NFQUEUE number 0 (-q 0), which must be the queue the iptables rules above send traffic to. The -q option selects the inline IPS run mode, so no -i interface is given: in this mode Suricata receives packets from the kernel queue rather than by sniffing an interface, and -i selects the separate pcap run mode. The -c and -s options are the configuration and signature files; change these if you are using custom files.
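The whole iptables side of Step 2 in one script, as an added example rather than the script from the post: it prints an iptables-restore ruleset (filter table only) for either mode, with the NFQUEUE rules placed where the text above says they must go, and refuses to load it until something is bound to the queue, so that loading the rules before Suricata is up cannot black-hole the box. The queue number 0, the interface eth1 as the gateway’s LAN side, and the management-SSH rule are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the original post's iptables script). Builds an
# iptables-restore ruleset that hands traffic to Suricata on NFQUEUE and loads
# it only when a process is bound to that queue. Assumptions for illustration:
# queue number 0, and eth1 as the gateway's LAN-facing interface.

# queue_is_bound QUEUE: true if some userspace program (Suricata) has bound
# NFQUEUE number QUEUE. /proc/net/netfilter/nfnetlink_queue lists one bound
# queue per line, queue number first; the file is absent when the
# nfnetlink_queue module is not loaded, which also means nothing is bound.
queue_is_bound() {
    [ -r /proc/net/netfilter/nfnetlink_queue ] || return 1
    awk -v q="$1" '$1 == q { found = 1 } END { exit !found }' \
        /proc/net/netfilter/nfnetlink_queue
}

# nfq_ruleset MODE [QUEUE]: print the filter table for MODE=host or
# MODE=gateway. A packet that hits -j NFQUEUE leaves the chain; Suricata's
# verdict decides whether it is accepted or dropped, so the NFQUEUE rule goes
# after the traffic you never want queued (loopback) and before any
# catch-all ACCEPT.
nfq_ruleset() {
    mode=$1
    queue=${2:-0}
    case "$mode" in
        host|gateway) ;;
        *) echo "usage: nfq_ruleset host|gateway [queue]" >&2; return 2 ;;
    esac
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    if [ "$mode" = host ]; then
        # Host: both directions of every flow go through Suricata so it can
        # reassemble streams; nothing after these rules is reachable.
        echo '-A OUTPUT -o lo -j ACCEPT'
        echo "-A INPUT -j NFQUEUE --queue-num $queue"
        echo "-A OUTPUT -j NFQUEUE --queue-num $queue"
    else
        # Gateway: only routed traffic is inspected. Management SSH from the
        # LAN side and replies to the gateway's own connections stay out of
        # the queue so a Suricata restart cannot lock you out.
        echo '-A INPUT -i eth1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT'
        echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        echo "-A FORWARD -j NFQUEUE --queue-num $queue"
    fi
    echo 'COMMIT'
}

# load_nfq_ruleset MODE [QUEUE]: the kernel drops packets queued to a queue
# nobody is attached to, so loading the rules before Suricata is up blocks
# every queued flow. Refuse to do that.
load_nfq_ruleset() {
    queue=${2:-0}
    nfq_ruleset "$1" "$queue" >/dev/null || return 2
    if ! queue_is_bound "$queue"; then
        echo "nothing is bound to NFQUEUE $queue; start Suricata (-q $queue) first" >&2
        return 1
    fi
    nfq_ruleset "$1" "$queue" | iptables-restore
}

# ./nfq-rules.sh show gateway 0      print the ruleset
# ./nfq-rules.sh apply host 0        load it (as root, with Suricata running)
case "${1:-}" in
    show)  nfq_ruleset "$2" "$3" ;;
    apply) load_nfq_ruleset "$2" "$3" ;;
esac
```

Run it with show first and read the output; apply only replaces the filter table, so any NAT or mangle rules your gateway already has are left alone. If you change the queue number, change it in both places: the --queue-num here and the -q value Suricata is started with.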

After you’ve started Suricata you’re good to go. Enjoy your IPS.

  1. Carlos says:

    Hi Adam, Would this be ideal for a desktop machine?

    • dangertux says:

      IPS/IDS is more often used on a gateway, or array of sensors in a larger more vital network. However there is no reason you couldn’t use it on a desktop.

      That being said, if you are already barely meeting system requirements for Ubuntu, it may be a bit taxing on your system. Personally (and this is opinion) I consider it overkill for a home machine, but if you are concerned about security it’s a viable option.

      I hope this helps.
