These are not so much Ubuntu-specific questions as general Linux networking and security questions. I came to this forum because it seems my questions have a better chance of getting answered here, and it's for security purposes.
I'm in the process of setting up a security server on my home network to do some packet analysis, security scanning, bandwidth monitoring, etc. There are some limitations to the layout of my network that I've worked through, and after some Googling, I think I've come up with a solution. However, there are some things about Linux that I'm not familiar enough with and wanted to get some questions answered and general feedback.
I'm running off a DSL connection with a static IP. Currently I have a Netgear Wireless N router working as my border router, handling the DSL connection, DHCP server, and stateful firewall. From there a cable runs to an upstairs switch in my office closet, which has 2 Windows 7 desktops, a Raspberry Pi, and an Ubuntu server. A Roku from my son's bedroom also connects to the switch. Pretty much all other devices are connected via wireless (two more Rokus, a smart TV, a few iDevices).
I'd like to capture all inbound and outbound traffic on my border router and send it to the Ubuntu server upstairs. I have a spare Buffalo Wireless G router running TomatoUSB, and I discovered (via Google) that it can handle port mirroring using iptables to redirect in- and outbound traffic to another system:
Code:
iptables -t mangle -A PREROUTING -j TEE --gateway x.x.x.x
iptables -t mangle -A POSTROUTING -j TEE --gateway x.x.x.x
I'm not really familiar with iptables, but after reading some documentation I got the gist of what's going on with the above commands. However, one question I have is, would the above commands create a "feedback loop" if the mirrored traffic was sent out the same interface that was being mirrored? In other words, the interface sees traffic on eth0, mirrors it out eth0, which is seen on eth0, which is mirrored again out eth0, etc, etc, etc until something catastrophically fails.
Secondly, the Ubuntu server has 3 interfaces on it, 2 of which are unused. Preferably I'd like to send the mirrored traffic to one of the unused interfaces. How do I set it up so that this interface would essentially be a "dumb" interface - nothing goes out of it, it's just used for receiving the mirrored data? And does it need to be in promiscuous mode?
I've attached a rough drawing of my proposed design for feedback. So far I have nmap and OpenVAS (+ Greenbone Security Assistant) running on it. I've used Snort in the past, so will probably use that for security monitoring. I'm still looking at bandwidth monitoring applications.
Any feedback or suggestions are welcome.
Thanks
Coogan
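The following is an added example, not code from the original post or from TomatoUSB. It prints the router-side TEE rules scoped to the WAN interface so each forwarded packet is cloned once per direction, plus the commands that turn a spare NIC on the capture host into a receive-only, promiscuous interface with no address and no ARP. Every interface name, the mirror address and the MAC are assumed placeholders (WAN_IF, LAN_IF, MIRROR_GW, CAP_IF, CAP_MAC) and must be replaced with real values; the `ip neigh` line assumes the router's `ip` binary supports neighbour entries.

```shell
#!/bin/sh
# Added example, not code from the original post. Prints the router-side
# TEE rules and the capture-host commands for a receive-only mirror NIC.
# All interface names, addresses and the MAC are ASSUMED placeholders;
# override them with environment variables for a real setup.
set -eu

WAN_IF="${WAN_IF:-vlan2}"                 # assumed: TomatoUSB WAN interface
LAN_IF="${LAN_IF:-br0}"                   # assumed: TomatoUSB LAN bridge
MIRROR_GW="${MIRROR_GW:-192.168.1.250}"   # assumed: unused LAN address used as TEE target
CAP_IF="${CAP_IF:-eth2}"                  # assumed: spare NIC on the Ubuntu server
CAP_MAC="${CAP_MAC:-02:00:00:00:00:01}"   # assumed: MAC of that spare NIC

# Router side (TomatoUSB). Matching PREROUTING on WAN ingress and
# POSTROUTING on WAN egress clones each packet once per direction; the
# unscoped rules from the post clone every forwarded packet at both hooks.
# The clones are emitted by the router itself toward MIRROR_GW on the LAN,
# so they never re-enter PREROUTING on the WAN interface and cannot loop.
# The permanent neighbour entry lets the router hand clones to a NIC that
# carries no address and never answers ARP.
router_rules() {
    cat <<EOF
iptables -t mangle -A PREROUTING  -i $WAN_IF -j TEE --gateway $MIRROR_GW
iptables -t mangle -A POSTROUTING -o $WAN_IF -j TEE --gateway $MIRROR_GW
ip neigh replace $MIRROR_GW lladdr $CAP_MAC dev $LAN_IF nud permanent
EOF
}

# Capture host side (Ubuntu). No address, no ARP, no IPv6 autoconf, and
# the raw table drops the mirrored copies before routing and conntrack,
# so the NIC only feeds packet sockets (tcpdump, Snort) and never sends.
# The clones are unicast to CAP_MAC, so promisc is not strictly required
# for them; it is set so the NIC also picks up anything else it sees.
capture_host_cmds() {
    cat <<EOF
ip addr flush dev $CAP_IF
sysctl -w net.ipv6.conf.$CAP_IF.disable_ipv6=1
ip link set dev $CAP_IF arp off multicast off promisc on up
iptables -t raw -A PREROUTING -i $CAP_IF -j DROP
iptables -A OUTPUT -o $CAP_IF -j DROP
EOF
}

# Print both halves by default; APPLY=capture runs the capture-host
# commands on this machine (needs root and a real CAP_IF).
if [ "${APPLY:-}" = capture ]; then
    capture_host_cmds | sh -e
else
    echo "# paste into the TomatoUSB firewall script:"; router_rules
    echo; echo "# run as root on the Ubuntu server:"; capture_host_cmds
fi
```

Because the capture NIC never transmits, the closet switch never learns which port CAP_MAC sits on and will flood the clones to every port like any unknown unicast. On a small home LAN that only costs some bandwidth on the other ports; if it matters, give the NIC an address in the LAN subnet, leave ARP on, and keep the two DROP rules so it still accepts nothing and originates nothing.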