Situation
We don’t want our gateway to do anything with non-infected data, so we are going to build a transparent (bridging) gateway, knownas a bridge. A bridge passes all the traffic on OSI-layer 2 between two interfaces, so the clients aren’t able to see the trafficgoing over two interfaces.
On the bridge we’re installing snort_inline, a modified version of snort able to drop maliscious traffic with iptables.

Installing the bridge
If you know what you are doing, creating a bridge isn’t too difficult. To create a bridge between two interfaces (e.g. eth0 and eth1) you need the bridge-utils. In Debian it’s as easy as apt-get install bridge-utils, but I’m sure that your distribution has itpackaged. After installing the bridge-utils it is as easy as these commands:

#create the bridge
brctl addbr br0
#add the interfaces
brctl addif eth0
brctl addif eth1

Notice that we’re not giving the bridge an ip address, because we are going to connect this system directly to the Internet.

Installing snort_inline
Before we install snort_inline, we need to install libpcap, libnet, libipq and libpcre. Also make sure you have the iptables development headers in place. To install snort_inline it is as simple as doing the famous three-command sequence (configure, make, make install) but make sure you solve reported problems first
After installation you need to edit the configfile by hand, look at the examples in the source-directory (some hints: var RULE_PATH, log stuff etc).

Integrading snort_inline and iptables
Before you can use snort_inline to monitor (and block) you’re traffic you need to integrate it with iptables. We do this with theip_queue module, so you need to modprobe the module first. In case your kernel doesn’t provide ip_queue you are in bad luck, you need to recompile the kernel to include ip_queue….
After loading the module it is as easy as the following rule in iptables:

iptables -I FORWARD -p tcp –dport 80 -j QUEUE

The line above pushes all the traffic from and too port 80 in a queue. If you try to surf to the Internet with a box behind the bridge, it won’t work.
Now we start snort_inline:

snort_inline -c /etc/snort_inline/snort_inline.conf -Q -N -t /var/log/snort/ -v

You should be able to surf again.

Converting rules
Normaly snort has ALERT rules, it just alerts you when maliscious traffic is detected. Because we aren’t looking at our logs all the time, we’re going to DROP the traffic if it is maliscious. In the source-directory you see a directory rules, copy this directory to your configdirectory (normaly this is /etc/snort). Make a backup off the directory and run the following script on the backup:

#!/bin/bash
#converting ALERT rules to DROP rules
for file in $(ls -1 *.rules)
do
sed -e ‘s:^alert:drop:g’ ${file} > ${file}.new
mv ${file}.new ${file} -f
done

Make sure you alter your configfile to load the adjusted rules!

That’s all folks!
Remember, all the traffic to port 80 is going through snort_inline, so if snort_inline is stopped the traffic will stop!
To reverse this project, just remove ip_queue and the iptables rules you use to push the traffic through snort_inline!