Guide to Turning Ubuntu 22.04 into a Router and Firewall

1. Installing Essential Packages

Step 1: Update the System

Before any package installation, update the package list and upgrade your existing packages:

sudo apt update && sudo apt upgrade -y

• Explanation: This ensures that the system is up-to-date and avoids compatibility issues during installations.

Step 2: Install Network Tools

You'll need networking tools like net-tools, iproute2, and iptables for network configuration and troubleshooting.

sudo apt install -y net-tools iproute2 iptables

• net-tools: Provides commands like ifconfig, netstat, and others for managing network interfaces.
• iproute2: Provides utilities such as ip, ss, and tc for advanced network configuration.
• iptables: Manages firewall rules at a lower level (used internally by UFW).

2. Installing Required Packages

Step 1: Install UFW (Uncomplicated Firewall)

UFW simplifies the process of managing iptables rules.

sudo apt install -y ufw

• Explanation: UFW is a user-friendly firewall that allows easy management of network traffic.

Step 2: Enable Packet Forwarding (Router Functionality)

To allow routing between network interfaces, enable packet forwarding.

1. Open the sysctl configuration file:

sudo vim /etc/sysctl.conf

2. Uncomment the line #net.ipv4.ip_forward=1 by removing the #:

net.ipv4.ip_forward=1

3. Apply the changes:

sudo sysctl -p

• Explanation: IP forwarding allows the system to route traffic between different network interfaces (e.g., LAN and WAN).

• Troubleshooting: To verify forwarding, run:

  sysctl net.ipv4.ip_forward

Step 3: Install DNSMasq (Optional)

For DNS and DHCP services, you can install dnsmasq.

sudo apt install -y dnsmasq

• Explanation: dnsmasq provides lightweight DNS and DHCP services. This is optional if you're not using another DNS/DHCP server.

3. Configuring the Firewall with UFW

Step 1: Set Default Policies

Set default policies to control traffic:

sudo ufw default deny incoming
sudo ufw default allow outgoing

• Explanation: Denies all incoming traffic by default and allows all outgoing traffic, only allowing specific services you configure.

Step 2: Allow Important Services

To ensure access to necessary services, allow the following ports:

• Allow SSH (for remote management):

  sudo ufw allow ssh

• Allow HTTP (for web traffic):

  sudo ufw allow http

• Allow HTTPS (secure web traffic):

  sudo ufw allow https

• Allow OpenVPN (for VPN services):

  sudo ufw allow 1194/udp

• Allow Prometheus (for monitoring):

  sudo ufw allow 9090/tcp

• Allow Grafana (for monitoring dashboards):

  sudo ufw allow 3000/tcp

• Explanation: These rules allow access to SSH (port 22), HTTP (port 80), HTTPS (port 443), OpenVPN (port 1194), Prometheus (port 9090), and Grafana (port 3000). Adjust these according to your specific service needs.

Step 3: Allow Forwarding Between Interfaces

If you are using multiple network interfaces (e.g., eth0 for WAN, eth1 for LAN), you need to configure UFW to allow traffic between them:

sudo ufw allow in on eth1
sudo ufw allow out on eth0

1. Edit the UFW configuration file to allow forwarding of packets:

   sudo vim /etc/default/ufw

2. Set DEFAULT_FORWARD_POLICY to ACCEPT:

   DEFAULT_FORWARD_POLICY="ACCEPT"

• Explanation: This configuration allows packets to be forwarded between internal and external interfaces, enabling routing.

Step 4: Apply NAT (Network Address Translation)

To route traffic from your local network to the internet, you need to set up NAT:

1. Edit the UFW configuration file:

   sudo vim /etc/ufw/before.rules

2. Add the following NAT rule before the *filter line (replace eth0 with your external interface):

   *nat
   :POSTROUTING ACCEPT [0:0]
    
   # Forward traffic from eth1 to eth0
   -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
    
   COMMIT

• Explanation: This rule ensures that traffic from the internal network (192.168.1.0/24) is properly NATed when it goes through the external interface (eth0).

Step 5: Enable UFW

Once you've configured your firewall, enable it:

sudo ufw enable

• Explanation: This turns on UFW with the rules you've set up.
• Best Practice: Use sudo ufw status to verify your rules and ensure UFW is configured correctly.

4. Troubleshooting

1. No Internet Connectivity

• Check NAT configuration: Verify that the NAT rule is set up correctly in /etc/ufw/before.rules.
• Verify packet forwarding: Run sysctl net.ipv4.ip_forward to confirm packet forwarding is enabled.
• Check UFW status: Use sudo ufw status verbose to check the active rules.

2. UFW Fails to Start

• Inspect log files: View UFW logs for errors:

  sudo journalctl -xe | grep ufw
• Invalid Rules: Check /etc/ufw/before.rules for syntax errors.

3. Routing Not Working

• Check interface configuration: Ensure that network interfaces (eth0, eth1) are configured correctly.
• Verify firewall rules: Use sudo iptables -L -v to check the active UFW rules for forwarding and NAT.

4. DNS Not Resolving (If Using DNSMasq)

• Check DNSMasq logs: View the logs:

  sudo tail -f /var/log/syslog | grep dnsmasq

Ubuntu 22.04 Router and Firewall Setup: IP Forwarding and NAT with iptables

Now We’ll focus on configuring IP forwarding, enabling IP forwarding, setting up NAT (Network Address Translation) with iptables, adding NAT rules to iptables, and saving the iptables rules.

1. Configuring IP Forwarding

IP forwarding allows your system to forward network traffic from one network interface to another. It’s essential for a router setup.

Check Current IP Forwarding Status

Before enabling IP forwarding, check its current status.

cat /proc/sys/net/ipv4/ip_forward

If the output is 0, it means IP forwarding is disabled.

Enable IP Forwarding Temporarily

To enable IP forwarding temporarily (until the next reboot):

sudo sysctl -w net.ipv4.ip_forward=1

Enable IP Forwarding Permanently

To make the change persistent across reboots:

1. Open the sysctl configuration file:

   sudo vim /etc/sysctl.conf

2. Find the line that reads #net.ipv4.ip_forward=1 and remove the # to uncomment it:

   net.ipv4.ip_forward=1

3. Apply the changes:

   sudo sysctl -p

Now IP forwarding will remain enabled even after a reboot.

2. Enabling IP Forwarding

Enabling IP forwarding allows Ubuntu to pass traffic between different network interfaces, a critical step for turning the system into a router.

Verify IP Forwarding Configuration

After applying the above steps, verify that IP forwarding is enabled using the following command:

sysctl net.ipv4.ip_forward

The output should be:

net.ipv4.ip_forward = 1

This confirms that IP forwarding is active.

3. Configuring NAT with iptables

Network Address Translation (NAT) is used to modify network packet headers, allowing multiple devices to share a single public IP address.

Identify Your Network Interfaces

Identify which interface is connected to the public network (WAN) and which is connected to the internal network (LAN).

Use the following command to list interfaces:

ip a

For example, assume:

• eth0 is connected to the WAN (public network)
• eth1 is connected to the LAN (private network)

Enable NAT with iptables

To enable NAT, you need to set up iptables rules to forward traffic from the LAN (eth1) to the WAN (eth0):

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

This command tells iptables to perform source NAT (SNAT) on traffic leaving eth0 by modifying the source IP address to the public IP.

4. Adding NAT Rules to iptables

We can add more rules to allow forwarding of traffic between LAN and WAN.

Forward Traffic from LAN to WAN

To allow traffic forwarding between your LAN (eth1) and WAN (eth0), add the following rule:

sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

This rule allows forwarding from your internal network interface (eth1) to the external one (eth0).

Allow Response Traffic

To allow response traffic coming back from the internet to your LAN:

sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

This rule ensures that only packets related to previously allowed connections are forwarded.

5. Saving iptables Rules

iptables rules will not persist after a reboot unless you save them. Here’s how you can save and restore them.

Save iptables Rules

To save the current iptables rules, use the following command:

sudo iptables-save | sudo tee /etc/iptables/rules.v4

This command saves the iptables configuration to a file so it will be restored upon reboot.

Ensure iptables Rules Are Restored After Reboot

To make sure iptables rules are restored after reboot, you’ll need to install iptables-persistent:

sudo apt-get install iptables-persistent

During installation, you’ll be prompted to save the current rules. Choose "Yes."

Alternatively, to reload rules manually at any time:

sudo iptables-restore < /etc/iptables/rules.v4

Troubleshooting

1. IP Forwarding Not Working

   • Ensure IP forwarding is enabled by checking /proc/sys/net/ipv4/ip_forward.
   • Verify that sysctl.conf has net.ipv4.ip_forward=1 uncommented and the changes have been applied using sysctl -p.

2. No Internet Access for LAN Devices

   • Ensure the NAT rule is properly set on the WAN interface (eth0 in our example) using the iptables -t nat -L command to list NAT rules.
   • Verify the FORWARD chain rules allow forwarding between the LAN and WAN interfaces.

3. iptables Rules Not Persisting After Reboot

   • Ensure iptables-persistent is installed and configured to save and restore rules automatically.
   • Use sudo iptables-save and sudo iptables-restore to manually save and reload rules.

4. Network Performance Issues

   • Check network interface configurations using ip a to ensure they are correctly set up.
   • Monitor packet drops and errors using ifconfig or ip -s link for potential hardware or driver issues.

This guide provides a robust framework for configuring Ubuntu 22.04 as a router and firewall. The steps are customizable depending on your specific network environment.

Configuring OpenVPN

We will cover how to configure OpenVPN, generate certificates using Easy-RSA, set up server and client certificates, configure the OpenVPN server, and start and enable the OpenVPN service.

Install OpenVPN and Easy-RSA

Command Steps

sudo apt update
sudo apt install openvpn easy-rsa

Explanation: This installs OpenVPN and the Easy-RSA package. Easy-RSA is used to generate the necessary certificates and keys for OpenVPN.

Generate OpenVPN Certificates and Keys Using Easy-RSA

Easy-RSA simplifies the process of generating and managing the certificates needed for secure OpenVPN connections.

Command Steps

1. Set Up Easy-RSA Directory:

make-cadir ~/openvpn-ca
cd ~/openvpn-ca

Explanation: make-cadir creates a new directory for Easy-RSA, and we navigate into it.

2. Configure Easy-RSA Variables:

Edit the vars file to customize the certificate details:

vim ~/openvpn-ca/vars

Modify these lines with appropriate values:

export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="MyOrganization"
export KEY_EMAIL="email@example.com"
export KEY_OU="MyOrganizationalUnit"
export KEY_NAME="server"

Explanation: These variables define the default certificate settings, such as country and organization.

3. Generate Certificate Authority (CA):

source vars
./clean-all
./build-ca

Explanation: This command generates a new Certificate Authority (CA). The clean-all command clears any previous configurations to avoid conflicts.

Generate Server and Client Certificates

Command Steps

1. Create the Server Certificate and Key:

./build-key-server server

Explanation: This generates the server certificate and key. The "Common Name" will be server, and you will be prompted to confirm the details. Type "y" when asked to sign and commit the certificate.

2. Generate Diffie-Hellman Parameters:

./build-dh

Explanation: Diffie-Hellman parameters are necessary for key exchange during the encryption process.

3. Generate Client Certificate and Key:

For each client, repeat this command, replacing client1 with the desired client name:

./build-key client1

Explanation: Each client needs its own certificate and key to connect securely to the VPN.

4. Generate a TLS Key:

openvpn --genkey --secret keys/ta.key

Explanation: The TLS key helps to protect the OpenVPN server from denial-of-service (DoS) attacks.

OpenVPN Server Configuration

Command Steps

1. Copy Sample Configuration File:

sudo cp /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz /etc/openvpn/
cd /etc/openvpn
sudo gzip -d server.conf.gz

Explanation: The sample configuration file provided by OpenVPN is used as a template for setting up the server.

2. Edit the Server Configuration:

Open the configuration file for editing:

sudo vim /etc/openvpn/server.conf

Look for the following lines and modify them as needed:

ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
cipher AES-256-CBC

Explanation: These lines specify the paths to the certificates, keys, and encryption cipher to use.

3. Configure IP Forwarding:

Edit the /etc/sysctl.conf file to enable IP forwarding:

sudo vim /etc/sysctl.conf

Uncomment the following line:

net.ipv4.ip_forward=1

Apply the change:

sudo sysctl -p

Explanation: IP forwarding must be enabled for OpenVPN to route traffic between the VPN clients and the wider internet.

Start OpenVPN and Enable the Service

Command Steps

1. Start the OpenVPN Service:

sudo systemctl start openvpn@server

Explanation: This command starts the OpenVPN server using the configuration in /etc/openvpn/server.conf.

2. Enable OpenVPN on Boot:

sudo systemctl enable openvpn@server

Explanation: This ensures that the OpenVPN service starts automatically when the server reboots.

Best Practices

1. Use Strong Encryption:

   • Always choose strong encryption protocols (such as AES-256) and avoid outdated or weak ciphers.

2. Monitor Logs:

   • Regularly monitor OpenVPN logs to identify any connection or security issues:

   sudo tail -f /var/log/syslog | grep openvpn

3. Update OpenVPN and Packages:

   • Regularly update OpenVPN and the operating system to protect against vulnerabilities:

   sudo apt update && sudo apt upgrade

Troubleshooting

1. Check OpenVPN Status:

sudo systemctl status openvpn@server

• Failed to Start:

  • Check the log file for more information:

    sudo journalctl -u openvpn@server

  • Common causes include incorrect file paths for certificates or keys in the configuration file.

2. Client Cannot Connect:
   • Ensure the client's certificate is properly generated and installed.
   • Verify that the OpenVPN server is accessible on the correct port (usually UDP 1194).
3. DNS Issues:

   • If clients cannot resolve domain names after connecting, ensure DNS servers are properly configured in the OpenVPN server configuration.

   • Add this to /etc/openvpn/server.conf to push DNS settings to clients:

     push "dhcp-option DNS 8.8.8.8"
     push "dhcp-option DNS 8.8.4.4"

VPN Client Configuration: Setting up OpenVPN Client on Ubuntu 22.04

Step 1: Install OpenVPN on the Client Machine

To start, you need to install OpenVPN on the client machine.

Command Steps:

sudo apt update
sudo apt install openvpn

Step 2: Create OpenVPN Client Configuration

You will need to create a .ovpn configuration file on the client machine. This configuration file contains all the details required for the client to connect to the OpenVPN server.

Command Steps:

1. Navigate to the Directory for Configurations
   On the server where the OpenVPN configuration resides, navigate to the directory where the server’s configuration and certificates are stored.

   cd /etc/openvpn

2. Copy Example Client Configuration File
   If an example client configuration file is provided (typically named client.conf or client.ovpn), copy it:

   cp /usr/share/doc/openvpn/examples/sample-config-files/client.conf /etc/openvpn/client/client.ovpn

3. Edit the Client Configuration
   Open the client configuration file in a text editor such as vim:

   vim /etc/openvpn/client/client.ovpn

   Modify the following fields according to your server settings:

   • remote SERVER_IP PORT: Replace SERVER_IP with the public IP address or hostname of your OpenVPN server, and PORT with the port OpenVPN is using (default: 1194).
   • proto: Make sure this matches the protocol you set on the server (either udp or tcp).
   • ca, cert, and key paths: Update the paths to the client's certificates and keys that you'll transfer to the client machine.

   Example:

   remote your-server-ip 1194
   proto udp
   dev tun
   ca ca.crt
   cert client.crt
   key client.key

   Make sure you include the client certificate, key, and server CA certificate in the .ovpn file if you're using inline certificates.

4. Add Certificates and Keys to Client Configuration (Optional)
   If you want to use inline certificates and keys within the .ovpn file (rather than separate files), include them directly in the client configuration file:

   • Add the CA certificate:

     <ca>
     # Paste the content of the ca.crt file here
     </ca>

   • Add the client certificate:

     <cert>
     # Paste the content of the client.crt file here
     </cert>

   • Add the client key:

     <key>
     # Paste the content of the client.key file here
     </key>

   Save and close the file (Ctrl + X, then Y, then Enter to save and exit in vim).

Step 3: Transfer Client Configuration Files

Now, transfer the .ovpn file and the necessary certificates and keys (if not included inline) to your OpenVPN client machine.

Command Steps:

1. Using SCP (Secure Copy)

   scp /etc/openvpn/client/client.ovpn username@client-ip:/path/to/destination/

   Replace username@client-ip:/path/to/destination/ with the username and IP of the client machine and the desired destination path.

2. Using USB or Other Method
   Alternatively, you can use a USB drive, FTP, or another transfer method to move the configuration files.

Step 4: Connect to the OpenVPN Server

Once the configuration file is on the client machine, start the VPN connection.

Command Steps:

1. Start OpenVPN
   Run the following command on the client machine:

   sudo openvpn --config /path/to/client.ovpn

2. Verify the VPN Connection
   Once OpenVPN connects, verify that the VPN tunnel has been created. You should see Initialization Sequence Completed in the terminal, indicating that the VPN connection is successful.

   • Check the VPN interface with:

     ip a
   • You should see a new tun0 interface or something similar, depending on your configuration.

Step 5: Auto-Start the VPN on Boot (Optional)

You can configure OpenVPN to start automatically on boot for ease of use.

Command Steps:

1. Move the Configuration File to OpenVPN Directory
   Copy the client configuration file to the OpenVPN directory:

   sudo cp /path/to/client.ovpn /etc/openvpn/client.conf

2. Enable the OpenVPN Service
   Enable the OpenVPN service to start at boot:

   sudo systemctl enable openvpn@client

3. Start the OpenVPN Client Service
   Start the OpenVPN service immediately:

   sudo systemctl start openvpn@client

Troubleshooting Section

Here are some common issues you might encounter during the configuration and how to resolve them:

1. Client Can't Connect to the Server

• Check Firewall Rules: Ensure that the firewall on the server allows the OpenVPN port (default: 1194).

  sudo ufw allow 1194/udp
• Check Server Status: Verify the OpenVPN server is running:

  sudo systemctl status openvpn@server

2. Initialization Sequence Failed

• Invalid Configuration: Double-check the configuration file on the client, especially the IP address, port, and certificate paths.
• Check Logs: OpenVPN logs can provide more insight into the issue:

  sudo journalctl -xe -u openvpn@client

3. VPN Connection Drops or is Unstable

• Network Configuration: Verify that your network interface and routing settings are properly configured.
• MTU Issues: Sometimes, incorrect MTU values can cause packet loss or instability. Add the following to your client configuration:

  tun-mtu 1500
  mssfix 1450

4. Client Cannot Access Local Network

• Ensure that IP forwarding is enabled on the OpenVPN server:

  sudo sysctl -w net.ipv4.ip_forward=1

Also, check that the necessary firewall and routing rules are in place on the server.

Best Practices for VPN Client Configuration

• Use Strong Encryption: Ensure you're using strong ciphers in both the client and server configurations for security. Example:

  cipher AES-256-CBC

• Use Inline Certificates: It's often more convenient and secure to embed the CA certificate, client certificate, and key directly into the client .ovpn file.

• Monitor Logs: Regularly check both client and server logs for errors or suspicious activity.

With these steps, you should have a functional OpenVPN client setup connecting to your Ubuntu 22.04 router/firewall!

Comprehensive Guide: Configuring IDS/IPS with Snort and Suricata on Ubuntu 22.04

1. Introduction to IDS and IPS

• Intrusion Detection System (IDS): Monitors network traffic for suspicious activity, logging it or alerting the administrator.
• Intrusion Prevention System (IPS): Proactively blocks suspicious activity based on predefined rules.

2. Installing and Configuring Snort

Snort is an open-source IDS/IPS tool that performs real-time traffic analysis and packet logging.

2.1 Install Snort

Snort can be installed from Ubuntu's repositories or via source. In this guide, we will use the Ubuntu repository for simplicity.

sudo apt install snort

2.2 Configuring Snort

After installation, you need to configure Snort with the appropriate network interfaces and rules.

1. Locate and edit the Snort configuration file:

sudo vim /etc/snort/snort.conf

2. Set your network variables:
   • Define the IP range of your internal network by locating and modifying the ipvar HOME_NET line.

ipvar HOME_NET 192.168.1.0/24

• Set the external network (EXTERNAL_NET) to all non-home network addresses:

ipvar EXTERNAL_NET !$HOME_NET

2.3 Downloading and Configuring Snort Rules

1. Download the Snort community rules:

sudo wget https://www.snort.org/downloads/community/community-rules.tar.gz

2. Extract the rules:

sudo tar -xvzf community-rules.tar.gz -C /etc/snort/rules

3. Update the Snort configuration to include the new rules:
   • Add the rules directory path in snort.conf by adding or modifying this line:

include /etc/snort/rules/community.rules

2.4 Running Snort

1. Test your Snort configuration:

sudo snort -T -i eth0 -c /etc/snort/snort.conf

2. Start Snort in IDS mode:

sudo snort -A console -q -c /etc/snort/snort.conf -i eth0

This command runs Snort and outputs alerts to the console based on traffic passing through the eth0 interface.

3. Installing and Configuring Suricata

Suricata is a high-performance IDS/IPS with multi-threading support, which complements or can replace Snort in some setups.

3.1 Install Suricata

Install Suricata using the apt package manager:

sudo apt install suricata

3.2 Configuring Suricata

1. Edit the Suricata configuration file:

sudo vim /etc/suricata/suricata.yaml

2. Set your network variables:
   • Edit the HOME_NET variable in the Suricata configuration to reflect your internal network:

vars:
  address-groups:
    HOME_NET: "[192.168.1.0/24]"

3.3 Downloading Suricata Rules

1. Install the Suricata rule manager (suricata-update):

sudo apt install python3-pip
sudo pip3 install suricata-update

2. Update the Suricata rules:

sudo suricata-update

3. Check the rules loaded into Suricata:

sudo suricata -T -c /etc/suricata/suricata.yaml -v

3.4 Running Suricata in IDS or IPS Mode

1. To run Suricata in IDS mode (detect-only):

sudo suricata -c /etc/suricata/suricata.yaml -i eth0

2. To run Suricata in IPS mode (detect and prevent):

First, configure your network interfaces to use Suricata as a bridge:

sudo ip link set eth0 promisc on
sudo ip link set eth1 promisc on
sudo brctl addbr br0
sudo brctl addif br0 eth0 eth1
sudo ip link set br0 up

Then, run Suricata in IPS mode:

sudo suricata -c /etc/suricata/suricata.yaml --af-packet -D

This command tells Suricata to operate as an inline IPS using AF_PACKET sockets.

4. Best Practices

• Rule Management: Regularly update both Snort and Suricata rules to ensure that your IDS/IPS remains effective against emerging threats.
• Monitor Performance: Ensure that your system resources (CPU, memory, disk I/O) are sufficient to handle the load, especially if running in IPS mode.
• Test the Configuration: Periodically simulate attacks or run vulnerability assessments to ensure the IDS/IPS is functioning as expected.
• Logging and Alerts: Integrate with logging tools like syslog, ELK Stack, or Grafana to store and visualize alerts efficiently.
• Backup Configuration Files: Always keep backup copies of your configuration and rule files to quickly restore settings if something goes wrong.

5. Troubleshooting Section

5.1 Snort Fails to Start

• Error: "Can't find pcap library"
  Ensure that libpcap is installed:

  sudo apt install libpcap-dev

• Error: "No rules found to load"
  Verify that the rules are correctly placed in the /etc/snort/rules directory and the snort.conf file is pointing to the correct location.

5.2 Suricata Fails to Start

• Error: "Can't set promiscuous mode on interface"
  Make sure the interface exists and is up:

  sudo ip link set eth0 up

  Also, verify that no other application is using the same interface in promiscuous mode.

5.3 Performance Issues

• High CPU Usage
  Both Snort and Suricata can be resource-intensive, especially in IPS mode. Consider tuning the number of threads used by Suricata by modifying the suricata.yaml configuration:

  threading:
    set-cpu-affinity: yes

• Slow Network Throughput
  IPS mode may slow down traffic if the system cannot process packets fast enough. Try adjusting Suricata's af-packet settings in /etc/suricata/suricata.yaml to optimize packet processing performance:

  af-packet:
    - interface: eth0
      threads: 4
      defrag: yes

5.4 No Alerts Being Triggered

• Incorrect Network Variables
  Check that the HOME_NET and EXTERNAL_NET variables in both Snort and Suricata are set correctly for your network environment.

• Insufficient Rules
  Ensure that you have appropriate rules downloaded and loaded into your IDS/IPS. If rules are too lenient or outdated, threats may not be detected.

5.5 Log Analysis

• Snort Logs
  Snort logs are typically found in /var/log/snort. You can inspect the alert logs:

  sudo tail -f /var/log/snort/alert

• Suricata Logs
  Suricata logs are stored in /var/log/suricata. You can inspect alerts:

  sudo tail -f /var/log/suricata/fast.log

Conclusion

By setting up Snort and Suricata as IDS/IPS systems, you have added a robust layer of network security to your Ubuntu 22.04 router/firewall setup. Regular updates, performance monitoring, and vigilant rule management will ensure that your network remains protected from emerging threats.