IPCop
Similar to Webmin,
IPCop is a 2 part client-server application. IPCop is installed and initially configured on a sever. After this point, if you want to access/further modify
it, the ideal method is from a browser on a separate client machine. To access
it enter http://ipaddress:81 (by default IPCop will
invoke an https session).
Some of IPCops impressive base install features include: secure
https web administration GUI, DHCP Server, Proxying
(Squid), DNS Proxying, Dynamic DNS, Time Server,
Traffic Shaping, Traffic/Systems/Firewall/IDS graphing, Intrusion Detection
(Snort), ISDN/ADSL device support and VPN (IPSec/PPTP)
functionality. As if these base features were not an astounding enough there
are dozens of add-ons which can further expand the functionality of your IPCop from Web Filtering to Anti virus scanning.
Pre-Requisites
for your IPCop
IPCop installation generally runs 25 minutes, and you
can complete it with relatively modest hardware requirements such as a 386
processor with 32MB RAM and >300MB of disk, and 3 Network Cards (2 if there
is no need for a DMZ). If you plan to utilize caching proxy, IDS or other
add-ons, consider additional horsepower in terms of RAM/Processor.
Architectural
Decisions: Segmentation
One essential consideration you have to make before installing is network
architecture (segmentation/address space). IPCop uses
color-coding system of Red, Green, Blue and
Run through
the simple prompt-based installation. NOTE: These are all very self-explanatory
steps such as selecting your Language. The arrow Keys, Tab and Enter will help
you navigate.
The current
focus remains two-fold: to get your server in the Orange (DMZ) segment of your IPCop Network and opening up the ports on your firewall to allow
web traffic to it.
Orange Network
Requirements
Hosting a Server on a
Dynamic Connection
As you are using a cable
modem that gives your RED IPCop network interface a
dynamic DHCP address, you will need to set up Dynamic DNS services to resolve
to this host via a human usable form, other than IP Address.
Setting up Dynamic DNS
Along with your dynamically
assigned IP address (RED), you will want to use a Dynamic DNS service to be
able to allow external access to your external web/mail. Setting up Dynamic DNS
with IPCop is easily achieved. Simply pick a Dynamic
DNS provider listed in the IPCop DYNDNS settings.
Grouped together in the
Firewall Menu are some of the core functions of IPCop
which controls how traffic flows through the firewall.
These are:
·
External
Access (Controls remote administration of IPCop
from the Internet)
·
Blue
Access (Connecting a Wireless Access Point to IPCop)
In v1.4 there is a new file for users to make their own changes to firewall
rules. Have a look inside the file /etc/rc.d/rc.firewall.local
It is called by /etc/rc.d/rc.firewall,
and for manual use, the usage is:
$ /etc/rc.d/rc.firewall.local {start|stop|reload}
The reload
option was added in v1.4.2, and further modified in v1.4.6, but changes were
not included in Official Updates, to avoid overwriting Users' existing
modifications.
There
are also specific chains for Users' use, called CUSTOMINPUT, CUSTOMOUTPUT
and CUSTOMFORWARD as per version 1.3.
Introduced
in version 1.3, there is also the file /etc/rc.d/rc.local
which is run when IPCop boots,
and can contain your own specific commands to run at boot time, for instance to
setup an internal modem.
Neither
of these files will be affected by Official Updates, and are included in the
set of files saved when you backup the system files.
This
subsection allows you to configure the Port Forwarding settings for IPCop. This is 100% optional, so you may safely ignore this
section if you do not wish to make use of this feature.
Firewalls
prevent externally initiated requests from accessing the protected system.
However, sometimes, this is too strict a situation. For example, if one is
running a web server, then any requests to that web server by users outside the
protected network will be blocked by default.
This
means that only other users on the same internal network can use the web
server. This is not the normal situation for web servers. Most people want outsiders to be able to access the server. This is
where Port Forwarding comes in.
Port
Forwarding is a service that allows limited access to the internal LANs from
outside. When you set up your server, you can choose the receiving or listening ports on the internal network machines. This is
done differently depending on which software is being used. Please refer to the
documentation that came with your servers to set up the ports on those servers.
Once
those receiving ports are ready, you are ready to enter information into the AW
on IPCop. The TCP/UDP
drop down list allows you to choose which protocol this rule will follow. Most
regular servers use TCP. Some game servers and chat servers use UDP. If the
protocol is not specified in the server documentation, then it is usually TCP. Source port is the port to which the outsiders will
connect. In most cases, this will be the standard port for the service being
offered (80 for web servers, 20 for FTP servers, 25 for mail servers, etc.) If
you wish, you may specify a range of ports to forward. To specify a range use
the : character between two port numbers, lowest
number first. Destination IP is the internal IP
address of the server (for example, you may have your web server on
192.168.0.3).
The Port
Forwarding interface was re-written for version 1.3.0. It is quite different
from earlier versions. However, please note that the port numbers used for a
particular service have not changed, and you should still refer to these above.
The
External Access page has NO affect on the GREEN or
How do
you open up external access then? It is combined into the Port Forward page - there
is a field on the page labeled:
'Source
IP, or network (blank for "ALL"):'
This is
the field that controls external access - if you leave it BLANK, your port
forward will be open to ALL INTERNET ADDRESSES.
Alternatively if you put an address or network in there, it will be restricted
to that network or Internet address.
You can
have more than one external address - after you have created the port forward
entry, it will appear in the table. If you wish to add another external
address, click the Red Pencil with the Plus sign next to the entry, the entry
screen at the top of the page will change (it will load values from the port
forward) and allow you to enter an external IP address or network.
When
added you will now notice that there is a new entry under the port forward in
the table.
Other
things to note:
·
We support the GRE protocol.
·
You can have port ranges and wildcards. Valid
wildcards are:
·
* which translates to 1-65535
·
85-* which translates into 85-65535
·
*-500 which translates into 1-500
Valid
characters to separate a port range are : or -. Note that - will be modified to a :
even though it will be displayed as a - on the
screen.
You only
need to enter the first source port, the destination
will be filled in for you.
You can
edit a record by clicking on the Yellow Pencil icon in the Action column, and
until you hit the update button, nothing changes and nothing is lost.
When you
are editing a record, you will see the record highlighted in yellow.
To
delete a record, click on the Trash Can icon on the right hand side of the
Action column.
Ports
ranges cannot overlap each other.
Individual
ports cannot be placed in the middle of a range i.e. if you have 2000-3000
already set up and then try to forward port 2500, it
will give you an error. You cannot forward the same port to several machines.
Reserved
ports - on the main Red Address (DEFAULT IP) some ports are reserved for IPCop to do its business, they are 67, 68, 81, 222, and 445.
When you
edit a port forward, there will be an extra check box labeled 'Override
external access to ALL'. This is used as a quick and dirty way to open a port
to ALL Internet addresses for testing or whatever your reasons. This was a user
request.
If you
have a port forward with multiple external accesses, when you delete all of the
external accesses, the port becomes open to ALL addresses, be careful of this
one.
There is
a Shortcut to enable or disable a port forward or external access - click on the
Enabled icon (the checkbox in the Action column) for
the particular entry you want to enable or disable. The icon changes to an
empty box when a rule is disabled. Click on the checkbox to enable it again. Note: when you disable the port forward, all associated
external accesses are disabled, and when you enable the port forward, all
associated external accesses are enabled.
This
subsection allows you to configure the External Access settings for IPCop machine itself. This is 100% optional, so you may
safely ignore this section if you do not wish to make use of this feature.
From
v1.3.0 onwards, External Access only controls access to the IPCop
box. It has no affect on the Green, Blue or
If you
wish to maintain your IPCop machine remotely, you
should specify TCP port 445, https. If you have enabled ssh access, you can also enable TCP port 222, ssh.
The TCP/UDP drop down list allows you to choose which
protocol this rule will follow. Most regular servers use TCP. If the protocol
is not specified in the server documentation, then it is usually TCP. Source IP is the IP address of an external machine you
give permission to access your firewall. You may leave this blank, which allows
any IP address to connect.
Although
dangerous, this is useful if you want to maintain your machine from anywhere in
the world. However, if you can limit the IP addresses for remote maintenance,
the IP addresses of those machines or networks that are allowed access, should
be listed in this box.
Once you
have entered all the information, click the Enabled
box and press . This
will move the rule to the next section, and list it as an active rule.
Current rules lists the
rules that are in effect. To remove one, click the Trash Can
icon. To edit one, click the Yellow Pencil icon.
To
enable or disable a rule - click on the Enabled icon
(the checkbox in the Action column) for the particular entry you want to enable
or disable. The icon changes to an empty box when a rule is disabled. Click on
the checkbox to enable it again.
This
subsection allows you to configure the DMZ Pinholes settings for IPCop. This is 100% optional, so you may safely ignore this
section if you do not wish to make use of this feature.
This
page will only be visible if
you have installed and configured an
A DMZ or
Demilitarized Zone (Orange zone) is used as a semi-safe interchange point
between the external Red Zone and the internal Green zone. The Green zone has
all your internal machines. The Red zone is the Internet at large. The DMZ
allows them to share servers without allowing undue access to the internal LAN
by those in the Red Zone.
For
example, suppose that your business has a web server. Certainly, you want your
customers (those in the Red zone) to be able to access it. But suppose you also
want your web server to be able to send customer orders to employees in the
Green Zone? In a traditional firewall setup, this wouldn't work, because the
request for access to the Green zone would be initiating from outside the Green
zone. You certainly do not want to give all your customers direct access to the
machines on the Green side, so how can this work? By using
the DMZ and DMZ pinholes.
DMZ
pinholes give machines in the Orange (DMZ) zone limited access to certain ports
on Green machines. Because servers (the machines in the
The TCP/UDP drop down list allows you to choose which
protocol this rule will follow. Most regular servers use TCP. Some game servers
and chat servers use UDP. If the protocol is not specified in the server
documentation, then it is usually TCP. Use the protocol specified on the Port Forwarding page.
Source Net is a drop down menu that shows
the available source networks on the machine.
Source IP is the IP address of the machine
that you wish to give permission to access your internal servers.
Destination Net is a drop down
menu that shows the available networks on the machine.
The Destination IP is the machine in the Green or Blue zone
that will receive the request.
Once you
have entered all the information, click the Enabled
box and press . This
will move the rule to the next section, and list it as an active rule.
Current rules list the rules
that are in effect. To remove one, click the Trash Can
icon. To edit one, click the Yellow Pencil icon.
To
enable or disable a rule - click on the Enabled icon
(the checkbox in the Action column) for the particular entry you want to enable
or disable. The icon changes to an empty box when a rule is disabled. Click on
the checkbox to enable it again.
This
subsection allows you to configure which Wireless Access Points on the Blue
network can connect to IPCop. This is 100% optional,
so you may safely ignore this section if you do not wish to make use of this
feature.
This
page will only be visible if
you have installed and configured a Blue network interface card.
To setup
Blue Access do the following:
1.
Use a supported Ethernet card to setup the Blue
interface.
2.
Connect an Access Point to that Ethernet card. (Use
the LAN Ethernet port on the AP, if you have a choice of ports).
3.
You can use DHCP to serve dynamic or static
addresses on Blue, although static is preferred for security of MAC addresses.
Refer to the DHCP Server section for more
information on configuring static leases.
If you
only need to provide access for http traffic on the Blue network to the
Internet (Red network), just add the IP Address or the MAC Address of the
Wireless Router, or the individual wireless connected devices if you are using
an Access Point, via the web page shown below. You have to enter at least one
MAC or one IP Address per device. Optionally, you can enter both MAC and
IP Address for a device.
An
Access Point behaves like an Ethernet hub, and IPCop
serves out DHCP leases through it to wireless devices. A Wireless Router does
NAT, serves out DHCP on it's own subnet, and has it's
own access controls.
Your
Access Point must support DHCP passthrough if you
want IPCop to serve DHCP leases through it to your
Wireless Network. Not all devices support this feature in Access Point "mode"
(Netgear WG614, for instance).
You will
be able to view IPCop's web interface from a computer
on the Blue network, but you will not be able to connect to the Green network
without some additional work.
To
connect to the Green network from the Blue network, you have to either:
1.
Use the DMZ
Pinholes page and shoot bullet holes through the Blue interface for your
services, or:
2.
Setup a VPN for your road-warriors on Blue to
provide access.
In the Add Device section you input the IP Address or the MAC
Address of a wireless Access Point, or any device on the Blue network that you
want to connect to the Internet through IPCop.
You have
to enter at least one MAC or one IP Address per device.
If you
use DHCP on the Blue Network, and want to allow any device to connect and access
the Red Network, you must add an entry for every IP Address in your DHCP range
to this list. Leave the MAC Address field empty when adding each IP Address.
Conversely,
if you want to restrict access to known devices, add the MAC address of each
device, and leave the IP Address field empty. That will allow listed devices to
connect regardless of the DHCP lease they receive.
Once you
have entered all the information, click the Enabled
box and press . This will
move the entry to the next section, and list it as enabled.
The Devices on Blue section lists the current entries. To
remove one, click the Trash Can icon. To edit one,
click the Yellow Pencil icon.
To
enable or disable an entry, click on the Enabled
icon (to the left of the Yellow Pencil) for the particular entry you want to
enable or disable. The icon changes to an empty box when a device is disabled.
Click the checkbox to enable it again.
If DHCP
is enabled for the Blue network, the Current DHCP leases
on Blue section will be displayed.
This
provides a quick way of adding wireless devices to the list. You just have to
click on the Blue Pencil icon for a device to be
added to the list of enabled devices. You can then edit the entry, if necessary,
by clicking on the Yellow Pencil icon, as before.
This
subsection allows you to configure some firewall behaviour.
This is 100% optional, so you may safely ignore this section if you do not wish
to make use of this feature.
Disable
ping response
·
- IPCop responds to ping requests on any interface.
This is the default behavior.
·
- IPCop does not respond to ping requests on the Red
Interface.
·
- IPCop does not respond to any ping requests on any
interface.
·
To save changes, press the
button.
These are just a few of the options available in IPCop,
in particular they outline how to install and setup IPCop
to be a firewall, and to install a server in the DMZ zone with appropriate
access, how to forward requests through the firewall to the DMZ server, and how
to setup Dynamic DNS for your internet connection.
For detailed information, go to: http://www.ipcop.org/1.4.0/en/admin/html/
and http://www.howtoforge.com/perfect_linux_firewall_ipcop