The Perfect Linux Firewall Part I -- IPCop
Version 2.3
Author: Joseph Guarino
Last edited 02/22/2006

This document describes how to install the GNU/Linux GPL IPCop firewall and create a small home office network. In the second installment we cover creating a DMZ for hosting your own web server or mail server and the Copfilter proxy for filtering web and email traffic.

This is intended to be a quick and dirty overview on creating an IPCop firewall and comes without warranty of any kind!

What is IPCop

The IPCop project is a GNU/GPL project that offers an exceptional, feature-packed standalone firewall to the Internet community. Its comprehensive web interface, well-documented administration guides, and its involved and helpful user/administrative mailing lists make users of any technical capacity feel at home. It goes far beyond a simple ipchains / netfilter implementation available in most Linux distributions and even the firewall feature sets of commercial competitors.

Firewalls have had to undergo a tremendous metamorphosis as a result of evolving threats. IPCop is exemplary in offering such a range of default features and, beyond that, a large set of optional plug-ins which can provide further functionality.

Some of IPCop's impressive base install features include: secure HTTPS web administration GUI, DHCP Server, Proxying (Squid), DNS Proxying, Dynamic DNS, Time Server, Traffic Shaping, Traffic/Systems/Firewall/IDS graphing, Intrusion Detection (Snort), ISDN/ADSL device support and VPN (IPSec/PPTP) functionality. As if these base features were not astounding enough, there are dozens of add-ons which can further expand the functionality of your IPCop, from Web Filtering to Anti-virus scanning.

Pre-Requisites for Your IPCop
IPCop installation generally runs 25 minutes, and you can complete it with relatively modest hardware requirements such as a 386 processor with 32MB RAM and >300MB of disk, and 3 Network Cards (2 if there is no need for a DMZ). If you plan to utilize caching proxy, IDS or other add-ons, consider additional horsepower in terms of RAM/Processor.

Building Your IPCop: What You Need
  • 386 Processor with 32MB RAM, 300MB hard disk and 3 Network Cards
  • 2 x 5 port 10/100/1000 switch or a Layer 3 switch
  • Network Cables
  • Burned ISO CD
IPCop Example Network


Architectural Decisions: Segmentation
One essential consideration you have to make before installing is network architecture (segmentation/address space). IPCop uses a color-coding system of Red, Green, Blue and Orange to describe the roles or security levels which an interface/network segment will have in protecting your network. The color coding is logical in that it represents a continuum of network access from restricted to permissive. A Red interface is your untrusted interface/segment, like the Internet, whereas Green is the trusted interface/segment of your internal network. Additionally, Blue is a separate segment for wireless devices, while Orange is for a DMZ, where you place any publicly accessible servers you want available to the Internet. In this case we are only configuring a Green/Red/Orange network installation with 3 network interfaces, one of which is connected to your cable broadband provider's cable modem (Ethernet).

Understanding and Picking your address space

Before you begin it is important to know your ISP's TCP/IP settings. Does your ISP give you a DHCP address or a static IP address? In many cases simply going to your ISP's support page offers you this information. Most ISPs use DHCP to dynamically allocate IP address space, so you get a non-static IP address that applies to your Red interface. Make note of the TCP/IP settings your ISP would have you use before you install.
In architecting your IPCop solution you have the choice of which NAT (Network Address Translation) network address space to set up. The address space for the Green, Blue and Orange networks depends entirely on how many nodes or machines you will have on each network. There are 3 network spaces defined by the standards body, IETF, that can be used for these NAT'ed networks and they are:

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

If your Green network contains 15 hosts you can use 192.168.1.2-16. Your Green interface will run DHCP and pass out addresses to your internal network in this range. The same logic applies to address space on your Orange or DMZ network: select a network space appropriate for the number of hosts/networks you will require.
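
The address-planning rules above can be checked before you boot the installer. The following Python code is an added example, not part of the original howto or of IPCop; it uses the addresses from this howto (Green 192.168.1.1 with the 192.168.1.2-16 DHCP range, Orange in 192.168.10.x) and assumes /24 masks and an Orange interface address of 192.168.10.1, neither of which the howto states.

```python
import ipaddress

# The three private blocks listed above (10/8, 172.16/12, 192.168/16).
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_plan(segments, dhcp_pools=None):
    """Return a list of problems in an address plan; an empty list means OK.

    segments:   {color: (network in CIDR form, firewall interface address)}
    dhcp_pools: {color: (first address, last address, hosts to serve)}
    """
    problems, nets = [], {}
    for color, (cidr, iface_ip) in segments.items():
        net = ipaddress.ip_network(cidr)
        iface = ipaddress.ip_address(iface_ip)
        nets[color] = (net, iface)
        if not any(net.subnet_of(block) for block in PRIVATE_BLOCKS):
            problems.append(f"{color}: {net} is not private address space")
        if iface not in net:
            problems.append(f"{color}: interface {iface} is outside {net}")
        elif iface in (net.network_address, net.broadcast_address):
            problems.append(f"{color}: interface {iface} is not a host address")

    # Overlapping segments make routing between the colors ambiguous.
    colors = sorted(nets)
    for i, a in enumerate(colors):
        for b in colors[i + 1:]:
            if nets[a][0].overlaps(nets[b][0]):
                problems.append(f"{a} and {b} overlap")

    for color, (first, last, hosts) in (dhcp_pools or {}).items():
        if color not in nets:
            problems.append(f"{color}: DHCP pool for an undefined segment")
            continue
        net, iface = nets[color]
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi or lo not in net or hi not in net:
            problems.append(f"{color}: pool {lo}-{hi} does not fit in {net}")
            continue
        if lo == net.network_address or hi == net.broadcast_address:
            problems.append(f"{color}: pool includes a reserved address")
        if lo <= iface <= hi:
            problems.append(f"{color}: pool hands out the interface address {iface}")
        if int(hi) - int(lo) + 1 < hosts:
            problems.append(f"{color}: pool is too small for {hosts} hosts")
    return problems


# Constructed sample: the howto's addresses; the /24 masks and the Orange
# interface address 192.168.10.1 are assumptions.
PLAN = {"GREEN": ("192.168.1.0/24", "192.168.1.1"),
        "ORANGE": ("192.168.10.0/24", "192.168.10.1")}
POOLS = {"GREEN": ("192.168.1.2", "192.168.1.16", 15)}

if __name__ == "__main__":
    for line in check_plan(PLAN, POOLS) or ["plan OK"]:
        print(line)
```

An empty result means every segment is private, the segments do not overlap, and the DHCP pool fits its subnet without handing out the firewall's own address.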

Installing your IPCop

  • Verify hardware compatibility at the IPCop website.
  • Download the ISOs and burn them.
  • Connect everything at the physical layer, i.e. Ethernet cables, and hook up your monitor, keyboard and mouse to the machine that will be your IPCop.
  • Boot off the CD.
  • Run through the simple prompt-based installation. NOTE: These are all very self-explanatory steps such as selecting your language. The arrow keys, Tab and Enter will help you navigate.

Install Process
  • Select your language.
  • Select your Installation Medium, a CD in this case.
  • Configure your network cards. The fastest way to configure your network interface cards is by selecting the Probe option. If you know the network card information you can choose your exact interface from Select.



Next, when you are asked, give your Green interface an address, which must be within your chosen address space (192.168.1.x in our example). Enter 192.168.1.1 in the IP address field.


Following this, IPCop will format and copy itself to your hard drive.


After the install has completed you will be prompted to reboot and run setup.


Initial Setup
Having installed IPCop, we now have to enter some further configuration information in setup to complete the installation.

  • Enter the Keyboard, Time Zone and Hostname/Domain.
  • ISDN Setup - As you are not using ISDN, you should select the option to disable it.
  • Network Configuration Type - Select the interface configuration you will be running by tabbing to Network Configuration Type and hitting the Enter key.


In our case you would select Red / Orange / Green.


Since we have 3 interfaces and have only set up Green, repeat the interface setup options for the Red and Orange interfaces as described above.
Configure the Red interface to use DHCP, as this is the interface connected to the Internet (i.e. your ISP). Then configure your Orange interface to use the 192.168.10.x address space. For Red, tab over to the DHCP box and select it by hitting Enter. So if your Green network will contain 15 hosts you can use 192.168.1.2-16. To set this up, simply add in this range 192.168.1.2-16 and tab down to OK.




Password Setup - IPCop has 2 users, root and admin, for which you will be asked to set up passwords. Set both to a strong password: more than 8 characters, not a word in any language, and containing capital letters. A good example would be 1luv19c0p. The root password will be used to log on and add any add-ons or upgrades via SSH. The admin user is used to manage your IPCop day to day.

At the end of the IPCop installation you will be asked to reboot. After the reboot, go to another machine on your LAN and force your network interface card to update your dynamic (DHCP) address with ifconfig (Linux/Unix) or ipconfig (Windows). Verify you are live and active on the new network you have set up, with an address on 192.168.1.x. With this validated, connect to the secure HTTPS web interface of IPCop. Type https://192.168.1.1:445 or https://192.168.1.1:81 and log in as the admin user.

Validate all your settings and connectivity. Then check out all the features you get with this great GNU Open Source Firewall. In the second installment of this howto we will discuss setting up dynamic DNS, filtering email/web/proxying with Copfilter, and allowing access to a web/mail server of your choice in the DMZ or Orange network. Until then go check out the www.IPCop.org website & Happy Hacking!!


Evolutionary IT is an independent provider of systems, network and security solutions. Please do feel free to email comments or suggestions. Many thanks for the help of my amazing sister Antonina in editing this article.


2006 Licensed under Creative Commons Attribution-NonCommercial-ShareAlike 2.5

Joseph Guarino -- Evolutionary IT -- www.evolutionaryit.com

Comments

From: Anonymous at: 2006-01-19 21:51:25

Just post all of it; it would have made for a better read in my opinion. Or make both parts available at the same time.

From: Anonymous at: 2006-01-19 19:10:30

This article is a good intro and it got me going on a FOSS project I did not know about. Good stuff!

From: Anonymous at: 2006-02-15 01:25:53

I think the invisible firewall feature of pfsense makes it an interesting addition to an IPCop protected network, especially if the tutorial author could be persuaded to publish it on howtoforge.com

From: evolutionaryit at: 2006-02-16 18:22:17

Hello,

Thanks for dropping by. =) Pfsense looks like an interesting project and I am happy to see innovation happening in all arenas of free and open source software. My hope is that more firewalls share code and expertise to improve the open firewall options that consumers have.

From: Anonymous at: 2006-01-20 01:17:29

Thank you for taking the time to write this very helpful tutorial. I hope you'll also cover using ipcop for vpn access on the next tutorial.

From: evolutionaryit at: 2006-01-27 16:28:32

I do appreciate your kind words. =) Maybe I will focus on the VPN side of things in a later series.

From: evolutionaryit at: 2006-02-06 06:41:14

Yeah bro it's mine too. =)

From: Anonymous at: 2006-01-20 07:33:39

Good article. I had installed ip-cop long before. Really it is a great free solution. And some add-ons can be applied to ip-cop such as p2p blocking, content filtering and intrusion detection.

From: evolutionaryit at: 2006-01-27 16:41:50

Thanks so much for your kind words. I hope that you get a chance to check out our second installment.

From: Anonymous at: 2006-01-23 06:54:48

I have been using IPCop for several years now and am very happy about it. This article is very well-written and I am looking forward to its second part. If both the parts are available together in a printer-friendly version, its usefulness would increase.

kumaresan

From: admin at: 2006-01-24 11:31:03

Below the howto is a "printer friendly" link.

From: evolutionaryit at: 2006-02-06 06:35:38

Hey,

There is the link below and these will also be on the Internet Archive in the near future once the second installment is completed. For those of you that do not know about the Internet Archive, please do check it out at http://www.archive.org/.

Thanks,

Joe

From: evolutionaryit at: 2006-01-27 16:26:50

The link will be placed when the series is complete. =)

From: Anonymous at: 2006-01-20 22:51:34

I disagree. I find IPCop to be easy to use and set up but not very extensible. I prefer Clarkconnect, which has many modules and addons and MUCH better community support.

Peekj

From: Anonymous at: 2006-01-23 04:37:14

The free home version of Clarkconnect may not be that flexible for more demanding tasks? If you want more, don't those Clarkconnect modules and addons often cost money?

From: Anonymous at: 2006-01-21 16:46:15

Hello Anonymous,

Clarkconnect has 1/2 of the features and many fewer addons than exist for IPCop. The IPCop community has been incredible and I am very happy with the project in every aspect. As well, Clarkconnect is not as open and transparent a development community, being more focused on creating commercial software, NOT a usable free software GPL'd firewall. For this and many other reasons it is a superior Linux firewall.

IPCop Addons

List of IPCop Addons

From: evolutionaryit at: 2006-01-27 16:39:14

Hello Peekj, I have used both as well as the vast majority of commercial firewalls and have ended up sticking with IPCop. For me it does more of what I want and has an amazing support community.

From: Anonymous at: 2009-08-10 05:09:02

What about other commercial products? Have you tried affordable solutions like ideco? I think its functionality is amazing. I think for many companies it's more reasonable to employ ready to work solutions rather than figuring out how to use a number of free programs, right?


From: Anonymous at: 2006-01-21 23:35:54

Good job man! I use IPCop on my own networks and on dozens of clients and I am very happy with it. Keep up the good work IPCop team.

From: Anonymous at: 2006-01-25 15:51:55

Maybe it is better to talk about ipcop addons..... many many

From: evolutionaryit at: 2006-01-27 16:25:10

I just might cover them in the future. =) As I state in the article I will cover my favorite add-on copfilter.

From: Anonymous at: 2006-02-03 04:38:22

One great addon is the Zerina OpenVPN addon, which is an alternative method of constructing a VPN that is simpler to use than IPSec yet cross-platform. It's based on OpenSSL for secure transport. OpenVPN is regarded as secure, compared to some of the amateur efforts at VPNs in the past like CIPE.

It would be good to cover this and increase the popularity of IPCop and Zerina

From: at: 2006-12-05 01:16:52

Good article. In-depth review..

The main difference from other Linux firewalls is that its interface is simpler.

Besides, Ipcop firewall has been added to our useful resources (category firewall).

Best regards,

Sophia Parker

The All-Internet-Security.com Directory

From: evolutionaryit at: 2006-02-06 06:30:18

Hello,

I do concur. =) Zerina OpenVPN is another amazing IPCop add-on which I hope becomes part of the code base in future releases. Copfilter is another of my favorites which has my vote for inclusion in future releases of IPCop.

Thanks for your comments,
Joe

From: Anonymous at: 2006-01-27 14:00:28

If you don't want to dedicate a machine as a firewall, Shorewall is great. Excellent documentation. I have been using it for 4 years on my home network.

From: Anonymous at: 2006-01-27 21:41:35

and am happy to see it getting some coverage and exposure because it is a great GNU/Linux firewall. Everyone should check it out http://www.ipcop.org

From: Anonymous at: 2006-01-31 20:23:25

Great work on the article.

From: Anonymous at: 2006-02-02 20:30:27

As a user of Ipcop for many years now I have to concur that it is a great gnu firewall.

From: Anonymous at: 2006-02-09 17:10:19

seeing the second part of the article. Ipcop + copfilter = network bliss.

From: Anonymous at: 2006-03-16 12:32:21

As far as I remember, IPCop allows any traffic going out from the LAN to the Internet (great for trojans). I wish you could do an article regarding a fix for that.

From: evolutionaryit at: 2006-05-08 14:08:32

Hello,

Most firewalls allow connections from the trusted LAN (Green) out to the internet. This can be configured or blocked within IPCop (on CLI w/ IPTABLES) and there are addons to help as well. Check out BOT http://blockouttraffic.de/ As I always say one cannot look at a firewall as a panacea but as part of a set of security tools, techniques and processes.

Thanks,

J

From: at: 2006-11-17 20:51:09

This has been a great help to me in the last few days.

Very well written article! 

From: access repair at: 2011-01-05 07:12:15

Although not an official part of IPCop, there are many addons, some based on the addon server, that add additional functionality to IPCop, such as advanced QoS, e-mail virus checking, traffic summary, extended interfaces for controlling the proxy, and many more.

From: Anonymous at: 2006-03-07 21:36:11

Hey Joe,

Good work on this second article! Keep it up man.

From: Anonymous at: 2006-03-08 16:59:30

From one geek to another- thanks for this article! I have been following along from the first part and I hope that you keep writing more stuff. I really like what you are advocating and will definitely stay tuned. AWESOME!

From: evolutionaryit at: 2006-03-08 22:32:06

From: evolutionaryit at: 2006-03-08 22:31:22

From: Anonymous at: 2006-03-13 14:38:40

I put in an IPCop firewall (running on some really old hardware) at a customer's place to handle their public wifi offering. Because that public connection shares the same T1 as their business, I set up QoS and traffic shaping for that public portion. It works like a champ. I have rebooted the IPCop box once in about 8 months.

From: Anonymous at: 2006-03-08 16:47:03

and they are a very effective duo. Thanks.

From: evolutionaryit at: 2006-03-08 22:30:52

you are using the great IPCop!

From: evolutionaryit at: 2006-03-08 22:30:22

you DO have to open those ports to your ORANGE network. This is no more of a security threat as you are on a separate segment from your GREEN Lan and you have secured your DMZ network services. =)

From: Anonymous at: 2006-03-09 03:19:06

Um, no, because Copfilter handles that for you. You should not have to portforward. I know by default IPCOP blocks access from ORANGE (or DMZ) clients from using services running on IPCOP. So if you want servers or clients on ORANGE or the DMZ to access Copfilter services like ProxSMTP, P3scan, HAVP and Frox, you need to use another MOD called BOT (Block Out Traffic) where you can control rc.firewall.local etc. There you can create advanced firewall rules to allow ORANGE clients to access services running locally on your IPCOP firewall.

Port forwarding is not the answer, and WILL create holes in the firewall. If you use Copfilter for incoming SMTP scanning for a mail server on your DMZ, Copfilter will handle the routing for you, there is no need to create a port forwarding rule and in some cases this has caused problems with some people (Emails bypassing Copfilter SMTP Scanner).


Please update your tutorial. And thank you for providing one for the Copfilter community.

Best regards,

Dayne

MCSA, MCSE, CCNA, SCJP

From: evolutionaryit at: 2006-03-09 22:45:12

Hello Dayne,

Please in the future do not spam the comment list. In the future feel free to email me. I do not bite. =) You are correct in part in saying the Copfilter will scan SMTP/POP3 but the devil is in the details (as it always is). You are correct that it needs more clarification and I will do so. The configuration matters most as to where and how the scanning happens. For example some might want to not use PROXSMTP (performance issues) and instead scan on the email server itself so they would have to add a portforwarding rule. The HTTP rule DOES need to be added as well as any other ports one might want such as FTP, etc. You should join me next time in co-authoring an article. =)

P.S. Pleased to see you are certifiably certified as am I. =)

Thanks much for reading and reflecting on the article!

Joe

From: Anonymous at: 2006-03-09 23:42:40

Thanks for sharing your expertise on this kick-ass firewall! I am all ears for your suggestions Joe!

From: evolutionaryit at: 2006-03-10 16:40:05

Kick ass INDEED!

From: Anonymous at: 2006-03-10 01:05:10

I found your article to be an extremely clear and useful guide. Thank you for your comprehensive and insightful article.

From: evolutionaryit at: 2006-03-10 16:38:38

That it was helpful! Stay involved and informed with the FOSS community and JOIN US!

From: Anonymous at: 2006-08-28 19:10:16

Thanks Joseph for this contribution. Your article would help a lot of sysadmins to quickly understand and deploy this firewall.

Adoption of opensource solutions at the workplace is the biggest need for opensource. There are open source solutions for almost everything. However, businesses invest a lot of money in closed source solutions, simply because of the easy to take off nature of those solutions. There are many consultants who can get the basic implementation up and running in a matter of days, mapping business requirements to the commercial products. In that sense, your document is a great enabler for IPCop/CopFilter.

 Anm

From: LinuxLover at: 2009-11-10 14:12:29

very nice article dude. much appreciated ;)