SolutionBase: Learn how to set up an IPCop firewall

Here's how to install IPCop, a Linux-based firewall that turns an x86 system into a firewall appliance.

Firewalls are everywhere. They are standard issue, par-for-the-course, ticket-to-ride technology that every network, system, and device that is connected to the Internet now requires. Firewalls also take on a lot of different forms, from software solutions to small devices you can pick up at an electronics store to high-end boxes from vendors such as Cisco.

All of the different firewall choices can get a little overwhelming for IT professionals, especially when you only need to set up a simple firewall to protect a small or remote office network. In that case, one of the best solutions for combining low-cost, ease-of-use, and beefy functionality is IPCop.

What is IPCop?
Essentially, IPCop is a Linux-based firewall that turns an x86 system into a firewall appliance. You could call IPCop a Linux firewall distribution, because it has a self-contained kernel and operating system. In other words, you do not have to install IPCop on top of a standard Linux distribution such as Red Hat. You install IPCop like you would an operating system, and once it is installed it completely monopolizes the machine for use as a firewall appliance.

After installation, IPCop is controlled by a Web-based GUI and does not require any knowledge of Linux. It leverages the strengths of open source—it's free and continually updated and patched—and it takes advantage of the power of Linux firewall and security software such as IPTables, Snort IDS, and FreeS/WAN VPN and simplifies their usage and configuration into its Web-based interface.

The following are some of the features that IPCop includes:
  • Network Address Translation (NAT)
  • DHCP server
  • VPN server
  • Transparent Web proxy
  • Secure Shell (SSH) access
  • Port forwarding
  • DMZ setup
  • Detailed, well-organized logs
  • Intrusion Detection System (IDS)
  • Traffic statistics and graphics

For more details on the features and development of IPCop, take a look at my TechRepublic article on the subject.

Other firewall distributions
IPCop is not the only Linux firewall distribution. Most notably, IPCop is a derivative of the free version of SmoothWall, which is now a subset of a commercial firewall product called CorporateServer 3.0. Other firewall distributions include Devil-Linux and the Coyote Linux Floppy Firewall.

What does it require?
IPCop is software that turns an x86 machine into a hardware appliance—a firewall/gateway/router in this case. You can run an IPCop firewall on minimal hardware. However, for a business deployment I would recommend the following minimum requirements:
  • 300-MHz CPU
  • 256 MB of RAM
  • 5-GB hard disk
  • Two 3Com NICs

These minimum requirements assume that we're dealing with a small or remote office with a DSL Internet connection (or equivalent) and up to about 30 client machines. You can get by with less than the hardware I've recommended, but this is a solid starting point. If you are supporting more than 50 client machines, you should probably go with at least a 500-MHz CPU, 512 MB of RAM, and a 10-GB hard disk (the extra disk space is needed for IPCop's Web proxy).

As you can see above, I also recommend using 3Com NIC cards. That's for two reasons. First, they tend to fail less than other NICs (Intel cards are pretty sturdy, too). Second, IPCop usually has an easy time recognizing these cards, and that makes installation a lot easier. You can use up to three NICs with IPCop—one for the internal network, one for the Internet, and one for a DMZ.

Pre-installation preparations
In this tutorial, I'm going to be walking through the most common configuration for IPCop, which is to set it up as a firewall/gateway running two interfaces and no DMZ. During the IPCop installation, this setup is called a GREEN + RED configuration, in which the green interface is the NIC connected to the local network (usually a hub or a switch) and the red interface is the NIC connected to the Internet (such as a DSL/Cable/T1 router).

Before you start the installation, you need to make sure you have the following information ready:
  1. The static IP address that will be used for the green interface (this will eventually become the default gateway address for the client systems on your network)
  2. How you need to obtain the IP address for the Internet (RED) interface—this could be static, DHCP, PPTP, or PPPoE (if the address is obtained via DHCP, check to see if you need to provide a hostname)
  3. Whether you will be running a DHCP server from the firewall/gateway, and if so, what range of addresses will be handed out by the DHCP server

Once you have this information hammered out, you are ready to install. You will need to download the IPCop software. This comes in the form of an ISO image that can be turned into a bootable installation CD using a CD burner. For example, you can download the ISO and burn it in Windows using Easy CD Creator or similar programs (you can look in the help files of your CD-burning software for information on how to burn ISOs).

Perform the installation
Once you have your IPCop installation CD made, pop it in the CD drive of the target system and restart. The system should automatically boot into the CD (if it doesn’t, then you probably need to change the boot order in the system's BIOS so that the CD is the first device that the system tries to boot from). If you have successfully booted from the IPCop CD, you'll see the welcome screen in Figure A.

Figure A

At the welcome screen, press [Enter] to start the installation. After the installer loads, the first thing you will be prompted to do will be to select a language (Figure B).

Figure B

The next selection you will have to make involves the installation media. Choose CDROM (Figure C). You may get a message that tells you to insert the CD into the computer. It should already be there, but if not then insert it and click OK.

Figure C

The next message you get on the screen will tell you that IPCop is about to repartition the target hard drive and will tell you which drive it is going to format (e.g. /dev/hda1), as shown in Figure D. Once this operation is completed all the data on the selected disk will be wiped out, so make sure you have the correct hard disk installed in your system and that IPCop has selected it correctly.

Figure D

Once the partitioning is complete, you'll get a message asking if you would like to restore an IPCop system configuration (from a past installation), as you can see in Figure E. I assume you don't have a backup from a previous IPCop installation, but if you do, put the floppy disk in the system and select Restore. Otherwise, select Skip.

Figure E

Next, it's time to start the preliminary network configuration. You will be prompted to configure the GREEN (internal network) interface (Figure F). Click Probe.

Figure F

IPCop shouldn’t have any trouble identifying your network adapters (especially if you’re using 3Com NICs, as I recommended). You'll get a message telling you the vendor name of the NIC that IPCop identified as the GREEN interface, and then you will be prompted to enter a static IP address (Figure G).

Figure G

After you set the IP address and subnet mask of IPCop's GREEN interface, the installation will spit out the IPCop CD and you will get a message telling you that the installation was successful, but that there are a few more steps to complete (Figure H). Remove the CD and select OK.

Figure H

You'll then be prompted to select the keyboard type that you are using and select your time zone. Then you select a hostname for the IPCop machine (Figure I). The default is "ipcop" (which I would recommend changing so that you don't simply give away its identity to potential attackers).

Figure I

The ISDN Configuration Menu pops up next (Figure J). This is only needed if you have an internal ISDN card. If you do want to use ISDN, I would recommend using a separate ISDN router and then connecting its network interface to the RED interface of IPCop. On this menu, simply select Disable ISDN.

Figure J

You are now prompted with the Network Configuration Menu (Figure K). Highlight Network Configuration Type, then press [Tab] to select OK and press [Enter].

Figure K

In the Network Configuration Type Menu (Figure L), select GREEN+RED to set up a standard firewall in which one network adapter goes to the internal network (GREEN) and the other adapter connects to the Internet (RED).

Figure L

After you select GREEN+RED, you'll go back to the Network Configuration Menu in Figure K. This time you should select Drivers And Card Assignments, then tab over to OK and press [Enter]. You'll receive a screen that shows the current card assignments and asks if you want to make changes (Figure M). Click OK and IPCop will probe for your NICs and attempt to allocate the second NIC to the RED interface.

Figure M

Once that's complete, you'll return to the Network Configuration Menu (Figure K) again. This time you should select Address Settings, and then you'll be prompted to select the appropriate interface (Figure N). You should select RED.

Figure N

This will lead you to the RED interface configuration screen. It looks similar to the GREEN interface configuration screen back in Figure F, except that you have four selections at the top: Static, DHCP, PPPOE, and PPTP. In most cases, this basically comes down to a choice between Static and DHCP, and it simply depends on whether your ISP has assigned you a static IP address or if the address is assigned automatically via DHCP. If the answer is DHCP, highlight that option and press the spacebar to select it. If it is Static, you'll also need to enter the IP address and subnet mask.

When you're finished and you select OK, you'll return to the Network Configuration Menu. If you are using DHCP on the RED interface, you can select Done. However, if you have a static IP address, you need to select DNS And Gateway Settings, which will provide a screen for you to enter two DNS servers and a default gateway (Figure O).

Figure O

Select Done, and you will then be prompted with the DHCP Server Configuration (Figure P) dialog box. IPCop can act as a DHCP server for the internal network (via the GREEN interface). If you would like to use IPCop as a DHCP server, simply press the spacebar to select Enabled, then enter the range of addresses you would like to allocate and fill in other DHCP settings.

Figure P

After you're done with the DHCP server configuration, you will be prompted to enter passwords (Figure Q) for three users: root, setup, and admin. The root account is for console access, the setup account is for getting back into the installation menus, and the admin account is for logging into the Web administration interface.

Figure Q

Once you have entered the passwords, you will receive a message that says Setup is complete (Figure R). Click OK to reboot the IPCop server.

Figure R

Confirm that it works
After the IPCop firewall restarts and is ready to go, you'll hear a unique series of three beeps that tells you IPCop is now live. The first test you should run is to open up a command prompt from a machine on the same internal network as the GREEN interface of IPCop and try to ping the IP address of IPCop's GREEN interface.

If that works, then you can open up a Web browser and connect to IPCop's Web administration module. You can connect via HTTP or HTTPS and you can use either the IP address or the hostname of the GREEN interface, but you have to append specific port numbers (81 for HTTP and 445 for HTTPS). For example, these four URLs demonstrate the format:
  • http://ipcop:81
  • https://ipcop:445

Obviously, you should replace ipcop and with the hostname or IP address that you assigned for your firewall. When you successfully connect to the Web interface, you see the screen in Figure S. When you click the menu items on the left navigation bar (e.g. Information, Logs, System) you'll be prompted for a username and password. You should use the "admin" username along with the password you assigned to it.

Figure S

End sum
I've walked through the process of getting an IPCop firewall up and running. In my next article, I'll show you how to work with the Web interface, turn on the Web proxy, set up SSH, and do other post-installation administrative tasks.