Build an IPCop router with Supermicro – Part 2

This second part is going to show you how to install IPCop and get it exactly where you want it.


First of all my readers should know a little about IPCop. IPCop is an open source Linux firewall distribution project. Its main goal is to provide a secure and stable firewall that is easy to configure and maintain.
IPCop has a web interface and provides easy upgrade and patch management.

Depending on the hardware used and the user's experience, IPCop can be installed and configured in about 15 minutes or less.

Main IPCop features:
* secure, stable and highly configurable Linux based firewall
* runs on Uni and Multi-processor systems
* Iptables based firewall
* Build system uses LFS (Linux from Scratch)
* Easy configuration through the Web-based GUI Administration System (SSL secured)
* CPU/Memory/Disk/Traffic Graphs, System/Proxy/Firewall Logs
* IPCop Linux Updates Area
* backup/restore configuration
* Built with ProPolice to prevent stack smashing attacks in all applications.
* Multiple language support

* HTTP Web Proxy (Squid) to speed up web access
* SSH server for Remote Access
* DHCP server – provides DHCP services to its clients
* NTP Server  – provides time services to its clients
* Caching DNS to help speed up Domain Name queries
* Intrusion detection (Snort) to detect external attacks on your network
* IPSec based VPN Support (FreeSWAN) with x509 certificates

* Traffic Shaping capabilities to prioritize network traffic
* TCP/UDP port forwarding
* Port Address Translation, which is a type of Network Address Translation (NAT): http://de.wikipedia.org/wiki/Network_Address_Translation
* DMZ Pinhole support
* Dynamic DNS Support (dyndns.org, no-IP.com, zoneedit.com,..)

Interface support – up to 4 network adapters, partitioning your network into 4 zones
* GREEN  – internal safe network which is protected from the Internet
* BLUE   – wireless network for WLAN clients
* ORANGE – DMZ (demilitarized zone) for publicly accessible servers, partially protected from the Internet
* RED    – Internet unsafe network

ISP
* External RED interface supports Analog/ISDN/ADSL modem
* supports PPP, PPTP, PPPoE, Ethernet
* DHCP client – IPCop is able to obtain its IP address from your ISP

For more information please visit the IPCop website at http://www.ipcop.org

IPCop also supports third-party add-ons like Copfilter, which includes:

Email Scanning:
– Virus and Spam scanning of incoming POP3 emails
– Virus and Spam scanning of incoming and outgoing SMTP emails
– Email sanitizing by removing dangerous html tags from HTML email messages
– Attachment scanning by renaming dangerous attachments (.pif .vbs ..) from email messages
– Adds a note to every email header indicating that the email was scanned
– Email discarding and/or quarantining, depending on a predefined spam score level or if a virus was found

Internet traffic Scanning
– Virus scanning of HTTP traffic, with no “trickle” effect, but continuous, non-blocking downloads
– Virus scanning of FTP traffic, with “trickle effect”, a download delay is noticeable (file gets downloaded and scanned in the background, while browser only receives a few bytes until complete file has been scanned)
– Removes ads, banners, pop-ups and other obnoxious Internet junk from HTTP Traffic

Network:
– All services work transparently, no re-configuration on any client is necessary !!
– Highly configurable, scanning can be turned on or off for every attached network
– Any type of email client (Outlook,Thunderbird,Evolution,..) on any OS (Win32,Linux,MacOS,..) can be used
– (RED) IP Alias support for mail server MX entries other than the default assigned IP address

Monitoring:
– Detailed information about every installed service (CPU/mem usage, uptime etc)
– Service monitoring, if a service should fail, it will automatically be restarted (with email notification)
– Individual Service control  – start/stop every services from the monitoring webgui

Administration and Management:
– Copfilter AntiSpam whitelist management through webgui and by sending an email (with predefined commands) (spam scanning will be skipped on the reply emails)
– Automatic outgoing email whitelisting, adds recipient (To: field) email address of outgoing email to the whitelist, if a reply email to the original email arrives, spam scanning will be skipped
– Copfilter Daily Spam Digest recipient management through webgui
– Ability to automatically download spam and ham emails from an imap folder to train the integrated Bayesian filter
(dramatically improves spam recognition, important for false positives and false negatives)
– HTTP Whitelist management through a configuration file
– Uninstall, backup, restore and restore-to-default-configuration capability
– Virus and Spam Quarantine, option to resend, delete messages and/or add the sender email address to the whitelist
– Customizable levels of when email messages should be quarantined or discarded
– Ability to send test virus/spam/bad attachment emails directly from the webgui to test Copfilter functionality
– Links to test http and FTP viruses are included as well
– Copfilter installation and configuration can be done in less than 5 minutes.
just copy the installation file to the IPCop firewall, extract and
execute the included install script (no IPCop addon server required)
– Based on the Linux Firewall Distribution IPCop which is very easy to install
Download the ISO, burn the cd, answer a few screens and your new firewall is up and running in less than 15 minutes !
– Detailed documentation
– Easy to use and highly configurable web-based graphical user interface (webgui)
– Free, opensource and GPL licensed 🙂

Updates:
– Automatic AntiVirus signature updates
– Automatic AntiSpam ruleset updates
– Latest available Copfilter version is displayed in the webgui
(webgui retrieves this information by reading the http://www.copfilter.org website)

User Notifications emails:
– Instead of a virus infected email, the user receives a notification that a virus
infected email has been sent to him, including details like sender, subject,
email header, etc of the original message
– Optionally sends a copy of these user notifications to an administrator
– All Spam messages will be tagged in the subject: *** SPAM *** for further client processing
– Daily digest containing all sender email addresses of all received spam in 24h, optionally a user
can send an email to automatically add an email address to the whitelist

Email Reports (for the System Administrator) about:
– Virus signature updates
– Antispam ruleset updates
– Imap BAYES Training results
– Failed services and if the automatic restart has been successful

Software:
– Only uses opensource software (except for optional virus scanner f-prot)
– Enhanced spam capabilities: Bayesian filtering, spam rulesets, razor, dcc, SURBL and DNS Blocklists
– Is able to use an open source AND / OR a commercial virus scanner
For POP3, SMTP, FTP: ClamAV and/or F-Prot   /   For HTTP: ClamAV only
– All proxies run as a non-root user
– Init scripts included which can start/stop/reconfigure the proxies (some can be started in debug mode)
– Log directory with log files from all services (accessible through webgui)
– Supports multi languages based on the IPCop language setting
languages available depend on translations which have been already done.

Enough about IPCop, let's get it installed on our network. I will be installing IPCop in a network configured like the graphical example below, which has 3 networks in use: RED, GREEN, and ORANGE. For all intents and purposes I will leave ORANGE out of this post.


Install Process

  • Select your language.
  • Select your Installation Medium, a CD in this case.
  • Configure your network cards. The fastest way to configure your network interface cards is to select the Probe option. If you know the network card information, you can choose your exact interface from Select.


Next, when you are asked for the Green interface address, enter one that is within your chosen address space (192.168.1.x in our example). Enter 192.168.1.1 in the IP address field.


Following this, IPCop will format and copy itself to your hard drive. See below.

After the install has completed you will be prompted to reboot and run setup as shown. See below.

Initial Setup
Having installed IPCop, we now have to enter some further configuration information in setup to complete the installation.

  • Enter the Keyboard, Time Zone and Hostname/Domain.
  • ISDN Setup: as you are not using ISDN, you should choose to disable it.
  • Network Configuration Type: select the interface configuration you will be running by tabbing to Network Configuration Type and hitting the Enter key.


In our case you would select Red / Orange / Green.

Since we have 3 interfaces and have only set up Green, repeat the interface setup options for the Red and Orange interfaces as described above.
Configure the RED interface to use DHCP, as this is the interface connected to the Internet (i.e. your ISP): for Red, tab over to the DHCP box and select it by hitting Enter. Then configure your ORANGE interface to use the 192.168.10.x address space. If your Green network will contain 15 hosts, you can use the range 192.168.1.2-16. To set this up, simply add in this range 192.168.1.2-16 and tab down to OK.


Don’t forget to set your RED network to DHCP if your ISP assigns your IP address for you.

Password Setup – IPCop has 2 users, root and admin, and you will be asked to set a password for each. Set both to a strong password of more than 8 characters that is not a word in any language and contains capital letters. A good example would be 1luv19c0p. The root password is used to log on and add any add-ons or upgrades via SSH. The admin user is used to manage your IPCop day to day.
At the end of the IPCop installation you will be asked to reboot. After the reboot, go to another machine on your LAN and force its network interface card to renew its dynamic (DHCP) address with ifconfig (Linux/Unix) or ipconfig (Windows). Verify you are live and active on the new network you have set up with an address on 192.168.1.x. With this validated, connect to the secure HTTPS web interface of IPCop. Type https://192.168.1.1:445 or https://192.168.1.1:81 and log in as the admin user.
Validate all your settings and connectivity. Then check out all the features you get with this great GNU open source firewall. In the second installment of this how-to we will discuss setting up a dynamic DNS, filtering email/web/proxying with Copfilter and allowing access to a web/mail server of your choice in the DMZ or ORANGE network. Until then, go check out the www.IPCop.org website.

Now to install Copfilter. For the Copfilter readme please go to http://members.inode.at/m.madlener/copfilter/README.


Requirements

SW: IPCop version 1.4.x

HW: recommended minimum hardware:
a CPU with 350 MHz, 256MB RAM
if no spam filtering is used then a machine with 128MB ram should be sufficient

If a faster machine is being used, email scanning and traffic filtering will be faster as well.

Short description of the software used within Copfilter

P3Scan          – a transparent pop3 proxy server
ProxSMTP        – a transparent SMTP proxy server
HAVP            – a transparent http proxy server (HTTP AntiVirus Proxy) with continuous, non-blocking downloads and smooth scanning of dynamic and password protected HTTP traffic
frox            – a transparent FTP proxy server
Privoxy         – a http proxy with advanced filtering capabilities for protecting privacy, managing cookies, controlling access, and removing ads, banners, pop-ups and other obnoxious Internet junk
Clam AntiVirus  – a GPL virus scanner with built-in support for Zip, Gzip, Bzip2 and automatic updating
F-Prot Antivir  – for Linux Workstations (free for home users), virus scanner is not included, but supported!
F-Prot Antivir  – for x86 Mail Servers (corporate use) this virus scanner is not included, but supported!
SpamAssassin    – a mail filter to identify spam
Vipul’s Razor   – a distributed, collaborative, spam detection and filtering network, used by SpamAssassin
DCC             – a cooperative, distributed system intended to detect “bulk” mail
renattach       – a stream filter that can identify and rename potentially dangerous e-mail attachments
RulesDuJour     – a bash script which automatically downloads new versions of SpamAssassin rulesets
monit           – Monitoring Utility – automatically restarts a failed service, includes a service manager

Preparation

– enable ssh   on your IPCop machine through the IPCop admin web pages (necessary for file transfer)
IPCOP Webgui -> SYSTEM -> SSH ACCESS

– enable squid on your IPCop machine through the admin web pages (needed for privoxy to work)
IPCOP Webgui -> SERVICES -> PROXY

– you will need a secure copy (scp) client to copy the package to your ipcop firewall and a
secure shell client (ssh) to actually install the package
if working on Unix, you should have ssh and scp already installed, if not you have to install
these programs from the Linux distribution you are using, or compile them yourself

if working on windows you could use (both opensource and free):
graphical    secure copy  client:     winscp   http://winscp.sourceforge.net/eng/
graphical    secure shell client:     putty    http://www.chiark.greenend.org.uk/~sgtatham/putty

putty includes a command line secure copy client called pscp.exe

– download the latest Copfilter version from http://www.copfilter.org
do not try to extract this tar file on windows (your virus scanner will warn you about
4 testvirus files in the archive ), instead copy it to the ipcop machine by doing the following:

Copy the package to the firewall

copy the package to the IPCop firewall using a secure copy client (scp)
on a Unix or Linux machine:
scp -P 222 <copfilterpackage_name> root@<your_ipcop_machine_ipaddress>:/root
(notice that port 222 needs to be used)

OR on a Windows machine using WinSCP

start WinSCP and create a new session in the WinSCP login screen
(assuming 192.168.112.254 is your IPCop's IP address)

then drag and drop the Copfilter installation file to the IPCop /root and
click on copy when asked to confirm

OR on a Windows machine using putty's pscp

pscp -P 222 <package_name> root@<your_ipcop_machine_ipaddress>:/root

Install the package on the firewall

– login to the IPCop machine with a ssh client,
example with putty:
start putty
enter the ipaddress of your IPCop machine into the “Host Name (or IP address)” field
enter the ssh port  of your IPCop machine into the “Port” field, this is usually: “222”
enter a session name in “Saved Sessions”, for example “IPCop”
click on “Save”
click on “Open” to start the ssh session to your IPCop machine

– you should now have an open terminal session with putty

– if you are updating, first uninstall the old version:
everything which was Copfilter related will be deleted without confirmation

you might want to create a backup before uninstalling:
/var/log/copfilter/default/setup_util -b

to uninstall:
/var/log/copfilter/default/setup_util -u

– extract the package:
cd /root
tar xzvf Copfilter-0.1.0.tgz  (version number could be different than in this example)

– change to the directory and install the new package
cd Copfilter-0.1.0
./install

this script will automatically extract the setup tar file and will also
automatically execute /var/log/copfilter/default/setup_util -i

if it fails and you get these error messages:
Gzip: stdin: unexpected end of file
copfilter-0.1.0beta2/install
tar: Unexpected EOF in archive
tar: Unexpected EOF in archive
tar: Error is not recoverable: exiting now
then this means that you have not correctly downloaded the full file, try
to redownload the file and then try again
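
The truncated-download failure above can be caught before the package is copied to the firewall and run as root. The following is an added example, not part of Copfilter or the original post; the function name verify_pkg, its return codes and the optional SHA-256 argument are assumptions, and since the page lists no checksum, any digest you pass must come from a source you trust.

```shell
#!/bin/sh
# Added example: pre-install integrity check for a downloaded Copfilter tarball.
# Usage: verify_pkg Copfilter-0.1.0.tgz [expected_sha256]
# Return codes (assumed for this example):
#   0 ok, 1 missing/empty file, 2 gzip stream truncated or corrupt,
#   3 tar listing failed, 4 no <topdir>/install script, 5 digest mismatch
verify_pkg() {
    pkg=$1
    expected=${2:-}

    [ -s "$pkg" ] || { echo "missing or empty: $pkg" >&2; return 1; }

    # gzip -t decompresses to nowhere and checks the CRC/length trailer;
    # a cut-off download fails here with "unexpected end of file".
    gzip -t "$pkg" 2>/dev/null || { echo "gzip stream damaged: $pkg" >&2; return 2; }

    # Walk the tar headers without extracting anything onto disk.
    listing=$(tar -tzf "$pkg" 2>/dev/null) || { echo "tar listing failed: $pkg" >&2; return 3; }

    # The procedure runs ./install from the extracted directory,
    # so the archive must contain <topdir>/install.
    printf '%s\n' "$listing" | grep -Eq '^(\./)?[^/]+/install$' \
        || { echo "no install script in $pkg" >&2; return 4; }

    # Optional: compare against a digest obtained out of band.
    if [ -n "$expected" ]; then
        actual=$(sha256sum "$pkg" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || { echo "sha256 mismatch for $pkg" >&2; return 5; }
    fi
    return 0
}
```

Run it on the workstation that downloaded the file; gzip -t and tar -tzf only prove the archive is complete, while the digest comparison is what ties it to a known-good release.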

Copfilter is done.
