IPCop Polices the LAN

Network security is one of those Very Important Things that grumpy old admins like me think should not be too easy, because we feel there is no substitute for years of poverty-stricken study at the feet of a merciless guru. Fortunately for admins who live in the real world, there are alternatives to beatings and crusts when they need to learn how to secure their computer networks. Such as IPCop, an excellent specialized Linux distribution designed to protect home and small business networks.

IPCop 1.4 does a number of useful tasks:

• Web-based administration
• Iptables firewall
• VPN (virtual private network)
• Web proxy
• NTP server
• CRON server
• DNS caching server
• Supports dialup, DSL, ISDN, and Ethernet
• Intrusion detection
• System, traffic, and network status monitors
• DHCP client for Internet access
• DHCP server for LAN clients
• Content filtering
• Traffic shaping

... and more.

System Requirements
IPCop must run standalone on its own dedicated machine: It cannot be added to an existing Linux installation. An old PC is good, or you can move uptown and put it on a sleek new mini-ITX or Soekris box. The advantage of these is low power requirements and smaller footprint. You want RAM more than processing power. A 486 with 64 megabytes of memory will serve up to 10 clients satisfactorily, but any Pentium with more memory is better. IPCop takes up about 230 megabytes of storage, plus you must allow space for logfiles, so an old 1 gigabyte hard drive will suffice for smaller networks. You can monitor your own usage via the System Status page in IPCop's Web-based interface, so it is easy to fine-tune your own system requirements.

You'll need at least two network adapters - one to connect to the Internet, and one to serve your LAN. These can be two Ethernet cards for DSL or cable, or a modem and an Ethernet card, or an ISDN adapter (define) and an Ethernet card. (See the hardware compatibility list.)

You'll also need a hub or switch. Switches are so cheap these days you really don't need to bother with a hub, and you'll get better network performance. A basic setup looks like this:

Internet -> IPCop -> hub/switch -> LAN

Simple enough. Fear not the penguin.

Installation And Colored Interfaces
IPCop color-codes the different network interfaces. Red is the external interface to the Internet or other untrusted network. Green is the local LAN, and it is presumed to be trusted. Blue is for wireless devices. Orange is for DMZ (define) s hosts, such as public Web servers. At the least you will have Red and Green zones.

IPCop can be downloaded and burned to a bootable CD, booted from a floppy disk, or installed directly over the network. (See the installation manual.) It will overwrite and partition the entire hard drive- do not try to share with anything else.

With this article, you'll have a fully functioning firewall/Internet gateway. Come back next week to learn how to set up a VPN, intrusion detection, allow access to public servers, wireless access, and more.

Because it is based on a 2.4.2x kernel, it should recognize your network adapters and automatically install the drivers. (Unless you are using some weirdo hardware.) Unfortunately, there is no easy way to choose which NIC belongs to which zone, which is a problem if you have a setup like mine. I have an old 3Com 10-baseT ISA adapter, and a newer D-Link 10/100 PCI adapter. Naturally I want the 3Com card on the Red interface, since Internet speeds are much slower than LAN speeds. But the IPCop installer configures the Green adapter first, and does not let you choose. This is fixed by editing /var/ipcop/ethernet (vi /var/ipcop/ethernet) after installation to switch them around.

Cable and DSL modems should be connected to your IPCop box via an Ethernet card. An analog modem, USB broadband device, or ISDN modem should be connected directly to the IPCop box.

Continued on page 2: Configuration