Network security is one of those Very Important Things that grumpy old admins like me think should not be too easy, because we feel there is no substitute for years of poverty-stricken study at the feet of a merciless guru. Fortunately for admins who live in the real world, there are alternatives to beatings and crusts when they need to learn how to secure their computer networks. Such as IPCop, an excellent specialized Linux distribution designed to protect home and small business networks.
IPCop 1.4 does a number of useful tasks:
- Web-based administration
- Iptables firewall
- VPN (virtual private network)
- Web proxy
- NTP server
- CRON server
- DNS caching server
- Supports dialup, DSL, ISDN, and Ethernet
- Intrusion detection
- System, traffic, and network status monitors
- DHCP client for Internet access
- DHCP server for LAN clients
- Content filtering
- Traffic shaping
… and more.
IPCop must run standalone on its own dedicated machine: It cannot be added to an existing Linux installation. An old PC is good, or you can move uptown and put it on a sleek new mini-ITX or Soekris box. The advantage of these is low power requirements and smaller footprint. You want RAM more than processing power. A 486 with 64 megabytes of memory will serve up to 10 clients satisfactorily, but any Pentium with more memory is better. IPCop takes up about 230 megabytes of storage, plus you must allow space for logfiles, so an old 1 gigabyte hard drive will suffice for smaller networks. You can monitor your own usage via the System Status page in IPCop’s Web-based interface, so it is easy to fine-tune your own system requirements.
You’ll need at least two network adapters – one to connect to the Internet, and one to serve your LAN. These can be two Ethernet cards for DSL or cable, or a modem and an Ethernet card, or an ISDN adapter (define) and an Ethernet card. (See the hardware compatibility list.)
You’ll also need a hub or switch. Switches are so cheap these days you really don’t need to bother with a hub, and you’ll get better network performance. A basic setup looks like this:
Internet -> IPCop -> hub/switch -> LAN
Simple enough. Fear not the penguin.
Installation And Colored Interfaces
IPCop color-codes the different network interfaces. Red is the external interface to the Internet or other untrusted network. Green is the local LAN, and it is presumed to be trusted. Blue is for wireless devices. Orange is for DMZ (define) s
hosts, such as public Web servers. At the least you will have Red and Green zones.
IPCop can be downloaded and burned to a bootable CD, booted from a floppy disk, or installed directly over the network. (See the installation manual.) It will overwrite and partition the entire hard drive- do not try to share with anything else.
Because it is based on a 2.4.2x kernel, it should recognize your network adapters and automatically install the drivers. (Unless you are using some weirdo hardware.) Unfortunately, there is no easy way to choose which NIC belongs to which zone, which is a problem if you have a setup like mine. I have an old 3Com 10-baseT ISA adapter, and a newer D-Link 10/100 PCI adapter. Naturally I want the 3Com card on the Red interface, since Internet speeds are much slower than LAN speeds. But the IPCop installer configures the Green adapter first, and does not let you choose. This is fixed by editing /var/ipcop/ethernet (vi /var/ipcop/ethernet) after installation to switch them around.
Cable and DSL modems should be connected to your IPCop box via an Ethernet card. An analog modem, USB broadband device, or ISDN modem should be connected directly to the IPCop box.
The Green zone, which is your private, internal LAN, can use the usual private non-routable addresses (192.168.1.x) and the usual netmask of 255.255.255.0, though of course you may customize this however you need.
Next, the installer will walk you through the rest of the installation. It’s straightforward, there are only a few gotchas you need to look out for. Be sure to set your local time zone- then you’ll always have the correct time. Selecting London or UTC means you’ll have to correct the time manually.
When you are asked to select a domain name, this can be anything you want. It probably shouldn’t be the same as your real domain name. If you have more than one IPCop server, you might use domain names like ipcop1.net and ipcop2.net.
Configuring the Red interface means you’ll need your account information for your ISP (define). Because IPCop contains a DHCP client, you’ll be able to share any ordinary account- you won’t need an account that gives you a static IP. If you have a static IP, be sure to enter your ISP’s DNS servers on the “DNS and Gateway” settings tab.
Now you may set up IPCop’s DHCP server to serve your internal LAN. Enter 192.168.1.1 as the “Primary DNS”, and enter your lease range on the “Start Address” and “End Address” lines, and remember to check “Enabled.”
When you are asked for a root and admin password, select them carefully. Strong passwords work! Also you must pay attention to the physical security of your IPCop box, because anyone with physical access to the box can easily re-set the root password.
IPcop will now reboot. When it is back up, you don’t need to log in. Go to any PC on the same subnet and try to connect to the Web interface:
Most administration tasks are done via the Web interface. Use the admin login for the Web interface, and the root password for logging in directly to the IPCop box.
If you lose the root password, re-setting it is very easy. Reboot IPCop via the Web interface (System -> Shutdown), then when you see the GRUB menu on the IPCop box hit the letter “a”. Append the option “single” to the end of the kernel line, without quotes, then hit enter and IPCop will boot into single-user mode. Run passwd root to change the password, then restart IPCop.
You may change a lost admin password by editing the /var/ipcop/auth/users file, using vi /var/ipcop/auth/users. Delete everything to the right of the colon, log into the Web interface using “admin” and no password, and create a new password with System -> Passwords.
The first thing you should do is install all available updates. Install all of them, in order, using the System -> Updates tab of the Web interface.
You now have a fully functioning firewall/Internet gateway. Come back next week to learn how to set up a VPN, intrusion detection, allow access to public servers, wireless access, and more. Be sure to consult the excellent installation and administration manuals at IPcop.org.