Wednesday, July 09, 2008

IPCop Gateway

A while ago I was struggling to get my old Dell GX110 CPU with 2 NIC cards to act as a firewall and DHCP server. I thought by using a full-fledged Linux distro I would be able to later on add such things as Squid, or DansGuardian proxy server and content management controls.

Content filtering and logging is something that software seems to do on one level or another. Microsoft Vista and the Trend Micro Internet security suite include parental controls and content filtering options for Windows, plus DansGuardian can be installed on the kid's Edubuntu computer and even my laptop. That's not the issue. The issue is that the first one savvy enough to realize they can bypass it simply by running a LiveCD or a distro on a USB stick instead of the protected operating system wins! That is, of course, after thorough attempts at breaking into the controls on the system itself.

By placing these controls on a gateway for the entire household, not only do I protect my file server from being accessed by unwanted hackers, but I protect the entire household regardless of if the user is using the installed operating system or a LiveCD or even if somebody accesses the wireless network (which I hope to have in the near future). Combine this with making the modem and router physically inaccessible and then I can provide protected access through either the switch or wireless.

The people in the forums were very patient with me and tried to understand my questions as I muddled away trying to set up the gateway using the available documentation and minuscule networking knowledge. I got to the point where I almost had it, I think. That is until a friend at the computer club meeting told me about IPCop.

Actually he mentioned Smoothwall and IPCop, but admitted that he finds himself going back to IPCop. I took a look at it that night and saw the ISO download is rather small plus it facilitates DansGuardian and Squid as well as a scan utility.  That night I downloaded version 1.4.18  and copied it onto my USB drive.

Thankfully this friend also gave me some advice on setting up the system, and told me about IPCop's "zones".

IPCop has a number of zones [1]:

  • Green for internal (safe)
  • Red for external, or the internet (unsafe)
  • Blue for wireless (lock down so cannot access Green zone except through VPN or controlled "pinholes")
  • Orange for publicly accessible servers (cannot access Green or Blue networks except via controlled "pinholes") such as mail or web servers

I don't have wireless yet, so I opted for Green + Red zones with one NIC being assigned to each. When I do get wireless then I can either add it to the Green zone and try to lock it down as much as possible, or add it to the Blue zone and lock the wireless access point to bare minimums.

The other piece of information he provided that was a big help is setting the IP address and range.  I foolishly was trying to set up all of the IPs in the same sub-domain as the DSL modem (192.168.1.x). He gave me a suggested internal IP sub-domain of 10.0.7.x  and leaving the external IP with 192.168.1.x.
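The addressing mistake described above can be checked mechanically before touching the installer. The following is an added example, not part of the original post or of IPCop itself; it assumes /24 masks, and the host addresses and the Blue subnet are made up for illustration.

```python
import ipaddress

# Restrictions taken from the zone list above: (source, destination) pairs
# that are blocked unless a controlled pinhole (or VPN, for Blue) is set up.
PINHOLE_ONLY = {("blue", "green"), ("orange", "green"), ("orange", "blue")}

# Constructed plans. BROKEN puts both NICs on the DSL modem's subnet,
# WORKING uses the suggested 10.0.7.x inside and 192.168.1.x outside.
BROKEN = {"green": "192.168.1.10/24", "red": "192.168.1.2/24"}
WORKING = {"green": "10.0.7.1/24", "red": "192.168.1.2/24",
           "blue": "10.0.8.1/24"}  # Blue subnet is an assumption

def parse_plan(plan):
    """Turn {'zone': 'a.b.c.d/len'} into {'zone': IPv4Interface}."""
    return {zone: ipaddress.ip_interface(cidr) for zone, cidr in plan.items()}

def overlapping_zones(plan):
    """Return zone pairs whose subnets overlap. With an overlap the gateway
    cannot tell from an address which interface (zone) a host sits behind."""
    ifaces = parse_plan(plan)
    zones = sorted(ifaces)
    clashes = []
    for i, a in enumerate(zones):
        for b in zones[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                clashes.append((a, b))
    return clashes

def zone_of(addr, plan):
    """Map an address to its zone; anything not on an internal subnet is
    reached through the Red interface and is treated as external."""
    ip = ipaddress.ip_address(addr)
    for zone, iface in parse_plan(plan).items():
        if zone != "red" and ip in iface.network:
            return zone
    return "red"

def needs_pinhole(src, dst, plan):
    """True if src -> dst crosses a pair the zone list restricts."""
    return (zone_of(src, plan), zone_of(dst, plan)) in PINHOLE_ONLY

if __name__ == "__main__":
    for name, plan in (("broken", BROKEN), ("working", WORKING)):
        print(name, "overlaps:", overlapping_zones(plan))
    print("blue -> green needs pinhole:",
          needs_pinhole("10.0.8.50", "10.0.7.20", WORKING))
```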

IPCop also runs a DHCP server, so I can manage to have

With this knowledge in hand I gave installing IPCop a go, and installed it over my previous attempt.

The installation was very easy, took less than 30 minutes and that's with the installer scanning the NICs to determine if the internal is eth0 or eth1. It helped that I already knew the static IP addresses for the router/gateway, the modem and the server.

Once it is installed and the passwords are set you don't need the keyboard or monitor hooked up to the gateway because it includes a web interface for configuring things.  You just have to remember the passwords you entered for each of the different roles (3 I think).

I feel so much better knowing I've got the gateway and firewall up to protect my network. Now my next excursion is going to be installing DansGuardian content filtering and parental controls. This looks to require installing the (Unofficial) IPCop Firewall Addon Server, which seems to include an easy way to navigate the available addons, among which I see DansGuardian listed as Cop+. Considering the added interest in the Internet by my son, I best get this installed and working quickly.


Drew said...

One quick update: I installed CopPlus with the website's directions (which were pretty easy, but helps if you know how to turn on and use SSH) and it works great.

I haven't gone crazy (requiring people to log in so each person is tracked) but I'm going to read up and see whether I want to go to that level yet or not.

Mavis said...

Great work.