This document is for the purpose of building in IPCop Firewall onto a MSI Axis 700 barebones PC. The firewall will also be used as a NTP time-server, Content-filtering proxy server and OpenVPN server.

Requirements

• MSI C7 VIA CN700 5.1 Audio Lan DDRII quicklinx:4FY9WS
• D-Link DFE 580TX - network adapter - 4 ports quicklinx:1YH9WS
• LG Electronics DVD ROM 16X BLACK DRIVE ONLY quicklinx:4N6SWS
• Seagate Barracuda 7200.10 80GB S300 8MB quicklinx:4MRKWS
• Crucial 512MB 240Pin DIMM DDR2 PC2-4200 Non-ECC quicklinx: 36TCWS

N.B. I believe 512mb is insufficient and I would recommend purchasing Kingston Memory - KVR667D2NG/1G

Key Steps

• Assemble above
• Disable “EHCP on chip” under “Integrated peripherals” in BIOS (prevents NIC being loaded correctly)
• Disable “ACPI” under Power Management (from memory)
• Download IPCop at IPCop.org and burn to CD
• Boot CD
• Follow prompts to install (you may find this Howtoforge useful)
• Connect to web admin page
• Install Copfilter (for Virus protection and more)
• Install Advanced Proxy (for user authentication and control)
• Install URL Filter (for content filtering)
• Install Zerina OpenVPN
• Configure Zerina OpenVPN

Install Copfilter

Download Copfilter.

# scp -P 222 copfilter-version.tgz root@ipcop_green_address:/root
# ssh -p 222 -l root ipcop_green_address
# cd /root
# tar xzvf copfilter-version.tgz
# cd copfilter-version
# ./install

This should complete with a message such as this:

Copfilter ~version~ installation completed successfully!

Install Advanced Proxy

Download Advanced Proxy.

# scp -P 222 ipcop-advproxy-version.tar.gz root@ipcop_green_address:/root
# ssh -p 222 -l root ipcop_green_address
# tar -xzf ipcop-advproxy-version.tar.gz
# ipcop-advproxy/install

Install Enhanced Proxy Log Viewer

Download Advanced Proxy Log Viewer.

This package enables the capability to show usernames within the proxy log viewer.

Copy the file proxylog.dat to the directory /home/httpd/cgi-bin/logs.cgi and set the file permissions to 755 (rwxr-xr-x).

Install URL Filter Add-on

Download URL Filter.

# scp -P 222 ipcop-urlfilter-version.tar.gz root@ipcop_green_address:/root
# ssh -p 222 -l root ipcop_green_address
# tar -xzf ipcop-urlfilter-version.tar.gz
# ipcop-urlfilter/install

Install Zerina OpenVPN

Zerina OpenVPN.

If you are updating, first stop the OpenVPN Server through the GUI.

These instruction include a dangerous bodge to arbitrarily alter the IPCop version requirement, only proceed if you are happy to accept the inherent risk in so doing.

# scp -P 222 ZERINA-version-Installer.tar.gz root@ipcop_green_address:/root
# ssh -p 222 -l root ipcop_green_address
# mkdir /root/zerina
# mv ZERINA-version-Installer.tar.gz /root/zerina/
# cd /root/zerina
# tar -xzvf ZERINA-version-Installer.tar.gz
# sed -i s/1\.4\.18/1.4.21/ install
# ./install

Configure Zerina OpenVPN

• Zerina OpenVPN

Configure OpenVPN for Network-Manager

Download and extract the ZIP file from IPCOP OpenVPN, and extract the contents into (for example ~/.openvpn).

$ sudo apt-get install network-manager-openvpn
$ cd ~/.openvpn
$ sudo su
# openssl pkcs12 -nocerts -in default.p12 -out key.pem
# openssl pkcs12 -nokeys -clcerts -in default.p12 -out cert.pem
# openssl pkcs12 -nokeys -cacerts -in default.p12 -out ca.pem
# exit

These converted files can then be used in Network Manager.

If you’re struggling to connect to OpenVPN with Network Manager, consider that you need to ensure that the settings are mirrored on both IPCop and on the client’s Network Manager, for example I struggled to connect until I realised that LZO Compression was switched on on IPCop but off in Network Manager.

Static Routes

There is no way to set this in the GUI, so connect via SSH (see above):

In /etc/rc.d/rc.netaddress.up add:

if [ "$1" != "NOTGREEN" ]; then
if [ "$GREEN_DEV" != "" ]; then
    ifconfig $GREEN_DEV $GREEN_ADDRESS netmask $GREEN_NETMASK broadcast $GREEN_BROADCAST up

    ####CUSTOM EDIT FOR STATIC ROUTE####
    route add -net 10.100.1.0 netmask 255.255.255.0 gw 10.2.0.1
    ####CUSTOM EDIT FOR STATIC ROUTE####

Identifying Network Interfaces in Linux

If your network card supports it, you can blink the LED on the specified network interface in Linux like this:

# ethtool -p eth# 5

This blinks the LED on the interface for five seconds-without interrupting network traffic.

• Cool Command

Flushing the DNS Cache

There may be times that you wish to flush the DNS cache. IPCop uses dnsmasq, log onto ipcop using root and run the following:

# ps -ef | grep dnsmasq
# kill -s SIGHUP <PID> (replacing <PID> with the PID shown by the previous command)

References

• IPCop.org
  • User forum
• Howtoforge
  • Continued…
• Addons
• DansGuardian
• IPTables on Wikipedia
• IPCop Review
• Snort
• Installing OpenVPN
• Resolving add-on conflicts

I was introduced to Firestarter, which is a GUI to configure a firewall and share your Internet connection, if you so wish, I’m looking forward to having a play with this.

Our ADSL connection went down yesterday morning, taking with it our websites, email and browsing. It is amazing how cut-off you feel without Internet access. We have a fully-managed service, so Clara.net sent out a replacement router, only to find that the problem was elsewhere and that they had to log the fault with BT.

Thinking that our Internet access could be out for days, I decided to try and utilise my laptop’s Vodafone 3G modem. After a little research on my Eee PC I discovered that IPCop firewall can only handle a single WAN interface, so I decided to build a temporary IPCop firewall for the purpose:

• Install IPCop Firewall