
A Brief Introduction to IP Cop

By Edgar Howell

Quite some time ago, a friend mentioned IP Cop to me. At the time, it sounded interesting, but other things kept getting in the way. Now that I have had a chance to play with it a bit, it has become extremely interesting and will likely be a permanent player in my computing environment.

What is IP Cop?

Whoops!
IP Cop?
What is that?
Well, it's a gateway, and a router, and a firewall, and does DHCP...
Actually, in essence, just about everything the small LAN needs to connect safely to the untamed Internet.

Yep, set up IP Cop and you can forget /etc/hosts.
Who cares about IP-addresses, anyhow?
Firewall? Why?
IP Cop is your interface to the outside world and has almost no services running - thus, little or almost nothing to attack.

Seriously, it is no substitute for caution and can't protect you from damage from within, trojans, viruses and the like. So let's look more closely at IP Cop and its installation and configuration and what it can do.

Essentially, as the name implies, IP Cop directs traffic at an intersection without traffic lights - in this case, IP traffic. It is a special-purpose Linux distribution that functions as an interface between you, your internal network(s), and the outside world - the Internet. To the Internet, it has a very small profile, offering almost no services. It also discriminates between your LAN (IP Cop terminology: green), a possible WLAN (blue), and a DMZ (orange).
Oh, yeah, the Internet itself is - surprise! - red.

But it goes far beyond this.
Once you have IP Cop in your network, you can forget assigning IP-addresses. Just tell it the address range to use and it will take over that task dynamically. Well, if the PCs you attach to your network are well-behaved enough to participate in DHCP (dynamic host configuration protocol). Or you can easily do it by hand.

Installation

The IP Cop Installation Manual says that it can be done in about 15 minutes after you gather the required information.
This is correct... but by now, I can probably get a SuSE distribution installed in not a whole lot more than that - blindfolded.
Unfortunately, never having done IP Cop before, it took me a little longer.

So please bear with me if in the following I go into a bit more detail than you might want. I certainly would have appreciated it and the guy next to you might.

IP Cop was designed to make use of modest resources to provide security. According to the installation manual it has been tested with a 386, 32 MB of RAM and 300 MB hard drive. In operation it requires neither keyboard nor monitor. And installation - as opposed to configuration - is equally minimalistic. Both keyboard and monitor are required but in text mode, probably only familiar to old DOS users.

Another consideration in your planning to install IP Cop is the fact that it takes over the entire hard drive. You will be warned and can cancel. IP Cop wants to be sole occupant and owner of the drive it lives on. But this is neat: a 4 GB drive is far more than it really requires and half that likely would be enough for a small LAN.

So here is what I went through during installation:

	Current config: GREEN
Done
	DHCP server configuration
<space>		(to enable)
	Start address:
192.168.1.1
	End address:
192.168.1.30
<OK>
	root password
root
	admin password
admin
	setup is complete
<OK>

This was enough to put IP Cop on the hard drive but it still requires a bit more information using text mode. So we log on as root and enter: setup. (In the following '[' and ']' indicate options on the screen that I ignored.)

[Keyboard mapping]
[Timezone]
[Hostname]
[Domain name]
ISDN configuration
	Protocol/Country
		Euro (EDSS1)
	[Set additional module parameters]
	ISDN card
		*AUTODETECT*
			AVM PCI/PNP (EXPERIMENTAL)
	Local phone number
		02206608913
	Enable ISDN
Networking
	Network configuration Type
		GREEN (RED is modem/ISDN)
	[Drivers and card assignments]
	[Address settings]
	[DNS and Gateway settings]

At this point IP Cop was functional on the PC and could be pinged from other PCs on the network.

Configuration

Besides offering almost no services outside, IP Cop strictly limits what root and admin can do. As root, one can log on to the PC on which IP Cop is running, but can only adjust a few things originally set up during the installation, as in ISDN vs modem and the like.

Administration takes place over the - now secure - network from another machine. So let's attach a notebook with SuSE 10 - as yet unused - and see what has to be done.

Since we haven't done anything about networking on this machine just yet, let's manually contact the DHCP server on IP Cop to get an IP-address and then check things out:

web@LohgoDell:~> su
Password:
LohgoDell:/home/web # dhcpcd -B
LohgoDell:/home/web # ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:14:22:DF:EB:80
          inet addr:192.168.1.30  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::214:22ff:fedf:eb80/64 Scope:Link
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:346 (346.0 b)  TX bytes:1814 (1.7 Kb)
          Interrupt:9
LohgoDell:/home/web # netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     *               255.255.255.0   U         0 0          0 eth0
loopback        *               255.0.0.0       U         0 0          0 lo
default         ipcop.lohgo     0.0.0.0         UG        0 0          0 eth0
LohgoDell:/home/web #
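
The two things checked by eye in the output above (an address from the range given to IP Cop during installation, and IP Cop as the default gateway) can also be scripted. The following is an added example, not part of the original article: the function names are made up for illustration, the sample text is copied from the session above, and it assumes the old-style "inet addr:" ifconfig format and a gateway whose name starts with "ipcop".

```shell
#!/bin/sh
# Added example: check a DHCP lease against the range configured on the gateway.
# Sample text is copied from the session above; function names are illustrative.
IFCONFIG_OUT='eth0      Link encap:Ethernet  HWaddr 00:14:22:DF:EB:80
          inet addr:192.168.1.30  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::214:22ff:fedf:eb80/64 Scope:Link'
ROUTE_OUT='Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     *               255.255.255.0   U         0 0          0 eth0
loopback        *               255.0.0.0       U         0 0          0 lo
default         ipcop.lohgo     0.0.0.0         UG        0 0          0 eth0'

# Dotted quad -> integer, so addresses compare numerically.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# First IPv4 address in old-style ifconfig output ("inet addr:"; inet6 is skipped).
lease_addr() {
    printf '%s\n' "$1" | sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p' | head -n 1
}

# Gateway column of the default route (flag G) in "netstat -r" output.
default_gw() {
    printf '%s\n' "$1" | awk '$1 == "default" && $4 ~ /G/ { print $2; exit }'
}

# check_lease IFCONFIG ROUTES RANGE_START RANGE_END GATEWAY_NAME
# Prints a one-line verdict; returns 0 only if both checks pass.
check_lease() {
    addr=$(lease_addr "$1"); gw=$(default_gw "$2")
    [ -n "$addr" ] || { echo "no-address"; return 1; }
    a=$(ip_to_int "$addr"); lo=$(ip_to_int "$3"); hi=$(ip_to_int "$4")
    if [ $(( $a < $lo || $a > $hi )) -eq 1 ]; then
        echo "address-outside-range:$addr"; return 1
    fi
    case "$gw" in
        "$5"|"$5".*) ;;                      # short name or name.domain
        *) echo "unexpected-gateway:$gw"; return 1 ;;
    esac
    echo "ok:$addr:$gw"
}

check_lease "$IFCONFIG_OUT" "$ROUTE_OUT" 192.168.1.1 192.168.1.30 ipcop
```

On a live machine the two variables would be filled from the output of "ifconfig eth0" and "netstat -r" instead of the embedded sample text.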

That looks really good, IP Cop even set itself up as the default gateway! Now we can tell Mozilla to access IP Cop at https://ipcop:445 so we can configure things:

Since we are sitting right next to the IP Cop machine, we know that the identity is correct and it's safe to permanently accept the certificate.

OK, no problem.

No problem there either.

The above is IP Cop's "home administrative window". Merely placing the cursor over any of the boxes in the second of the two lines beginning with "SYSTEM" produces a pop-down with relevant activities. To do anything other than connect (dial) and disconnect (hang up) you will have to enter the name and password of the administrator. My first order of business was System|Backup to save onto diskette what has been done so far.

Here's a little bit of what IP Cop put on the diskette.

At this point I went to Services|Proxy and checked "Enabled on green" and "Transparent on green". Remember that "green" is IP Cop terminology for our LAN, which it is to protect from the rest of the world. Then on to Services|Time Server where I replaced "pool.ntp.org" with something more reasonable:

Then under Network|Dialup it was necessary to establish a dialing profile and specify ISDN as the interface. Under Reconnection I checked "manual" and "Dial on Demand for DNS", and under Authentication I entered the user name and the password for the provider.

At this point establishing a connection to the Internet was very easy: on the home administrative window click on "connect":

And now from another window on the notebook it was possible to "ping -c 3 www.google.com"! All without touching /etc/hosts or doing anything to set up a network other than executing dhcpcd.

Random Remarks

Some of IP Cop's windows are too large to fit on the screen and require scrolling. This makes it easy to miss the "Save" and "Refresh" buttons at the bottom. Be sure to click on them when they are present or your changes will be quietly forgotten.

While you may want to select a different range of IP addresses for IP Cop to manage, it is otherwise a bad idea to change settings that deal with communication over the LAN. It is also a very bad idea to do that after initial configuration, since all administration takes place over a web interface on the network. If communication gets messed up, it may be impossible to repair. It isn't possible to do administration on the machine running IP Cop.

There is far more to IP Cop than what we have looked at here. It includes intrusion detection, numerous logs, traffic shaping and more.

At the moment I still have little experience with IP Cop but will be using it in the future. For the small office/home office (SOHO) it provides many benefits. My problem, as usual, was the documentation.

Not that it was lacking or meager. Essentially everything one needs to know was there. But it wasn't where I needed it!

I was reminded of a trip to a local bureaucracy a number of years ago. I looked at the signs, got in what I thought was the appropriate line, and when my turn came was told that I should be somewhere else. Yeah, the sign could mean that as well... but only to those used to that particular situation.

Bottom line: this software is really impressive, and the documentation includes the information you will need to install and configure and operate it. But - once again - navigating the documentation can be difficult.

Nonetheless, in the long run, for anyone with more than a two-machine installation, IP Cop should be well worth the effort.



Edgar is a consultant in the Cologne/Bonn area in Germany. His day job involves helping a customer with payroll, maintaining ancient IBM Assembler programs, some occasional COBOL, and otherwise using QMF, PL/1 and DB/2 under MVS.


Copyright © 2006, Edgar Howell. Released under the Open Publication license unless otherwise noted in the body of the article. Linux Gazette is not produced, sponsored, or endorsed by its prior host, SSC, Inc.

Published in Issue 125 of Linux Gazette, April 2006
