trouble configuring IPCOP
19 years 3 months ago #9456
by starcycle
Forgive me in advance for not knowing what to provide; I am a n00b to Linux and to networking. I am trying to set up IPCOP for a small home network and I am having trouble with the configuration.
I have a green + red setup: green is 192.168.1.1, red gets its IP from DHCP.
The network goes: cable modem -> ipcop -> router -> computers, and right now I have the router assigning IPs to the computers.
When I boot the firewall, it hangs on "bringing network up," and I have to ctrl+c. Sometimes I get some weird error after logging in that says: could not connect to www.ipcop.org:80, and some message about a bad hostname at /usr/local/bin/updatelists.pl line 38. Why is my firewall trying to connect to ipcop.org??? The hostname is set to fw1.
I'm not sure what I'm supposed to have in /var/ipcop/ethernet/settings. I have 2 of the same network card, and IPCOP wouldn't let me configure them through the GUI so I had to guess at some of the values. Can anyone help?
19 years 3 months ago #9462
by DaLight
It appears your NICs have not been recognised by the IPCOP installation process. IPCOP has been known to have problems recognising some of the older ISA cards. I've found that 3COMs and any REALTEKs from 8139 onwards work ok for autodetection.
In your case you may need to enter the settings manually into /var/ipcop/ethernet/settings:
1. First of all you will need to determine the IO address and IRQ settings for both your RED and GREEN NICs. You can use the diagnostic program that came with the NICs.
2. Now enter these into /var/ipcop/ethernet/settings using the NE2000 driver as the driver.
Find the following lines in /var/ipcop/ethernet/settings and enter the correct settings for your cards in RED_DRIVER_OPTIONS and GREEN_DRIVER_OPTIONS:
[code:1]
RED_DRIVER=ne
RED_DRIVER_OPTIONS='io=0x300 irq=5'
RED_DISPLAYDRIVER=ne
GREEN_DRIVER=ne
GREEN_DRIVER_OPTIONS='io=0x340 irq=7'
GREEN_DISPLAYDRIVER=ne[/code:1]
Also, looking at your network configuration, you don't really need to have a router between your IPCOP and computers. You could simply use a switch and have the IPCOP giving out IP addresses and acting as a router.
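When the settings file is edited by hand as DaLight describes, the usual mistake with two identical ISA cards is to guess the same I/O port or IRQ for both, and nothing on the box warns you before "bringing network up" hangs. The following POSIX sh check is an added example, not code from DaLight's post or from the IPCop project; it assumes only the RED_DRIVER, RED_DRIVER_OPTIONS, GREEN_DRIVER and GREEN_DRIVER_OPTIONS variable names shown above, and the sample settings files it is tested against are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the forum post or IPCop): sanity-check a hand-edited
# /var/ipcop/ethernet/settings before rebooting. Catches a missing driver,
# ne-driver cards without io=/irq=, and two cards sharing an I/O port or IRQ.
# Assumes the RED_*/GREEN_* variable names used in the post.

# pull "0x300" out of "io=0x300 irq=5" ($1 = options string, $2 = io|irq)
opt_value() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\\([0-9a-fA-Fx]*\\).*/\\1/p"
}

# $1 = settings file; returns 0 when the NIC settings look sane, 1 otherwise
check_nic_settings() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    RED_DRIVER=; RED_DRIVER_OPTIONS=; GREEN_DRIVER=; GREEN_DRIVER_OPTIONS=
    . "$1"
    rc=0
    for side in RED GREEN; do
        eval "drv=\$${side}_DRIVER; opts=\$${side}_DRIVER_OPTIONS"
        [ -n "$drv" ] || { echo "$side: no driver set" >&2; rc=1; }
        if [ "$drv" = "ne" ]; then
            # ISA NE2000 clones cannot be probed, so io= and irq= must be given
            io=$(opt_value "$opts" io); irq=$(opt_value "$opts" irq)
            case "$io" in 0x[0-9a-fA-F]*) ;; *) echo "$side: io= missing or not hex ($opts)" >&2; rc=1 ;; esac
            case "$irq" in [0-9]|1[0-5]) ;; *) echo "$side: irq= missing or not 0-15 ($opts)" >&2; rc=1 ;; esac
        fi
    done
    # two cards on the same port or IRQ is the classic "guessed values" failure
    red_io=$(opt_value "$RED_DRIVER_OPTIONS" io); green_io=$(opt_value "$GREEN_DRIVER_OPTIONS" io)
    red_irq=$(opt_value "$RED_DRIVER_OPTIONS" irq); green_irq=$(opt_value "$GREEN_DRIVER_OPTIONS" irq)
    [ -n "$red_io" ] && [ "$red_io" = "$green_io" ] && { echo "RED and GREEN share I/O port $red_io" >&2; rc=1; }
    [ -n "$red_irq" ] && [ "$red_irq" = "$green_irq" ] && { echo "RED and GREEN share IRQ $red_irq" >&2; rc=1; }
    return $rc
}
```

Run it as `sh check.sh` after sourcing, or call `check_nic_settings /var/ipcop/ethernet/settings` from the IPCop console before rebooting; a non-zero exit plus the messages on stderr tell you which card to fix.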
19 years 3 months ago #9479
by starcycle
Thanks, I think I got it. I had to set the green IP to 192.168.0.1; 192.168.1.1 won't work for some reason. (?) Not sure why, but that's the way it is. The router was just there temporarily for a failsafe until I got everything configured.
I have to say that although most of IPCOP seems cool so far, the firewall functionality is a little disappointing. Can't you make chains, or block/drop access at the IP level, a la iptables? It seems that all you can do is either block everything, or block everything while opening certain services to everyone. Maybe I'm missing something, as it seems very anemic. Webmin on a full Linux distro with iptables would be far superior in flexibility to what I am seeing in the IPCOP HTTP GUI.
thx
19 years 3 months ago #9500
by jhun
Hi,
as far as I know you can create settings in IPcop using iptables, but not using the web interface; you do it by using the CLI on the machine itself.
19 years 3 months ago #9519
by DaLight
IPCOP has full iptables functionality, but as jhun said you have to drop down to the CLI. If you're happy with that you can set up firewall rules as you could for any other distro. I agree that this functionality is missing from the GUI.
The file to set up your own custom rules in without breaking anything else is /etc/rc.d/rc.local. An example (with comments) based on my copy is as follows:
[code:1]
#!/bin/sh
# RED_DEV, GREEN_DEV and friends are defined in the IPCop network settings file
. /var/ipcop/ethernet/settings
# shorthand helper
IPT="/sbin/iptables"
# Flush the custom chains first so this script can be re-run without
# stacking duplicate rules
$IPT -F CUSTOMINPUT
$IPT -F CUSTOMFORWARD
# ---- ICMP arriving on RED ----
# echo-reply
$IPT -A CUSTOMINPUT -i $RED_DEV -p icmp --icmp-type 0 -j DROP
# echo-request
$IPT -A CUSTOMINPUT -i $RED_DEV -p icmp --icmp-type 8 -j DROP
# Now accept the three(3) good ones
# destination-unreachable
$IPT -A CUSTOMINPUT -i $RED_DEV -p icmp --icmp-type 3 -j ACCEPT
# redirect (ICMP redirects can change the firewall's routes; consider dropping
# them unless your ISP actually needs them)
$IPT -A CUSTOMINPUT -i $RED_DEV -p icmp --icmp-type 5 -j ACCEPT
# time exceeded
$IPT -A CUSTOMINPUT -i $RED_DEV -p icmp --icmp-type 11 -j ACCEPT
# Drop all other ICMP type data
$IPT -A CUSTOMINPUT -i $RED_DEV -p icmp -j DROP
# drop any tcp/udp packets to ports 135 - 137 (Windows RPC/NetBIOS noise)
$IPT -A CUSTOMINPUT -i $RED_DEV -p tcp --dport 135:137 -j DROP
$IPT -A CUSTOMINPUT -i $RED_DEV -p udp --dport 135:137 -j DROP
# ---- restrict outgoing access (GREEN -> RED) ----
# allow full access for specific IPs
# PC1 - 192.168.111.1
$IPT -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.111.1 -o $RED_DEV -j ACCEPT
# PC2 - 192.168.111.2
$IPT -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.111.2 -o $RED_DEV -j ACCEPT
# allow limited access for specific IPs - in this case 192.168.111.3 tcp ports 20,21
#$IPT -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.111.3 -o $RED_DEV -p tcp --dport 21 -j ACCEPT
#$IPT -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.111.3 -o $RED_DEV -p tcp --dport 20 -j ACCEPT
# bar access for all other IPs on the GREEN subnet (adjust to your own LAN;
# note the /24 mask: a wider mask such as /8 would match far more than the LAN)
$IPT -A CUSTOMFORWARD -i $GREEN_DEV -s 192.168.111.0/24 -o $RED_DEV -j DROP[/code:1]
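DaLight's rc.local hard-codes one iptables line per LAN host and types the GREEN subnet by hand, which is where mask typos creep in. The script below is an added example, not DaLight's code and not part of IPCop: it generates the same kind of CUSTOMFORWARD allow-list from a small policy file and derives the final catch-all DROP from the settings file instead of a typed subnet. It assumes the settings file defines GREEN_DEV, RED_DEV, GREEN_NETADDRESS and GREEN_NETMASK (variable names assumed from IPCop 1.4; check yours), that the CUSTOMFORWARD chain exists, and the policy-file format is invented for the example. With IPT=echo it prints the rules instead of loading them, which is how it is exercised here without root.

```shell
#!/bin/sh
# Added example (not from the forum post or the IPCop project): build the
# CUSTOMFORWARD outbound allow-list from a policy file instead of one
# hand-edited iptables line per host.
# Assumptions: the IPCop settings file defines GREEN_DEV, RED_DEV,
# GREEN_NETADDRESS and GREEN_NETMASK, and the CUSTOMFORWARD chain exists.
# The policy file format is made up for this example:
#   <ip> any                    full outbound access
#   <ip> tcp <port>[,<port>...] only those TCP ports
#   <ip> udp <port>[,<port>...] only those UDP ports
# Lines starting with "#" are comments.

IPT="${IPT:-/sbin/iptables}"   # set IPT=echo to print the rules instead of loading them

build_forward_rules() {   # $1 = settings file, $2 = policy file
    settings="$1"; policy="$2"
    . "$settings"
    if [ -z "$GREEN_DEV" ] || [ -z "$RED_DEV" ] || [ -z "$GREEN_NETADDRESS" ] || [ -z "$GREEN_NETMASK" ]; then
        echo "$settings does not define GREEN_DEV/RED_DEV/GREEN_NETADDRESS/GREEN_NETMASK" >&2
        return 1
    fi

    # start from an empty chain so re-running never stacks duplicate rules
    $IPT -F CUSTOMFORWARD

    while read -r ip proto ports; do
        case "$ip" in ''|'#'*) continue ;; esac
        case "$proto" in
            any)
                $IPT -A CUSTOMFORWARD -i "$GREEN_DEV" -s "$ip" -o "$RED_DEV" -j ACCEPT ;;
            tcp|udp)
                # one rule per port: works even on iptables builds without the multiport match
                for p in $(printf '%s' "$ports" | tr ',' ' '); do
                    $IPT -A CUSTOMFORWARD -i "$GREEN_DEV" -s "$ip" -o "$RED_DEV" -p "$proto" --dport "$p" -j ACCEPT
                done ;;
            *)
                echo "bad policy line: $ip $proto $ports" >&2
                return 1 ;;
        esac
    done < "$policy"

    # everything else from the LAN is dropped; the subnet comes from the
    # settings file so it cannot be mistyped
    $IPT -A CUSTOMFORWARD -i "$GREEN_DEV" -s "$GREEN_NETADDRESS/$GREEN_NETMASK" -o "$RED_DEV" -j DROP
}

# from rc.local:  sh forward.sh --apply /var/ipcop/ethernet/settings /etc/rc.d/forward.policy
if [ "${1:-}" = "--apply" ]; then
    build_forward_rules "${2:-/var/ipcop/ethernet/settings}" "${3:-/etc/rc.d/forward.policy}"
fi
```

Review the output of `IPT=echo sh forward.sh --apply ...` before running it for real; the ordering matters, since the per-host ACCEPTs must precede the subnet-wide DROP, which is why the script flushes and rebuilds the chain every time rather than appending to whatever is already there.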