This is going to be another quick and dirty guide for setting up static NAT aka 1:1 NAT aka 1 to 1 NAT on IPCOP.
Commercial grade routers are expensive beasts. A run of the mill Sonicwall Pro Firewall with DMZ support will set you back well over a thousand dollars. They’re nice, but you also have to pay an extra monthly fee if you want fancy features enabled.
So you have an old PC lying around and a couple of spare network cards, or maybe you get a Soekris 4801-60 ($260, see photo). And you’re thinking to yourself “Well, IPCOP is a free download, I just saved $1200 dollars!”
Not so fast buddy. IPCOP can do most of what my fancy Sonicwall did but you’re going to have to get your hands dirty.
Good Cop:
- Free
- Very powerful on a good computer
- Intrusion detection using Snort (not intrusion prevention)
- DNS caching, transparent proxy, lots of graphs, basic QoS
- Basic VPN support
- Open Source
Bad Cop:
- Not very intuitive, can be frustrating to install
- Advanced features require add ons and text file editing
- Intrusion detection only detects, you need Guardian to beat up the intruders
- DMZ setup is quirky, no transparent DMZ mode
- Tech support limited to forums, I used to know the Sonicwall guys on a first name basis
These are the basic steps involved in getting a firewall running, including a DMZ for your servers with multiple real IP addresses, which will be separate from your green LAN zone. So this is a Red, Orange (DMZ), Green (LAN) setup.
* Set up aliases – This is pretty straightforward, read the manual. You’re basically telling the router about the static IPs associated with your internet connection here (at least those you’re planning on using). Our T1 came with 16 or so.
* Set up port forwarding – Again, just read the manual. Forward port 80 from your virtual IP addresses to your DMZ boxes.
Now you can visit your sites from the outside but if your server connects to an outside site it will appear to be coming from the RED interface on your firewall instead of the alias IP you set up. That’s a problem for a lot of reasons. Email, firewall rules from other machines, etc., start to freak out.
Here’s the fix:
* Turn on SSH (system, SSH status, enable)
* Use PuTTY or whatever to log in on port 222 (not 22), or just use the router’s keyboard/monitor.
* Edit your /etc/rc.d/rc.firewall.local file. It’s very important to put this in the right place. This should go beneath the line containing start) and above the line containing ;;
/sbin/iptables -t nat -I POSTROUTING -o eth1 -s 192.168.1.2 -j SNAT --to-source 23.23.23.23
Make sure you change eth1 to eth0 or whatever your red NIC is named (go to status, network status and look for the red font). Also, change 23.23.23.23 to whatever external IP you want to use (the same IP as used in the alias step above).
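Because a rule pasted outside the start) block is never loaded at boot, here is a small added helper (example code, not from the original post) that builds the SNAT line for your NIC, DMZ host and alias IP, and checks that a copy of rc.firewall.local has the SNAT line between start) and its closing ;;. The interface name, DMZ host and alias IP are assumptions passed by the caller; the two sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: build the SNAT line for
# /etc/rc.d/rc.firewall.local and check it landed inside the start) block.
# Interface name, DMZ host and alias IP are assumptions passed by the caller.

# Return 0 if $1 is a dotted quad with every octet in 0-255.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr '.' ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

# Print the static NAT rule: outbound traffic from DMZ host $2 leaving
# red NIC $1 is rewritten to alias $3 (the alias used for the port
# forward) instead of the red interface address.
snat_rule() {
  valid_ipv4 "$2" && valid_ipv4 "$3" || return 1
  echo "/sbin/iptables -t nat -I POSTROUTING -o $1 -s $2 -j SNAT --to-source $3"
}

# Return 0 only if every SNAT line in the rc.firewall.local text on stdin
# sits between the 'start)' label and the ';;' that closes that branch.
snat_in_start_block() {
  awk '
    /^[[:space:]]*start\)/ { in_start = 1; next }
    /^[[:space:]]*;;/      { in_start = 0; next }
    /SNAT/ && !in_start    { bad++ }
    /SNAT/ && in_start     { good++ }
    END { exit (bad == 0 && good > 0) ? 0 : 1 }'
}

# Constructed sample file: rule correctly placed under start).
GOOD_RC='case "$1" in
start)
  /sbin/iptables -t nat -I POSTROUTING -o eth1 -s 192.168.1.2 -j SNAT --to-source 23.23.23.23
  ;;
stop)
  ;;
esac'

# Constructed sample file: same rule pasted under stop) by mistake.
BAD_RC='case "$1" in
start)
  ;;
stop)
  /sbin/iptables -t nat -I POSTROUTING -o eth1 -s 192.168.1.2 -j SNAT --to-source 23.23.23.23
  ;;
esac'
```

Run it as `cat /etc/rc.d/rc.firewall.local | snat_in_start_block` on the router before rebooting; a non-zero exit means the rule is in the wrong place.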
Reboot. Test it. On your DMZ server install lynx, the text based browser. For Ubuntu that’s sudo apt-get install lynx
At the command line type lynx -dump whatismyip.com
That should spit out something like Your IP is 23.23.23.23
If your DMZ server is running Windows just visit whatismyip.com in a web browser. It should return the IP address of the alias IP you configured earlier and NOT the IP address of your router’s red interface.
*note IPCOP will not let you simply set your DMZ servers up with real IP addresses and use transparent DMZ mode like you can with the Sonicwalls. You have to put them on a subnet separate from the red interface and port forward.
*note2 – Because IPCOP can’t support transparent DMZ mode you have to set the gateway for your DMZ boxes to the DMZ IP address of your IPCOP and not the one provided by your ISP.
*If you want to turn on intrusion prevention, read the following words I found at Snort.org:
Just to clarify, guardian is not an addon to ipcop, it’s just a program that reads snort files and modifies the linux firewall using iptables. Once you get a good sample of your network traffic viewing snort logs, you should get a general idea of what to enable/disable in the SNORT rules. To test it, just run a port scan to the device, and then try to go into the internet from the same device. To make extra sure the blocking is done, you can vi the iptables file in /etc. You should see the ip that’s blocked. It’s not hard to set it up. What’s harder is to configure rules in snort and the ignore list of guardian.