Guard Your Network with IPCop, Part 3: Block Outgoing Traffic

9
13765

Blocking outgoing traffic

The first article in the series discussed IPCop 1.4.21, its basic installation and configuration. Though an excellent firewall distro, basic IPCop has limited functionality. To enhance it, various add-ons are available. We covered the installation and configuration of four important add-ons last month — Advanced Proxy, URL Filter, Update Accelerator, and Calamaris. In this third article in the series, we will cover the installation and basic configuration of “Block Outgoing Traffic”, one of the most important IPCop add-ons.

IPCop has an inherent lacuna in a very important area — it does not filter outgoing traffic based on TCP/UDP ports, but allows all outbound traffic (from the Green to the Red zone) on all ports. “URL Filter” addresses the filtering of websites only. An interesting add-on for this functionality is “Block Outgoing Traffic”, also called BlockOutTraffic or simply BOT.

With this, IPCop can filter outbound traffic based on Green IP/MAC addresses, Internet IP addresses and various services (ports), offering granular control over outgoing traffic, to conform with corporate Internet access policies. To achieve this, BOT creates iptables rules via the Web-based GUI.

It enables IPCop to divide the Green network into groups based on their IP (or MAC) addresses. These groups are then configured to access only the desired services such as HTTP, FTP, telnet, SSH, DNS, etc., either singly or by forming service groups. Control can be further tightened by allowing the services or their groups only to required Internet
addresses.

The parameters of a typical request from the internal network to the Internet include:

  • Source: the IP address and the MAC address
  • Destination: the IP address and MAC address (that of the default gateway)
  • Source: Port number (TCP or UDP)
  • Destination: Services

BOT allows the administrator to configure various groups by different parameters, as elaborated in Table 1.

Group type Group parameter
Internal computers (devices) IP or MAC address
Destination IP address
Services Services required to access destination

Note that source port number is considered not effective for filtering outgoing traffic, since it is generated by the requesting device.

To establish the access policy, BOT creates iptables rules to allow various groups of internal devices to access various groups of Internet destinations using groups of services.

Now let’s configure a typical Internet access control scenario, to help understand BOT installation and configuration, which appears tricky only until you understand the underlying concept.

We assume the IPCop box was configured as in the previous articles, with TCP 445 for Web access, TCP 800 as proxy port, and the IP address192.168.51.254. Download the BOT binaries.

As explained in earlier articles, copy the BOT binaries to the IPCop box using SCP. (Remember that the non-standard IPCop SSH port is 222 TCP.)  Log on to the IPCop console locally or via SSH and untar the binaries and install BOT:

mkdir BOT
mv ./BlockOutTraffic-3.0.0-GUI-b3.tar.gz ./BOT
cd BOT
tar -xzf BlockOutTraffic-3.0.0-GUI-b3.tar.gz
./setup

This completes the basic setup. Log out from the console/SSH. Further configuration is via the Web-based GUI, so visit it and select Firewall –> Block Outgoing Traffic. You should see something like what is shown in Figure 1.

BOT screen
Figure 1: BOT screen

Click Editto enter the settings menu. Here, you must enter the administrator PC’s MAC address and the IPCop proxy port. This is a security feature restricting IPCop Web GUI access only to this PC. Before saving the setting, re-verify both entries; if you enter the wrong values, you will be locked out of the IPCop Web-based GUI.

MAC address and proxy port configuration
Figure 2: MAC address and proxy port configuration

Next, click Enable BOT. You should see something like what’s shown in Figure 3.

BOT enabled
Figure 3: BOT enabled

Note: If you are locked out by incorrect MAC/proxy port entries, to regain access, you will require physical console access to the IPCop box, and will then have to run the following commands:

iptables -F BOT_INPUT # iptables -F CUSTOMFORWARD

After this, access the IPCop Web GUI and correct the MAC address/proxy port. Disable and immediately enable BOT.

Test configuration

Now, let’s do a test configuration to allow Internet access as detailed in Table 2. This configuration example assumes that all client browsers are configured to use IPCop proxy port 800.

Group name IP address Services allowed Service group Service ports
MailAccess 192.168.51.0/27 POP3, SMTP MailingServices 110 and 25
WebAccess 192.168.51.32/27 Internet access InternetServices IPCop Proxy

The first one allows email (POP3 and SMTP) access from the Green network to the outside (the Internet); the other from the Green network to the IPCop proxy (for Web browsing). Go to the administrator GUI’s Firewall –> Advanced BOT Configmenu option to create groups and access rules (Figure 4).

Advanced BOT configuration
Figure 4: Advanced BOT configuration

And then:

  1. Create the MailAccess list of internal PCs. Under Address Settings, configure MailAccess as Name, 192.168.51.0 as the IP address and 255.255.255.224 (CIDR /27) as the subnet mask.
  2. Create the WebAccess list of internal PCs. Under Address Settings, enter WebAccess, 192.168.51.32 and 255.255.255.224 respectively. Figure 5 shows the created rules.

    Creating groups
    Figure 5: Creating groups
  3. Create the IPCop Proxy custom service. Under Services Settings, enter Service Name as IPCopProxy, Port as 800 (the port defined in Services –> Proxy or Advproxy) and select the TCP Protocol.
  4. Create the MailingServices group. Under Service Grouping, supply MailingServices as the Service Group Name. Select and add the POP and SMTP services from Default Services, as shown in Figure 6.

    Creating the MailingServices group
    Figure 6: Creating the MailingServices group
  5. Now, the final step is to create Access Control rules. Proceed to Firewall –> Block Outgoing Traffic and click on New Rule. Create the rule by selecting the following parameters:
    • Source: Default network: Custom Address — MailAccess
    • Destination: Other Network/Outside: Default networks: Any
    • User Services: Service Groups: MailingServices
  6. Click Rule enabled, add a meaningful remark for this rule, like “MailAccess PCs can use MailingServices” and click Next. Here, you can review the rule. Click Save to create the rule.

Internet access is to be allowed only through the IPCop Proxy. Create an access rule for the WebAccess PCs, to permit access to the IPCop Proxy service:

  • Source — Custom addresses — WebAccess
  • Destination — IPCop Access — User Services — Custom services: IPCopProxy
  • Rule Enabled
  • Remark — WebAccess PCs can access IPCop Proxy

Save the rule.

All BOT rules are available for viewing, editing and duplicating from the Firewall –> Block Outgoing Traffic link. This completes BOT configuration. The access controls in Table 2 are implemented. WebAccess PCs can browse the Internet, but cannot access emails via email clients, while MailAccess PCs can use mail clients but cannot browse the Internet.

Configuration verification

Try browsing the Web from a PC with an address not mentioned in the WebAccess range, say 192.168.51.25. The browsing does not work, and the log confirms this by showing GREEN DROP under the Chain column. The log shows Dst Port as 800, by its default service, MDBS_DAEMON.

Now, try browsing the Internet from a PC with an address in the WebAccess range, say 192.168.51.35 — and as expected, it works. You can also check Logs –> Proxy Logs in the IPCop Web GUI to confirm this. You can further check POP and SMTP access from email clients on computers in the two groups, and see if it works as desired.

Firewall Log denying Internet Access
Figure7: Firewall Log denying Internet Access

Troubleshooting

A few services may stop functioning after enabling BOT. This is because BOT blocks all traffic that is not explicitly allowed. Go to your BOT settings and enable the logging of packets that have not matched a BOT rule. Re-enable BOT and try your service again. Then look into the IPCop firewall logs under Logs –> Firewall Log for the blocked traffic — to get hints about which rule is missing. Now you should be able to create the missing BOT Accept rule.

9 COMMENTS

  1. Why did you write an entire article (written just last month) about ipcop 1.4.21 when ipcop 2.0.4 is the current version and it’s been out in the major 2.x version since Sept 2011?

    •  The most important reason – many addons are still not available for the latest version, 1.4.21 works perfect without any trouble  even today.

      Please check the same column June onwards for 2.0 series.

      Thanks,
      Rajesh

  2. As you pointed out correctly, it does use IPTables, here are few important points:

    User can configure the firewall easily from the web based interface.
    Several functionalities such as IPSec VPN, time server are built in.

    With several addons, the functionality goes to excellent levels, such
    as OpenVPN server, URL Filter with auto blacklist updates, etc.

  3. Please i need your help: i want just limit the Pop3 download with IPCop, is it possible? I suppose that with BOT i can only block the port but i just want to limit (for exemple 50kb) the pop3 download in order to avoid bad HDSL performance.

  4. I have installed the BOT on my IPCop 2.1.4 but after installing the BOT I am not able to access any firewall feature from WebConsole and I am also getting error on CLI mode as well.

    Error Message:

    Can’t locate /var/ipcop/general-functions.pl in @INC (@INC contains:
    /usr/lib/perl5/5.10.1/i486-linux /usr/lib/perl5/5.10.1
    /usr/lib/perl5/site_perl/5.10.1/i486-linux
    /usr/lib/perl5/site_perl/5.10.1 .) at /home/httpd/cgi-bin/fwrules.cgi
    line 54.

    For help, please send mail to the webmaster (root@localhost), giving this error message and the time and date of the error.

    Could you please help me to resolve this error?

LEAVE A REPLY

Please enter your comment!
Please enter your name here