IPCop.org FAQs (frequently-asked questions)
Category: Main -> Port Forwarding (for versions prior to 1.3.0)

How do I forward traffic to an internal web server?
To forward traffic to an internal web server you need to:
Open the web interface to IPCop.
Select the Services/External Service Access menu item.
Add an entry for:
TCP
Add a source address (only that address may connect) or leave it blank for access from any address. A blank entry exposes the web server to the whole Internet, so restrict it if you can.
Port 80
Check the Enabled box
Press the SAVE button.
Then select "Port Forwarding"
Add an entry for:
TCP, Source Port=80, IP address of your web server, Destination Port=80
Ensure the Enabled box is checked
Press the ADD button.
You should now have WWW forwarding to your internal web server.

Why doesn't my WWW forwarding work?
Since Code Red and Nimda some ISPs have blocked port 80 (www) for their consumers. So although you have port 80 set up correctly, your ISP could be blocking traffic to that port. Talk to your ISP to see if they have this policy in place. To work around it, expose a different external port such as 82 or 8080 (i.e. not port 80): add that port in External Service Access, add a Port Forwarding entry with Source Port=8080 and Destination Port=80, and browse to http://address:8080 instead.
How do I forward traffic to an internal FTP server?
There are two different modes of communication used by ftp, active and passive mode. Active mode is pretty simple to forward, but passive mode needs a bit more work. Passive mode is usually used by users behind a firewall and also by most web browsers.
To forward active mode traffic to an internal ftp server you need to:
Open the web interface to IPCop.
Select the Services/External Service Access menu item.
Add an entry for:
TCP
Add a source address (only that address may connect) or leave it blank for access from any address
Port 21
Check the Enabled box
Press the SAVE button.
Then select "Port Forwarding"
Add an entry for:
TCP, Source Port=21, IP address of your ftp server, Destination Port=21
Ensure the Enabled box is checked
Press the ADD button.
You should now have a working forwarding of active ftp to your internal ftp server. Now let's add configuration for passive ftp.
Passive ftp uses high ports for the data connection. If you don't want to add a great many ports to your port forward configuration, configure your ftp-server to use a limited set of passive ports: in proftpd this is done with a "PassivePorts" directive in the configuration, in wuftpd with the "passive ports" setting in ftpaccess, etc.
Now that you have limited the passive ports you need to forward them to your internal ftp-server
To forward your passive ports to your internal ftp server:
Open the web interface to IPCop.
Select "Port Forwarding"
Add an entry for:
TCP, Source Port="your passive port", IP address of your ftp server, Destination Port="your passive port"
Ensure the Enabled box is checked
Press the ADD button.
Do this for all the ports you have configured your ftp-server to use in passive mode.
Now we have to work around a problem (present at least in version 0.1.1) in IPCop masquerading. Open a shell on your IPCop machine with ssh or on the console. Use vi to edit the file /etc/rc.d/rc.network and change the line:
"modprobe ip_masq_ftp ports=21,2121"
to:
"modprobe ip_masq_ftp in_ports=21"
Now restart your ftp-server and reboot your IPCop computer to enable the changes; ftp should then work in both active and passive mode.

How do I forward traffic to an internal SSH server?
To forward traffic to an internal SSH server you need to:
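The failure modes of the passive setup above are easiest to see from the outside: the server either advertises its own private address in the PASV reply (the masquerading module is not rewriting it) or hands out a data port you did not forward. The following is an added example, not IPCop or proftpd code, that parses a PASV reply, checks it against the forwards, and lists the Port Forwarding rows a passive range needs. The passive range 60000-60010, the Red address 203.0.113.10 and the ftp-server address 192.168.2.3 are assumptions; substitute your own.

```python
# Added example, not IPCop or proftpd code: parse a PASV reply as an outside
# client sees it and check it against the forwards set up above.
import re
import socket
from ipaddress import ip_address, ip_network

# Assumed values: adjust to your own PassivePorts directive, Red address and
# ftp-server address. 203.0.113.10 is a documentation address.
PASSIVE_RANGE = (60000, 60010)      # assumed "PassivePorts 60000 60010" in proftpd.conf
PUBLIC_IP = "203.0.113.10"          # assumed IPCop Red address
FTP_SERVER_IP = "192.168.2.3"       # assumed ftp-server on Orange

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def is_rfc1918(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_pasv(reply: str):
    """Return (host, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"not a PASV reply: {reply!r}")
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    if max(a, b, c, d, p1, p2) > 255:
        raise ValueError(f"octet out of range in {reply!r}")
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def check_pasv(reply: str, public_ip=PUBLIC_IP, passive_range=PASSIVE_RANGE):
    """List what would stop an outside client opening the data connection."""
    host, port = parse_pasv(reply)
    problems = []
    if is_rfc1918(host):
        # The server handed out its own private address: the masquerading
        # module is not rewriting the reply (see the ip_masq_ftp change above).
        problems.append(f"advertised address {host} is private, not rewritten to {public_ip}")
    elif host != public_ip:
        problems.append(f"advertised address {host} is not the Red address {public_ip}")
    lo, hi = passive_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside the forwarded range {lo}-{hi}")
    return problems


def forward_entries(passive_range=PASSIVE_RANGE, server_ip=FTP_SERVER_IP):
    """The Port Forwarding rows still to add: one TCP row per passive port."""
    lo, hi = passive_range
    return [("TCP", p, server_ip, p) for p in range(lo, hi + 1)]


def _read_reply(f):
    """Read one FTP reply, including '227-' style multi-line continuations."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("server closed the control connection")
        line = raw.decode("ascii", errors="replace").rstrip("\r\n")
        lines.append(line)
        if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
            return "\n".join(lines)


def probe_pasv(host, port=21, user="anonymous", password="test@example.invalid", timeout=5.0):
    """Log in through the forward from outside and return the raw PASV reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        f = s.makefile("rb")
        _read_reply(f)                                   # greeting
        for cmd in (f"USER {user}", f"PASS {password}"):
            s.sendall((cmd + "\r\n").encode("ascii"))
            _read_reply(f)
        s.sendall(b"PASV\r\n")
        return _read_reply(f)


if __name__ == "__main__":
    import sys
    reply = probe_pasv(sys.argv[1] if len(sys.argv) > 1 else PUBLIC_IP)
    print(reply)
    print(check_pasv(reply) or "PASV reply looks right")
```

Run it from a machine outside the Red network against your external address. If the reply still shows the private address after the rc.network change, proftpd can also be told the public address directly with its MasqueradeAddress directive; the port range check stays the same either way.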
Open the web interface to IPCop.
Select the Services/External Service Access menu item.
Add an entry for:
TCP
Add an address or blank for access from any address
Port 22 (or another port if you prefer)
Check the Enabled box
Press the SAVE button.
Then select "Port Forwarding"
Add an entry for:
TCP, Source Port=22 (or the port entered above), IP address of your SSH server, Destination Port=22
Ensure the Enabled box is checked
Press the ADD button.
You should now have external access to your SSH server. To test access to the server, from a machine on the outside network do:
telnet MY_EXTERNAL_IP_ADDRESS 22 (Substitute the appropriate number for 22 if you used a non-standard port above)
You should see a banner from your SSH server. For example:
# telnet myserver.com 22
Trying 64.28.67.251...
Connected to myserver.com.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.1p1
^]
telnet> quit
Connection closed.
Remember: to SSH remotely to IPCop itself, just add port 222 to External Service Access; do not forward any ports.
Applies to: [x] 1.1 [x] 1.2 [x] 1.3 (all versions)

How do I forward traffic to an internal VNC server?
Open the web interface to IPCop.
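The telnet test above can be automated, which is handy when you have several forwards to re-check after a change. This is an added example and not IPCop or OpenSSH code: tcp_open() only confirms that a TCP connection through a forward succeeds, so it also serves the WWW, VNC and PCAnywhere forwards, while probe_ssh() reads the server's identification string and parses it in the RFC 4253 "SSH-protoversion-softwareversion" form. The host myserver.com and port 22 are placeholders for your own Red address and forwarded port.

```python
# Added example, not IPCop or OpenSSH code: automate the telnet banner test.
import re
import socket

# Assumed host and port; substitute your Red address and forwarded port.
EXTERNAL_HOST = "myserver.com"
SSH_PORT = 22

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments"
BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")


def parse_ssh_banner(line: str) -> dict:
    """Parse one identification line such as 'SSH-1.99-OpenSSH_3.1p1'."""
    line = line.rstrip("\r\n")
    m = BANNER_RE.match(line)
    if m is None:
        raise ValueError(f"not an SSH identification string: {line!r}")
    proto, software, comments = m.groups()
    # "1.99" is how a server that still accepts SSH-1 as well as SSH-2
    # identifies itself; "2.0" means SSH-2 only. Protocol 1 has known
    # weaknesses, so a forwarded server showing 1.99 should have it disabled.
    return {
        "protocol": proto,
        "software": software,
        "comments": comments,
        "ssh1_offered": proto.startswith("1."),
    }


def tcp_open(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP connection through the forward succeeds (no banner needed)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ssh(host: str = EXTERNAL_HOST, port: int = SSH_PORT, timeout: float = 5.0) -> dict:
    """Connect, skip any pre-banner lines the RFC allows, parse the SSH- line."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        f = s.makefile("rb")
        for _ in range(20):                # servers may send a few lines first
            raw = f.readline()
            if not raw:
                break
            line = raw.decode("ascii", errors="replace")
            if line.startswith("SSH-"):
                return parse_ssh_banner(line)
    raise ConnectionError(f"{host}:{port} accepted the connection but sent no SSH banner")


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else EXTERNAL_HOST
    port = int(sys.argv[2]) if len(sys.argv) > 2 else SSH_PORT
    info = probe_ssh(host, port)
    print(info)
    if info["ssh1_offered"]:
        print("warning: server still offers SSH protocol 1")
```

A connection that succeeds but returns no "SSH-" line usually means the forward points at the wrong internal host or port; a connection that times out means the External Service Access entry or the ISP is dropping it before IPCop forwards anything.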
Select the Services/External Service Access menu item.
Add entries for:
TCP
Add an address or blank for access from any address
Port 5900 (or another port if you prefer)
Check the Enabled box
Press the SAVE button.
TCP
Add an address or blank for access from any address
Port 5901 (or another port if you prefer)
Check the Enabled box
Press the SAVE button.
Then select "Port Forwarding"
Add entries for:
TCP, Source Port=5900 (or the port entered above), IP address of your VNC server, Destination Port=5900
TCP, Source Port=5901 (or the port entered above), IP address of your VNC server, Destination Port=5901
Ensure the Enabled box is checked
Press the ADD button.
You should now have external access to your VNC server.
Applies to: [x] 1.1 [x] 1.2 [x] 1.3 (all versions)

How do I forward traffic to an internal PCAnywhere machine?
Open the web interface to IPCop.
Select the Services/External Service Access menu item.
Add entries for:
TCP
Add an address or blank for access from any address
Port 5631 (or another port if you prefer)
Check the Enabled box
Press the SAVE button.
UDP
Add an address or blank for access from any address
Port 5632 (or another port if you prefer)
Check the Enabled box
Press the SAVE button.
Then select "Port Forwarding"
Add entries for:
TCP, Source Port=5631 (or the port entered above), IP address of your PCAnywhere server, Destination Port=5631
UDP, Source Port=5632 (or the port entered above), IP address of your PCAnywhere server, Destination Port=5632
Ensure the Enabled box is checked
Press the ADD button.
You should now have external access to your PCAnywhere server.
Applies to: [x] 1.1 [x] 1.2 [x] 1.3 (all versions)

Why can't I access my public servers from the Green network?
You are unable to access public servers by name from the Green network. This is because the public DNS name resolves to your Red IP address (or one of your Red aliases), and the port forwarder only forwards packets that arrive on the Red interface, not the Green.
The preferred way around this is to make the public DNS name resolve to the private IP address for client machines on the Green network. If IPCop is providing DNS for the Green network then it is a simple matter of adding the private IP address and public host name to /etc/hosts.
Login to the IPCop console as root and edit a file named /etc/hosts.
Do not remove or change the first two lines of /etc/hosts!
Example /etc/hosts
127.0.0.1 localhost
192.168.1.x ipcop
# Add comments if you like.
192.168.2.1 www.mypublicwebserver.com
# To enable internal access to public webserver on Orange
192.168.2.2 mail.mypublicmailserver.org
# To enable internal access to public mailserver on Orange
Reboot and you are done.
If you are using a different internal DNS server, you will need to edit the configuration so that it will resolve the public host name to the private IP address. You could also try setting it up to act as a forwarder to the IPCop box - in this case it will resolve hosts it knows about, anything else gets forwarded to the IPCop box. If you don't use internal DNS for some reason, you can try editing the hosts file on each of the machines on the Green network. Detailed instructions on how to do this are beyond the scope of this FAQ.
You can test public access to your webserver by using a web proxy (usually provided by your ISP). An anonymiser site works as well.
Applies to: [x] 1.1 [x] 1.2 [x] 1.3 (all versions)

How can I block my internal users from accessing a particular external service, such as Telnet, AOL etc?
Add a new ipchains rule to the /etc/rc.d/firewall.up script. The example below will block all connections from the Green network 192.168.1.0/24 to port 5190, used by AOL:
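Because the /etc/hosts trick only works if every public name maps to a private address and the two lines IPCop relies on stay in place, it is worth checking the file after editing it. The following is an added example, not IPCop code: it parses a hosts file and reports any public name that is missing or still points at a public address. The sample file is constructed from the FAQ's example above, with 192.168.1.1 assumed as the Green address in place of "192.168.1.x".

```python
# Added example, not IPCop code: check that /etc/hosts on IPCop maps the
# public names to private addresses and keeps the two lines IPCop needs.
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Constructed sample based on the FAQ's /etc/hosts; 192.168.1.1 is an
# assumed Green address standing in for "192.168.1.x".
EXAMPLE_HOSTS = """\
127.0.0.1 localhost
192.168.1.1 ipcop
# Add comments if you like.
192.168.2.1 www.mypublicwebserver.com
# To enable internal access to public webserver on Orange
192.168.2.2 mail.mypublicmailserver.org
# To enable internal access to public mailserver on Orange
"""

PUBLIC_NAMES = ["www.mypublicwebserver.com", "mail.mypublicmailserver.org"]


def is_rfc1918(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_hosts(text: str):
    """Return [(address, [names...]), ...], dropping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        entries.append((addr, names))
    return entries


def check_hosts(text: str, public_names=PUBLIC_NAMES):
    """Return problems that would leave Green clients going to the Red address."""
    entries = parse_hosts(text)
    problems = []
    if not entries or entries[0][0] != "127.0.0.1" or "localhost" not in entries[0][1]:
        problems.append("first line is not '127.0.0.1 localhost'")
    if len(entries) < 2 or "ipcop" not in entries[1][1]:
        problems.append("second line does not map the Green address to 'ipcop'")
    by_name = {}
    for addr, names in entries:
        for name in names:
            by_name[name] = addr
    for name in public_names:
        addr = by_name.get(name)
        if addr is None:
            problems.append(f"{name}: no entry, so it resolves to the Red address from Green")
            continue
        try:
            private = is_rfc1918(addr)
        except ValueError:        # not an IP address at all
            private = False
        if not private:
            problems.append(f"{name} -> {addr}: not a private address; the forward will not apply from Green")
    return problems


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/hosts"
    with open(path) as fh:
        print(check_hosts(fh.read()) or "hosts file looks right")
```

Run it on IPCop as `python check_hosts.py /etc/hosts` (or copy the file to another machine first); PUBLIC_NAMES should list every name you expect Green clients to reach through the forwards.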
ipchains -I input -j DENY -p tcp -s 192.168.1.0/24 -d 0.0.0.0/0 5190
Note: IPCop 1.3 uses iptables instead of ipchains, so this rule must be rewritten in iptables syntax for 1.3.
Applies to: [x] 1.1 [x] 1.2 [ ] 1.3 (versions 1.1 and 1.2 only)

How do I forward traffic to an internal Netmeeting server?
Unanswered, but suggested question.

How do I forward traffic to an internal VOIP machine?
Unanswered, but suggested question.

Other useful links
Laplink: www.laplink.com/support/kb/article.asp?ID=633