Archive for the ‘ipcop’ Category

ntop and ipcop 1.4.20

November 23, 2009

Download ntop addon from here:
Transfer it to /root on the ipcop machine.
From an ssh session on ipcop:
cd /usr/lib
ln -s
cd /root
tar -zxvf ntop_ipcop_1.4.8.tar.gz
cd ntop
From the ipcop GUI, refresh the view and choose NTOP from the SERVICES menu.
Click the Start button, and refresh.
A link is now shown for Ntop Webinterface (http).


The ln -s  is necessary due to a change since ipcop v 1.4.18

Categories: ipcop, linux, networking

IPCOP traffic shaping for simple, effective qos

August 4, 2009

Using the default traffic shaper works really well for simple QoS needs. Set your defined RTP ports (e.g. UDP 3000 and 3001) and UDP 5060 and UDP 4569 as high priority. Add any offending traffic (e.g. GoToMeeting at UDP 8200) as low or medium. It takes about 5 minutes and works like a charm!

Categories: Asterisk, ipcop, networking, VoIP

1:1 NAT (SNAT) with IPCop or other IPTables firewalls.

November 27, 2007

This could be needed for any number of reasons, but I needed to do this to have two trixbox Pro servers live next to each other on the same LAN behind an IPCop firewall. They were reporting back the same IP address to the hybrid hosting source, so inbound connections to both were routing to the one server. Normally this is remedied manually by changing the externip in sip.conf, but that is set automatically with trixbox pro, and not an option.

You need to log into the firewall at the console or via ssh. You need to comment out one line to disable masquerading, and add a few more in its place:

nano /etc/rc.d/rc.firewall

#Individual machine on GREEN
/sbin/iptables -t nat -A POSTROUTING -s -j SNAT --to-source
#all other machines on GREEN
/sbin/iptables -t nat -A POSTROUTING -s -j SNAT --to-source
#all other machines on ORANGE
/sbin/iptables -t nat -A POSTROUTING -s -j SNAT --to-source
# original masquerading rule, commented out:
# /sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
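
One way to generate the replacement rules in a safe order, as an added example that is not from the original post: nat rules are first-match, so the single-host rule has to come before the rule covering the rest of GREEN. All addresses are constructed placeholders, the function names are hypothetical, and the `-o` match on the RED interface is an addition that keeps GREEN-to-ORANGE traffic from being rewritten.

```shell
#!/bin/sh
# Added example: print 1:1 SNAT rules for rc.firewall in first-match order.
# Addresses used below are constructed placeholders, not values from the post.

# is_ipv4 ADDR -> status 0 if ADDR is a dotted quad with octets 0-255
is_ipv4() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i > 255) exit 1 }'
}

# snat_rules RED_IF HOST HOST_PUBLIC GREEN_NET ORANGE_NET SHARED_PUBLIC
snat_rules() {
    red_if=$1 host=$2 host_pub=$3 green=$4 orange=$5 shared=$6
    for a in "$host" "$host_pub" "${green%/*}" "${orange%/*}" "$shared"; do
        is_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    # A 1:1 mapping onto the shared address would be no mapping at all.
    [ "$host_pub" != "$shared" ] || {
        echo "1:1 address must differ from the shared address" >&2; return 1; }
    ipt="/sbin/iptables -t nat -A POSTROUTING -o $red_if"
    # Most specific source first: the single host, then the networks.
    echo "$ipt -s $host -j SNAT --to-source $host_pub"
    echo "$ipt -s $green -j SNAT --to-source $shared"
    echo "$ipt -s $orange -j SNAT --to-source $shared"
}

# Constructed values; the literal $IFACE is left for rc.firewall to expand.
snat_rules '$IFACE' 192.168.1.10 203.0.113.11 \
    192.168.1.0/24 192.168.2.0/24 203.0.113.10
```

The 1:1 address must already be bound to RED (for example as an alias), otherwise replies sent to it never reach the firewall.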

TFTP through IPCOP or other iptables firewalls

November 25, 2007

TFTP uses UDP packets. The client connects from a random port to port 69, then the server connects back to the original port. This does not survive NAT (network address translation), possibly not on either end. trixbox pro and many other phone systems use TFTP for provisioning phones, so this is a problem for remote phones. Here is a fix that allows tftp traffic through an iptables based firewall (IPCop in this example).

You will need to enable ssh on the firewall and connect a session. IPCop uses non-standard port 222, and can usually only be connected to from the internal (green) network.

nano /etc/rc.d/

add these two lines:
modprobe ip_conntrack_tftp
modprobe ip_nat_tftp

Save and exit.

For immediate effect, repeat the two lines at the command prompt, or reboot the firewall. I had to repeat this on both firewalls, as IPCop firewalls were on both ends.
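
Why the transfer fails without the helper modules, as a simplified model (added example, not from the original post; addresses, ports and function names are constructed, and the NAT rewriting itself is left out). The server sends its data from a new port rather than 69, so a plain stateful firewall sees no matching flow; the helper admits only that server's reply to the requesting client port.

```shell
#!/bin/sh
# Added example: simplified model of a stateful firewall handling a TFTP read.
# Addresses and ports are constructed.

# Constructed trace: direction, source, destination, packet label.
trace() {
cat <<'EOF'
out 192.168.1.50:40001 203.0.113.5:69 RRQ
in 203.0.113.5:51234 192.168.1.50:40001 DATA1
in 198.51.100.9:51234 192.168.1.50:40001 STRAY
EOF
}

# verdicts HELPER  (1 = conntrack TFTP helper loaded, 0 = not loaded)
# Prints "<label> <ACCEPT|DROP>" for each packet in the trace.
verdicts() {
    trace | awk -v helper="$1" '
    $1 == "out" {
        flow[$2 " " $3] = 1                  # state: client endpoint to server endpoint
        split($3, dst, ":")
        if (helper == 1 && dst[2] == 69)     # helper parses the request on port 69 and
            expect[dst[1] " " $2] = 1        # expects data from that server, any port
        print $4, "ACCEPT"
    }
    $1 == "in" {
        split($2, src, ":")
        reply = $3 " " $2                    # exact reverse of a tracked flow?
        related = src[1] " " $3              # or covered by a helper expectation?
        if ((reply in flow) || (related in expect)) print $4, "ACCEPT"
        else print $4, "DROP"
    }'
}

echo "without helper:"; verdicts 0
echo "with helper:";    verdicts 1
```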

If using trixbox pro, you also need to make a few minor changes to the configuration files for the phones in order for the phone to try the correct server. Change the settings to where NNNN is your server number. I modified the file itself. Fonality recommends modifying the phone config on the phone once it is initially configured.

Ubuntu Network Manager and openvpn

November 8, 2007

This worked perfectly with my Ubuntu 7.10 Gutsy Gibbon laptop. I installed the network-manager-openvpn package. I used the file I created from the openvpn ipcop page, and pulled the necessary files out of the .p12 file.

cd <path to .p12 file>
sudo su
aptitude install network-manager-openvpn
openssl pkcs12 -nocerts -in default.p12 -out userkey.pem
openssl pkcs12 -nokeys -clcerts -in default.p12 -out usercert.pem
openssl pkcs12 -nokeys -cacerts -in default.p12 -out userca.pem
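
A check worth running on the extracted key afterwards, as an added example that is not from the original post: because of `sudo su` the files are created by root, and with a typical 022 umask userkey.pem ends up readable by every local user. `audit_key` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit a private key extracted with "openssl pkcs12 -nocerts".

# audit_key FILE -> prints one finding per line; status 1 if there are any
audit_key() {
    key=$1 findings=0
    [ -f "$key" ] || { echo "missing: $key"; return 1; }
    # Mode string from ls, e.g. -rw-r--r--; characters 5-10 are group/other bits.
    mode=$(ls -lLd -- "$key" | cut -c1-10)
    case $(echo "$mode" | cut -c5-10) in
        ------) ;;
        *) echo "group/other access on $key ($mode): chmod 600"; findings=1 ;;
    esac
    # Without -nodes, openssl writes the key encrypted: either a PKCS#8
    # "ENCRYPTED PRIVATE KEY" block or a legacy "Proc-Type: 4,ENCRYPTED" header.
    if ! grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|^Proc-Type: 4,ENCRYPTED' "$key"; then
        echo "private key in $key is not passphrase-protected"; findings=1
    fi
    return $findings
}

# Usage: sh audit_key.sh userkey.pem
for f in "$@"; do
    audit_key "$f"
done
```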

MYHREN.ORG » Networkmanager and openvpn


Categories: ipcop, linux, networking, ubuntu

OpenVPN tunnel with OSX and IPCop

November 8, 2007

IPCop with a plugin from Zerina and OSX software client Tunnelblick. Tunnelblick 3.0B4 works well with ZERINA-0.9.7a10. Note: the newer version of Tunnelblick would crash on a G3 iBook running Mac OS X v 10.4.1.

I followed the directions at this site and it worked easily.

Categories: ipcop, networking, OSX

Copfilter Spam Filter Problem Resolved

July 10, 2007

Apparently the ix blacklist provider used by Copfilter, which is used if you choose the Razor, DCC, DNSBL option on the antispam settings, had a DDOS attack this year and as a result closed their service to non-registered users. The effect this had on my copfilter installations was the antispam scan times went from 3-6 sec to 50+ seconds. On a busy system all those scan jobs would effectively be a DDOS attack on your inbound mail. Disabling Razor, DCC and DNSBL would enable mail, but also allow through a large % of previously identified (in our case deleted) spam.

The resolution is to modify one text file manually:


What I did was copy it locally so I could cut and paste (plus make a backup of it). Then I copied it back to the firewall. You need to comment out and move the two sections about ix in the file to below the line # COPFILTER END – SPAM_SCAN_SPEEDUP

#header NIX_SPAM eval:check_rbl('nix-spam', '')
#describe NIX_SPAM Listed in NIX_SPAM DNSBL (thanks to
#tflags NIX_SPAM net
#score NIX_SPAM 2.0

#loadplugin iXhash
#body IXHASH eval:ixhashtest('')
#describe IXHASH This mail has been classified as spam @ iX Magazine, Germany
#tflags IXHASH net
#score IXHASH 1.5

Then add in this known good blacklist provider:

#SPAMHAUS blacklist
header RCVD_IN_XBL_SPAMHAUS_ORG rbleval:check_rbl('relay', '')
describe RCVD_IN_XBL_SPAMHAUS_ORG Received via a relay in

If you add that in above the END – SPAM_SCAN_SPEEDUP line, it will be enabled/disabled with the others via the GUI. Then just restart the copfilter services and all is well again.

official copfilter support-forum :: Thema anzeigen – ix DNSBL requires registration of IP address

Categories: ipcop, linux, networking