EBOX 1.2


  • 7/28/2019 EBOX 1.2

    1/207

    eBox 1.2 for Network Administrators

    Revision 1.2

    EBOX PLATFORM - TRAINING

    http://www.ebox-technologies.com/

    STUDENT GUIDE


This document is distributed under the Creative Commons Attribution-Share Alike license, version 2.5 (http://creativecommons.org/licenses/by-sa/2.5/).

This document uses images from the Tango Desktop Project (http://tango.freedesktop.org/), also distributed under the Creative Commons Attribution-Share Alike license, version 2.5.


    Contents

    1 eBox Platform: unified server for SMEs 1

    1.1 Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

    1.2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

    1.2.1 eBox Platform installer . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

    1.3 Administration web interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

    1.4 How does eBox Platform work? . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

    1.5 Location within the network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

    1.5.1 Local network configuration . . . . . . . . . . . . . . . . . . . . . . . . . 16

    1.5.2 Network configuration with eBox Platform . . . . . . . . . . . . . . . . . . 17

    1.5.3 Network diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

    2 eBox Infrastructure 25

    2.1 Network configuration service (DHCP) . . . . . . . . . . . . . . . . . . . . . . . 25

    2.1.1 DHCP server configuration with eBox . . . . . . . . . . . . . . . . . . . . 26

    2.2 Name resolution service (DNS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

    2.2.1 DNS cache server configuration with eBox . . . . . . . . . . . . . . . . . 31

    2.2.2 DNS server configuration with eBox . . . . . . . . . . . . . . . . . . . . . 32

    2.3 Web data publication service (HTTP) . . . . . . . . . . . . . . . . . . . . . . . . 35

    2.3.1 Hyper Text Transfer Protocol . . . . . . . . . . . . . . . . . . . . . . . . 35

    2.3.2 The Apache Web server . . . . . . . . . . . . . . . . . . . . . . . . . . 38

    2.3.3 Virtual domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

    2.3.4 HTTP server configuration with eBox . . . . . . . . . . . . . . . . . . . . 39

    2.3.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

    2.4 Time synchronization service (NTP) . . . . . . . . . . . . . . . . . . . . . . . . 42

    2.4.1 NTP server configuration with eBox . . . . . . . . . . . . . . . . . . . . . 42

    3 eBox Gateway 45

    3.1 High-level eBox network abstractions . . . . . . . . . . . . . . . . . . . . . . . . 45

    3.1.1 Network objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45


    3.1.2 Network services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

    3.2 Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

    3.2.1 The firewall in GNU/Linux: Netfilter . . . . . . . . . . . . . . . . . . . . . 51

    3.2.2 eBox security model . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

    3.2.3 Firewall configuration with eBox . . . . . . . . . . . . . . . . . . . . . . . 52

    3.2.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

    3.2.5 Suggested exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

    3.3 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

    3.3.1 Routing tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

    3.3.2 Multirouter rules and load balancing . . . . . . . . . . . . . . . . . . . . . 62

    3.4 Traffic shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

    3.4.1 Quality of Service (QoS) . . . . . . . . . . . . . . . . . . . . . . . . . . 65

    3.4.2 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

    3.5 HTTP Proxy Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

    3.5.1 Access policy configuration . . . . . . . . . . . . . . . . . . . . . . . . . 69

    3.5.2 Client connection to the proxy and transparent mode . . . . . . . . . . . . 71

    3.5.3 Cache parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

    3.5.4 Web content filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

    4 eBox Office 79

    4.1 Directory service (LDAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

    4.1.1 Users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

    4.2 File sharing service and remote authentication . . . . . . . . . . . . . . . . . . . 85

    4.2.1 File sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

    4.2.2 SMB/CIFS and its Linux Samba implementation . . . . . . . . . . . . . . . 86

    4.2.3 Primary Domain Controller (PDC) . . . . . . . . . . . . . . . . . . . . . . 86

    4.2.4 eBox as file server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

    4.2.5 SMB/CIFS clients configuration . . . . . . . . . . . . . . . . . . . . . . . 89

    4.2.6 eBox as authentication server . . . . . . . . . . . . . . . . . . . . . . . . 92

    4.2.7 PDC Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 94

    4.3 Printers sharing service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

    4.3.1 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

    4.4 Groupware Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

    4.4.1 Groupware service settings with eBox . . . . . . . . . . . . . . . . . . . . 99

    4.4.2 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

    5 eBox Unified Communications 105

    5.1 Electronic Mail Service (SMTP/POP3-IMAP4) . . . . . . . . . . . . . . . . . . . . 105

    5.1.1 How electronic mail works through the Internet . . . . . . . . . . . . . . . 106


    5.1.2 SMTP/POP3-IMAP4 server configuration with eBox . . . . . . . . . . . . . 107

    5.2 Instant Messaging (IM) Service (Jabber/XMPP) . . . . . . . . . . . . . . . . . . . 114

    5.2.1 Configuring a Jabber/XMPP server with Ebox . . . . . . . . . . . . . . . . 114

    5.2.2 Setting up a Jabber client . . . . . . . . . . . . . . . . . . . . . . . . . . 116

    5.2.3 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

    5.3 Voice over IP service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

    5.3.1 Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

    5.3.2 Codecs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

    5.3.3 Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

    5.3.4 Asterisk server configuration with eBox . . . . . . . . . . . . . . . . . . . 124

    5.3.5 Configuring a softphone to work with eBox . . . . . . . . . . . . . . . . . 127

    5.3.6 Ekiga (Gnome) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

    5.3.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

    6 eBox Unified Threat Manager 133

    6.1 Mail Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

    6.1.1 Mail filter schema in eBox . . . . . . . . . . . . . . . . . . . . . . . . . . 134

    6.1.2 External connection control lists . . . . . . . . . . . . . . . . . . . . . . 141

    6.1.3 Transparent proxy for POP3 mailboxes . . . . . . . . . . . . . . . . . . . 142

    6.1.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

    6.1.5 Proposed exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

    6.2 HTTP Proxy advanced configuration . . . . . . . . . . . . . . . . . . . . . . . . 145

    6.2.1 Group based filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

    6.2.2 Group-based filtering for objects . . . . . . . . . . . . . . . . . . . . . . 146

    6.2.3 Filter profiles configuration . . . . . . . . . . . . . . . . . . . . . . . . . 146

    6.2.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

    6.3 Secure interconnection between local networks . . . . . . . . . . . . . . . . . . . 149

    6.3.1 Virtual Private Network (VPN) . . . . . . . . . . . . . . . . . . . . . . . 149

    6.3.2 Public Key Infrastructure (PKI) with a Certification Authority (CA) . . . . . . . 149

    6.3.3 CA configuration with eBox Platform . . . . . . . . . . . . . . . . . . . . 151

    6.3.4 Configuring a VPN with eBox . . . . . . . . . . . . . . . . . . . . . . . . 153

    6.4 Intrusion Detection System (IDS) . . . . . . . . . . . . . . . . . . . . . . . . . . 163

    6.4.1 Setting up an IDS with eBox . . . . . . . . . . . . . . . . . . . . . . . . 164

    6.4.2 IDS Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

    6.4.3 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

    7 eBox Core 167

    7.1 Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

    7.1.1 Logs configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170


    7.2 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

    7.2.1 Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

    7.2.2 Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

    7.2.3 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

    7.3 Events and alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

    7.3.1 Practical Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

    7.3.2 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

    7.4 Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

    7.4.1 The backup system design . . . . . . . . . . . . . . . . . . . . . . . . . 183

    7.4.2 Backup configuration with eBox . . . . . . . . . . . . . . . . . . . . . . . 184

    7.4.3 How to recover on a disaster . . . . . . . . . . . . . . . . . . . . . . . . 189

    7.4.4 Configuration backups . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

    7.4.5 Command line tools for configuration backups . . . . . . . . . . . . . . . . 195

    7.5 Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

    7.5.1 Management of eBox components . . . . . . . . . . . . . . . . . . . . . 196

    7.5.2 System Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

    7.5.3 Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

    7.5.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

    Index 201


Chapter 1

eBox Platform: unified server for SMEs

1.1 Presentation

eBox Platform (http://ebox-platform.com/) is a unified network server that offers easy and efficient computer network management for small and medium enterprises (SMEs). eBox Platform can act as a Network Gateway, a Unified Threat Manager (UTM) [1], an Office Server, an Infrastructure Manager, a Unified Communications Server or a combination of them. This manual is written for version 1.2 of eBox Platform.

All these functionalities are fully integrated and therefore automate most tasks, prevent manual errors and save time for system administrators. This wide range of network services is managed through an easy and intuitive web interface. As eBox Platform has a modular design, you can install on each server only the necessary modules and easily extend the functionality according to your needs. Besides, eBox Platform is released under a free software license (GPL) [2]. The main features are:

- Unified and efficient management of the services:
  * Task automation.
  * Service integration.
  * Easy and intuitive interface.
- Extendable and adaptable to specific needs.
- Hardware independent.
- Open source software.

[1] UTM (Unified Threat Management): term that groups a series of functionalities related to computer network security: firewall, intrusion detection, antivirus, etc.
[2] GPL (GNU General Public License): software license that allows free redistribution, adaptation, use and creation of derivative works under the same license.

The services currently offered are:

- Network management:
  - Firewall and router
    * Traffic filtering
    * NAT and port redirection
    * Virtual local networks (VLAN 802.1Q)
    * Support for multiple gateways, load balancing and self-adaptation in case of loss of connectivity
    * Traffic shaping (with application-level filtering support)
    * Traffic monitoring
    * Dynamic DNS support
  - High-level network objects and services
  - Network infrastructure
    * DHCP server
    * DNS server
    * NTP server
  - Virtual private networks (VPN)
    * Dynamic auto-configuration of network paths
  - HTTP proxy
    * Cache
    * User authentication
    * Content filtering (with categorized lists)
    * Transparent antivirus
  - Mail server
    * Spam filtering and antivirus
    * Transparent POP3 filter
    * White-, black- and grey-listing
  - Web server
    * Virtual domains
  - Intrusion Detection System (IDS)
  - Certification Authority
- Groupware:
  - Shared directory using LDAP (Windows/Linux/Mac)
    * Shared authentication (including Windows PDC)
  - Shared storage as NAS (Network-attached storage)
  - Shared printers
  - Groupware server: calendars, address books, ...
  - VoIP server
    * Voicemail
    * Meetings
    * Calls through an outside vendor
  - Instant messaging server (Jabber/XMPP)
    * Meetings
  - User corner to allow users to modify their data
- Reports and monitoring:
  - Dashboard to centralize the information
  - Disk, memory, load, temperature and host CPU monitoring
  - Software RAID status and information regarding hard drive use
  - Network service logs in databases, allowing you to have daily, weekly, monthly and annual reports
  - Event-based system monitoring
    * Notification via Jabber, mail and RSS
- Host management:
  - Configuration and data backup
  - Updates
  - Control Center to easily administer and monitor multiple eBox hosts from one central point [3]

1.2 Installation

In principle, eBox Platform is designed to be installed exclusively on one (real or virtual) machine. This does not prevent you from installing other, unmanaged services, but these must be configured manually.

eBox Platform runs on the GNU/Linux operating system with the Long Term Support (LTS) release of the Ubuntu Server Edition distribution [4]. The installation can be done in two different ways:

- Using the eBox Platform Installer (recommended).
- Installing from an existing Ubuntu Server Edition installation.

In the second case, you need to add the official eBox Platform repositories and install the packages you are interested in.

Nevertheless, in the first case eBox Platform installation and deployment is easy, as all the dependencies are on a single CD and, in addition, some pre-configuration is made during the installation process.

Figure 1.1: Installer home screen

Figure 1.2: Selection of the installation method

1.2.1 eBox Platform installer

The eBox Platform installer is based on the Ubuntu installer, and therefore those who are already familiar with it will find the installation process very similar.

After installing the base system and rebooting, you can start installing eBox Platform. There are two methods for selecting the functionalities you want to include in your system.

Simple: Depending on the task the server will be dedicated to, you can install a set of packages that provides several functionalities.

Advanced: You can select the packages individually. If a package has dependencies on other packages, these will be selected automatically afterwards.

If you select the simple installation method, you get a list of available profiles. As shown in the figure Selection of the profiles, this list matches the following paragraphs of this manual.

Figure 1.3: Selection of the profiles

eBox Gateway: eBox is the local network gateway that provides secure and controlled Internet access.

eBox Unified Threat Manager: eBox protects the local network against external attacks, intrusions and internal security threats, and enables secure interconnection between local networks via the Internet or via other external networks.

eBox Infrastructure: eBox manages the local network infrastructure, including the following basic services: DHCP, DNS, NTP, HTTP server, etc.

eBox Office: eBox is an office server that allows sharing the following resources through the local network: files, printers, calendars, contacts, authentication, user and group profiles, etc.

eBox Unified Communications: eBox becomes the unified communications server of your organization, including mail, instant messaging and voice over IP.

[3] For additional information regarding the Control Center, please visit http://www.ebox-technologies.com/products/controlcenter/, the website of the company behind eBox Platform development.
[4] Ubuntu is a GNU/Linux distribution developed by Canonical and the community, oriented to laptops, desktops and servers (http://www.ubuntu.com/).

You can select several profiles to combine different functionalities. In addition, the selection is not final: later you can install and remove packages according to your needs.

However, if you select the advanced installation method, you get the complete list of eBox Platform modules and you can individually select the modules you are interested in. Once you have completed the selection, the necessary additional packages will also be installed.

Figure 1.4: Selection of the modules

After you have selected the components to install, the installation process will begin and you will be shown a progress bar with the installation status.

Once the installation is completed, you are requested to enter a password to access the eBox Platform web administration interface:

Figure 1.5: Installing eBox Platform

You need to confirm the entered password:

The installer will try to pre-configure some important configuration parameters. First, it will ask whether some of the network interfaces are external (not within the local network), i.e., used to connect to the Internet. Strict policies will be applied to all incoming traffic through external network interfaces. Depending on the role the server plays, there might be no external interfaces at all.

Figure 1.6: Selection of the external interface

Second, if you installed the mail module, you will be requested to enter the default virtual domain, which will be the main virtual domain of the system.

Once you have answered these questions, each module you installed will be pre-configured and ready to be used via the web interface.

After this process is completed, a message informs you about how to connect to the web interface of eBox Platform.

Figure 1.7: Primary virtual mail domain

Figure 1.8: Configuration progress

Figure 1.9: Installation completed

Once the eBox Platform installation process is completed, you get a system console to authenticate with the user created during the Ubuntu installation. The eBox Platform password is exclusive to the web interface and has nothing to do with the password of the host's administrator user. When you log in to the console, you will get the following eBox Platform specific message:

1.3 Administration web interface

Once you have installed eBox Platform, you can access the administration web interface at the following URL:

https://network_address/ebox/

Here network_address is the IP address or a host name that resolves to the address where eBox is running.

The first screen will ask for the administrator password:

After authentication you get the administration interface, which is divided into three main sections:

Left side menu: Contains links to all services, separated by categories, that can be configured using eBox. When you select a service, you might get a submenu to configure specific details of the selected service.
Figure 1.10: Main screen

Figure 1.11: Left side menu

Top menu: Contains actions to save the changes made to the content, make the changes effective and close the session.

Figure 1.12: Top menu

Main content: The main content is composed of one or several forms or tables with information about the service configuration, and depends on the selection made in the left side menu and submenus. Sometimes you will get a tab bar at the top of the page: each tab represents a different subsection within the section you have accessed.

Figure 1.13: Configuration form

Dashboard: The dashboard is the initial screen of the web interface. It contains a number of configurable widgets. You can reorganize them at any moment simply by clicking and dragging their titles. By clicking on Configure Widgets the interface changes, allowing you to remove and add new widgets. To add a new widget, you search for it in the top menu and drag it to the main part of the page.

Figure 1.14: Dashboard

Figure 1.15: Dashboard configuration

An important detail to take into account is the method eBox uses to apply the configuration changes made through the interface. First of all, you have to accept the changes in the current form, but, once this is done, to make these changes effective and apply them on a permanent basis, you must click on Save Changes in the top menu. This button turns red when there are unsaved changes. Failure to follow this procedure will result in the loss of all changes you have made throughout the session once you log out. There are some special cases when you don't need to save the changes, but in these cases you will receive a notification.

Figure 1.16: Save changes

1.4 How does eBox Platform work?

eBox Platform is not just a simple web interface to manage the most common network services [5]. One of the main goals of eBox Platform is to unify a set of network services that otherwise would work independently.

All configuration of individual services is handled automatically by eBox. To do this, eBox uses a template system. This automation prevents manual errors and saves administrators from having to know the details of each configuration file format. As eBox manages these configuration files automatically, you must not edit the original files, as they will be overwritten as soon as you save any configuration changes.

[5] You get longer support than on the normal version. With the LTS version you get 5 years of support on the server.

Reports of events and possible errors of eBox are stored in the directory /var/log/ebox/ and are divided into the following files:

/var/log/ebox/ebox.log: Errors related to eBox Platform.
/var/log/ebox/error.log: Errors related to the web server.
/var/log/ebox/access.log: Every access to the web server.

If you want more information about an error that has occurred, you can enable debugging mode by selecting the debug option in the /etc/ebox/99ebox.conf file. Once you have enabled this option, you should restart the web server of the interface with sudo /etc/init.d/ebox apache restart.

1.5 Location within the network

1.5.1 Local network configuration

eBox Platform can be used in two different ways:

- Router and filter of the Internet connection.
- Server of different network services.

Both functionalities can be combined in a single host or divided among several hosts.

The figure Different locations within the network displays the different locations the eBox Platform server can take in the network, either as a link between networks or as a server within the network.

Figure 1.17: Different locations within the network


Throughout this documentation you will find out how to configure eBox Platform as a router and gateway. You will also learn how to configure eBox Platform in the case where it acts as just another server within the network.

1.5.2 Network configuration with eBox Platform

If you place a server within a network, you will most likely be assigned an IP address via the DHCP protocol. Through Network → Interfaces you can access each network card detected by the system, and you can select between a static configuration (address configured manually), a dynamic configuration (address configured via DHCP) or an 802.1Q trunk to create VLANs.

Figure 1.18: Network interface configuration

If you configure a static interface, you can associate one or more Virtual Interfaces with this real interface to serve additional IP addresses. These can be used to serve different networks or the same network with different addresses.

To enable eBox to resolve domain names, you must indicate the address of one or several domain name servers in Network → DNS.

1.5.3 Network diagnosis

To check whether you have configured the network correctly, you can use the tools available in Network → Diagnosis.

Ping is a tool that uses the ICMP network diagnosis protocol to observe whether a particular remote host is reachable by means of a simple echo request.

Figure 1.19: Static configuration of network interfaces

Figure 1.20: Configuration of DNS servers

Figure 1.21: Network diagnosis tools

Figure 1.22: Ping tool

Additionally, you can use the traceroute tool, which determines the route taken by packets across different networks until they reach a given remote host. Tracing the route the packets follow allows you to carry out more advanced diagnosis.

Figure 1.23: Traceroute tool

Besides, you can use the dig tool, which is used to verify the correct functioning of name resolution.

Figure 1.24: Dig tool

Practical example A

Let's configure eBox so that it obtains the network configuration via DHCP.

Therefore:

1. Action: Access the eBox interface, go to Network → Interfaces and, as network interface, select eth0. Then choose the DHCP method. Click on Change.
   Effect: The Save Changes button is enabled and the network interface keeps the entered data.

2. Action: Go to Module status and enable the Network module; to do this, check the box in the Status column.
   Effect: eBox asks for permission to overwrite some files.

3. Action: Read the changes that are going to be made in each modified file and grant eBox permission to overwrite them.
   Effect: The Save Changes button is enabled and you can enable some of the modules that depend on Network.

4. Action: Save the changes.
   Effect: eBox displays the progress while the changes are implemented. Once it has finished, you are notified. Now eBox manages the network configuration.

5. Action: Access the Network → Diagnosis tools. Ping ebox-platform.com.
   Effect: As a result, you are shown three successful connection attempts to the Internet server.

6. Action: Access the Network → Diagnosis tools. Ping the eBox of a fellow classmate.
   Effect: As a result, you are shown three successful connection attempts to the host.

7. Action: Access the Network → Diagnosis tools. Run a traceroute to ebox-technologies.com.
   Effect: As a result, you are shown the route of all the intermediate routers a packet traverses until it reaches the destination host.

Practical example B

For the rest of the exercises in this manual, it is good practice to enable the logs.

Therefore:

1. Action: Access the eBox interface, go to Module status and enable the Logs module. To do this, check the box in the Status column.
   Effect: eBox asks for permission to carry out a series of actions.

2. Action: Read the actions that are going to be carried out and accept them.
   Effect: The Save Changes button is enabled.

3. Action: Save the changes.
   Effect: eBox displays the progress while the changes are implemented. Once it has finished, you are notified. Now eBox has enabled the logs. You can check them at Logs → Query logs in the Logs section.


    Chapter 2

    eBox Infrastructure

    This section explains several of the services used to manage and optimize internal traffic and the infrastructure of your local network, including domain management, automatic network configuration of network clients, publication of internal Web sites and time synchronization over the Internet. The configuration of these services normally requires considerable effort, but they are easier to configure with eBox.

    The DHCP service is widely used to automatically configure different network parameters, such as the IP address of a host or the gateway to be used for Internet access.

    The DNS service provides access to services and hosts using names instead of IP addresses, which are more difficult to memorize.

    Many businesses use Web applications to which only internal access is available.

    2.1 Network configuration service (DHCP)

    As indicated, DHCP (Dynamic Host Configuration Protocol) is a protocol that enables a device to request and obtain an IP address from a server holding a list of available addresses to assign.

    The DHCP service 1 is also used to obtain many other parameters, such as the default gateway, the network mask, the IP addresses of the name servers or the search domain, among others. Hence, access to the network is made easier, without the need for manual configuration by clients.

    When a DHCP client connects to the network, it sends a broadcast request and the DHCP server responds to valid requests with an IP address, the lease time granted for that IP and the parameters explained above. The request normally occurs while the client is booting and must be completed before going on with the remaining network services.

    1 eBox uses ISC DHCP Software (https://www.isc.org/software/dhcp) to configure the DHCP service.

    There are two ways of assigning addresses:

    Manual: Assignment is based on a table containing physical address (MAC)/IP address mappings, entered manually by the administrator.

    Dynamic: The network administrator assigns a range of IP addresses for a request-and-grant process that uses the lease concept, with a controlled period during which the granted IP remains valid. The server keeps a table of previous assignments so as to try to reassign the same IP to a client in successive requests.

    2.1.1 DHCP server configuration with eBox

    To configure the DHCP service with eBox, at least one statically configured interface is required. Once this is available, go to the DHCP menu, where the DHCP server can be configured.

    As indicated above, some network parameters can be sent along with the IP address. These parameters can be configured in the Common options tab.

    Default gateway: This is the gateway to be used by the client if it is unaware of another route by which to send the packet to its destination. Its value can be eBox, a gateway already configured in the Network > Routers section or a custom IP address.

    Search domain: In a network with hosts named in line with .domain.com, the search domain can be configured as domain.com. Hence, when a domain name cannot be resolved, another attempt can be made by adding the search domain to the end of it. For example, if smtp cannot be resolved as a domain, smtp.domain.com will be tried on the client host. The search domain can be entered or one configured in the DNS service can be selected.

    Primary name server: This is the DNS server that the client will use when a name is to be resolved or an IP address needs to be translated into a name. Its value can be eBox (if the eBox DNS server is to be queried) or the IP address of another DNS server.

    Secondary name server: DNS server that the client will use if the primary one is not available. Its value must be the IP address of a DNS server.

    Figure 2.1: Overview of DHCP service configuration

    The common options also display the ranges of addresses distributed by DHCP and the addresses assigned manually. For the DHCP service to be active, there must be at least one range of addresses to be distributed or one static assignment. If not, the DHCP server will not serve IP addresses even if the service is listening on all the network interfaces.

    The ranges of addresses and the static addresses available for assignment from a certain interface are determined by the static address assigned to that interface. Any free IP address from the corresponding subnet can be used in ranges or static assignments.

    To add a new range, click on Add new in the Ranges section. Then enter a name by which to identify the range and the values to be assigned within the range shown above.

    Static assignments of IP addresses to specific physical addresses are possible in the Static assignments section. An address assigned in this way cannot form part of any range.

    Figure 2.2: Appearance of the advanced configuration for DHCP

    The dynamic granting of addresses has a deadline before which renewal must be requested (configurable in the Advanced options tab) that varies from 1,800 seconds to 7,200 seconds. Static assignments do not expire and are, therefore, unlimited leases.

    A Lightweight Client is a special machine with no hard drive that is booted via the network by requesting the boot image (operating system) from a lightweight client server.

    eBox allows the PXE server 2 to which the client must connect to be configured. The PXE service, which is responsible for transmitting everything required for the lightweight client to be able to boot its system, must be configured separately.

    The PXE server may be an IP address or a name, in which case the path to the boot image must be indicated, or eBox itself, in which case the image file can be loaded.
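As an added check (example code written for this guide, not part of eBox), the following Python applies the rules above to a constructed scope: ranges and static assignments must sit inside the interface's subnet, a static address may not fall inside a range, the server needs at least one of the two, and the lease must lie between 1,800 and 7,200 seconds. The Range, StaticAssignment and Scope classes are assumptions of the example, not eBox data structures.

```python
"""Sanity checks for an eBox-style DHCP scope (added example, not eBox code).

Rules taken from the manual: a range must lie inside the subnet of the static
interface it is served from, a statically assigned address must not fall inside
any range, at least one range or static assignment is needed, and dynamic
leases last between 1,800 and 7,200 seconds.
"""
import ipaddress
from dataclasses import dataclass, field

LEASE_MIN, LEASE_MAX = 1800, 7200   # lease bounds stated in the manual (seconds)


@dataclass
class Range:            # hypothetical structure for a DHCP range
    name: str
    first: str
    last: str


@dataclass
class StaticAssignment:  # hypothetical structure for a MAC -> IP mapping
    name: str
    mac: str
    ip: str


@dataclass
class Scope:            # hypothetical structure for one interface's DHCP config
    interface: str      # static address of the serving interface, CIDR form
    ranges: list = field(default_factory=list)
    statics: list = field(default_factory=list)
    lease_seconds: int = 1800


def range_addresses(r):
    """Expand first..last into a set of addresses (ranges here are small)."""
    first = ipaddress.ip_address(r.first)
    last = ipaddress.ip_address(r.last)
    if last < first:
        raise ValueError(f"range {r.name}: last address precedes first")
    return {ipaddress.ip_address(n) for n in range(int(first), int(last) + 1)}


def check_scope(scope):
    """Return a list of problems; an empty list means the scope is valid."""
    problems = []
    iface = ipaddress.ip_interface(scope.interface)
    subnet = iface.network
    usable = set(subnet.hosts()) - {iface.ip}   # the server's own address is taken

    covered = {}   # address -> range name, to detect overlapping ranges
    for r in scope.ranges:
        for addr in range_addresses(r):
            if addr not in usable:
                problems.append(f"range {r.name}: {addr} is outside {subnet} or reserved")
            elif addr in covered:
                problems.append(f"range {r.name}: {addr} already in range {covered[addr]}")
            else:
                covered[addr] = r.name

    seen_macs = set()
    for s in scope.statics:
        addr = ipaddress.ip_address(s.ip)
        if addr not in usable:
            problems.append(f"static {s.name}: {addr} is outside {subnet} or reserved")
        if addr in covered:
            problems.append(f"static {s.name}: {addr} is inside range {covered[addr]}")
        if s.mac.lower() in seen_macs:
            problems.append(f"static {s.name}: MAC {s.mac} assigned twice")
        seen_macs.add(s.mac.lower())

    if not scope.ranges and not scope.statics:
        problems.append("no range and no static assignment: server will not serve addresses")
    if not LEASE_MIN <= scope.lease_seconds <= LEASE_MAX:
        problems.append(f"lease {scope.lease_seconds}s outside {LEASE_MIN}-{LEASE_MAX}")
    return problems


# Constructed scope matching the manual's practical example:
# interface 10.1.2.254/24 serving the range 10.1.2.1-10.1.2.21.
GOOD_SCOPE = Scope(
    interface="10.1.2.254/24",
    ranges=[Range("course", "10.1.2.1", "10.1.2.21")],
    statics=[StaticAssignment("printer", "00:11:22:33:44:55", "10.1.2.100")],
    lease_seconds=1800,
)

# Constructed scope that breaks three rules: a range outside the subnet,
# a static address inside a range, and a lease shorter than 1,800 seconds.
BAD_SCOPE = Scope(
    interface="10.1.2.254/24",
    ranges=[Range("course", "10.1.2.1", "10.1.2.21"),
            Range("wrong", "10.1.3.1", "10.1.3.1")],
    statics=[StaticAssignment("printer", "00:11:22:33:44:55", "10.1.2.10")],
    lease_seconds=600,
)

if __name__ == "__main__":
    for label, scope in (("good", GOOD_SCOPE), ("bad", BAD_SCOPE)):
        print(label, check_scope(scope) or "OK")
```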

    Practical example

    Configure the DHCP service to assign a range of 20 network addresses. Check from another client host using dhclient that it works properly.

    To configure DHCP, the Network module must be enabled and configured. The network interface on which the DHCP server is to be configured must be static (manually assigned IP address) and the range to assign must be within the subnet determined by the network mask of that interface (e.g. range 10.1.2.1-10.1.2.21 of an interface 10.1.2.254/255.255.255.0).

    1. Action: Enter eBox and access the control panel. Enter Module status and enable the DHCP module by marking its checkbox in the Status column.

    Effect: eBox requests permission to overwrite certain files.

    2. Action: Read the changes of each of the files to be modified and grant eBox permission to overwrite them.

    Effect: The Save changes button has been enabled.

    3. Action: Enter DHCP and select the interface on which the server is to be configured. The gateway may be eBox itself, one of the eBox gateways, a specific address or none (no routing to other networks). Furthermore, the search domain (domain added to all DNS names that cannot be resolved) can be defined along with at least one DNS server (primary DNS server and optionally a secondary one).

    eBox then indicates the range of available addresses. Select a subset of 20 addresses and in Add new give a meaningful name to the range to be assigned by eBox.

    4. Action: Save the changes.

    Effect: eBox displays the progress while the changes are being applied. Once this is complete it indicates as such.

    eBox now manages the DHCP server configuration.

    5. Action: From another PC connected to this network, request a dynamic IP from the range using dhclient:

    $ sudo dhclient eth0
    There is already a pid file /var/run/dhclient.pid with pid 9922
    killed old client process, removed PID file
    Internet Systems Consortium DHCP Client V3.1.1
    Copyright 2004-2008 Internet Systems Consortium.
    All rights reserved.
    For info, please visit http://www.isc.org/sw/dhcp/

    wmaster0: unknown hardware address type 801
    wmaster0: unknown hardware address type 801
    Listening on LPF/eth0/00:1f:3e:35:21:4f
    Sending on LPF/eth0/00:1f:3e:35:21:4f
    Sending on Socket/fallback
    DHCPREQUEST on wlan0 to 255.255.255.255 port 67
    DHCPACK from 10.1.2.254
    bound to 10.1.2.1 -- renewal in 1468 seconds.

    6. Action: Verify from Dashboard that the address appears in the DHCP leases widget.

    2 Preboot eXecution Environment is an environment to boot PCs using a network interface independently of the storage devices (such as hard drives) or operating systems installed. (http://en.wikipedia.org/wiki/Preboot_Execution_Environment)

    2.2 Name resolution service (DNS)

    As explained, the function of the DNS (Domain Name System) is to convert hostnames that are readable and easy for users to remember into IP addresses and vice versa. The domain name system has a tree architecture, the aims of which are to avoid the duplication of data and to facilitate the search for domains. The service listens for requests on port 53 of the UDP and TCP transport protocols.

    2.2.1 DNS cache server configuration with eBox

    A name server can act as a cache 3 for queries that it cannot answer itself. In other words, it will initially query the appropriate server, since its own database holds no data for the name, but subsequent queries will be answered from the cache, with the consequent decrease in response time.

    At present, most modern operating systems have a local name resolution library that keeps its own domain name cache of the requests made by system applications (browser, e-mail clients, etc.).

    Practical example A

    Check the correct operation of the cache name server. What is the response time for repeated requests for the same name, www.example.com?

    1. Action: Access eBox, enter Module status and enable the DNS module by marking the checkbox in the Status column.

    Effect: eBox requests permission to overwrite certain files.

    2. Action: Read the changes of each of the files to be modified and grant eBox permission to overwrite them.

    Effect: The Save changes button has been enabled.

    3. Action: Go to Network > DNS and add a new Domain name server with value 127.0.0.1.

    Effect: eBox is set up to translate names to IP addresses and vice versa.

    4. Action: Save the changes.

    Effect: eBox displays the progress while the changes are being applied. Once this is complete it indicates as such.

    eBox now manages the DNS server configuration.

    5. Action: Use the Domain name resolution tool available in Network Diagnosis to check the operation of the cache, querying the domain www.example.com consecutively and checking the response time.

    3 A cache is a collection of duplicated data from an original source, where the original data is expensive to obtain or compute compared to the cost of reading the cache (http://en.wikipedia.org/wiki/Cache).

    2.2.2 DNS server configuration with eBox

    DNS has a tree structure and the source is known as . or root. Under . are the TLDs (Top Level Domains), such as org, com, edu, net, etc. When searching in a DNS server, if it does not know the answer, the tree is recursively searched until it is found. Each . in an address (e.g. home.example.com) indicates a different branch of the DNS tree and a different query area. The name is traversed from right to left.

    Figure 2.3: DNS tree

    Another important aspect is reverse resolution (in-addr.arpa), as it is possible to translate an IP address to a domain name. Furthermore, as many aliases (or canonical names) as required can be added to each associated name and the same IP address can have several associated names.

    Another important characteristic of the DNS is the MX record. This record indicates where the e-mails addressed to a certain domain are to be sent. For example, where an e-mail is to be sent to [email protected], the e-mail server will ask for the MX record of home.example.com and the service will reply that it is mail.home.example.com.

    The configuration in eBox is done through the DNS menu. In eBox, as many DNS domains as required can be configured.

    To configure a new domain, drop down the form by clicking on Add new. From here, the domain name and an optional IP address to which the domain will refer can be configured.

    Once a correct domain has been created, e.g. home.example.com, it is possible to complete the hostnames list for the domain. As many IP addresses as required can be added using the names decided. Reverse resolution is added automatically. Furthermore, as many aliases as required can also be used for each mapping.

    As an additional feature, e-mail server names can be added through mail exchangers by selecting a name for the domains in which eBox is the authority 4 or an external one. Furthermore, a preference can be given, the lowest value of which gives highest priority, i.e. an e-mail client will first try the server with the lowest preference number.

    For a more in-depth look into the operation of the DNS, let us see what happens depending on the query made through the dig diagnosis tool located in Network Diagnosis.

    If a query is made for one of the domains added, eBox will reply with the appropriate answer immediately. Otherwise, the DNS server will query the root DNS servers and will reply to the user as soon as it gets an answer. It is important to be aware of the fact that the nameservers configured in Network > DNS are used by client applications to resolve names, but are not used in any way by the DNS server. If you want eBox to resolve names using its own DNS server, you have to set up 127.0.0.1 as primary DNS server in the aforementioned section.

    4 A DNS server is the authority for a domain when it has all the data to resolve the query for that domain.
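To make the right-to-left walk, the authority notion from footnote 4, reverse resolution and MX preference concrete, here is an added toy resolver (example code, not eBox or BIND code). The Zone tree, the home.example.com records and the reverse zone are constructed for illustration.

```python
"""Toy model of the DNS behaviour described above (added example, not eBox code).

A name is split into labels and walked from right to left through a tree
rooted at ".". A zone node that is authoritative holds all the data for its
names; when the walk leaves the part of the tree the server knows, `resolve`
returns a referral, which is where a real server would go on to ask the root
servers. All zones and records below are constructed.
"""


class Zone:
    def __init__(self, authoritative=False):
        self.authoritative = authoritative   # footnote 4: holds all data for its names
        self.children = {}                   # label -> Zone
        self.records = {}                    # rtype -> list of rdata

    def child(self, label, authoritative=False):
        return self.children.setdefault(label, Zone(authoritative))


def labels_right_to_left(name):
    """'home.example.com.' -> ['com', 'example', 'home'] (trailing dot is the root)."""
    return [l for l in name.rstrip(".").split(".") if l][::-1]


def resolve(root, name, rtype):
    """Walk the tree and return one of:
    ('answer', rdata)          the node was reached and we can answer
    ('nxdomain', name)         an authoritative zone says the name does not exist
    ('referral', last_known)   the name lies outside the data we hold
    """
    node, path = root, []
    for label in labels_right_to_left(name):
        if label not in node.children:
            if node.authoritative:
                return "nxdomain", name
            break
        node = node.children[label]
        path.append(label)
    else:
        if node.authoritative or rtype in node.records:
            if rtype == "MX":
                return "answer", sorted(node.records.get("MX", []))  # lowest preference first
            return "answer", node.records.get(rtype, [])
    return "referral", ".".join(reversed(path)) or "."


def reverse_name(ip):
    """Dotted IPv4 address -> the in-addr.arpa name used for reverse resolution."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def build_example_tree():
    """Constructed tree: . -> com -> example -> home (authoritative) and a reverse zone."""
    root = Zone()
    home = root.child("com").child("example").child("home", authoritative=True)
    home.records["A"] = ["10.1.2.254"]
    home.records["MX"] = [(20, "backup.home.example.com."), (10, "mail.home.example.com.")]
    home.child("mail", authoritative=True).records["A"] = ["10.1.2.10"]
    # Reverse entry, which eBox adds automatically for each hostname
    node = root
    for label in labels_right_to_left(reverse_name("10.1.2.10")):
        node = node.child(label)
    node.authoritative = True
    node.records["PTR"] = ["mail.home.example.com."]
    return root


if __name__ == "__main__":
    tree = build_example_tree()
    print(resolve(tree, "mail.home.example.com.", "A"))
    print(resolve(tree, "home.example.com.", "MX"))
    print(resolve(tree, "www.example.org.", "A"))
    print(resolve(tree, reverse_name("10.1.2.10"), "PTR"))
```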

    Practical example B

    Add a new domain to the DNS service. Within this domain, assign a network address to a hostname. From another host, check that it resolves correctly using the dig tool.

    1. Action: Check that the DNS service is active through Dashboard in the Module status widget. If it is not active, enable it in Module status.

    2. Action: Enter DNS and in Add new enter the domain to be managed. A table will drop down where hostnames, mail servers for the domain and the domain address itself can be added. In Hostnames do the same by adding the hostname and its associated IP address.

    3. Action: Save the changes.

    Effect: eBox will request permission to write the new files.

    4. Action: Accept the overwriting of these files and save the changes.

    Effect: The progress is displayed while the changes are being applied. Once this is complete it indicates as such.

    5. Action: From another PC connected to this network, request the name resolution using dig, where 10.1.2.254 is, for example, the address of eBox and mirror.ebox-platform.com the domain to be resolved:

    $ dig mirror.ebox-platform.com @10.1.2.254

    ; DiG 9.5.1-P1 mirror.ebox-platform.com @10.1.2.254
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER

    Figure 2.4: Request schema with GET headers between a client and the 200 OK response from the server. Routers and proxies in between.

    The server response has the same structure as the client request, with a different first row. In this case, the first row is , which corresponds to the response code and a text with the explanation, respectively.

    The most common response codes 7 are:

    200 OK: The request has been processed correctly.

    403 Forbidden: The client has been authenticated, but does not have permission to operate on the resource requested.

    404 Not Found: The resource requested has not been found.

    500 Internal Server Error: An error has occurred in the server that has prevented the request from being correctly processed.

    HTTP has some limitations given its simplicity. It is a stateless protocol; therefore, the server is unable to remember clients between connections. This can be worked around by using cookies. Moreover, the server cannot start a conversation with the client. Should the client want to be notified by the server of something, it must request this periodically.

    The HTTP service can offer dynamic data produced by different software applications. The client requests a certain URL with specific parameters and the software handles the request to return a result. The first method used was known as CGI (Common Gateway Interface), which runs one command per URL. This mechanism has largely been deprecated due to its memory overhead and low performance when compared to other solutions:

    FastCGI: A communication protocol between software applications and the HTTP server, with a single process resolving the requests made by the HTTP server.

    SCGI (Simple Common Gateway Interface): This is a simplified version of the FastCGI protocol.

    Other extension mechanisms: Dependent on the HTTP server allowing the software to be run within the server, this solution depends on the HTTP server used.

    2.3.2 The Apache Web server

    The Apache HTTP server 8 has been the most popular program for serving websites since April 1996. eBox uses this server for both its web interface and the web server module. Its aim is to offer a secure, efficient and extensible system in line with HTTP standards. Its extensibility is based on adding features using modules that extend the core.

    Other programming interfaces include mod_perl, mod_python, TCL or PHP, which allow websites to be created using programming languages such as Perl, Python, TCL or PHP. It has several authentication systems such as mod_access and mod_auth, among others. Furthermore, it allows the use of SSL and TLS with mod_ssl and provides a proxy module with mod_proxy and a powerful URL rewriting system with mod_rewrite. It has a total of 57 officially documented modules that add functionality, although this number increases to 168 if you include those registered for version 2.2 of Apache 9.

    7 The full list of response codes for the HTTP server can be found in section 10 of RFC 2616 (http://tools.ietf.org/html/rfc2616.html).
    8 Apache HTTP Server project http://httpd.apache.org.

    2.3.3 Virtual domains

    The purpose of a virtual domain is to host websites for several domain names on the same server.

    If the server has a public IP address for each website, a configuration can be made for every network interface. When seen from outside, they look like several hosts in the same network. The server will direct the traffic from each interface to its corresponding website.

    However, it is more common to have one or two IPs per host. In this case, each website will have to be associated with its domain. The web server will read the headers sent in the client request and, depending on the domain of the request, will direct it to one website or another. Each of these configurations is known as a Virtual Host, as there is only one host in the network, but the existence of several is simulated.
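An added example (not eBox or Apache code) of how a name-based Virtual Host is chosen from the Host header, with the URL path mapped onto the document root /var/www/<vHostName>/ and refused when it would escape that directory. The virtual host names, files and requests are constructed for illustration.

```python
"""Name-based virtual hosting as described above (added example, not eBox or
Apache code). One listener serves several domains: the server reads the Host
header, picks the matching virtual host (the first one is the default when
nothing matches), maps the URL path onto that host's document root under
/var/www/<vHostName>/ and refuses paths that would escape it. The hosts,
files and requests below are constructed.
"""
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www"        # per the manual: content lives under /var/www/<vHostName>/
VHOSTS = ["www.company.com", "www.ebox-course.com"]   # first entry is the default

# Constructed stand-in for the filesystem: absolute path -> body
FILES = {
    "/var/www/www.company.com/index.html": b"<h1>company.com</h1>",
    "/var/www/www.ebox-course.com/index.html": b"<h1>ebox-course</h1>",
    "/var/www/www.ebox-course.com/test.html": b"test page",
}
REASONS = {200: "OK", 400: "Bad Request", 403: "Forbidden", 404: "Not Found"}


def parse_request(raw):
    """Return (method, path, headers) from raw request bytes; header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)   # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def select_vhost(headers):
    """Virtual host named by the Host header (port stripped), else the default one."""
    host = headers.get("host", "").split(":")[0].lower()
    return host if host in VHOSTS else VHOSTS[0]


def safe_path(vhost, url_path):
    """Map a URL path into /var/www/<vhost>/; None when it would escape that root."""
    root = posixpath.join(DOCROOT, vhost)
    # decode %XX first so that encoded dot-dot segments are normalised too
    target = posixpath.normpath(posixpath.join(root, unquote(url_path).lstrip("/")))
    if target == root:
        target = posixpath.join(root, "index.html")
    if not target.startswith(root + "/"):
        return None
    return target


def handle(raw):
    """Return (status_code, vhost, body) for one raw HTTP request."""
    try:
        method, path, headers = parse_request(raw)
    except ValueError:
        return 400, None, b""
    if method != "GET" or "host" not in headers:
        return 400, None, b""   # HTTP/1.1 clients must send Host for name-based hosting
    vhost = select_vhost(headers)
    target = safe_path(vhost, path.split("?", 1)[0])
    if target is None:
        return 403, vhost, b""
    if target not in FILES:
        return 404, vhost, b""
    return 200, vhost, FILES[target]


def status_line(code):
    return f"HTTP/1.1 {code} {REASONS[code]}"


if __name__ == "__main__":
    for req in (b"GET / HTTP/1.1\r\nHost: www.ebox-course.com\r\n\r\n",
                b"GET /test.html HTTP/1.1\r\nHost: www.ebox-course.com:8080\r\n\r\n",
                b"GET / HTTP/1.1\r\nHost: unknown.example\r\n\r\n",
                b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.company.com\r\n\r\n"):
        code, vhost, body = handle(req)
        print(status_line(code), vhost, body)
```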

    2.3.4 HTTP server configuration with eBox

    Through Web, it is possible to access the web service configuration.

    In the first form, it is possible to modify the following parameters:

    Listening port: Where the daemon is to listen for HTTP requests.

    Enable public_html per user: Through this option, if the Samba module (eBox as file server) is enabled, users can create a subdirectory known as public_html in their private directory within Samba that will be displayed by the web server via the URL http:///~/, where username is the name of the user that published the contents.

    9 There is a full list at http://modules.apache.org.

    Figure 2.5: Appearance of the Web module configuration

    With regard to the Virtual domains, the only configuration needed is the name of the domain and whether it is enabled or not. When a new domain is created, an entry is simply created in the DNS module (if it is installed) so that, if the domain www.company.com is added, the domain company.com will be created with the host name www, the IP address of which will be the address of the first static network interface.

    To publish data, it must be under /var/www/, where vHostName is the name of the virtual domain. If any customized configuration is to be added, for example the capacity to load applications in Python using mod_python, the necessary configuration files for this virtual domain must be created in the directory /etc/apache2/sites-available/user-ebox-/.

    Practical example

    Enable the web server. Check that it is listening on port 80. Configure it to listen on a different port and verify that the change becomes effective.

    1. Action: Access eBox, enter Module status and enable the Web server module by marking the checkbox in the Status column. This indicates the changes to be made in the system. Allow the operation by clicking on the Accept button.

    Effect: The Save changes button has been enabled.

    2. Action: Save the changes.

    Effect: eBox displays the progress while the changes are being applied. Once this is complete it indicates as such.

    The web server is enabled by default on port 80.

    3. Action: Using a browser, access the following address: http://eBox_ip/.

    Effect: An Apache default page will be displayed with the message It works!.

    4. Action: Access the Web menu. Change the port value from 80 to 1234 and click on the Change button.

    Effect: The Save changes button has been enabled.

    5. Action: Save the changes.

    Effect: eBox displays the progress while the changes are being applied. Once this is complete it indicates as such.

    Now the web server is listening on port 1234.

    6. Action: Use the browser again to try to access http:///.

    Effect: No response is obtained and, after a while, the browser will indicate that it was impossible to connect to the server.

    7. Action: Now try to access http://:1234/.

    Effect: The server responds and the It works! page is obtained.

    2.3.5 Exercises

    Exercise A

    Create a Virtual domain called www.ebox-course.com with a test page. Use a browser to check that you can access it correctly, making sure that eBox is your DNS server and can resolve this domain.

    2.4 Time synchronization service (NTP)

    The NTP (Network Time Protocol) protocol was designed to synchronize the clocks of PCs over an unreliable network with jitter. This service listens on port 123 of the UDP protocol. It is designed to withstand the effects of jitter.

    It is one of the oldest protocols of the Internet still in use (since before 1985). NTP version 4 can reach a precision of up to 200 s or greater if the reference clock is in the local network. There are up to 16 levels defining the distance from the reference clock and its associated precision. Level 0 is for atomic clocks that are not connected to the network but to a level 1 computer with an RS-232 serial connection. Level 2 comprises the computers connected via NTP to those of a higher level and is what the most common operating systems, such as GNU/Linux, Windows or MacOS, normally offer by default.

    2.4.1 NTP server configuration with eBox

    To configure eBox to use the NTP architecture 10, eBox must first be synchronized with an external server of a higher level (normally 2), configured via System > Date/Time. A list of these can be found in the NTP pool (pool.ntp.org), which is a dynamic collection of NTP servers that voluntarily give their clients a relatively precise time over the Internet.

    Once eBox has been synchronized as an NTP client 11, eBox can also act as an NTP server with a globally synchronized time.

    10 NTP public service project http://support.ntp.org/bin/view/Main/WebHome.
    11 eBox uses ntpdate as its NTP client. http://www.ece.udel.edu/~mills/ntp/html/ntpdate.html.

    Practical example

    Enable the NTP service and synchronize the time of your host using the command ntpdate. Check that both eBox and the client host are set to the same time.

    1. Action: Access eBox, enter Module status and enable the ntp module by marking the checkbox in the Status column. This will show the changes to be made to the system. Allow the operations by clicking on the Accept button.

    Effect: The Save changes button has been enabled.

    2. Action: Access the System > Date/Time menu. In the Synchronization with NTP servers section, select Enabled and click on Change.

    Effect: The option to manually change the date and time is replaced by fields to enter the NTP servers with which to synchronize.

    3. Action: Save the changes.

    Effect: eBox displays the progress while the changes are being applied. Once this is completed, it notifies the user.

    Your eBox host will act as an NTP server.

    4. Action: Install the ntpdate package in your client host. Run the command ntpdate .

    Effect: The time on the host will have been synchronized with that of the eBox host. You can check this by running the date command on both hosts.

    Chapter 3

    eBox Gateway

    This section considers the main function of eBox as a gateway. eBox Gateway can make your network more reliable, optimize your bandwidth and help you control whatever enters your network.

    This section includes a chapter that focuses on the functionality of the eBox firewall module, which enables you to manage rules for the incoming and outgoing traffic of your internal network.

    The firewall is not configured directly, but is supported by another two modules that provide easier network object and service management, as described in the first part of the section.

    Load balancing can be applied for Internet access, along with different rules depending on the outgoing traffic. Furthermore, this section explains traffic shaping, which is used to ensure critical applications are served correctly and even to limit any applications generating a lot of network traffic.

    Finally, there is an introduction to the HTTP proxy service offered by eBox. This service allows or denies access from the internal network to the WWW using different filtering rules, including content-based ones.

    3.1 High-level eBox network abstractions

    3.1.1 Network objects

    Network objects are a way of giving a name to a network element or a group of elements. They are used to simplify and subsequently facilitate network configuration management by making it possible to select behavior for these objects.

    To give an example, they can be used to give a meaningful name to an IP address or a group of IP addresses. In the case of the latter, instead of defining access rules for each of the addresses, they merely have to be defined for the network object so that all the addresses belonging to the object take on this configuration.

    Figure 3.1: GRAPHIC: representation of network objects

    Management of network objects with eBox

    For object management in eBox, go to the submenu Objects and create new objects with an associated name and a series of members.

    Objects can be created, modified and deleted. These objects will be used later by other modules, such as the firewall, the Web cache proxy or the mail service.

    Each member will have at least the following values: name, IP address and network mask using CIDR notation. The physical address will only make sense for members that are a single physical machine.

    Figure 3.2: General appearance of the network object module

    The members of an object can overlap the members of another; therefore, great care must be taken when using them in the remaining modules to obtain the desired configuration and avoid security problems.

    3.1.2 Network services

    A network service is the abstraction of one or more applicable protocols that can be used in other

    modules, such as the firewall or the traffic-shaping module.

Services are used in the same way as objects. Objects make it possible to refer to a group of IP addresses by a meaningful name; services do the same for a group of port numbers that are hard to remember and tedious to type into several configurations, giving them a name that reflects their function (usually the name of the layer-7 protocol or application that uses those ports).


    Figure 3.3: GRAPHIC: client connection to a server

    Management of network services with eBox

For management in eBox, go to the submenu Services, where new services can be created, each with a name, a description and a flag indicating whether the service is external or internal. A service is internal if the ports configured for it are used by a daemon running on the eBox host itself. Each service also has a set of members, each with the following values: protocol, source port and destination port.

The value any can be entered in any of these fields, e.g. to define a service where the source port does not matter.

Bear in mind that in the usual client/server model, clients connect from a random (ephemeral) source port to a known destination port, so a service is normally defined by its destination port only, with the source port left as any. Well-known ports are those between 0 and 1023, registered ports those between 1024 and 49151, and private or dynamic ports those between 49152 and 65535.

    A list of known network services approved by the IANA 1 for UDP and TCP protocols can be found

    in the /etc/services file.

The protocol can be TCP, UDP, ESP, GRE or ICMP. There is also a TCP/UDP value, so that a port used by both protocols does not have to be added twice.

    1 The IANA (Internet Assigned Numbers Authority) is responsible for establishing the services associated with well-

    known ports. The full list can be found at http://www.iana.org/assignments/port-numbers.


    Figure 3.4: General appearance of the network service module

Services can be created, modified and deleted. They are later referenced by name in the firewall or traffic shaping modules.

    Practical example

    Create an object and add the following: a host with no MAC address, a host with a MAC address

    and a network address.

    To do so:

1. Action: Access Objects. Add accountancy hosts.

Effect: The accountancy hosts object has been created.

2. Action: Access Members of the accountancy hosts object. Create an accountancy server member with a single IP address, e.g. 192.168.0.12/32. Create another member, backup accountancy server, with another IP address, e.g. 192.168.0.13/32, and a valid MAC address, e.g. 00:0c:29:7f:05:7d. Finally, create the accountancy PC network member with the address of a subnet of your local network, e.g. 192.168.0.64/26. Then go to Save changes to confirm the configuration.

Effect: The accountancy hosts object contains three members: accountancy server, backup accountancy server and accountancy PC network.
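The warning above about overlapping object members, and the object built in this practical example, are the motivation for the following check. It is an added example and not part of eBox: it lists every pair of members in different objects whose address ranges intersect, and tells which objects a given host belongs to, so the overlaps can be reviewed before the objects are used in firewall, proxy or mail rules. The "accountancy hosts" object reproduces the practical example; the "guest network" object is constructed here for illustration.

```python
"""Overlap check for eBox-style network objects (added example, not eBox code).

A host that falls inside members of two different objects is matched by the
rules written for both, and it gets whichever rule comes first in the table.
This script lists such overlaps so they can be reviewed before the objects are
used in the firewall, proxy or mail modules. The "accountancy hosts" object
mirrors the practical example on this page; the "guest network" object is
constructed here for illustration.
"""
import ipaddress
from itertools import combinations

# Objects modelled as name -> {member name: CIDR}. A /32 member is a single host.
OBJECTS = {
    "accountancy hosts": {
        "accountancy server": "192.168.0.12/32",
        "backup accountancy server": "192.168.0.13/32",
        "accountancy PC network": "192.168.0.64/26",
    },
    # Constructed for this example: a broad range an admin might use in a DENY rule.
    "guest network": {
        "guest range": "192.168.0.0/24",
    },
}


def parse_object(members):
    """Return {member name: ip_network}. strict=True makes a member such as
    192.168.0.70/26 an error instead of silently meaning 192.168.0.64/26."""
    return {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in members.items()}


def find_overlaps(objects):
    """Return a list of (object A, member A, object B, member B, shared CIDR) for
    every pair of members in *different* objects whose ranges intersect.
    Two CIDR blocks that overlap are always nested, so the shared range is the
    smaller (longer-prefix) one."""
    parsed = {obj: parse_object(m) for obj, m in objects.items()}
    overlaps = []
    for (obj_a, members_a), (obj_b, members_b) in combinations(parsed.items(), 2):
        for name_a, net_a in members_a.items():
            for name_b, net_b in members_b.items():
                if net_a.overlaps(net_b):
                    shared = net_a if net_a.prefixlen >= net_b.prefixlen else net_b
                    overlaps.append((obj_a, name_a, obj_b, name_b, str(shared)))
    return overlaps


def objects_containing(objects, address):
    """Names of all objects with a member containing *address*: the objects
    whose rules a packet from that host can match."""
    ip = ipaddress.ip_address(address)
    return sorted(obj for obj, members in objects.items()
                  if any(ip in net for net in parse_object(members).values()))


if __name__ == "__main__":
    for obj_a, mem_a, obj_b, mem_b, shared in find_overlaps(OBJECTS):
        print("overlap: %s / %s <-> %s / %s on %s" % (obj_a, mem_a, obj_b, mem_b, shared))
    print("192.168.0.70 belongs to:", objects_containing(OBJECTS, "192.168.0.70"))
```

Run it before saving a rule that names an object in a DENY or ACCEPT decision: every overlap it reports is a host whose effective policy depends on the position of the rules rather than on the objects alone.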


    Exercises

    Exercise A

    Create a service called IRC with the following characteristics:

    Protocol: TCP

    External

    Single destination port: 6667

    Exercise B

Change the previous service to internal and then try to change the port on which the eBox administration interface listens, in System -> General, to 6667. Did you have any problems? Why?

    3.2 Firewall

We will configure a firewall to see how network objects and services are applied. A firewall is a system that enforces access control policies between networks. In our case, a host is dedicated to protecting the internal network, and eBox itself, from attacks coming from the external network.

A firewall lets the administrator define a set of access policies, such as which hosts may be connected to, or which may receive data and of what type. To do so it uses rules that filter traffic according to parameters such as the protocol, the source or destination addresses, or the ports used.

Technically, the best solution is a computer with two or more network cards that isolates the connected networks (or network segments) from each other, so that the firewall software is responsible for forwarding packets between them, deciding which packets may pass and to which network they are sent. By configuring the host as both firewall and router, traffic between the networks can be exchanged in a more secure manner.


    3.2.1 The firewall in GNU/Linux: Netfilter

Starting with the Linux 2.4 kernel, a filtering subsystem known as Netfilter provides packet filtering and Network Address Translation (NAT) 2. The iptables command is the interface for configuring the rules of the filtering system (filter table), the rules for packet translation with NAT (nat table) and the rules for packet marking and other control options (mangle table). It is extremely flexible, and its tables and chains are orthogonal, but it adds a great deal of complexity and has a steep learning curve.

    3.2.2 eBox security model

The eBox security model aims to provide the highest possible security by default, while minimizing the configuration work required of the administrator when new services are added.

When eBox acts as a firewall, it is normally placed between the local network and the router that connects that network to another, usually the Internet. The network interfaces connecting the host to the external network (the router) must be marked as external. This lets the Firewall module establish its default filtering policies.

Figure 3.5: Internal network - Filtering rules - External network

The default policy on external interfaces is to deny every attempt to open a new connection to eBox. On internal interfaces new connections are also denied, except those to services flagged as internal in the Services module, which are accepted by default. In both cases it is only new connections that are refused; an internal service that is reachable from the outside therefore needs an explicit rule, and an interface that is wrongly left unmarked as external gets the more permissive internal policy.

Furthermore, eBox automatically configures the firewall to apply NAT to packets entering through an internal interface and leaving through an external interface. Where this is not required, it may be disabled using the nat_enabled variable in the firewall module configuration file, /etc/ebox/80firewall.conf.

2 NAT (Network Address Translation): the process of rewriting the source or destination address of an IP packet as it passes through a router or firewall. Its main use is to give several hosts on a private network Internet access through a single public IP address.

    3.2.3 Firewall configuration with eBox

To make filtering with iptables easier, the eBox interface is used: Firewall -> Packet filtering.

Where eBox acts as a gateway, filtering rules can be set to determine whether traffic to or from a local or remote service is accepted. Five types of network traffic can be controlled with the filtering rules:

Traffic from an internal network to eBox (e.g. allow SSH access only from certain hosts).

Traffic between internal networks and from internal networks to the Internet (e.g. forbid Internet access from a certain internal network).

Traffic from eBox to external networks (e.g. allow files to be downloaded by FTP from the eBox host itself).

Traffic from external networks to eBox (e.g. make the Jabber server reachable from the Internet).

Traffic from external networks to internal networks (e.g. allow access to an internal web server from the Internet).

Bear in mind that the last two types expose eBox or the internal network to the Internet and may therefore jeopardize their security; use them with the utmost care, allowing only the specific service and, where possible, only the source addresses that need it. The filtering types can be seen in the following graphic:

eBox provides a simple way to control access to its own services, and to external services, from an internal interface (where the intranet is located) and from the Internet. Rules are normally expressed in terms of network objects, so it is possible to decide how each network object may access each eBox service; for example, access to the DNS service could be denied to a certain subnet. Internet access rules are managed by eBox in the same way: to allow web browsing, for instance, outgoing packets to TCP ports 80 and 443 at any address have to be allowed.

Each rule has a source and a destination, which depend on the type of filtering. For example, the rules for traffic from eBox to external networks only require a destination, since the source is always eBox. A rule matches either a specific service or its inverse (any service except the given one), which allows, for example, all outgoing traffic except SSH to be denied. A description can also be given for easier rule management. Finally, each rule has a decision, which can take one of the following values:

Accept the connection.

Deny the connection by silently dropping the packets, so that the source assumes the connection could not be established.

Deny the connection and also log it. Through Logs -> Log query of the Firewall it is then possible to see whether a rule is working as intended.

Figure 3.6: GRAPHIC: types of filtering rules

Figure 3.7: List of packet filtering rules from internal networks to eBox

Port redirection

Port redirections (destination NAT) are configured in Firewall -> Redirection: connections arriving on a given interface and port are redirected to a host, possibly on a different port, by rewriting the destination address of the packets.

To configure a redirection, the following fields are specified: the interface on which the translation is done; the original destination (this can be eBox, an IP address or an object); the original destination port (any, a range of ports or a single port); the protocol; the source from which the connection may be started (in a normal configuration, any); the target IP address; and finally the destination port on which the target host receives the requests, which may or may not be the same as the original one.

In the example shown, all connections arriving at eBox through the eth0 interface on port 8080/TCP are redirected to port 80/TCP of the host with IP address 10.10.10.10.
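The security model (3.2.2), the five traffic types and three decisions (3.2.3) and the port redirection above can be exercised offline with the following model. It is an added example, not eBox code: it reproduces the semantics the text describes so that the effect of a rule set can be checked without touching a live firewall. Assumptions not stated on the page are labelled in the code: rules are evaluated top to bottom and the first match wins, as in the iptables chains eBox generates; packets of an already accepted connection are let through; forwarded traffic (internal to Internet, external to internal) is denied unless a rule allows it. The interface names, service list, rules and the redirection entry are constructed for the example; eth0 is the external interface so that the 8080 -> 10.10.10.10:80 redirection matches the text.

```python
"""Model of the eBox firewall semantics (added example, not eBox code):
default policies per interface type, ordered rules with ACCEPT / DENY / LOG
decisions, the inverse-service match, NAT for internal-to-external traffic
and port redirection.

Assumptions, labelled because the page does not state them: first matching
rule wins (iptables semantics); packets of an accepted connection pass;
forwarded traffic is denied unless a rule allows it. Interfaces, services,
rules and the redirection are constructed for the example.
"""
import ipaddress

EXTERNAL = {"eth0"}       # interfaces marked External in Network -> Interfaces
INTERNAL = {"eth1"}
NAT_ENABLED = True        # nat_enabled in /etc/ebox/80firewall.conf

# Services: name -> (protocol, destination port or None for any, internal flag)
SERVICES = {
    "netcat": ("tcp", 6970, True),      # from the practical example
    "ssh":    ("tcp", 22, True),
    "http":   ("tcp", 80, False),
    "https":  ("tcp", 443, False),
    "dns":    ("tcp/udp", 53, True),
}

# Destination NAT: (interface, protocol, original port) -> (target IP, target port)
REDIRECTIONS = {("eth0", "tcp", 8080): ("10.10.10.10", 80)}


def service_matches(name, proto, dport):
    sproto, sport, _internal = SERVICES[name]
    proto_ok = sproto == proto or (sproto == "tcp/udp" and proto in ("tcp", "udp"))
    return proto_ok and (sport is None or sport == dport)


def rule_service_matches(service, proto, dport):
    """A rule names a service, 'any', or the inverse of a service ('!ssh' = all but SSH)."""
    if service == "any":
        return True
    if service.startswith("!"):
        return not service_matches(service[1:], proto, dport)
    return service_matches(service, proto, dport)


def source_matches(rule_source, src):
    """rule_source is 'any' or a CIDR (an object member)."""
    return rule_source == "any" or ipaddress.ip_address(src) in ipaddress.ip_network(rule_source)


def traffic_type(in_iface, to_ebox):
    """Which rule table applies (traffic originated by eBox itself is not modelled)."""
    if in_iface in INTERNAL:
        return "internal_to_ebox" if to_ebox else "internal_to_external"
    if in_iface in EXTERNAL:
        return "external_to_ebox" if to_ebox else "external_to_internal"
    raise ValueError("unknown interface %s" % in_iface)


def default_policy(ttype, proto, dport):
    """Security model defaults: new connections are denied everywhere, except from
    an internal interface to a service flagged as internal."""
    if ttype == "internal_to_ebox":
        if any(service_matches(s, proto, dport) and SERVICES[s][2] for s in SERVICES):
            return "ACCEPT"
    return "DENY"


def decide(rules, in_iface, src, proto, dport, to_ebox, established=False):
    """rules: {traffic type: [(decision, source, service)]} in table order.
    Returns ACCEPT, DENY (silent drop) or LOG (drop and record)."""
    if established:                              # assumption: connection tracking
        return "ACCEPT"
    ttype = traffic_type(in_iface, to_ebox)
    for decision, source, service in rules.get(ttype, []):
        if rule_service_matches(service, proto, dport) and source_matches(source, src):
            return decision                      # assumption: first match wins
    return default_policy(ttype, proto, dport)


def needs_snat(in_iface, out_iface):
    """eBox masquerades packets entering on an internal and leaving on an external interface."""
    return NAT_ENABLED and in_iface in INTERNAL and out_iface in EXTERNAL


def dnat(in_iface, proto, dport):
    """Port redirection: (target IP, target port) for a matching connection, else None."""
    return REDIRECTIONS.get((in_iface, proto, dport))


if __name__ == "__main__":
    rules = {
        "internal_to_ebox": [("ACCEPT", "any", "netcat")],
        "internal_to_external": [("ACCEPT", "192.168.0.0/24", "http"),
                                 ("ACCEPT", "192.168.0.0/24", "https")],
    }
    print(decide(rules, "eth1", "192.168.0.20", "tcp", 6970, to_ebox=True))   # ACCEPT
    print(decide(rules, "eth0", "203.0.113.5", "tcp", 6970, to_ebox=True))    # DENY
    print(decide(rules, "eth1", "192.168.0.20", "tcp", 80, to_ebox=False))    # ACCEPT
    print(dnat("eth0", "tcp", 8080))                                          # ('10.10.10.10', 80)
```

The two orderings of a DENY rule for 192.168.0.64/26 and an ACCEPT rule for 192.168.0.0/24 give opposite answers for a host in the smaller range, which is the concrete form of the overlap warning in the objects section: with overlapping sources, the position of the rule decides.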


    Practical example

    Use the netcat program to create a simple server that listens on port 6970 in the eBox host. Add a

    service and a firewall rule so that an internal host can access the service.

    To do so:

    1. Action: Access eBox, enter Module status and enable the Firewall module by marking the

    checkbox in the Status column.

    Effect: eBox requests permission to take certain actions.

    2. Action: Read the actions to be taken and grant permission to eBox to do so.

    Effect: The Save changes button has been enabled.

3. Action: Create an internal service, as in Exercise A of section High-level eBox network abstractions, through Services, with the name netcat and destination port 6970. Then go to Firewall -> Packet filtering, Filtering rules from internal networks to eBox, and add a rule with at least the following fields:

Decision: ACCEPT

Source: Any

Service: netcat (created in this action).

Once this is done, Save changes to confirm the configuration.

Effect: The new netcat service has been created, with a rule allowing internal networks to connect to it.

4. Action: From the eBox console, launch the following command:

nc -l -p 6970

5. Action: From the client host, check that the service is reachable with the nc command, where EBOX_IP stands for the address of the eBox host on the internal network:

nc EBOX_IP 6970

Effect: Anything you type is displayed in the terminal where you launched netcat on eBox.


    3.2.4 Exercises

    Exercise A

    Add a rule to enable a host in the internal network to browse. Check whether this is possible.

    Exercise B

    Use the netcat program to create a simple server that listens on port 6970 in the eBox host. Add a

    service and a firewall rule so that an external host can access the service.

    Exercise C

    Add a redirection so that an external host can connect via ssh to an internal host accessible through

    eBox.

    Exercise D

Using the iptables command, find the filtering and NAT rules that eBox has added in the previous exercises.

    3.2.5 Suggested exercises

    Exercise E

    The firewall is the most common source of problems when testing network services. Therefore, it is

    useful to know how to allow all traffic in any direction. How would you do it?


    3.3 Routing

    3.3.1 Routing tables

Routing is the act of deciding through which interface a given packet must be sent from a host. The operating system keeps a routing table, a set of rules used to make this decision.

Each rule has several fields; the three most important are the destination address (network), the interface and the router. A rule reads: to reach this destination, send the packet to this router, which is reachable through this interface.

When a packet is to be sent, its destination address is compared with the entries in the table and it leaves through the interface of the matching rule. The best match is the most specific rule, i.e. the one with the longest network prefix. For example, suppose one rule says that network A (10.15.0.0/16) is reached through router A, and another says that network B (10.15.23.0/24), a subnet of A, is reached through router B. A packet for 10.15.23.23 matches both rules, but the operating system sends it to router B because that rule is more specific.

Every host has at least one route for the loopback (local) interface, plus routes for the other interfaces connecting it to internal networks or to the Internet.

Static routes are configured manually in Network -> Routes (essentially a front end for the route or ip route commands). Be aware that these routes may be overwritten by the routes received on an interface configured via DHCP.

    Figure 3.8: Route configuration


Gateway

When a packet is sent and no route matches its destination, it goes through the configured gateway, if any. The gateway is the default route for packets addressed to other networks.

To configure a gateway, use Network -> Routers.

Name: Name identifying the gateway.

IP address: IP address of the gateway. It must be reachable from the eBox host.

Interface: Network interface connected to the gateway. Packets for the gateway leave through this interface.

Upload/Download: Upload and download rates supported by the gateway. These values are used by the traffic shaping module.

Weight: The higher the weight, the more traffic is directed to this gateway when load balancing is enabled.

Default: Whether this gateway is the default one.


    Subnets and subnet routing

As indicated above, networks were originally divided into classes with fixed masks that were multiples of 8 bits. Since this did not scale, CIDR (Classless Inter-Domain Routing) was introduced to allow network masks of variable length, so that, for example, a class C network can be split into several smaller subnets, or several class C networks aggregated into one larger block. This allows:

A more efficient use of the scarce IPv4 address space.

Better use of the hierarchy in address assignment (prefix aggregation), reducing the size of routing tables throughout the Internet.

The number of bits that identify the network is given by a netmask of the same length as the IP address. To find the network an IP address belongs to, AND the address with its mask, bit by bit:

                 Dotted decimal    Binary
IP address       192.168.5.10      11000000.10101000.00000101.00001010
Netmask          255.255.255.0     11111111.11111111.11111111.00000000
Network portion  192.168.5.0       11000000.10101000.00000101.00000000

CIDR also introduced a new notation; its relation to the classful one is shown in the following table (the address count is the total number of addresses in the block, including the network and broadcast addresses):

CIDR   Class C equivalent   Addresses   Mask
/32    1/256 C              1           255.255.255.255
/31    1/128 C              2           255.255.255.254
/25    1/2 C                128         255.255.255.128
/24    1 C                  256         255.255.255.0
/21    8 C                  2048        255.255.248.0
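The routing-table lookup described at the start of this section (most specific rule wins, gateway as fallback), the netmask AND above and the CIDR table can all be reproduced with the following code. It is an added example and not part of eBox: the 10.15.0.0/16 and 10.15.23.0/24 routes and the 192.168.5.10 / 255.255.255.0 computation are the page's own; the router names, the loopback entry, the default gateway address and the subnet split are constructed here.

```python
"""Routing decisions worked in code (added example, not eBox code): the network
part of an address from its netmask, the CIDR / mask / address-count table,
splitting a block into subnets, and longest-prefix-match lookup with a default
gateway. The 10.15.0.0/16 and 10.15.23.0/24 routes are the page's own example;
router names, the loopback entry and the default gateway are constructed.
"""
import ipaddress


def to_binary(value):
    """Dotted binary form of a 32-bit value, e.g. 11000000.10101000.00000101.00001010."""
    return ".".join(format((value >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def network_of(address, netmask):
    """Bitwise AND of address and mask, as in the 192.168.5.10 / 255.255.255.0 table.
    Returns (network address, binary address, binary mask, binary network)."""
    a = int(ipaddress.IPv4Address(address))
    m = int(ipaddress.IPv4Address(netmask))
    net = a & m
    return str(ipaddress.IPv4Address(net)), to_binary(a), to_binary(m), to_binary(net)


def cidr_row(prefix):
    """(netmask, number of addresses, multiple of a class C) for a /prefix block."""
    mask = str(ipaddress.IPv4Network("0.0.0.0/%d" % prefix).netmask)
    count = 2 ** (32 - prefix)
    return mask, count, count / 256


def subnets_of(cidr, new_prefix):
    """Split a block into equal subnets, e.g. a class C into two /25s."""
    return [str(n) for n in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)]


def lookup(routes, destination, default_gateway=None):
    """routes: list of (network CIDR, router, interface), in any order.
    Returns (router, interface) of the most specific matching route, i.e. the
    longest prefix; falls back to the default gateway; raises if there is none,
    which is the 'network is unreachable' case of the practical examples."""
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, router, iface in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, router, iface)
    if best is not None:
        return best[1], best[2]
    if default_gateway is not None:
        return default_gateway
    raise LookupError("network is unreachable: no route to %s" % destination)


ROUTES = [
    ("10.15.0.0/16", "router A", "eth0"),   # network A, from the text
    ("10.15.23.0/24", "router B", "eth0"),  # network B, a subnet of A
    ("127.0.0.0/8", "local", "lo"),         # the loopback route every host has
]
DEFAULT_GATEWAY = ("10.1.1.1", "eth0")      # constructed default gateway

if __name__ == "__main__":
    print(network_of("192.168.5.10", "255.255.255.0"))
    print(cidr_row(21))
    print(subnets_of("192.168.0.0/24", 25))
    print(lookup(ROUTES, "10.15.23.23"))              # router B: more specific
    print(lookup(ROUTES, "8.8.8.8", DEFAULT_GATEWAY))
```

Calling lookup without a default gateway for an address outside every route raises, which is the situation in practical examples A and B below: until a route or gateway covers the other subnet or the Internet, the ping reports that the network is unreachable.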

    Practical example A

    You will now configure the network interface statically. The class will be divided into two subnets.

    To do so:

1. Action: Access the eBox interface, enter Network -> Interfaces and, for the network interface eth0, select the Static method. As the IP address, enter the one indicated by the instructor. As the Netmask, use 255.255.255.0. Click on the Change button.

The address will be of the form 10.1.X.Y, where 10.1.X identifies the network and Y the host. These values are used from now on.

Enter Network -> DNS and click on Add. As the Name server, enter 10.1.X.1. Click on Add.

Effect: The Save changes button has been enabled and the network interface keeps the data entered. A list of name servers is displayed, including the one just added.

    2. Action: Save the changes.

    Effect: eBox displays the progress while the changes are being applied.

    3. Action: Access Network Diagnosis. Ping ebox-platform.com.

    Effect: The following is given as the result:

    connect: network is unreachable

    4. Action: Access Network Diagnosis. Ping to an eBox of a classmate part of the same

    subnet.

    Effect: Three satisfactory connection attempts to the host are displayed as the result.

    5. Action: Access Network Diagnosis. Ping to the eBox of a classmate in the other subnet.

    Effect: The following is given as the result:

    connect: network is unreachable

    Practical example B

    You will now configure a route to access hosts in other subnets.

    To do so:

    1. Action: Access the eBox interface, enter Network Routes and select Add new. Complete

    the form with the following values:

    Network 10.1.X.0 / 24

    Gateway 10.1.1.1

    Description route to the other subnet


    Click on the Add button.

    Effect: The Save changes button has been enabled. A list is displayed containing the routes,

    including the recently created one.

    2. Action: Save the changes.

    Effect: eBox displays the progress while the changes are being applied.

    3. Action: Access Network Diagnosis. Ping ebox-platform.com.

    Effect: The following is given as the result:

    connect: network is unreachable

    4. Action: Access Network Diagnosis. Ping to the eBox of a classmate in the other subnet.

    Effect: Three satisfactory connection attempts to the host are displayed as the result.

    Practical example C

    You will now configure a gateway to connect to the remaining networks.

    To do so:

    1. Action: Access the eBox interface, enter Network Routes and delete the route created

    during the previous exercise.

    Enter Network Routers and select Add new. Complete with the following data:

    Name Default Gateway

    IP address 10.1.X.1

    Interface eth0

    Upload 0

    Download 0

    Weight 1

    Default yes

    Click on the Add button.
