7/28/2019 EBOX 1.2
1/207
eBox 1.2 for Network Administrators
REVISION 1.2
EBOX PLATFORM - TRAINING
http://www.ebox-technologies.com/
STUDENT GUIDE
eBox 1.2 for Network Administrators
This document is distributed under Creative Commons Attribution-Share Alike license version 2.5
( http://creativecommons.org/licenses/by-sa/2.5/ )
This document uses images from Tango Desktop Project also distributed under Creative Commons Attribution-Share Alike license version 2.5.
http://tango.freedesktop.org/
Contents
1 eBox Platform: unified server for SMEs 1
1.1 Presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2.1 eBox Platform installer . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.3 Administration web interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.4 How does eBox Platform work? . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
1.5 Location within the network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.5.1 Local network configuration . . . . . . . . . . . . . . . . . . . . . . . . . 16
1.5.2 Network configuration with eBox Platform . . . . . . . . . . . . . . . . . . 17
1.5.3 Network diagnosis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2 eBox Infrastructure 25
2.1 Network configuration service (DHCP) . . . . . . . . . . . . . . . . . . . . . . . 25
2.1.1 DHCP server configuration with eBox . . . . . . . . . . . . . . . . . . . . 26
2.2 Name resolution service (DNS) . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.2.1 DNS cache server configuration with eBox . . . . . . . . . . . . . . . . . 31
2.2.2 DNS server configuration with eBox . . . . . . . . . . . . . . . . . . . . . 32
2.3 Web data publication service (HTTP) . . . . . . . . . . . . . . . . . . . . . . . . 35
2.3.1 Hyper Text Transfer Protocol . . . . . . . . . . . . . . . . . . . . . . . . 35
2.3.2 The Apache Web server . . . . . . . . . . . . . . . . . . . . . . . . . . 38
2.3.3 Virtual domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
2.3.4 HTTP server configuration with eBox . . . . . . . . . . . . . . . . . . . . 39
2.3.5 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
2.4 Time synchronization service (NTP) . . . . . . . . . . . . . . . . . . . . . . . . 42
2.4.1 NTP server configuration with eBox . . . . . . . . . . . . . . . . . . . . . 42
3 eBox Gateway 45
3.1 High-level eBox network abstractions . . . . . . . . . . . . . . . . . . . . . . . . 45
3.1.1 Network objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
3.1.2 Network services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
3.2 Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.2.1 The firewall in GNU/Linux: Netfilter . . . . . . . . . . . . . . . . . . . . . 51
3.2.2 eBox security model . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.2.3 Firewall configuration with eBox . . . . . . . . . . . . . . . . . . . . . . . 52
3.2.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.2.5 Suggested exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.3 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
3.3.1 Routing tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
3.3.2 Multirouter rules and load balancing . . . . . . . . . . . . . . . . . . . . . 62
3.4 Traffic shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
3.4.1 Quality of Service (QoS) . . . . . . . . . . . . . . . . . . . . . . . . . . 65
3.4.2 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
3.5 HTTP Proxy Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
3.5.1 Access policy configuration . . . . . . . . . . . . . . . . . . . . . . . . . 69
3.5.2 Client connection to the proxy and transparent mode . . . . . . . . . . . . 71
3.5.3 Cache parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
3.5.4 Web content filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
4 eBox Office 79
4.1 Directory service (LDAP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
4.1.1 Users and groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
4.2 File sharing service and remote authentication . . . . . . . . . . . . . . . . . . . 85
4.2.1 File sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.2.2 SMB/CIFS and its Linux Samba implementation . . . . . . . . . . . . . . . 86
4.2.3 Primary Domain Controller (PDC) . . . . . . . . . . . . . . . . . . . . . . 86
4.2.4 eBox as file server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
4.2.5 SMB/CIFS clients configuration . . . . . . . . . . . . . . . . . . . . . . . 89
4.2.6 eBox as authentication server . . . . . . . . . . . . . . . . . . . . . . . . 92
4.2.7 PDC Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 94
4.3 Printers sharing service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
4.3.1 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
4.4 Groupware Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
4.4.1 Groupware service settings with eBox . . . . . . . . . . . . . . . . . . . . 99
4.4.2 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
5 eBox Unified Communications 105
5.1 Electronic Mail Service (SMTP/POP3-IMAP4) . . . . . . . . . . . . . . . . . . . . 105
5.1.1 How electronic mail works through the Internet . . . . . . . . . . . . . . . 106
5.1.2 SMTP/POP3-IMAP4 server configuration with eBox . . . . . . . . . . . . . 107
5.2 Instant Messaging (IM) Service (Jabber/XMPP) . . . . . . . . . . . . . . . . . . . 114
5.2.1 Configuring a Jabber/XMPP server with Ebox . . . . . . . . . . . . . . . . 114
5.2.2 Setting up a Jabber client . . . . . . . . . . . . . . . . . . . . . . . . . . 116
5.2.3 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
5.3 Voice over IP service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
5.3.1 Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
5.3.2 Codecs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
5.3.3 Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
5.3.4 Asterisk server configuration with eBox . . . . . . . . . . . . . . . . . . . 124
5.3.5 Configuring a softphone to work with eBox . . . . . . . . . . . . . . . . . 127
5.3.6 Ekiga (Gnome) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
5.3.7 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
6 eBox Unified Threat Manager 133
6.1 Mail Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
6.1.1 Mail filter schema in eBox . . . . . . . . . . . . . . . . . . . . . . . . . . 134
6.1.2 External connection control lists . . . . . . . . . . . . . . . . . . . . . . 141
6.1.3 Transparent proxy for POP3 mailboxes . . . . . . . . . . . . . . . . . . . 142
6.1.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
6.1.5 Proposed exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
6.2 HTTP Proxy advanced configuration . . . . . . . . . . . . . . . . . . . . . . . . 145
6.2.1 Group based filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
6.2.2 Group-based filtering for objects . . . . . . . . . . . . . . . . . . . . . . 146
6.2.3 Filter profiles configuration . . . . . . . . . . . . . . . . . . . . . . . . . 146
6.2.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
6.3 Secure interconnection between local networks . . . . . . . . . . . . . . . . . . . 149
6.3.1 Virtual Private Network (VPN) . . . . . . . . . . . . . . . . . . . . . . . 149
6.3.2 Public Key Infrastructure (PKI) with a Certification Authority (CA) . . . . . . . 149
6.3.3 CA configuration with eBox Platform . . . . . . . . . . . . . . . . . . . . 151
6.3.4 Configuring a VPN with eBox . . . . . . . . . . . . . . . . . . . . . . . . 153
6.4 Intrusion Detection System (IDS) . . . . . . . . . . . . . . . . . . . . . . . . . . 163
6.4.1 Setting up an IDS with eBox . . . . . . . . . . . . . . . . . . . . . . . . 164
6.4.2 IDS Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
6.4.3 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
7 eBox Core 167
7.1 Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
7.1.1 Logs configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
7.2 Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
7.2.1 Metrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
7.2.2 Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
7.2.3 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
7.3 Events and alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
7.3.1 Practical Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
7.3.2 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
7.4 Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
7.4.1 The backup system design . . . . . . . . . . . . . . . . . . . . . . . . . 183
7.4.2 Backup configuration with eBox . . . . . . . . . . . . . . . . . . . . . . . 184
7.4.3 How to recover on a disaster . . . . . . . . . . . . . . . . . . . . . . . . 189
7.4.4 Configuration backups . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
7.4.5 Command line tools for configuration backups . . . . . . . . . . . . . . . . 195
7.5 Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
7.5.1 Management of eBox components . . . . . . . . . . . . . . . . . . . . . 196
7.5.2 System Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
7.5.3 Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
7.5.4 Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Index 201
Chapter 1
eBox Platform: unified server for SMEs
1.1 Presentation
eBox Platform (http://ebox-platform.com/) is a unified network server that offers easy and efficient
computer network management for small and medium enterprises (SMEs). eBox Platform can act as
a Network Gateway, a Unified Threat Manager (UTM)¹, an Office Server, an Infrastructure Manager,
a Unified Communications Server or a combination of them. This manual is written for the 1.2 version
of eBox Platform.
All these functionalities are fully integrated and therefore automate most tasks, prevent manual
errors and save time for system administrators. This wide range of network services is managed
through an easy and intuitive web interface. As eBox Platform has a modular design, you can install in
each server only the necessary modules and easily extend the functionality according to your needs.
Besides, eBox Platform is released under a free software license (GPL)². The main features are:
Unified and efficient management of the services:
Task automation.
Service integration.
Easy and intuitive interface.
¹ UTM (Unified Threat Management): Term that groups a series of functionalities related to computer network security: firewall, intrusion detection, antivirus, etc.
² GPL (GNU General Public License): Software license that allows free redistribution, adaptation, use and creation of derivative works with the same license.
Extendable and adaptable to specific needs.
Hardware independent.
Open source software.
The services currently offered are:
Network management:
Firewall and router
* Traffic filtering
* NAT and port redirection
* Virtual local networks (VLAN 802.1Q)
* Support for multiple gateways, load balancing and self-adaptation in case of loss of
connectivity
* Traffic shaping (with application-level filtering support)
* Traffic monitoring
* Dynamic DNS support
High-level network objects and services
Network infrastructure
* DHCP server
* DNS server
* NTP server
Virtual private networks (VPN)
* Dynamic auto-configuration of network paths
HTTP proxy
* Cache
* User authentication
* Content filtering (with categorized lists)
* Transparent antivirus
Mail server
* Spam filtering and antivirus
* Transparent POP3 filter
* White-, black- and grey-listing
Web server
* Virtual domains
Intrusion Detection System (IDS)
Certification Authority
Groupware:
Shared directory using LDAP (Windows/Linux/Mac)
* Shared authentication (including Windows PDC)
Shared storage as NAS (Network-attached storage)
Shared printers
Groupware server: calendars, address books, ...
VoIP server
* Voicemail
* Meetings
* Calls through outside vendor
Instant messaging server (Jabber/XMPP)
* Meetings
User corner to allow users to modify their data
Reports and monitoring
Dashboard to centralize the information
Disk, memory, load, temperature and host CPU monitoring
Software RAID status and information regarding the hard drive use
Network service logs in databases, allowing you to have daily, weekly, monthly and annual
reports
Event-based system monitoring
* Notification via Jabber, mail and RSS
Host management:
Configuration and data backup
Updates
Control Center to easily administer and monitor multiple eBox hosts from one central point³
1.2 Installation
In principle, eBox Platform is designed to be installed exclusively on one (real or virtual) machine. This
does not prevent you from installing other unmanaged services, but these must be manually configured.
eBox Platform runs on the GNU/Linux operating system with the Long Term Support (LTS) release of
the Ubuntu Server Edition distribution⁴. The installation can be done in two different ways:
Using the eBox Platform Installer (recommended).
Installing from an existing Ubuntu Server Edition installation.
In the second case, you need to add the official eBox Platform repositories and to install the
packages you are interested in.
Nevertheless, in the first case eBox Platform installation and deployment is easy as all the
dependencies are in a single CD and, in addition, some pre-configuration is made during the installation
process.
Figure 1.1: Installer home screen
Figure 1.2: Selection of the installation method
1.2.1 eBox Platform installer
The eBox Platform installer is based on the Ubuntu installer and therefore those who are already
familiar with it will find the installation process very similar.
After installing the base system and rebooting, you can start installing eBox Platform. There are
two methods for selecting the functionalities you want to include in your system.
Simple: Depending on the task the server will be dedicated to, you can install a set of packages that
provides several functionalities.
Advanced: You can select the packages individually. If a package has dependencies on other packages, these will be automatically selected later.
If you select the simple installation method, you get a list of available profiles. As shown in the
figure Selection of the profiles, the mentioned list matches the following paragraphs of this manual.
Figure 1.3: Selection of the profiles
eBox Gateway: eBox is the local network gateway that provides secure and controlled Internet access.
eBox Unified Threat Manager: eBox protects the local network against external attacks, intrusions,
internal security threats and enables secure interconnection between local networks via Internet
or via other external networks.
eBox Infrastructure: eBox manages the local network infrastructure including the following basic services: DHCP, DNS, NTP, HTTP server, etc.
³ For additional information regarding the Control Center, please visit the site of eBox Technologies, the company behind eBox Platform development: http://www.ebox-technologies.com/products/controlcenter/
⁴ Ubuntu is a GNU/Linux distribution developed by Canonical and the community, oriented to laptops, desktops and servers (http://www.ubuntu.com/).
eBox Office: eBox is an office server that allows sharing the following resources through the local
network: files, printers, calendars, contacts, authentication, users and groups profiles, etc.
eBox Unified Communications: eBox becomes the unified communications server of your organization, including mail, instant messaging and voice over IP.
You can select several profiles to combine different functionalities. In addition, the selection is not
final and later you can install and remove packages according to your needs.
However, if you select the advanced installation method, you get the complete list of eBox Platform
modules and you can select individually the modules you are interested in. Once you have completed
the selection, also the necessary additional packages will be installed.
Figure 1.4: Selection of the modules
After you have selected the components to install, the installation process will begin and you will
be shown a progress bar with the installation status.
Once the installation is completed, you are requested to enter a password to access the eBox
Platform web administration interface:
Figure 1.5: Installing eBox Platform
You need to confirm the inserted password:
The installer will try to pre-configure some important configuration parameters. First, it will ask
if some of the network interfaces are external (not within the local network), i.e., used to connect to
the Internet. Strict policies for all incoming traffic through external network interfaces will be applied.
Depending on the role the server plays, there might be no external interfaces at all.
Figure 1.6: Selection of the external interface
Second, if you installed the mail module, you will be requested to enter the default virtual domain
that will be the main virtual domain of the system.
Once you have answered these questions, each module you installed will be pre-configured and
ready to be used via the web interface.
After this process is completed, a message informs you about how to connect to the web interface
of eBox Platform.
Figure 1.7: Primary virtual mail domain
Figure 1.8: Configuration progress
Figure 1.9: Installation completed
Once the eBox Platform installation process is completed you get a system console to authenticate
with the user created during the Ubuntu installation. The eBox Platform password is exclusive to the web
interface and has nothing to do with the administrator user password of the host. When you log in to
the console, you will get the following eBox Platform specific message:
1.3 Administration web interface
Once you have installed eBox Platform, you can access the administration web interface at the following URL:
https://network_address/ebox/
Here network_address is the IP address or a host name that resolves to the address where eBox
is running.
The first screen will ask for the administrator password:
After authentication you get the administration interface that is divided into three main sections:
Left side menu: Contains links to all services, separated by categories, that can be configured using
eBox. When you select a service, you might get a submenu to configure specific details of the
selected service.
Figure 1.10: Main screen
Figure 1.11: Left side menu
Top menu: Contains actions to save the changes made to the content, make the changes effective
and close the session.
Figure 1.12: Top menu
Main content: The main content is composed of one or several forms or tables with information about
the service configuration and depends on the selection made in the left side menu and sub-menus.
Sometimes you will get a tab bar at the top of the page: each tab represents a different
subsection within the section you have accessed.
Figure 1.13: Configuration form
Dashboard: The dashboard is the initial screen of the web interface. It contains a number of
configurable widgets. You can reorganize them at any moment simply by clicking and dragging the
titles.
By clicking on Configure Widgets the interface changes, allowing you to remove and add new
widgets. To add a new widget, you search for it in the top menu and drag it to the main part of
the page.
An important detail to take into account is the method eBox uses to apply the configuration
changes made through the interface. First of all, you have to accept changes in the current form,
but, once this is done, to make these changes effective and apply them on a permanent basis, you
Figure 1.14: Dashboard
Figure 1.15: Dashboard configuration
must click on Save Changes from the top menu. This button will change to red if there are unsaved
changes. Failure to follow this procedure will result in the loss of all changes you have made
throughout the session once you log out. There are some special cases when you don't need to save the
changes, but in these cases you will receive a notification.
Figure 1.16: Save changes
1.4 How does eBox Platform work?
eBox Platform is not just a simple web interface to manage the most common network services⁵. One
of the main goals of eBox Platform is to unify a set of network services that otherwise would work
independently.
All configuration of individual services is handled automatically by eBox. To do this eBox uses a
template system. This automation prevents manual errors and saves administrators from having to
know the details of each configuration file format. As eBox manages automatically these configuration
⁵ You get longer support than on the normal version. With the LTS version you get 5 years of support on the server.
files, you must not edit the original files as these will be overwritten as soon you save any configuration
changes.
Reports of events and possible errors of eBox are stored in the directory /var/log/ebox/ and are
divided in the following files:
/var/log/ebox/ebox.log: Errors related to eBox Platform.
/var/log/ebox/error.log: Errors related to the web server.
/var/log/ebox/access.log: Every access to the web server.
If you want more information about an error that has occurred, you can enable the debugging mode
by selecting the debug option in the /etc/ebox/99ebox.conf file. Once you have enabled this
option, you should restart the web server of the interface with sudo /etc/init.d/ebox apache restart.
1.5 Location within the network
1.5.1 Local network configuration
eBox Platform can be used in two different ways:
Router and filter of the Internet connection.
Server of different network services.
Both functionalities can be combined in a single host or divided among several hosts.
The figure Different locations within the network displays the different locations eBox Platform
server can take in the network, either as a link between networks or a server within the network.
Figure 1.17: Different locations within the network
Throughout this documentation you will find out how to configure eBox Platform as a router and
gateway. You will also learn how to configure eBox Platform in the case it acts as just another server
within the network.
1.5.2 Network configuration with eBox Platform
If you place a server within a network, you will most likely be assigned an IP address via the DHCP
protocol. Through Network → Interfaces you can access each network card detected by the system and
you can select between a static configuration (address configured manually), dynamic configuration
(address configured via DHCP) or a Trunk 802.1Q to create VLANs.
Figure 1.18: Network interface configuration
If you configure a static interface, you can associate one or more Virtual Interfaces to this real
interface to serve additional IP addresses. These can be used to serve different networks or the same
network with different address.
To enable eBox to resolve domain names, you must indicate the address of one or several domain
name servers in Network → DNS.
1.5.3 Network diagnosis
To check if you have configured the network correctly, you can use the tools available in Network → Diagnosis.
Ping is a tool that uses the ICMP network diagnosis protocol to observe whether a particular
remote host is reachable by means of a simple echo request.
Figure 1.19: Static configuration of network interfaces
Figure 1.20: Configuration of DNS servers
Figure 1.21: Network diagnosis tools
Figure 1.22: Ping tool
Additionally you can use the traceroute tool, which determines the route taken by packets
across different networks until they reach a given remote host. Tracing the route the
packets follow allows you to carry out more advanced diagnosis.
Figure 1.23: Traceroute tool
Besides, you can use the dig tool, which is used to verify the correct functioning of the name
service resolution.
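As an added example that is not part of the manual, the following Python script parses the text that ping and traceroute print into structured data, so the checks this section describes can be scripted instead of read by eye. Both sample outputs are constructed (documentation addresses, not real measurements); the traceroute sample includes a hop that answers only with timeouts, which is the case such a parser has to tolerate.

```python
"""Parse ping and traceroute output into Python data.

Added example, not code from the eBox manual.  The sample outputs are
constructed in the format of Linux iputils ping and traceroute.
"""
import re

# Constructed sample: three answered echo requests.
PING_OUTPUT = """\
PING ebox-platform.com (192.0.2.10) 56(84) bytes of data.
64 bytes from 192.0.2.10: icmp_seq=1 ttl=54 time=31.2 ms
64 bytes from 192.0.2.10: icmp_seq=2 ttl=54 time=30.8 ms
64 bytes from 192.0.2.10: icmp_seq=3 ttl=54 time=33.1 ms

--- ebox-platform.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 30.800/31.700/33.100/1.012 ms
"""

# Constructed sample: hop 2 does not answer at all ("* * *").
TRACEROUTE_OUTPUT = """\
traceroute to ebox-technologies.com (198.51.100.20), 30 hops max, 60 byte packets
 1  gateway (192.168.1.1)  0.412 ms  0.380 ms  0.355 ms
 2  * * *
 3  203.0.113.1 (203.0.113.1)  12.101 ms  12.340 ms  11.987 ms
 4  ebox-technologies.com (198.51.100.20)  31.220 ms  30.900 ms  31.050 ms
"""

_PING_STATS = re.compile(r"(\d+) packets transmitted, (\d+) received, (\d+)% packet loss")
_PING_RTT = re.compile(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")
_HOP_HEAD = re.compile(r"^\s*(\d+)\s+(.*)$")
_HOP_HOST = re.compile(r"^(\S+) \(([\d.]+)\)")
_HOP_RTT = re.compile(r"([\d.]+) ms")


def parse_ping(output):
    """Return {'sent', 'received', 'loss_pct', 'avg_ms'}.

    avg_ms is None when nothing answered: ping prints no rtt line then.
    """
    stats = _PING_STATS.search(output)
    if stats is None:
        raise ValueError("no ping statistics line found")
    sent, received, loss = (int(x) for x in stats.groups())
    rtt = _PING_RTT.search(output)
    return {"sent": sent, "received": received, "loss_pct": loss,
            "avg_ms": float(rtt.group(2)) if rtt else None}


def parse_traceroute(output):
    """Return one dict per hop: {'hop', 'host', 'ip', 'rtts_ms'}.

    A hop that only timed out has host and ip None and an empty rtts list.
    """
    hops = []
    for line in output.splitlines()[1:]:  # first line is the header
        head = _HOP_HEAD.match(line)
        if head is None:
            continue
        number, rest = int(head.group(1)), head.group(2)
        host = _HOP_HOST.match(rest)
        hops.append({"hop": number,
                     "host": host.group(1) if host else None,
                     "ip": host.group(2) if host else None,
                     "rtts_ms": [float(x) for x in _HOP_RTT.findall(rest)]})
    return hops


def reachable(ping_result):
    """The manual's success criterion: every echo request was answered."""
    return ping_result["sent"] > 0 and ping_result["received"] == ping_result["sent"]


if __name__ == "__main__":
    result = parse_ping(PING_OUTPUT)
    print("reachable:", reachable(result), "avg rtt:", result["avg_ms"], "ms")
    for hop in parse_traceroute(TRACEROUTE_OUTPUT):
        print(hop["hop"], hop["host"] or "* (no answer)", hop["rtts_ms"])
```

A hop with no answer is normal on many paths (routers that rate-limit or drop ICMP time-exceeded replies), so a script built on this should only treat the final hop's silence as a failure.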
Practical example A
Let's configure eBox so that it obtains the network configuration via DHCP.
Therefore:
1. Action: Access the eBox interface, go to Network → Interfaces and, as network interface,
select eth0. Then choose the DHCP method. Click on Change.
Figure 1.24: Dig tool
Effect: You have enabled the button Save Changes and the network interface maintains the
entered data.
2. Action: Go to Module status and enable the Network module, in order to do this, check the
box in the Status column.
Effect: eBox asks for permission to overwrite some files.
3. Action: Read the changes that are going to be made in each modified file and grant eBox the
permission to overwrite them.
Effect: You have enabled the button Save Changes and you can enable some of the modules
that depend on Network.
4. Action: Save the changes.
Effect: eBox displays the progress while the changes are implemented. Once it has finished,
you are notified.
Now eBox manages the network configuration.
5. Action: Access the Network → Diagnosis tools. Ping ebox-platform.com.
Effect: As a result, you are shown three successful connection attempts to the Internet server.
6. Action: Access the Network → Diagnosis tools. Ping the eBox of a fellow classmate.
Effect: As a result, you are shown three successful connection attempts to the host.
7. Action: Access the Network → Diagnosis tools. Run a traceroute to ebox-technologies.com.
Effect: As a result, you are shown a route of all the intermediate routers a packet traverses
until it reaches the destination host.
Practical example B
For the rest of the exercises of the manual, it is a good practice to enable the logs.
Therefore:
1. Action: Access the eBox interface, go to Module status and enable the Logs module. In order
to do this, check the box in the Status column.
Effect: eBox asks for permission to carry out a series of actions.
2. Action: Read the actions that are going to be made and accept them.
Effect: You have enabled the button Save Changes.
3. Action: Save the changes.
Effect: eBox displays the progress while the changes are implemented. Once it has finished,
you are notified.
Now eBox has enabled the logs. You can check them at Logs → Query logs in the section Logs.
Chapter 2
eBox Infrastructure
This section explains several of the services to manage and optimize internal traffic and the
infrastructure of your local network, including domain management, automatic network configuration in network
clients, publication of internal Web sites and time synchronization using the Internet. The configuration
of these services requires great efforts, although they are easier to configure with eBox.
The DHCP service is widely used to automatically configure different network parameters, such
as the IP address of a host or the gateway to be used for Internet access.
The DNS service provides access to services and hosts using names instead of IP addresses,
which are more difficult to memorize.
Many businesses use Web applications to which only internal access is available.
2.1 Network configuration service (DHCP)
As indicated, DHCP (Dynamic Host Configuration Protocol) is a protocol that enables a device to
request and obtain an IP address from a server with a list of available addresses to assign.
The DHCP service¹ is also used to obtain many other parameters, such as the default gateway,
the network mask, the IP addresses for the name servers or the search domain, among others. Hence,
access to the network is made easier, without the need for manual configuration by clients.
When a DHCP client connects to the network, it sends a broadcast request and the DHCP server
responds to valid requests with an IP address, the lease time granted for that IP and the parameters
¹ eBox uses ISC DHCP Software (https://www.isc.org/software/dhcp) to configure the DHCP service.
explained above. The request normally occurs during the client booting period and must be completed
before going on with the remaining network services.
There are two ways of assigning addresses:
Manual: Assignment is based on a table containing physical address (MAC)/IP address mappings,
entered manually by the administrator.
Dynamic: The network administrator assigns a range of IP addresses for a request-and-grant process
that uses the lease concept with a controlled period in which the granted IP remains valid. The
server keeps a table with the previous assignments to try to reassign the same IP to a client in
successive requests.
2.1.1 DHCP server configuration with eBox
To configure the DHCP service with eBox, at least one statically configured interface is required. Once
this is available, go to the DHCP menu, where the DHCP server can be configured.
As indicated above, some network parameters can be sent with the IP address. These parameters
can be configured in the Common options tab.
Default gateway: This is the gateway the client uses when it knows no other route on which to
send a packet to its destination. Its value can be eBox, a gateway already configured in the Network Routers section or a custom IP address.
Search domain: In a network whose hosts are named under domain.com, the search domain
can be set to domain.com. When a name cannot be resolved as given, the client tries again
with the search domain appended to it.
For example, if smtp cannot be resolved on its own, the client host will try smtp.domain.com.
The search domain can be entered or one configured in the DNS service can be selected.
Primary name server: This is the DNS server that the client will use when a name is to be resolved
or an IP address needs to be translated into a name. Its value can be eBox (if the eBox DNS
server is to be queried) or an IP address of another DNS server.
Secondary name server: DNS server that the client will use if the primary one is not available. Its
value must be the IP address of a DNS server.
Figure 2.1: Overview of DHCP service configuration
The common options display the ranges of addresses distributed by DHCP and the addresses
assigned manually. For the DHCP service to be active, there must be at least one range of addresses
to be distributed or one static assignment. If not, the DHCP server will not serve IP addresses even if
the service is listening on all the network interfaces.
The ranges of addresses and the static addresses available for assignment from a certain inter-
face are determined by the static address assigned to that interface. Any free IP address from the
corresponding subnet can be used in ranges or static assignments.
To add a new range, click on Add new in the Ranges section. Then enter a name by which to
identify the range and the values to be assigned within the range appearing above.
Static assignments of IP addresses to given physical (MAC) addresses are made in the Static
assignments section. An address assigned in this way cannot form part of any range.
Figure 2.2: Appearance of the advanced configuration for DHCP
A dynamically granted address comes with a lease time after which the client must renew it
(configurable in the Advanced options tab); by default the lease lasts 1,800 seconds and it can be extended
up to a maximum of 7,200 seconds. Static assignments do not expire and, therefore, are unlimited leases.
A Lightweight Client is a special machine with no hard drive that is booted via the network by
requesting the booting image (operating system) from a lightweight client server.
eBox allows the PXE server [2] to which the client must connect to be configured. The PXE service,
which is responsible for transmitting everything required for the lightweight client to be able to boot its
system, must be configured separately.
The PXE server may be given as an IP address or a name, in which case the path to the boot image
must also be indicated, or it may be eBox itself, in which case the image file can be uploaded.
Practical example
Configure the DHCP service to assign a range of 20 network addresses. Check from another client
host using dhclient that it works properly.
To configure DHCP, the Network module must be enabled and configured. The network interface
on which the DHCP server is to be configured must be static (manually assigned IP address) and the
range to assign must be within the subnet determined by the network mask of that interface (e.g. range
10.1.2.1-10.1.2.20, which contains exactly 20 addresses, on an interface 10.1.2.254/255.255.255.0).
1. Action: Enter eBox and access the control panel. Enter Module status and enable the DHCP
module by marking its checkbox in the Status column.
Effect: eBox requests permission to overwrite certain files.
2. Action: Read the changes of each of the files to be modified and grant eBox permission to
overwrite them.
Effect: The Save changes button has been enabled.
3. Action: Enter DHCP and select the interface on which the server is to be configured. The gateway
may be eBox itself, one of the eBox gateways, a specific address or none (no routing
to other networks). Furthermore, the search domain (domain appended to all DNS names
that cannot be resolved) can be defined along with at least one DNS server (primary DNS
server and optionally a secondary one).
eBox then indicates the range of available addresses. Select a subset of 20 addresses
and in Add new give a meaningful name to the range to be assigned by eBox.
4. Action: Save the changes.
Effect: eBox displays the progress while the changes are being applied. Once this is complete
it indicates as such.
eBox now manages the DHCP server configuration.
[2] Preboot eXecution Environment is an environment to boot PCs using a network interface independent of the storage
devices (such as hard drives) or operating systems installed. (http://en.wikipedia.org/wiki/Preboot_Execution_Environment)
5. Action: From another PC connected to this network, request a dynamic IP from the range
using dhclient:
$ sudo dhclient eth0
There is already a pid file /var/run/dhclient.pid with pid 9922
killed old client process, removed PID file
Internet Systems Consortium DHCP Client V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
wmaster0: unknown hardware address type 801
wmaster0: unknown hardware address type 801
Listening on LPF/eth0/00:1f:3e:35:21:4f
Sending on LPF/eth0/00:1f:3e:35:21:4f
Sending on Socket/fallback
DHCPREQUEST on eth0 to 255.255.255.255 port 67
DHCPACK from 10.1.2.254
bound to 10.1.2.1 -- renewal in 1468 seconds.
6. Action: Verify on the Dashboard that the granted address appears in the DHCP leases widget.
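Before saving a layout like the one in this exercise it is worth checking it against the rules the DHCP module imposes. The following Python script is an added example for this guide, not eBox code: it verifies that every range and static assignment lies inside the interface's subnet, that no static address falls inside a range, that the server's own address and the network/broadcast addresses are not handed out, and that there is at least one range or static assignment; it also counts the addresses in a range (10.1.2.1-10.1.2.21 would be 21 addresses, not 20). The 10.1.2.x addresses and the MAC address below are constructed for the example.

```python
"""Check an eBox-style DHCP layout for one statically configured interface.

Added example for this guide, not eBox code. It applies the rules given in the
text: every range and static assignment must lie inside the interface's subnet,
a statically assigned address may not fall inside any range, and at least one
range or static assignment is needed for the server to lease anything.
All addresses and the MAC below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Range:
    name: str
    first: str
    last: str


@dataclass
class DhcpLayout:
    interface: str                               # eBox's own static address, e.g. "10.1.2.254/24"
    ranges: list = field(default_factory=list)
    static: dict = field(default_factory=dict)   # MAC address -> IP address


def range_size(r: Range) -> int:
    """Number of addresses in an inclusive range."""
    return int(ipaddress.ip_address(r.last)) - int(ipaddress.ip_address(r.first)) + 1


def validate(layout: DhcpLayout) -> list:
    """Return a list of problems; an empty list means the layout is acceptable."""
    problems = []
    iface = ipaddress.ip_interface(layout.interface)
    net = iface.network
    seen = []                                    # (name, first, last) of ranges already checked
    for r in layout.ranges:
        lo, hi = ipaddress.ip_address(r.first), ipaddress.ip_address(r.last)
        if lo > hi:
            problems.append(f"range {r.name}: first address is above last")
            continue
        if lo not in net or hi not in net:
            problems.append(f"range {r.name}: not inside {net}")
        if lo == net.network_address or hi == net.broadcast_address:
            problems.append(f"range {r.name}: includes the network or broadcast address")
        if lo <= iface.ip <= hi:
            problems.append(f"range {r.name}: includes the server's own address {iface.ip}")
        for other, olo, ohi in seen:
            if lo <= ohi and olo <= hi:
                problems.append(f"range {r.name}: overlaps range {other}")
        seen.append((r.name, lo, hi))
    for mac, ip_str in layout.static.items():
        ip = ipaddress.ip_address(ip_str)
        if ip not in net:
            problems.append(f"static {mac}: {ip} not inside {net}")
        for name, lo, hi in seen:
            if lo <= ip <= hi:
                problems.append(f"static {mac}: {ip} falls inside range {name}")
    if not layout.ranges and not layout.static:
        problems.append("no ranges and no static assignments: nothing will be leased")
    return problems


# Layout matching the exercise: 20 dynamic addresses plus one static host (constructed).
EXERCISE = DhcpLayout(
    interface="10.1.2.254/24",
    ranges=[Range("classroom", "10.1.2.1", "10.1.2.20")],
    static={"00:0c:29:7f:05:7d": "10.1.2.100"},
)

if __name__ == "__main__":
    print(range_size(EXERCISE.ranges[0]), "addresses in range")
    print(validate(EXERCISE) or "layout OK")
```

The same checks apply to any interface: change `interface` to the address eBox has on the segment being served and the ranges are validated against that subnet.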
2.2 Name resolution service (DNS)
As explained, the function of the DNS (Domain Name System) is to convert hostnames that are
readable and easy to remember by users into IP addresses and vice versa. The domain name system is a
tree-structured, distributed database; its aims are to avoid duplication of data and to make the search for
domains efficient. The service listens for requests on port 53 over both UDP and TCP.
2.2.1 DNS cache server configuration with eBox
A name server can act as a cache [3] for queries that it cannot answer from its own data. The first time
such a name is requested the cache is empty, so the server has to query the appropriate (authoritative)
servers; subsequent requests for the same name are answered from the cache for as long as the record's
TTL (time to live) lasts, with the consequent decrease in response time.
In addition, most modern operating systems have a local resolver library that keeps its own cache of the
names requested by system applications (browser, e-mail clients, etc.), so a repeated query may never
reach eBox at all.
Practical example A
Check the correct operation of the cache name server: compare the response times of two consecutive
queries for the same name, www.example.com.
1. Action: Access eBox, enter Module status and enable the DNS module by marking the check-
box in the Status column.
Effect: eBox requests permission to overwrite certain files.
2. Action: Read the changes of each of the files to be modified and grant eBox permission to
overwrite them.
Effect: The Save changes button has been enabled.
3. Action: Go to Network DNS and add a new Domain name server with value 127.0.0.1.
Effect: eBox itself now uses its own DNS server to translate names to IP addresses and vice versa.
4. Action: Save the changes.
Effect: eBox displays the progress while the changes are being applied. Once this is complete
it is indicated as such.
eBox now manages the DNS server configuration.
5. Action: Use the Domain name resolution tool available in Network Diagnosis to check
the operation of the cache, querying the domain www.example.com consecutively and
checking the response time.
[3] A cache is a collection of duplicated data from an original source, where the original data is expensive to obtain or
compute compared to the cost of reading the cache (http://en.wikipedia.org/wiki/Cache).
2.2.2 DNS server configuration with eBox
DNS has a tree structure whose origin is known as . or root. Under . are the TLDs (Top Level
Domains), such as org, com, edu, net, etc. When a DNS server is asked a question it does not know the
answer to, it walks the tree from the root downwards, query by query, until it reaches the server that holds
the answer. Each . in a name (e.g. home.example.com) separates a label belonging to a different branch of
the tree, and therefore a different zone to query. The name is traversed from right to left.
Figure 2.3: DNS tree
Another important aspect is reverse resolution (the in-addr.arpa tree), which makes it possible to translate an IP
address back into a domain name. Furthermore, as many aliases (CNAME records) as required can be
added for each name, and the same IP address can have several names associated with it.
Another important characteristic of the DNS is the MX record. This record indicates where the e-mail
addressed to a certain domain is to be delivered. For example, when an e-mail is to be sent to a user at
home.example.com, the sending mail server asks for the MX record of home.example.com and the service
replies that it is mail.home.example.com.
The configuration in eBox is done through the DNS menu. In eBox, as many DNS domains as
required can be configured.
To configure a new domain, drop down the form by clicking on Add new. From here, the domain
name and an optional IP address to which the domain will refer can be configured.
Once a correct domain has been created, e.g. home.example.com, it is possible to complete the list of
hostnames for the domain. As many IP addresses as required can be added under the names
decided. Reverse resolution is added automatically. Furthermore, as many aliases as required can
also be used for each mapping.
As an additional feature, e-mail server names can be added through Mail exchangers, either by selecting
a hostname from a domain for which eBox is the authority [4] or by entering an external one. Furthermore, a
preference can be given to each, where the lowest value has the highest priority, i.e. a sending mail server
will first try the server with the lowest preference number.
For a more in-depth look into the operation of the DNS, let us see what happens depending on the
query made through the dig diagnosis tool located in Network Diagnosis.
If a query is made for one of the domains added, eBox is the authority and replies with the answer
immediately. Otherwise, the DNS server starts at the root DNS servers and follows the referrals down the
tree, replying to the user as soon as it gets an answer. It is important to be aware that the nameservers
configured in Network DNS are used by client applications on the eBox host to resolve names, but are not
used in any way by the DNS server itself. If you want eBox to resolve names using its own DNS server, you
have to set up 127.0.0.1 as primary DNS server in the aforementioned section.
[4] A DNS server is the authority for a domain when it holds all the data needed to answer queries for that domain.
Practical example B
Add a new domain to the DNS service. Within this domain, assign a network address to a hostname.
From another host, check that it resolves correctly using the dig tool.
1. Action: Check that the DNS service is active through Dashboard in the Module status widget.
If it is not active, enable it in Module status.
2. Action: Enter DNS and in Add new enter the domain to be managed. A table will drop down
where hostnames, mail servers for the domain and the domain address itself can be
added. In Hostnames do the same by adding the hostname and its associated IP ad-
dress.
3. Action: Save the changes.
Effect: eBox will request permission to write the new files.
4. Action: Accept the overwriting of these files and save the changes.
Effect: The progress is displayed while the changes are being applied. Once this is complete
it indicates as such.
5. Action: From another PC connected to this network, request the name resolution using dig,
where 10.1.2.254 is, for example, the address of eBox and mirror.ebox-platform.com the
domain to be resolved:
$ dig mirror.ebox-platform.com @10.1.2.254
; <<>> DiG 9.5.1-P1 <<>> mirror.ebox-platform.com @10.1.2.254
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<-
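The dig output above is cut off at the header line, and the header is where the interesting information is: the flags tell you whether the answer came from the authority for the zone or from a cache. The following Python script is an added example for this guide, not eBox or BIND code. It builds the same A query at the wire level and decodes a constructed reply, so the flags dig would have printed (qr, aa, rd, ra) and the rcode can be inspected. An answer for one of eBox's own domains carries the AA flag; an answer obtained recursively or from the cache has AA clear and RA set. The address 10.1.2.10 for mirror.ebox-platform.com is made up for the example.

```python
"""DNS query and response at the wire level (RFC 1035), as an added example for
this guide (not eBox or BIND code). The reply is constructed to look like what
an authoritative server returns for a name it serves: the AA flag is set. A
cached or recursively obtained answer has AA clear and RA set instead. The
address 10.1.2.10 for mirror.ebox-platform.com is made up for the example.
"""
import struct


def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard recursive query (RD=1) for an A record (qtype 1), class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, off
    for _ in range(128):                     # hard bound against compression-pointer loops
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 11xxxxxx: pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    else:
        raise ValueError("name too long or pointer loop")
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Header flags plus the answer section (A records rendered as dotted quads)."""
    qid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
           "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
           "rcode": flags & 0x000F, "answers": []}
    off = 12
    for _ in range(qdcount):                 # skip the question section
        _name, off = read_name(msg, off)
        off += 4                             # qtype + qclass
    for _ in range(ancount):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            out["answers"].append((name, "A", ttl, ".".join(str(b) for b in rdata)))
        else:
            out["answers"].append((name, rtype, ttl, rdata))
    return out


def build_answer(query: bytes, ip: str, ttl: int = 3600, authoritative: bool = True) -> bytes:
    """Constructed reply: echoes the question and adds one A record whose owner
    name is a compression pointer (0xC00C) back to the question name at offset 12."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | (0x0400 if authoritative else 0x0080)   # QR, RD, then AA or RA
    header = struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr


if __name__ == "__main__":
    q = build_query("mirror.ebox-platform.com")
    print(parse_response(build_answer(q, "10.1.2.10")))
```

To try it against a real server, send `build_query(...)` over UDP to port 53 of the eBox address and pass the datagram received to `parse_response`; the id in the reply must match the one sent, which is the minimal check every resolver performs against spoofed answers.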
Figure 2.4: Request schema with GET headers between a client and the 200 OK response from the
server. Routers and proxies in between.
The server response has the same structure as the client request, except for the first row. In this
case, the first row is the status line: the protocol version, a numeric response code and a short text
explaining it.
The most common response codes [7] are:
200 OK: The request has been processed correctly.
403 Forbidden: The server understood the request but refuses to authorize it; unlike 401 Unauthorized,
supplying (other) credentials will not help.
404 Not Found: When the resource requested has not been found.
500 Internal Server Error: When an error has occurred in the server that has prevented the request
from being correctly run.
HTTP has some limitations given its simplicity. It is a stateless protocol; therefore, the server is
unable to remember the clients between connections. This is worked around with cookies, which let the
server hand the client an identifier that the client presents on later requests. Moreover,
the server cannot start a conversation with the client. Should the client want to be notified by the server
of something, it must poll the server periodically.
The HTTP service can offer dynamic data produced by different software applications. The client
requests a certain URL with specific parameters and the software handles the request and returns
a result. The first method used was known as CGI (Common Gateway Interface), which starts a new
process for every request. This mechanism has largely been superseded because of its memory consumption
and low performance when compared to other solutions:
FastCGI: A communication protocol between software applications and the HTTP server in which a persistent
process (or pool of processes) handles the requests passed on by the HTTP server.
SCGI (Simple Common Gateway Interface): This is a simplified version of the FastCGI protocol.
Other extension mechanisms: Modules that allow the software to run inside the HTTP server process itself
(e.g. mod_php); this solution depends on the HTTP server used.
2.3.2 The Apache Web server
The Apache HTTP server [8] has been the most popular program for serving websites since April 1996.
eBox uses this server for both its web interface and the web server module. Its aim is to offer a secure,
efficient and extensible system in line with HTTP standards. Its extensibility is based on
adding features through modules that extend the core.
[7] The full list of response codes for the HTTP server can be found in section 10 of RFC 2616 (http://tools.ietf.org/html/rfc2616).
[8] Apache HTTP Server project: http://httpd.apache.org.
Other programming interfaces include mod_perl, mod_python, mod_tcl or mod_php, which allow
websites to be created using programming languages such as Perl, Python, TCL or PHP. It has several
access control and authentication modules, such as mod_access and mod_auth, among others. Furthermore,
it allows the use of SSL and TLS with mod_ssl and provides a proxy module with mod_proxy and a powerful
URL rewriting system with mod_rewrite. It has a total of 57 officially documented modules that add
functionality, although this number increases to 168 if you include those registered for the 2.2 version
of Apache [9].
2.3.3 Virtual domains
The purpose of a virtual domain is to host websites for several domain names on the same server.
If the server has a public IP address for each website, a separate configuration can be made for every
address (IP-based virtual hosting). Seen from outside, they look like several hosts in the same network. The
server dispatches the traffic arriving at each address to its corresponding website.
However, it is more common to have only one or two IPs per host. In this case, each website has to
be associated with its domain name. The web server reads the Host header sent in the client request
and, depending on the domain requested, dispatches it to one website or another. Each of these
configurations is known as a Virtual Host, as there is only one host in the network, but the existence of
several is simulated.
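The name-based dispatch just described is simple to state but has a sharp edge: whatever the client puts in the Host header decides which site answers, so the server must normalise the value and must send anything unrecognised to a deliberately chosen default site. The following Python script is an added example for this guide, not Apache or eBox code; the request bytes and the vhost table (laid out as /var/www/<vHostName>, the directory convention eBox uses) are constructed. It also rejects requests with two Host headers, a classic request-smuggling and vhost-confusion trick, and refuses HTTP/1.1 requests without a Host header, as the standard requires.

```python
"""Name-based virtual host dispatch, as an added example for this guide (not
Apache or eBox code). The server reads the Host header of the request and picks
the site; the request bytes and the vhost table below are constructed.
Host matching is case-insensitive and ignores any :port suffix, and an unknown
or missing Host name goes to an explicitly chosen default site (Apache itself
uses the first vhost defined), so a crafted Host value cannot reach an
unintended site.
"""
from typing import Optional, Tuple


def parse_request(raw: bytes):
    """Split an HTTP/1.x request head into (method, target, version, headers)."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _colon, value = line.partition(":")
        key = name.strip().lower()
        if key in headers:
            # two Host headers are a classic request-smuggling / vhost-confusion trick
            raise ValueError(f"duplicate header: {key}")
        headers[key] = value.strip()
    return method, target, version, headers


def normalise_host(host: str) -> str:
    """Drop the :port suffix (IPv6 literals keep their brackets), lower-case, strip trailing dot."""
    if host.startswith("["):
        host = host[: host.index("]") + 1]
    else:
        host = host.split(":", 1)[0]
    return host.lower().rstrip(".")


def select_vhost(raw: bytes, vhosts: dict, default: str) -> Tuple[int, Optional[str]]:
    """Return (status, document root); 400 when the request is malformed."""
    try:
        _method, _target, version, headers = parse_request(raw)
    except ValueError:
        return 400, None
    host = headers.get("host")
    if host is None:
        if version == "HTTP/1.1":
            return 400, None           # HTTP/1.1 requires a Host header (RFC 7230)
        return 200, vhosts.get(default)
    return 200, vhosts.get(normalise_host(host), vhosts.get(default))


# Constructed vhost table, following the /var/www/<vHostName> layout used by eBox.
VHOSTS = {
    "www.ebox-course.com": "/var/www/www.ebox-course.com",
    "www.company.com": "/var/www/www.company.com",
    "default": "/var/www/default",
}

if __name__ == "__main__":
    req = b"GET /index.html HTTP/1.1\r\nHost: WWW.EBOX-COURSE.COM:1234\r\nUser-Agent: x\r\n\r\n"
    print(select_vhost(req, VHOSTS, "default"))
```

The port in the Host header is ignored on purpose: after the port change in the practical example below, a request for http://www.ebox-course.com:1234/ must still reach the same site as one on port 80.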
2.3.4 HTTP server configuration with eBox
Through Web, it is possible to access the web service configuration.
In the first form, it is possible to modify the following parameters:
Listening port: Where the daemon is to listen for HTTP requests.
Enable public_html per user: Through this option, if the Samba module (eBox as file server) is
enabled, users can create a subdirectory known as public_html in their private directory within
Samba that will be served by the web server via the URL http://<eBox_ip>/~<username>/,
where username is the name of the user that published the contents.
[9] There is a full list at http://modules.apache.org.
Figure 2.5: Appearance of the Web module configuration
With regard to the Virtual domains, the only configuration needed is the name of the domain and
whether it is enabled or not. When a new domain is created, an entry is also created in the DNS module
(if it is installed) so that, if the domain www.company.com is added, the domain company.com is
created with the host name www, whose IP address is the address of the first static network
interface.
To publish data, it must be placed under /var/www/<vHostName>/, where vHostName is the name of the
virtual domain. If any customized configuration is to be added, for example the ability to run applications
in Python using mod_python, the necessary configuration files for this virtual domain must be created
in the directory /etc/apache2/sites-available/user-ebox-<vHostName>/.
Practical example
Enable the web server. Check that it is listening on port 80. Configure it to listen on a different port
and verify that the change becomes effective.
1. Action: Access eBox, enter Module status and enable the Web server module by marking the
checkbox in the Status column. This shows the changes to be made to the system. Allow
the operation by clicking on the Accept button.
Effect: The Save changes button has been enabled.
2. Action: Save the changes.
Effect: eBox displays the progress while the changes are being applied. Once this is complete
it indicates as such.
The web server is enabled by default on port 80.
3. Action: Using a browser, access the following address: http://eBox_ip/.
Effect: An Apache default page will be displayed with the message It works!.
4. Action: Access the Web menu. Change the port value from 80 to 1234 and click on the Change
button.
Effect: The Save changes button has been enabled.
5. Action: Save the changes.
Effect: eBox displays the progress while the changes are being applied. Once this is complete
it indicates as such.
Now the web server is listening on port 1234.
6. Action: Use the browser again to try to access http://eBox_ip/.
Effect: No response is obtained and, after a while, the browser indicates that it was
impossible to connect to the server.
7. Action: Now try to access http://eBox_ip:1234/.
Effect: The server responds and the It works! page is obtained.
2.3.5 Exercises
Exercise A
Create a Virtual domain called www.ebox-course.com with a test page. Use a browser to check that
you can access it correctly, making sure that eBox is your DNS server and can resolve this domain.
2.4 Time synchronization service (NTP)
The NTP (Network Time Protocol) protocol was designed to synchronize the clocks of computers over an
unreliable network with variable latency (jitter). The service listens on UDP port 123 and is designed to
withstand the effects of that jitter.
It is one of the oldest Internet protocols still in use (since before 1985). NTP version 4 can
reach an accuracy of 200 µs or better when the reference clock is on the local network. The distance from
the reference clock, and the accuracy that goes with it, is expressed as a stratum from 0 to 15 (16 means
unsynchronized). Stratum 0 devices are reference clocks (atomic clocks, GPS receivers) that are not on the
network but attached directly to a stratum 1 computer, e.g. over an RS-232 serial link. Stratum 2 hosts are
those synchronized via NTP with stratum 1 servers; this is what the most common operating systems, such
as GNU/Linux, Windows or MacOS, offer by default.
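The stratum hierarchy says where the time comes from; how a client actually corrects its clock from a single exchange is worth seeing once. The following Python script is an added example for this guide, not eBox or ntpdate code, and goes a little beyond the text: it packs and parses the 48-byte NTP header (RFC 5905), including the stratum field, and computes the offset and round-trip delay from the four timestamps of one request/reply, offset = ((T2 - T1) + (T3 - T4)) / 2 and delay = (T4 - T1) - (T3 - T2). All clocks and the reference identifier are constructed: the client is 1.5 s behind the server and each network leg takes 10 ms.

```python
"""How an NTP exchange yields a clock correction, as an added example for this
guide (not eBox or ntpdate code). It packs and parses the 48-byte NTP header
(RFC 5905), including the stratum field, and computes offset and delay from the
four timestamps of one exchange. All timestamps below are constructed: the
client clock is 1.5 s behind the server and each network leg takes 10 ms.
"""
import struct

NTP_EPOCH_DELTA = 2208988800        # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
HEADER = "!BBbbII4sQQQQ"            # LI/VN/Mode, stratum, poll, precision, root delay, root disp, ref id, 4 timestamps


def to_ntp(unix_seconds: float) -> int:
    """64-bit NTP timestamp: 32 bits of seconds since 1900, 32 bits of fraction."""
    secs = int(unix_seconds) + NTP_EPOCH_DELTA
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32))
    return (secs << 32) | frac


def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_packet(mode: int, stratum: int, ref_id: bytes, t_ref: int, t_orig: int, t_recv: int, t_xmit: int) -> bytes:
    li_vn_mode = (0 << 6) | (4 << 3) | mode     # leap indicator 0, version 4, mode 3 (client) or 4 (server)
    return struct.pack(HEADER, li_vn_mode, stratum, 6, -20, 0, 0, ref_id, t_ref, t_orig, t_recv, t_xmit)


def parse_packet(pkt: bytes) -> dict:
    li_vn_mode, stratum, _poll, _prec, _rdelay, _rdisp, ref_id, t_ref, t_orig, t_recv, t_xmit = struct.unpack(HEADER, pkt)
    return {"version": (li_vn_mode >> 3) & 7, "mode": li_vn_mode & 7, "stratum": stratum,
            "ref_id": ref_id, "t_ref": t_ref, "t_orig": t_orig, "t_recv": t_recv, "t_xmit": t_xmit}


def offset_and_delay(t1: float, t2: float, t3: float, t4: float):
    """T1 client transmit, T2 server receive, T3 server transmit, T4 client receive (seconds)."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return round(offset, 6), round(delay, 6)


def simulate_exchange() -> dict:
    """One client/server round trip with constructed clocks; returns what the client learns."""
    t1 = 1000.000                                  # client clock when the request leaves
    request = build_packet(3, 0, b"\0\0\0\0", 0, 0, 0, to_ntp(t1))
    # Server side: its clock reads 1.5 s more than the client's; 10 ms on the wire, 2 ms processing.
    t2 = t1 + 1.5 + 0.010
    t3 = t2 + 0.002
    # Constructed stratum-2 reply; the reference id of a stratum-2 server is its upstream's IPv4 address.
    reply = build_packet(4, 2, b"\x0a\x01\x02\xfe", to_ntp(t2 - 60),
                         parse_packet(request)["t_xmit"], to_ntp(t2), to_ntp(t3))
    t4 = t1 + 0.022                                # client clock when the reply arrives
    r = parse_packet(reply)
    if r["mode"] != 4 or r["t_orig"] != to_ntp(t1):
        raise ValueError("reply is not a server answer to our request")   # basic anti-spoofing check
    offset, delay = offset_and_delay(from_ntp(r["t_orig"]), from_ntp(r["t_recv"]), from_ntp(r["t_xmit"]), t4)
    return {"stratum": r["stratum"], "version": r["version"], "offset": offset, "delay": delay}


if __name__ == "__main__":
    print(simulate_exchange())
```

The client learns an offset of +1.5 s and a round-trip delay of 20 ms; ntpdate applies such an offset in one step, whereas a running ntpd slews the clock gradually, which is why a server like eBox should stay synchronized continuously rather than be stepped once.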
2.4.1 NTP server configuration with eBox
To configure eBox to use the NTP architecture [10], eBox must first be synchronized with an external
server of a lower stratum (normally stratum 2), through System Date/Time. A list of these can be found
in the NTP pool (pool.ntp.org), which is a dynamic collection of NTP servers that voluntarily give their
clients a reasonably precise time over the Internet.
Once eBox has been synchronized as an NTP client [11], eBox can also act as an NTP server with
a globally synchronized time.
[10] NTP public service project: http://support.ntp.org/bin/view/Main/WebHome.
[11] eBox uses ntpdate as its NTP client: http://www.ece.udel.edu/~mills/ntp/html/ntpdate.html.
Practical example
Enable the NTP service and synchronize the time of your host using the command ntpdate. Check
that both eBox and the client host are set to the same time.
1. Action: Access eBox, enter Module status and enable the NTP module by marking the
checkbox in the Status column. This shows the changes to be made to the system. Allow the
operations by clicking on the Accept button.
Effect: The Save changes button has been enabled.
2. Action: Access the System Date/Time menu. In the Synchronization with NTP servers section,
select Enabled and click on Change.
Effect: The option to manually change the date and time is replaced by fields to enter the NTP
servers with which to synchronize.
3. Action: Save the changes.
Effect: eBox displays the progress while the changes are being applied. Once this is
completed, it notifies the user.
Your eBox host will act as an NTP server.
4. Action: Install the ntpdate package on your client host. Run the command ntpdate <eBox_ip>.
Effect: The time on the host will have been synchronized with that of the eBox host.
You can check this by running the date command on both hosts.
Chapter 3
eBox Gateway
This section considers the main function of eBox as a gateway. eBox Gateway can make your network
more reliable, optimized for your bandwidth and help you control whatever enters your network.
This section includes a chapter that focuses on the functionality of the eBox firewall module, which
enables you to manage rules for the incoming and outgoing traffic of your internal network.
The firewall is not configured directly, but is supported by another two modules that provide easier
network object and service management, as described in the first part of the section.
Load balancing can be applied for Internet access, along with different rules depending on the
outgoing traffic. Furthermore, this section explains traffic shaping, which is used to ensure critical
applications are served correctly and to even limit any applications generating a lot of network traffic.
Finally, there is an introduction to the HTTP proxy service offered by eBox. This service allows or
denies access from the internal network to the WWW using different filtering rules, including content-
based ones.
3.1 High-level eBox network abstractions
3.1.1 Network objects
Network objects are a way of giving a name to a network element or a group of elements. They are
used to simplify and subsequently facilitate network configuration management by being able to select
behavior for these objects.
To give an example, they can be used to give a significant name to an IP address or a group of IP
addresses. In the case of the latter, instead of defining access rules for each of the addresses, they
merely have to be defined for the network object so that all the addresses belonging to the object take
on this configuration.
Figure 3.1: GRAPHIC: representation of network objects
Management of network objects with eBox
For object management in eBox, go to the submenu Objects and create new objects, each with a name
and a series of members.
Objects can be created, modified and deleted. They are used later by other modules,
such as the firewall, the Web cache proxy or the mail service.
Each member has at least the following values: name, IP address and network mask in CIDR
notation. A physical (MAC) address can also be given, but only makes sense for a member that denotes a
single machine.
Figure 3.2: General appearance of the network object module
The members of one object can overlap the members of another, so the same host may belong to several
objects and match rules written for any of them. Great care must therefore be taken when using overlapping
objects in the remaining modules, and with the order of the rules that refer to them, to obtain the desired
configuration and avoid security problems.
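Overlap is easy to introduce and hard to spot in a web form, so it is worth detecting it mechanically. The following Python script is an added example for this guide, not eBox code. The accountancy hosts object is the one used in the practical example further down; the guest network and printers objects are constructed to provoke overlaps. It lists every pair of members whose address ranges intersect, shows which objects a given host belongs to, and then shows the consequence the text warns about: with an ordered rule set, the same accountancy server is denied or accepted depending only on which rule comes first.

```python
"""Overlap between eBox-style network objects, as an added example for this
guide (not eBox code). The "accountancy hosts" object is the one from the
practical example in this chapter; the other two objects are constructed to
show the problem: a host that belongs to several objects matches rules written
for each of them, and in an ordered rule set the first match decides.
"""
import ipaddress
from itertools import combinations

OBJECTS = {
    "accountancy hosts": ["192.168.0.12/32", "192.168.0.13/32", "192.168.0.64/26"],
    "guest network": ["192.168.0.0/24"],                 # constructed; deliberately too broad
    "printers": ["192.168.0.70/32", "192.168.1.0/24"],   # constructed
}


def overlaps(objects: dict) -> list:
    """Every (object_a, member_a, object_b, member_b) whose address ranges intersect."""
    found = []
    for (name_a, members_a), (name_b, members_b) in combinations(objects.items(), 2):
        for a in members_a:
            for b in members_b:
                if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b)):
                    found.append((name_a, a, name_b, b))
    return found


def objects_matching(ip: str, objects: dict) -> list:
    """Names of all objects that contain the address, sorted for stable output."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, members in objects.items()
                  if any(addr in ipaddress.ip_network(m) for m in members))


def decide(ip: str, rules: list, objects: dict, default: str = "deny") -> str:
    """Ordered rule set: each rule is (object name, decision); the first match wins."""
    hits = objects_matching(ip, objects)
    for obj, decision in rules:
        if obj in hits:
            return decision
    return default


if __name__ == "__main__":
    for entry in overlaps(OBJECTS):
        print("overlap:", entry)
    # The same accountancy server gets opposite treatment depending on rule order.
    print(decide("192.168.0.12", [("guest network", "deny"), ("accountancy hosts", "accept")], OBJECTS))
    print(decide("192.168.0.12", [("accountancy hosts", "accept"), ("guest network", "deny")], OBJECTS))
```

Running `overlaps` over the objects exported from a real eBox before writing firewall or proxy rules turns an invisible ordering problem into a list that can be reviewed.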
3.1.2 Network services
A network service is the abstraction of one or more applicable protocols that can be used in other
modules, such as the firewall or the traffic-shaping module.
The use of the services is similar to that of the objects. It was seen that with the objects it was
possible to make an easy reference to a group of IP addresses using a significant name. It is also
possible to identify a group of numerical ports that are difficult to remember and time-consuming to
enter several times in different configurations, with a name in line with its function (more typically, the
name of the level-7 protocol or application using these ports).
Figure 3.3: GRAPHIC: client connection to a server
Management of network services with eBox
For management in eBox, go to the submenu Services, where it is possible to create new services,
which will have an associated name, description and a flag indicating whether the service is external
or internal. A service is internal if the ports configured for that service are being used in the machine
in which eBox is installed. Furthermore, each service has a series of members. Each one will have
the following values: protocol, source port and destination port.
The value any can be entered in all of these fields, e.g. to specify services in which the source
port is indifferent.
Bear in mind that in network services based on the most commonly-used client/server model,
clients normally connect from an arbitrary (ephemeral) source port to a well-known destination port.
Well-known ports are those between 0 and 1023, registered ports those between 1024 and 49151,
and private or dynamic ports those between 49152 and 65535.
A list of known network services approved by the IANA [1] for the UDP and TCP protocols can be found
in the /etc/services file.
The protocol can be TCP, UDP, ESP, GRE or ICMP. There is also a TCP/UDP value to avoid having
to add the same port twice when it is used by both protocols.
[1] The IANA (Internet Assigned Numbers Authority) is responsible for establishing the services associated with
well-known ports. The full list can be found at http://www.iana.org/assignments/port-numbers.
Figure 3.4: General appearance of the network service module
Services can be created, modified and deleted. These services will be used later on in the firewall
or traffic shaping by merely referring to the significant name.
Practical example
Create an object and add the following: a host with no MAC address, a host with a MAC address
and a network address.
To do so:
1. Action: Access Objects. Add accountancy hosts.
Effect: The accountancy hosts object has been created.
2. Action: Access Members of the accountancy hosts object. Create accountancy server
member with a network IP address, e.g. 192.168.0.12/32. Create another member backup
accountancy server with another IP address, e.g. 192.168.0.13/32, and a valid MAC address,
e.g. 00:0c:29:7f:05:7d. Finally, create the accountancy PC network member with the IP ad-
dress of a subnet of your local network, e.g. 192.168.0.64/26. Finally, go to Save changes to
confirm the configuration created.
Effect: The accountancy hosts object will contain three permanent members, i.e. accoun-
tancy server, backup accountancy server and accountancy PC network.
Exercises
Exercise A
Create a service called IRC with the following characteristics:
Protocol: TCP
External
Single destination port: 6667
Exercise B
Change the configuration of the previous service to become internal and then try to change the
port where eBox is listening in System General to 6667. Did you have any problems? Why?
3.2 Firewall
We will configure a firewall to see the application of the network objects and services. A firewall is
a system that enforces access control policies between networks. In our case, a host will be
devoted to protecting our internal network and eBox itself from attacks from the external network.
A firewall allows the user to define a series of access policies, such as which hosts may be
connected to or which may receive data and what type of data. In order to do this, it uses rules that
filter traffic depending on different parameters, such as the protocol, source or destination addresses
or ports used.
Technically speaking, the best solution is to have a computer with two or more network cards
that isolate the different connected networks (or segments thereof), so that the firewall software is
responsible for forwarding packets between the networks and deciding which may pass and to
which network they are sent. By configuring the host as both firewall and router, packets can
be exchanged between networks in a more secure manner.
3.2.1 The firewall in GNU/Linux: Netfilter
Starting with the Linux 2.4 kernel, a filtering subsystem known as Netfilter is provided to offer packet
filtering and Network Address Translation (NAT) [2]. The iptables command-line interface allows the
different configuration tasks to be performed: rules affecting the filtering system (filter table),
rules affecting packet translation with NAT (nat table) and rules that set certain packet control and
handling options (mangle table). It is extremely flexible and its parts are orthogonal, although it adds a
great deal of complexity and has a steep learning curve.
3.2.2 eBox security model
The eBox security model is based on seeking to provide the utmost default security, in turn trying to
minimize the work of the administrator regarding configuration when new services are added.
When eBox acts as a firewall, it is normally installed between the local network and the router that
connects that network to another, normally Internet. The network interfaces connecting the host to the
external network (the router) must be marked as such. This enables the Firewall module to establish
default filtering policies.
Figure 3.5: Internal network - Filtering rules - External network
The policy for external interfaces is to deny all attempts of new connections to eBox. Internal
interfaces are denied all connection attempts, except those made to internal services defined in the
Services module, which are accepted by default.
Furthermore, eBox configures the firewall automatically to provide NAT for packets entering through an internal interface and exiting through an external interface. Where this function is not required, it may be disabled using the nat_enabled variable in the firewall module configuration file in /etc/ebox/80firewall.conf.
[2] NAT (Network Address Translation): this is the process of rewriting the source or destination of an IP packet as it passes through a router or firewall. Its main use is to provide several hosts in a private network with Internet access through a single public IP.
3.2.3 Firewall configuration with eBox
For easier handling of iptables in filtering tasks, the eBox interface in Firewall Package filtering is
used.
Where eBox acts as a gateway, filtering rules can be established to determine whether the traffic from a local or remote service must be accepted or not. There are five types of network traffic that can be controlled with the filtering rules:
Traffic from an internal network to eBox (e.g. allow SSH access from certain hosts).
Traffic among internal networks and from internal networks to the Internet (e.g. forbid Internet
access from a certain internal network).
Traffic from eBox to external networks (e.g. allow files to be downloaded by FTP from the host
using eBox).
Traffic from external networks to eBox (e.g. enable the Jabber server to be used from the
Internet).
Traffic from external networks to internal networks (e.g. allow access to an internal Webserver
from the Internet).
Bear in mind that the last two types of rules may jeopardize eBox and network security and,
therefore, must be used with the utmost care. The filtering types can be seen in the following graphic:
eBox provides a simple way to control access to its services and to external services from an
internal interface (where the intranet is located) and the Internet. It is normally object-configured.
Hence, it is possible to determine how a network object can access each of the eBox services. For
example, access could be denied to the DNS service by a certain subnet. Furthermore, the Internet
access rules are managed by eBox too, e.g. to configure Internet access, outgoing packages to TCP
ports 80 and 443 to any address have to be allowed.
Each rule has a source and destination that depend on the type of filtering used. For example,
the filtering rules for eBox output only require the establishing of the destination, as the source is
always eBox. A specific service or its reverse can be used to deny all output traffic, for example,
except SSH traffic. In addition, it can be given a description for easier rule management. Finally,
each rule has a decision that can have the following values:
Accept the connection.
Deny the connection by ignoring the incoming packets, so that the source assumes the connection could not be established.
Deny the connection and also record it. Thus, through Logs -> Log query of the Firewall, it is possible to see whether a rule is working properly.
Figure 3.6: GRAPHIC: types of filtering rules
Figure 3.7: List of package filtering rules from internal networks to eBox
Port redirection
Port redirections (destination NAT) are configured through Firewall Redirection, where an external
port can be given and all traffic routed to a host listening on a certain port can be redirected by
translating the destination address.
To configure a redirection, the following fields need to be specified: interface where the translation
is to be made, the original target (this could be eBox, an IP address or an object), the original
destination port (this could be any, a range of ports or a single port), the protocol, the source from
where the connection is to be started (in a normal configuration, its value will be any), the target IP
address and, finally, the destination port, where the target host is to receive the requests, which may
or may not be the same as the original.
According to the example, all connections to eBox through the eth0 interface to port 8080/TCP will
be redirected to port 80/TCP of the host with IP address 10.10.10.10.
Practical example
Use the netcat program to create a simple server that listens on port 6970 in the eBox host. Add a
service and a firewall rule so that an internal host can access the service.
To do so:
1. Action: Access eBox, enter Module status and enable the Firewall module by marking the
checkbox in the Status column.
Effect: eBox requests permission to take certain actions.
2. Action: Read the actions to be taken and grant permission to eBox to do so.
Effect: The Save changes button has been enabled.
3. Action: Create an internal service as in Exercise A of section High-level eBox network abstrac-
tions through Services with the name netcat and with the destination port 6970. Then go to
Firewall Package filtering in Filtering rules from internal networks to eBox and add the
rule with at least the following fields:
Decision : ACCEPT
Source : Any
Service : netcat. Created in this action.
Once this is done, Save changes to confirm the configuration.
Effect: The new netcat service has been created with a rule for internal networks to connect
to it.
4. Action: From the eBox console, launch the following command:
nc -l -p 6970
5. Action: From the client host, check that there is access to this service using the nc command, replacing <ebox-ip> with the IP address of the eBox host:
nc <ebox-ip> 6970
Effect: You can send data that will be displayed in the terminal where you launched netcat in
eBox.
3.2.4 Exercises
Exercise A
Add a rule to enable a host in the internal network to browse. Check whether this is possible.
Exercise B
Use the netcat program to create a simple server that listens on port 6970 in the eBox host. Add a
service and a firewall rule so that an external host can access the service.
Exercise C
Add a redirection so that an external host can connect via ssh to an internal host accessible through
eBox.
Exercise D
Using the iptables command, find the filtering and NAT rules that eBox has added in the previous exercises.
3.2.5 Suggested exercises
Exercise E
The firewall is the most common source of problems when testing network services. Therefore, it is
useful to know how to allow all traffic in any direction. How would you do it?
3.3 Routing
3.3.1 Routing tables
The term routing refers to the action of deciding through which interface a certain packet must be sent
from a host. The operating system has a routing table with a set of rules to make this decision.
Each of these rules has different fields, although the three most important ones are: destination address, interface and router. These must be read as follows: to reach a certain destination address, the packet must be directed through a router, which is accessible through a certain interface.
When a message arrives, its destination address is compared to the entries in the table and the packet is sent through the interface indicated in the rule that matches. The best match is the most specific rule. For example, suppose one rule indicates that to reach network A (10.15.0.0/16) router A must be used, and another indicates that to reach network B (10.15.23.0/24), which is a subnet of A, router B must be used. If a packet arrives with destination 10.15.23.23/32, the operating system will send it to router B, as that is the more specific rule.
All hosts have at least one routing rule for the loopback interface, or local interface, and additional
rules for other interfaces that connect it to other internal networks or to Internet.
To manually configure a static route table, Network Routes is used (basically it is an interface
for the route or ip route commands). These routes may be overwritten if the DHCP protocol is used.
Figure 3.8: Route configuration
Gateway
When sending a packet, if no route matches and there is a gateway configured, it will be sent through
the gateway.
The gateway is the route by default for packets sent to other networks.
To configure a gateway, use Network Routers.
Name: Name identifying the gateway.
IP address: IP address of the gateway. This address must be accessible from the host containing
eBox.
Interface: Network interface connected to the gateway. Packages sent to the gateway will be sent
through this interface.
Upload/Download: Upload and download rates supported by the gateway. These values are used by
the traffic shaping module.
Weight: The heavier the weight, the more traffic will be directed to this gateway when load balancing
is enabled.
Default: Indicates if this gateway should be used as the default one.
Subnets and subnet routing
As indicated above, initially there were classes of networks with associated fixed network masks, which
were 8-bit multiples. Due to the lack of scalability of this approach, CIDR (Classless Inter-Domain
Routing) was created to allow for network masks of a variable size to be used, allowing, for example,
for a class C network to be divided into several subnets of a smaller size or to aggregate several class
C subnets into one of a larger size. This allows:
A more effective use of the scarce IPv4 address space.
Better use of the hierarchy in address assignment (adding of prefixes), decreasing routing over-
load throughout the Internet.
The number of bits interpreted as the subnet identifier is given by a netmask that is of the same length as the IP address. To find the network of an IP address with its mask, proceed as follows (the network portion is the bitwise AND of the address and the mask):

                  Dotted decimal    Binary
IP address        192.168.5.10      11000000.10101000.00000101.00001010
Netmask           255.255.255.0     11111111.11111111.11111111.00000000
Network portion   192.168.5.0       11000000.10101000.00000101.00000000

CIDR also introduced a new nomenclature that can be seen compared to the above in the following table:

CIDR   Class C networks   Hosts   Mask
/32    1/256              1       255.255.255.255
/31    1/128              2       255.255.255.254
/25    1/2                128     255.255.255.128
/24    1                  256     255.255.255.0
/21    8                  2048    255.255.248.0
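As an added example (not part of the eBox guide or its code), the following Python carries out the longest-prefix route lookup described in 3.3.1 and the CIDR arithmetic behind the two tables above. The routing table and default gateway it uses are constructed sample data that mirror the guide's 10.15.0.0/16 and 10.15.23.0/24 example.

```python
# Added example, not from the eBox guide: longest-prefix route lookup (3.3.1)
# and the CIDR arithmetic of the subnet tables. Standard library only.
import ipaddress


def network_portion(ip: str, mask: str) -> str:
    """Bitwise AND of the address and the netmask, as in the 192.168.5.10 table."""
    return str(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False).network_address)


def cidr_row(prefix: int) -> dict:
    """One row of the CIDR table: share of a class C, addresses ('Hosts'), mask.
    Like the table, 'hosts' counts every address in the block, network and
    broadcast addresses included."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{prefix}")
    n = net.num_addresses
    class_c = str(n // 256) if n >= 256 else f"1/{256 // n}"
    return {"cidr": f"/{prefix}", "class_c": class_c, "hosts": n, "mask": str(net.netmask)}


def route_lookup(routes, dst: str, gateway=None):
    """Return (router, interface) for dst: the most specific matching rule wins;
    if no rule matches, the default gateway is used (None when none is set)."""
    dst_ip = ipaddress.IPv4Address(dst)
    best = None
    for network, router, iface in routes:
        net = ipaddress.IPv4Network(network)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, router, iface)
    return (best[1], best[2]) if best else gateway


# Constructed routing table mirroring the text: network A via router A,
# its subnet B via router B, plus the loopback rule every host has.
ROUTES = [
    ("10.15.0.0/16", "router A", "eth1"),
    ("10.15.23.0/24", "router B", "eth1"),
    ("127.0.0.0/8", "local", "lo"),
]
GATEWAY = ("10.1.1.1", "eth0")  # constructed default gateway (Network Routers)

if __name__ == "__main__":
    print(network_portion("192.168.5.10", "255.255.255.0"))  # 192.168.5.0
    for p in (32, 31, 25, 24, 21):
        print(cidr_row(p))
    print(route_lookup(ROUTES, "10.15.23.23"))       # ('router B', 'eth1')
    print(route_lookup(ROUTES, "10.15.1.1"))         # ('router A', 'eth1')
    print(route_lookup(ROUTES, "8.8.8.8", GATEWAY))  # ('10.1.1.1', 'eth0')
```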
Practical example A
You will now configure the network interface statically. The class will be divided into two subnets.
To do so:
1. Action: Access the eBox interface, enter Network Interfaces and, for the network interface eth0, select the Static method. As the IP address, enter that indicated by the instructor. As the Netmask, use 255.255.255.0. Click on the Change button.
The network address will be of the form 10.1.X.Y, where 10.1.X corresponds to the network and
Y to the host. These values will be used from now on.
Enter Network DNS and click on Add. As the Name server enter 10.1.X.1. Click on Add.
Effect: The Save changes button has been enabled and the network interface keeps the data
entered. A list is displayed containing the name servers, including the recently created
server.
2. Action: Save the changes.
Effect: eBox displays the progress while the changes are being applied.
3. Action: Access Network Diagnosis. Ping ebox-platform.com.
Effect: The following is given as the result:
connect: network is unreachable
4. Action: Access Network Diagnosis. Ping to an eBox of a classmate part of the same
subnet.
Effect: Three satisfactory connection attempts to the host are displayed as the result.
5. Action: Access Network Diagnosis. Ping to the eBox of a classmate in the other subnet.
Effect: The following is given as the result:
connect: network is unreachable
Practical example B
You will now configure a route to access hosts in other subnets.
To do so:
1. Action: Access the eBox interface, enter Network Routes and select Add new. Complete
the form with the following values:
Network 10.1.X.0 / 24
Gateway 10.1.1.1
Description route to the other subnet
Click on the Add button.
Effect: The Save changes button has been enabled. A list is displayed containing the routes,
including the recently created one.
2. Action: Save the changes.
Effect: eBox displays the progress while the changes are being applied.
3. Action: Access Network Diagnosis. Ping ebox-platform.com.
Effect: The following is given as the result:
connect: network is unreachable
4. Action: Access Network Diagnosis. Ping to the eBox of a classmate in the other subnet.
Effect: Three satisfactory connection attempts to the host are displayed as the result.
Practical example C
You will now configure a gateway to connect to the remaining networks.
To do so:
1. Action: Access the eBox interface, enter Network Routes and delete the route created
during the previous exercise.
Enter Network Routers and select Add new. Complete with the following data:
Name Default Gateway
IP address 10.1.X.1
Interface eth0
Upload 0
Download 0
Weight 1
Default yes
Click on the Add button.