Using eBox As A Gateway: Firewall, Traffic Shaping, HTTP Proxy And More

eBox Platform is the Linux small business server that allows you to manage all your network services like firewall, DHCP, DNS, VPN, proxy, IDS, mail, file and printer sharing, VoIP, IM and much more. These functionalities are tightly integrated, automating most tasks, avoiding mistakes and saving time for system administrators.

This article will show you step by step how to use eBox as a gateway: network configuration, load balancing between two Internet connections with WAN failover, multigateway rules for policy routing, traffic shaping, DHCP and DNS cache for the LAN, and an HTTP proxy with different content filtering policies and antivirus.


0.- Scenario

This scenario is a typical gateway deployment in a production environment such as a high school or a company with up to 250 users, strict content filtering requirements and multiple Internet connections. In this example we will show how to configure two Internet routers, each attached to its own network card. As bandwidth needs grow, adding more routers is as easy as adding a new gateway; in that case all of them could be connected to the same interface using IP addresses within the same subnet.

Our server will have 3 network interfaces, eth0 (192.168.2.254/24) and eth2 (192.168.1.254/24) as the WAN (external) interfaces connected to the routers ADSL1 (192.168.2.1/24) and ADSL2 (192.168.1.254/24). eth1 will be the LAN interface (192.168.100.254/24).


1.- Installation

eBox Platform runs on standard x86 hardware; just make sure that Ubuntu supports your server. The system can be installed in two different ways:

  • Using the eBox Platform Installer (recommended). Installation and deployment are easier because all the dependencies are on a single CD and some preconfiguration is done during the installation process.
  • Using an existing Ubuntu LTS Server Edition installation. You need to add the eBox Platform PPA repositories to your sources.list and install the packages you are interested in.

Refer to our previous article for more information on the installation, see the Installation Guide page on our wiki, or download our preinstalled virtual machine image.


2.- Network configuration

The first thing to do is to set up the network interfaces. Go to Network -> Interfaces and, in this case, configure static IP addresses and their netmasks. On the external interfaces (eth0 and eth2) remember to check the WAN option:

[Screenshot: network_interfaces]

Then configure eBox to use our local DNS caching server under Network -> DNS:

[Screenshot: network_dns]

After that, let's take a look at the gateways. Go to Network -> Gateways and define the two gateways. You can give them names so you remember which one you are talking about, and use the Weight parameter to express the relative bandwidth capacity of each connection. In our example both have the same speed, so we give them weight 1:

[Screenshot: network_gateways]

3.- Firewall

By default, eBox applies strict rules on the external interfaces and allows outgoing connections from the LAN and from the eBox server itself.

The firewall module lets you set up complex firewall policies, and because every module registers its own rules there, it is really easy for the system administrator to manage the rules without making mistakes.

Rules are classified into five groups that follow the flow of traffic through the server; they can be found under Firewall -> Packet Filter:

  • Filtering rules from internal networks to eBox
  • Filtering rules for internal networks
  • Filtering rules for traffic coming out from eBox
  • Filtering rules from external networks to eBox
  • Filtering rules from external networks to internal networks

Let’s consider the following rules for our example:

[Screenshot: firewall_internal_to_ebox]

[Screenshot: firewall_internal_networks]

[Screenshot: firewall_outgoing]

[Screenshot: firewall_external_to_ebox]

4.- Multigateway setup

Enabling load balancing between both gateways is as easy as going to Network -> Balance Traffic and checking the Balance Traffic box:

[Screenshot: network_multigw]

Additionally, multigateway rules can be defined to force connections through one specific gateway based on source, destination or port.

With the WAN failover feature you can configure a set of probes (pings, DNS queries or HTTP requests) to check whether each gateway and its Internet connection are working properly. If the configured percentage of probes fail, the gateway is disabled; on the next test round it is probed again to see whether it is back.

[Screenshot: network_wanfailover]

Multigateway rules that point at a failed gateway are disabled and their traffic uses the default interface instead. When the gateway comes back, the rules are set up again automatically.
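The failover behaviour described in this section can be illustrated with a small simulation. The following is an added example, not eBox's own code: probe outcomes are scripted so it runs offline, and the fail-ratio threshold, the Gateway and FailoverTest classes and the fallback handling for pinned rules are assumptions about how such a feature behaves rather than details taken from eBox.

```python
"""Simulation of WAN failover: a gateway is disabled when the share of
failing probes reaches a threshold and re-enabled when a later round passes.
Added example (not eBox code); thresholds and classes are assumptions."""
import socket
import urllib.request
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Gateway:
    name: str
    interface: str
    weight: int = 1
    enabled: bool = True


@dataclass
class FailoverTest:
    gateway: Gateway
    probes: List[Callable[[], bool]]   # each returns True when it succeeds
    fail_ratio: float                  # disable when this fraction (or more) fails


# Builders for two of the probe kinds the article mentions (DNS and HTTP).
# They are not exercised by the scripted simulation below.
def dns_probe(hostname: str) -> Callable[[], bool]:
    def probe() -> bool:
        try:
            socket.gethostbyname(hostname)
            return True
        except OSError:
            return False
    return probe


def http_probe(url: str, timeout: float = 5.0) -> Callable[[], bool]:
    def probe() -> bool:
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                return 200 <= resp.status < 400
        except (OSError, ValueError):
            return False
    return probe


def run_test(test: FailoverTest) -> float:
    """Run every probe once and update the gateway state.
    Returns the fraction of probes that failed."""
    results = [probe() for probe in test.probes]
    failed = results.count(False) / len(results)
    # A failing round disables the gateway; a later passing round re-enables it.
    test.gateway.enabled = failed < test.fail_ratio
    return failed


def default_gateway(gateways: List[Gateway]) -> Optional[Gateway]:
    """The first enabled gateway acts as the default (assumption)."""
    return next((g for g in gateways if g.enabled), None)


def route_for_rule(pinned: Gateway, gateways: List[Gateway]) -> Optional[Gateway]:
    """A multigateway rule pinned to a failed gateway falls back to the default."""
    return pinned if pinned.enabled else default_gateway(gateways)


def simulate(rounds: List[List[bool]], fail_ratio: float = 0.5):
    """Script the ADSL2 probe outcomes for several test rounds and record, after
    each round, whether ADSL2 is enabled and which gateway a rule pinned to it
    actually uses. ADSL1 is assumed healthy throughout."""
    adsl1 = Gateway("ADSL1", "eth0")
    adsl2 = Gateway("ADSL2", "eth2")
    gateways = [adsl1, adsl2]
    history = []
    for outcomes in rounds:
        probes = [lambda result=result: result for result in outcomes]
        run_test(FailoverTest(adsl2, probes, fail_ratio))
        chosen = route_for_rule(adsl2, gateways)
        history.append((adsl2.enabled, chosen.name if chosen else None))
    return history


if __name__ == "__main__":
    # Round 1: all three probes (ping, DNS, HTTP) pass; round 2: ping and DNS
    # fail; round 3: everything passes again.
    rounds = [[True, True, True], [False, False, True], [True, True, True]]
    for enabled, used in simulate(rounds):
        print(f"ADSL2 enabled={enabled}; rule pinned to ADSL2 uses {used}")
```

With a 50% threshold, one failing probe out of three leaves the gateway up, two out of three take it down, and the rule pinned to it silently uses ADSL1 until the next passing round.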


5.- Traffic shaping

Traffic shaping, also known as Quality of Service (QoS), establishes priorities among our outgoing traffic: interactive services such as ICMP, DNS or VoIP get higher priority, while file transfers and P2P get lower priority. eBox supports traffic shaping rules based on source, destination, ports and application (Layer 7) patterns:

[Screenshot: tc]

We will do the same for the other external interface eth2.


6.- DHCP, DNS cache and NTP

To easily configure all the computers on our LAN we will need a DHCP server, a DNS server and an NTP server.

The DNS caching server and the NTP server work out of the box once their modules are enabled. To configure DHCP, go to the DHCP menu and set eBox as the default gateway, DNS and NTP server, define a network range for the DHCP pool, and adjust any other advanced options you need. Static leases based on MAC address and other features such as dynamic DNS or PXE are also possible.

[Screenshot: dhcp]

7.- HTTP proxy

The last module to configure in order to have a full-featured gateway is our HTTP proxy. eBox uses Squid and DansGuardian for this. Like the Firewall and Traffic Shaping modules, the HTTP proxy module applies its rules to network objects.

As we will be applying two different policies, we are going to create an object called lan for the whole LAN and another one for some servers within the LAN whose traffic won't be filtered at all. We go to the Objects menu and create a new object lan with one member, the subnet 192.168.100.0/24, and another one called servers with the addresses of our servers:

[Screenshot: objects]

7.1.- General configuration

Under HTTP Proxy -> General Configuration we set up the default policy and the domains that won't be stored in the Squid cache. The default policy can be one of:

  • Always allow: Allow all requests
  • Filter: Filter all requests
  • Always deny: Deny all requests except those explicitly allowed

The Authorize options are not compatible with Transparent Proxy, so they won't be considered in this scenario.

[Screenshot: proxy1]

7.2.- Bandwidth throttling

The HTTP Proxy -> Bandwidth Throttling feature lets you control large downloads: once a download exceeds the defined file size, the proxy slows it down to the defined rate. The policy can be applied to the whole LAN using Delay Pools Class 1, or per client using Delay Pools Class 2. In this example we limit the download speed per client rather than per subnet: a file smaller than 50KB is downloaded at full speed; for larger files, after the first 50KB the speed is limited to 512 KBps:

[Screenshot: proxy2]
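The per-client throttling above maps onto a Squid class 2 delay pool: a per-client token bucket that starts full (the 50KB burst) and refills at the limit rate (512 KBps). The following added example, not eBox's own code, renders that pool in Squid's delay_pools syntax and estimates what a client sees for files of different sizes. How eBox itself writes the configuration, and the link speed used in the timing estimate, are assumptions.

```python
"""Squid delay-pool arithmetic for per-client throttling.
Added example (not eBox code): the squid.conf lines follow Squid's
delay_pools syntax; eBox's own rendering and the link speed are assumptions."""
KB = 1024  # Squid counts bytes, so 50KB and 512 KBps are converted below


def delay_pool_config(burst_bytes, rate_bytes_per_s, acl="lan", subnet="192.168.100.0/24"):
    """Render a single class 2 (per-client) delay pool for squid.conf.
    Class 2 takes two restore/max pairs: the aggregate bucket, then the
    per-client bucket. -1 means unlimited; each client's bucket starts full
    (burst_bytes) and refills at rate_bytes_per_s."""
    return "\n".join([
        f"acl {acl} src {subnet}",
        "delay_pools 1",
        "delay_class 1 2",
        f"delay_parameters 1 -1/-1 {rate_bytes_per_s}/{burst_bytes}",
        f"delay_access 1 allow {acl}",
    ])


def download_seconds(size_bytes, burst_bytes, rate_bytes_per_s, link_bytes_per_s):
    """Estimated time to fetch size_bytes through the pool: the bytes covered by
    the full bucket pass at link speed, the remainder drains at the restore
    rate. Ignores the small refill that happens while the burst is sent."""
    burst = min(size_bytes, burst_bytes)
    return burst / link_bytes_per_s + (size_bytes - burst) / rate_bytes_per_s


def effective_rate(size_bytes, burst_bytes, rate_bytes_per_s, link_bytes_per_s):
    """Average throughput (bytes/s) a client sees for a file of size_bytes."""
    return size_bytes / download_seconds(size_bytes, burst_bytes, rate_bytes_per_s, link_bytes_per_s)


if __name__ == "__main__":
    burst, rate, link = 50 * KB, 512 * KB, 10 * 1024 * KB  # link speed assumed
    print(delay_pool_config(burst, rate))
    for size in (40 * KB, 1024 * KB, 100 * 1024 * KB):
        secs = download_seconds(size, burst, rate, link)
        print(f"{size // KB:>7} KB -> {secs:8.2f} s, {effective_rate(size, burst, rate, link) / KB:6.0f} KB/s")
```

Small objects (pages, scripts, images) finish inside the burst and are never slowed, while a 100 MB download is pinned to roughly 512 KB/s regardless of how fast the WAN links are.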

7.3.- Filtering profiles

Under HTTP Proxy -> Filter Profiles we can define different filtering profiles; the default profile is applied to everyone. With these profiles you can force antivirus scanning of downloaded files, enable dynamic content filtering based on a keyword threshold, and set file extension and MIME type policies. You can also define blacklists and whitelists, block unknown addresses, and upload URL databases to allow or forbid whole categories.

[Screenshot: proxy4]

[Screenshot: proxy7]

With authentication, these profiles can be applied to different user groups; with Transparent Proxy, to network objects. You can also apply the default policies Always allow or Always deny to each group or object:

[Screenshot: proxy3]

8.- Logs and alerts

Using the Logs module you can query and rotate the logs of all the services on the system. A unified query form lets you filter and understand the events in the logs without having to learn each log's format.

[Screenshot: logs2]

Unified logs show information over a period of time, allowing you to review the behaviour of each service.

[Screenshot: logs3]

Based on these logs you can create events and alerts that inform the system administrator of how the server is working.
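The proxy log is the one a gateway administrator ends up querying most. As an added example (not eBox's own code, and not its log query implementation), the following parses Squid's native access.log format, applies the kind of filters the unified query form offers (client, status, size), and produces a per-client summary of bytes served and denied requests. The log lines are constructed for this example, with clients taken from the article's LAN subnet and destinations from documentation address ranges.

```python
"""Parse and summarise Squid native access.log records.
Added example (not eBox code); the sample lines are constructed."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: time elapsed client code/status bytes method URL ident hier/peer type
SAMPLE_LOG = """\
1277812345.123    245 192.168.100.10 TCP_MISS/200 15234 GET http://www.example.com/index.html - DIRECT/203.0.113.5 text/html
1277812346.456      3 192.168.100.10 TCP_DENIED/403 1772 GET http://ads.example.net/track.js - NONE/- text/html
1277812350.001   1200 192.168.100.23 TCP_MISS/200 2097152 GET http://files.example.org/big.iso - DIRECT/198.51.100.7 application/octet-stream
1277812351.789     12 192.168.100.23 TCP_HIT/200 4096 GET http://www.example.com/logo.png - NONE/- image/png
1277812352.000      5 192.168.100.10 TCP_DENIED/403 1772 CONNECT blocked.example.com:443 - NONE/- -
"""


def parse_line(line):
    """Split one native-format line into named fields."""
    fields = line.split()
    if len(fields) < 10:
        raise ValueError(f"unexpected field count: {line!r}")
    code, status = fields[3].split("/", 1)
    return {
        "time": datetime.fromtimestamp(float(fields[0]), tz=timezone.utc),
        "elapsed_ms": int(fields[1]),
        "client": fields[2],
        "code": code,            # e.g. TCP_MISS, TCP_HIT, TCP_DENIED
        "status": int(status),   # HTTP status returned to the client
        "bytes": int(fields[4]),
        "method": fields[5],
        "url": fields[6],
        "content_type": fields[9],
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def query(records, client=None, status=None, min_bytes=None):
    """Filter records the way a unified query form would: by client address,
    HTTP status and minimum response size. None means 'any'."""
    selected = []
    for record in records:
        if client is not None and record["client"] != client:
            continue
        if status is not None and record["status"] != status:
            continue
        if min_bytes is not None and record["bytes"] < min_bytes:
            continue
        selected.append(record)
    return selected


def summarize(records):
    """Per-client request count, bytes served and number of denied requests."""
    summary = defaultdict(lambda: {"requests": 0, "bytes": 0, "denied": 0})
    for record in records:
        entry = summary[record["client"]]
        entry["requests"] += 1
        entry["bytes"] += record["bytes"]
        if record["code"] == "TCP_DENIED":
            entry["denied"] += 1
    return dict(summary)


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for record in query(records, status=403):
        print(f"denied {record['client']} {record['method']} {record['url']}")
    for client, entry in sorted(summarize(records).items()):
        print(f"{client}: {entry['requests']} requests, {entry['bytes']} bytes, {entry['denied']} denied")
```

A client that keeps accumulating TCP_DENIED entries, or a single client accounting for most of the bytes, is exactly the kind of condition worth turning into an alert.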


9.- About

eBox Platform is the open source alternative to Windows Small Business Server. eBox Technologies is the company that sponsors the development of the eBox Platform project under the GPL2 license and aims to offer small and medium businesses all over the globe easy and affordable network management tools and services. eBox Technologies is a channel-focused company that provides eBox Partners (IT service and solution providers) with a full portfolio of eBox-based subscription services, support and training.

The author, Jorge Salamero Sanz, works for eBox Technologies as a developer and system analyst.

If you liked eBox, also check the article Using eBox as a Windows Primary Domain Controller published earlier on Kreationnext.
