Using eBox As A Gateway: Firewall, Traffic Shaping, HTTP Proxy And More
eBox Platform is the Linux small business server that allows you to manage all your network services like firewall, DHCP, DNS, VPN, proxy, IDS, mail, file and printer sharing, VoIP, IM and much more. These functionalities are tightly integrated, automating most tasks, avoiding mistakes and saving time for system administrators.
This article will show you step by step how to use eBox as a Gateway, featuring network configuration, load balancing between two Internet connections with WAN failover and multigateway rules for policy routing, traffic shaping, DHCP and DNS cache for the LAN network and HTTP proxy with different content filtering policies and antivirus.
This scenario could be a typical Gateway deployment in a production environment, such as a high school or a company with up to 250 users, strict content filtering requirements and multiple Internet connections. In this example we will show how to configure two Internet routers, each connected to its own network card. As bandwidth needs grow, adding more routers is as easy as adding a new gateway; in that case all of them could be connected to the same interface, using IP addresses within the same subnet.
Our server will have 3 network interfaces: eth0 (192.168.2.254/24) and eth2 (192.168.1.254/24) are the WAN (external) interfaces, connected to the routers ADSL1 (192.168.2.1/24) and ADSL2 (192.168.1.254/24) respectively, and eth1 is the LAN interface (192.168.100.254/24).
eBox Platform runs on standard x86 hardware; just make sure that Ubuntu supports your server. The system can be installed in two different ways:
- Using the eBox Platform Installer (recommended). Installation and deployment are easier this way, as all the dependencies are on a single CD and some preconfiguration is done during the installation process.
- Using an existing Ubuntu LTS Server Edition installation. You need to add the eBox Platform PPA repositories to your sources.list and install the packages you are interested in.
For more information on the installation, refer to our previous article, check the Installation Guide page on our wiki, or download our preinstalled Virtual Machine image.
2.- Network configuration
The first thing to do is to set up the network interfaces. Go to Network -> Interfaces and, in this case, configure static IP addresses and their netmasks. On the external interfaces (eth0 and eth2), remember to check the WAN option:
Then configure eBox to use our local DNS caching server under Network -> DNS:
After that, let's take a look at the gateways. Go to Network -> Gateways and define the two gateways. You can give them names to remember which one you are talking about, and use the Weight parameter to define the ratio between the bandwidth capacities of the connections. In our example, as both have the same speed, we give them weight 1:
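The weighted balancing, WAN failover and multigateway rules described above, as an added model that is not eBox's own code: new connections are spread over the live gateways in proportion to their Weight, a gateway whose link check fails drops out until it recovers, and a matching multigateway rule pins traffic to one gateway. The rule tuple format, the class names and the SMTP rule are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Gateway:
    name: str
    weight: int      # eBox "Weight": relative bandwidth capacity
    up: bool = True  # cleared by WAN failover when the link check fails
    credit: int = 0  # smooth weighted round-robin counter

class MultiGateway:
    """Hypothetical model of eBox weighted balancing, WAN failover and multigateway
    rules; not eBox's code, which uses iptables marks and per-gateway routing tables."""

    def __init__(self, gateways, rules=()):
        self.gateways = {g.name: g for g in gateways}
        # rules: (source prefix or None, destination port or None, gateway name)
        self.rules = list(rules)

    def balance(self):
        """Next gateway among the live ones, in proportion to their weights."""
        alive = [g for g in self.gateways.values() if g.up]
        if not alive:
            return None  # every WAN link is down: nothing to route through
        total = sum(g.weight for g in alive)
        for g in alive:
            g.credit += g.weight
        chosen = max(alive, key=lambda g: g.credit)
        chosen.credit -= total
        return chosen

    def route(self, src_ip, dst_port):
        """A matching multigateway rule wins over balancing unless its link is down."""
        for prefix, port, gw_name in self.rules:
            if (prefix is None or src_ip.startswith(prefix)) and port in (None, dst_port):
                if self.gateways[gw_name].up:
                    return self.gateways[gw_name]
        return self.balance()

def distribution(mgw, flows):
    """Count how many new connections (src_ip, dst_port) each gateway receives."""
    counts = Counter()
    for src_ip, dst_port in flows:
        gw = mgw.route(src_ip, dst_port)
        counts[gw.name if gw else "unroutable"] += 1
    return counts

# Constructed sample: the article's two routers with weight 1 each, plus a rule
# pinning outgoing SMTP (port 25) from the LAN subnet to ADSL2.
ARTICLE = MultiGateway([Gateway("ADSL1", 1), Gateway("ADSL2", 1)], rules=[("192.168.100.", 25, "ADSL2")])
```

With equal weights the two routers alternate connection by connection; with weights 2 and 1 the first receives exactly two thirds of new connections, and when a link is marked down its traffic moves to the remaining gateway.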
By default, eBox applies strict rules on the external interfaces and allows outgoing connections from the LAN and from the eBox server itself.
The firewall module lets you set up complex firewall policies, and since every module adds its own rules there, it is really easy for the system administrator to manage the rules without making mistakes.
Rules are classified into 5 groups, following the path the traffic takes, which we can find under Firewall -> Packet Filter:
- Filtering rules from internal networks to eBox
- Filtering rules for internal networks
- Filtering rules for traffic coming out from eBox
- Filtering rules from external networks to eBox
- Filtering rules from external networks to internal networks
Let's consider the following rules for our example: