
Advanced Configurations

5.1.3 Web Access

This section manages web-interface access and the licensing of IPBrick (Figure 5.4).

Figure 5.2: Advanced Configurations - System Information - 1/2

Access definitions

• Login: admin;

• Password: 123456.

The admin login and its password are used solely for authenticating to IPBrick through the web interface; both can be changed by clicking Change.

Note: Unlike the Administrator user, this login has no work area in IPBrick.

Language definition

IPBrick is currently available in five languages:

• Portuguese;

• English;

• Spanish;

• French;

• Dutch.

5.1 IPBrick 163

Figure 5.3: Advanced Configurations - System Information - 2/2

This section allows changing the language of IPBrick (Figure 5.5). To do so, click Modify, select the intended language and then click Apply Configurations so that the change takes effect.

External WEB access

To access the IPBrick configuration interface from the Internet (External Web Access), click Change and choose "Yes" (Figure 5.4). The HTTPS service must also be enabled towards the Internet. This requires:

• Activating HTTPS for the Internet (IPBrick.C - Firewall - Services, and choosing Active in State);

• If IPBrick is connected to the router's internal interface (without a public address), configuring a DNAT on the router for port 443 to IPBrick.

IPBrick licence

This section is about the licensing process of IPBrick. When installing IPBrick, you get an experimental licence valid for 30 days of use. When this licence expires, the server is automatically reconfigured to the base configuration. The solution is to install a permanent licence.

Figure 5.4: Advanced Configurations - Web Access

To install a permanent licence, click the option Download server identification for licence generation and send the file.dat to [email protected] asking for licence activation. You need to specify this information:

• Company name;

• Some information about the IPBrick server type (Intranet, Communication or VoIP server);

After receiving the reply (with an attached file) from [email protected], select the option Cancel Temporary Licence on the page shown, insert the received file (licence.dat), and the licence becomes permanent.

5.1.4 Authentication

From the moment a user is created in IPBrick, there is a record for it in the database of the authentication server, LDAP (Lightweight Directory Access Protocol). LDAP is defined as a directory service that keeps the information about the company's computer resources and its users. Whenever a user intends to authenticate to a certain service with his/her username and password, the IPBrick LDAP database is consulted to validate or reject the access.

Figure 5.5: Advanced Configurations - Language

Modify

IPBrick supports several authentication modes; by default it is configured so that all users can authenticate in IPBrick.

• IPBrick Master: Default mode. All the services in the server shall use the LDAP server;

• IPBrick Slave: The LDAP server shall be a synchronized replica of the indicated IPBrick Master server; this mode is used in a scenario with several servers. Users may authenticate themselves on this server, since the LDAP database is periodically synchronized with the IPBrick Master, but there is no possibility to add users. In networks with a high number of users and many authentications, slave authentication servers are useful because they avoid congestion in the IPBrick Master network segment. This scenario is also of great use in geographically distributed networks;

Figure 5.6: Advanced Configuration - Authentication

• IPBrick Client: The services authenticate remotely against the indicated IPBrick LDAP server. In this case there is no local database copy, and it is necessary to specify the IPBrick Master/Slave server. Normally, this authentication mode is used on an IPBrick.C within the scope of the VPN, PPTP and Proxy services;

• Netbios Client: IPBrick can become a member of a domain managed by a pre-Windows 200x server, using the NetBIOS protocol. In such a network, the users continue to authenticate normally on the Windows machine.

• AD Domain Member (IPBrick Slave): IPBrick is a member of a domain managed by a Windows Active Directory server. The users of the network still need to authenticate in AD;

• AD Domain Member (IPBrick Slave): The IPBrick Slave is also going to be a member of an AD domain, acting as a secondary IPBrick server. Using a Slave IPBrick as a member of an AD domain may be particularly useful for secondary email servers; it always implies the existence of another IPBrick server configured as a member of the AD domain, the Master IPBrick.

NOTE: After changing the IPBrick authentication mode, IPBrick reboots automatically during Apply Configurations.


Distributed Filesystem

The users may be physically distributed across the Master/Slave servers. Meanwhile, the centralized information system, LDAP, holds the physical location of each account. An NFS (Network File System) service makes the users' accounts available through the network. The Automount service combines the LDAP information with NFS and automatically makes the users' accounts available on virtually any other Master/Slave server. IPBrick allows integration with authentication servers running on Windows operating systems, namely pre-Windows 200x machines (NetBIOS authentication) and Windows 200x and later machines (authentication via Active Directory).

Automount

LDAP is a directory service where the relevant information of a company is kept: users, computer resources, contacts, etc. The Automount service combines the LDAP information with NFS and automatically makes the users' accounts available on virtually any Master/Slave server.

In Netbios authentication, the authentication server is not based on an LDAP service. In this configuration, IPBrick uses its own LDAP server as an auxiliary for the other services. In the AD domain member authentication mode, the authentication server is an LDAP implementation, and all IPBrick services are configured to use this LDAP server. However, the schema of this LDAP server must be extended to support the requirements of the IPBrick server, namely the UNIX/Linux credentials and the Automount information.

NOTE: In the Documentation section at www.ipbrick.com there is a document about integrating IPBrick as a member of an AD domain.

Slaves

If IPBrick is in the Master IPBrick authentication mode and there are other servers which shall act in the Slave IPBrick authentication mode, the Slave machines must be added by IP. Only then can these machines change their authentication mode to Slave IPBrick.

Clients

If IPBrick is in the Master IPBrick authentication mode and there are other servers which shall act in the Client IPBrick authentication mode, the Client machines must be added by IP. Only then can these machines change their authentication mode to Client IPBrick.

5.1.5 Update

All updates available in the Downloads section of the IPBrick site should be installed from here. Click Archive, choose the update file (.deb) and choose Insert. The package is then installed in the system (Figure 5.7).

Figure 5.7: Advanced Configurations - Update

5.2 Network

This section covers the advanced configuration of services related to the structure of the institution's network. Here it is possible to define specific firewall rules, add static routes to other internal (or external) networks, define rules and priorities in the QoS service, and configure service routing at the firewall.

5.2.1 Firewall

Presentation

This section deals with the IPBrick firewall management. Some of the pre-defined rules were already mentioned in the Firewall section of the IPBrick.C chapter (rules that cannot be changed by the user, only deactivated).

Meanwhile, the configuration of some other services requires additional rules. These rules can only be partly managed by the user, in the Order section.

Nevertheless, IPBrick offers the administrator an advanced interface for firewall management, where a highly customized set of rules can be defined (Figure 5.8).

Top Menu

Here you have links to:

Figure 5.8: Network - Firewall

• Insert new rules in advanced mode;

• Delete already inserted rules;

• Order: Interface to order all the rules that exist in the firewall (Figure 5.12).

This option is particularly important when new rules are created, because the firewall applies the first rule that matches a packet. More specific rules should therefore be at the top and general rules at the bottom.

You can insert three types of rules:

• DNAT Rule: Redirects the traffic arriving at a port to another port/machine of the internal network. Here this rule applies only to TCP traffic (example in Figure 5.11);

• Disable machine access: Denies access to a port of a given network machine (example in Figure 5.10);

• General settings: Here you can add a completely personalized rule (example in Figure 5.9). These are the affected fields:

– Rule:

INPUT: Data received by the firewall and addressed to the receiving interface, whatever its origin;

OUTPUT: Data sent by the firewall;

FORWARD: Redirects traffic from an interface to another;

PREROUTING: Used to change IP packets arriving at the machine before the routing decision;

POSTROUTING: Used to change IP packets arriving at the machine after the routing decision;

– Interface: The interface to which the rule applies;

– Protocol: Protocol(s) to which you want to apply the rule;

– Module: Shows the list of iptables modules available for use;

– Source Ip: Source IP Address of the packet;

– Origin port: Source port of the packet;

– Destination IP: Destination IP address of the packet;

– Destination port: Destination port of the packet;

– Identifier: 16-bit field that exists in the original IP packet; it is used to identify the type of packet to filter. Examples:

! --syn

--state INVALID

--icmp-type echo-request

– Policy:

ACCEPT: To accept a packet and let it pass the firewall rules;

DELETE: Does not accept the packet and discards it;

MARK: Saves a mark in the packet. These marks can be used to make decisions at the forwarding level;

LOG: Saves a log entry for every packet that matches the rule.

– If the PREROUTING rule is used, there are the following extra policies:

REDIRECT: Used to redirect the traffic arriving from a port to another port;

DNAT: Allows the traffic arriving at a certain port to be redirected to another machine and port belonging to the internal network.

– If the POSTROUTING rule is used, there are the following extra policies:

MASQUERADE: It allows the traffic to be 'masked';

SNAT: It allows the traffic generated on a certain port to be redirected to another machine and port;

TCPMSS: It changes the MSS field (maximum segment size) in the TCP header. It can only be used on TCP SYN or SYN/ACK packets, because the MSS is only exchanged at the beginning of connections.

The rules that are defined by default cannot be deleted, but they can be deactivated by clicking the state of the rule and changing it to the Deactivate option.
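The following script is an added illustration and not IPBrick's own code: it models the fields of the General settings form (chain, interface, protocol, source/destination address, destination port and policy), renders each rule as the iptables command it corresponds to, and simulates the first-match evaluation that makes rule order matter. It covers both the "Disable machine access" and DNAT rule types and the ordering advice above: the same two rules yield opposite verdicts for the blocked host depending on which comes first. All addresses, interface names and rule contents are constructed for the example; the page's DELETE policy is rendered as the iptables DROP target.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Targets that live in the nat or mangle tables; everything else is the filter table.
NAT_TARGETS = {"DNAT", "SNAT", "MASQUERADE", "REDIRECT"}
MANGLE_TARGETS = {"MARK", "TCPMSS"}
# LOG and MARK only annotate the packet; evaluation continues past them.
TERMINATING = {"ACCEPT", "DROP", "DNAT", "SNAT", "MASQUERADE", "REDIRECT"}


@dataclass(frozen=True)
class Rule:
    """One row of the General settings form. None means 'any'."""
    chain: str                   # INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING
    policy: str                  # ACCEPT, DROP, LOG, MARK, DNAT, SNAT, ...
    iface: Optional[str] = None  # interface name (assumed, e.g. "eth0")
    proto: Optional[str] = None  # "tcp", "udp", "icmp"
    src: Optional[str] = None    # source address or network in CIDR notation
    dst: Optional[str] = None    # destination address or network
    dport: Optional[int] = None  # destination port (only meaningful with tcp/udp)
    target_args: str = ""        # target options, e.g. "--to-destination 192.168.1.10:443"

    def to_iptables(self) -> str:
        """Render the rule as the equivalent iptables command line."""
        if self.policy in NAT_TARGETS:
            table = "nat"
        elif self.policy in MANGLE_TARGETS:
            table = "mangle"
        else:
            table = "filter"
        parts = ["iptables", "-t", table, "-A", self.chain]
        if self.iface:
            # Outbound chains match the outgoing interface, the others the incoming one.
            flag = "-o" if self.chain in ("OUTPUT", "POSTROUTING") else "-i"
            parts += [flag, self.iface]
        if self.proto:
            parts += ["-p", self.proto]
        if self.src:
            parts += ["-s", self.src]
        if self.dst:
            parts += ["-d", self.dst]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.policy]
        if self.target_args:
            parts.append(self.target_args)
        return " ".join(parts)


@dataclass(frozen=True)
class Packet:
    chain: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field the rule constrains agrees with the packet."""
    if rule.chain != pkt.chain:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src and ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if rule.dst and ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet, default: str = "DROP") -> str:
    """First-match semantics: the first matching terminating rule decides."""
    for rule in rules:
        if matches(rule, pkt) and rule.policy in TERMINATING:
            return rule.policy
    return default


def specificity(rule: Rule) -> int:
    """One point per constrained field, plus the prefix length of each address."""
    score = sum(1 for f in (rule.iface, rule.proto, rule.dport) if f is not None)
    for net in (rule.src, rule.dst):
        if net:
            score += 1 + ip_network(net, strict=False).prefixlen
    return score


def order_rules(rules: List[Rule]) -> List[Rule]:
    """Most specific first, as the manual recommends (stable for equal scores)."""
    return sorted(rules, key=specificity, reverse=True)


# Constructed sample rules and packets (addresses and interface names are made up).
DENY_HOST = Rule("INPUT", "DROP", proto="tcp", src="192.168.1.50/32", dport=22)  # Disable machine access
ALLOW_LAN = Rule("INPUT", "ACCEPT", proto="tcp", src="192.168.1.0/24", dport=22)
PUBLISH_HTTPS = Rule("PREROUTING", "DNAT", iface="eth0", proto="tcp", dport=443,
                     target_args="--to-destination 192.168.1.10:443")         # DNAT rule
BLOCKED_HOST_SSH = Packet("INPUT", "eth0", "tcp", "192.168.1.50", "192.168.1.1", 22)
OTHER_HOST_SSH = Packet("INPUT", "eth0", "tcp", "192.168.1.20", "192.168.1.1", 22)

if __name__ == "__main__":
    print(verdict([DENY_HOST, ALLOW_LAN], BLOCKED_HOST_SSH))  # DROP: specific rule on top
    print(verdict([ALLOW_LAN, DENY_HOST], BLOCKED_HOST_SSH))  # ACCEPT: general rule shadows it
    for r in order_rules([ALLOW_LAN, DENY_HOST, PUBLISH_HTTPS]):
        print(r.to_iptables())
```

The ordering heuristic scores a rule by how many fields it constrains, which is enough to put a single-host deny above a subnet allow; in the web interface the same effect is obtained by hand in the Order section.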


Figure 5.9: Network - Firewall - General settings rule

Body

The body lists all the rules controlled by the user (Figure 5.8). A rule can be switched between the enabled and disabled states. To remove rules, click Delete, select the rule or rules you want to remove and click the Delete button. The rules defined by default cannot be deleted, but they can be deactivated: click the state of the rule and change the option to disable.