Build a Better Firewall-Linux HA Firewall Tutorial

Tired of maintaining your expensive commercial firewalls? Check out how combining Firewall Builder with a Linux HA firewall pair can provide a big solution at a low price.

Many enterprise networks require redundant HA (High Availability) infrastructure for key systems like network firewalls. This article demonstrates how you can use a combination of open-source packages to build and manage a Linux-based HA firewall pair that includes support for many of the advanced features commonly found in commercial firewalls.

The collection of open-source packages that I use to create the HA firewall in this article are iptables, conntrackd, keepalived and Firewall Builder. The network diagram in Figure 1 shows the example environment that will be configured.

Figure 1. HA Diagram

The example uses a pair of servers running Ubuntu Server 10.10 that will be configured to run in an Active-Backup configuration. This means traffic will be going through only one firewall at any given time. More complex Active-Active solutions also are possible, but are beyond the scope of this article.

The conntrackd and keepalived packages are installed on both servers using apt-get. Since many commands require root privileges to run, the examples are shown using user root to help keep things concise.

Conntrackd Overview and Configuration

Conntrackd is a dæmon developed by the netfilter.org project, the same organization that develops iptables. Conntrackd synchronizes the state of active connections between two or more firewalls running iptables.

In an Active-Backup configuration, like the example in this article, each time a connection is allowed through the active firewall, information about this connection is sent to the backup firewall. In the event of a failover, the backup firewall already will have information about the active allowed connections, so that existing connections do not have to be re-established after the failover occurs.

The example here is based on one of the example configuration files that comes with conntrackd. This configuration uses the FTFW reliable protocol to synchronize the connection data between the firewalls. There is also a script called primary-backup.sh that provides integration between keepalived and conntrackd. For Ubuntu, these example files are located in the /usr/share/doc/conntrackd/examples/sync/ directory.

Run the commands listed below to copy the sample config file and failover script to the default directory for conntrackd, /etc/conntrackd/conntrackd.conf:

root@lj-fw-1:/# cd /usr/share/doc/conntrackd/examples/sync
root@lj-fw-1:/# gunzip ftfw/conntrackd.conf.gz
root@lj-fw-1:/# cp ftfw/conntrackd.conf /etc/conntrackd/
root@lj-fw-1:/# cp primary-backup.sh /etc/conntrackd

Open the /etc/conntrackd/conntrackd.conf file for editing, and find the section in the file called Multicast. Edit the default values in this section to match the example network environment shown in Figure 1.

Multicast {
  IPv4_address 225.0.0.50
  IPv4_interface 192.168.100.2 # IP of eth2 interface, 
                               # used for conntrackd synch
  Interface eth2
  Group 3780

Next, find the section at the bottom of the configuration file called IgnoreTrafficFor and edit the default values in this section to match the example network environment:

IgnoreTrafficFor {
  IPv4_address 127.0.0.1 # loopback
  IPv4_address 192.168.1.2 # eth0 interface IP
  IPv4_address 10.1.1.2 # eth1 interface IP
  IPv4_address 192.168.100.2 # eth2 interface IP
}

Repeat the same process for the lj-fw-2 server, making sure to use the correct interface IP addresses for the lj-fw-2 server.

When the package is installed, an /etc/init.d/conntrackd script is created. To test the configuration, start conntrackd and then run the status command to verify it is running properly (note: conntrackd needs to be started on both the lj-fw-1 and lj-fw-2 firewalls):

root@lj-fw-1:/# /etc/init.d/conntrackd start
root@lj-fw-1:/# conntrackd -s
cache internal:
current active connections:            1

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Hi, if i set in my policy a

LukeLuke1979's picture

Hi,
if i set in my policy a NAT or route, the fwbuilder (compile and install process) set in auto the new routing entry and create the virtual ip address for the NAT ?

And when the active node switch, will be removed this ip addresses in auto ?

Thanks

Bye

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState