Build a Better Firewall-Linux HA Firewall Tutorial

Tired of maintaining your expensive commercial firewalls? Check out how combining Firewall Builder with a Linux HA firewall pair can provide a big solution at a low price.

Many enterprise networks require redundant HA (High Availability) infrastructure for key systems like network firewalls. This article demonstrates how you can use a combination of open-source packages to build and manage a Linux-based HA firewall pair that includes support for many of the advanced features commonly found in commercial firewalls.

The open-source packages I use to create the HA firewall in this article are iptables, conntrackd, keepalived and Firewall Builder. The network diagram in Figure 1 shows the example environment that will be configured.

Figure 1. HA Diagram

The example uses a pair of servers running Ubuntu Server 10.10 that will be configured to run in an Active-Backup configuration. This means traffic will be going through only one firewall at any given time. More complex Active-Active solutions also are possible, but are beyond the scope of this article.

The conntrackd and keepalived packages are installed on both servers using apt-get. Since many commands require root privileges to run, the examples are shown using user root to help keep things concise.

Conntrackd Overview and Configuration

Conntrackd is a dæmon developed by the project, the same organization that develops iptables. Conntrackd synchronizes the state of active connections between two or more firewalls running iptables.

In an Active-Backup configuration, like the example in this article, each time a connection is allowed through the active firewall, information about this connection is sent to the backup firewall. In the event of a failover, the backup firewall will already have information about the active allowed connections, so existing connections do not have to be re-established after the failover occurs.

The example here is based on one of the example configuration files that comes with conntrackd. This configuration uses the FTFW reliable protocol to synchronize the connection data between the firewalls. There is also a script called that provides integration between keepalived and conntrackd. For Ubuntu, these example files are located in the /usr/share/doc/conntrackd/examples/sync/ directory.

Run the commands listed below to copy the sample config file and the failover script into conntrackd's default directory, /etc/conntrackd/ (conntrackd reads its configuration from /etc/conntrackd/conntrackd.conf):

root@lj-fw-1:/# cd /usr/share/doc/conntrackd/examples/sync
root@lj-fw-1:/# gunzip ftfw/conntrackd.conf.gz
root@lj-fw-1:/# cp ftfw/conntrackd.conf /etc/conntrackd/
root@lj-fw-1:/# cp /etc/conntrackd

Open the /etc/conntrackd/conntrackd.conf file for editing, and find the section in the file called Multicast. Edit the default values in this section to match the example network environment shown in Figure 1.

Multicast {
  IPv4_interface      # IP of eth2 interface, used for conntrackd sync
  Interface eth2
  Group 3780
}

Next, find the section at the bottom of the configuration file called IgnoreTrafficFor and edit the default values in this section to match the example network environment:

IgnoreTrafficFor {
  IPv4_address        # loopback
  IPv4_address        # eth0 interface IP
  IPv4_address        # eth1 interface IP
  IPv4_address        # eth2 interface IP
}

Repeat the same process for the lj-fw-2 server, making sure to use the correct interface IP addresses for the lj-fw-2 server.
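An added sanity check for the two sections just edited, written for this article and not taken from it or from the conntrackd project: a POSIX shell script that reads the conntrackd.conf text and the output of `ip -4 -o addr show`, reports any local address missing from IgnoreTrafficFor, and confirms that the Multicast IPv4_interface really belongs to the named Interface. The sample config and ip output are constructed (addresses invented), and the parser assumes the flat block layout shown above, with no nested blocks inside those two sections.

```shell
#!/bin/sh
# Added check (not from the article) for the conntrackd.conf sections above: a local
# address missing from IgnoreTrafficFor gets the firewall's own flows replicated to the
# peer, where they are meaningless, and a wrong IPv4_interface breaks multicast sync.

# Constructed sample of `ip -4 -o addr show` on lj-fw-1 (addresses invented).
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.2/24 brd 192.0.2.255 scope global eth0
3: eth1    inet 198.51.100.2/24 brd 198.51.100.255 scope global eth1
4: eth2    inet 10.0.0.2/30 scope global eth2'

# Constructed conntrackd.conf fragment; the eth2 address was forgotten.
SAMPLE_CONF='Multicast {
  IPv4_interface 10.0.0.2   # IP of eth2 interface
  Interface eth2
  Group 3780
}
IgnoreTrafficFor {
  IPv4_address 127.0.0.1    # loopback
  IPv4_address 192.0.2.2    # eth0 interface IP
  IPv4_address 198.51.100.2 # eth1 interface IP
}'

# stdin: `ip -4 -o addr` output -> lines of "<iface> <ip>"
iface_ips() {
  awk '{ for (i = 1; i <= NF; i++) if ($i == "inet") { split($(i + 1), a, "/"); print $2, a[1] } }'
}

# stdin: conf text -> every value of key $2 inside the top-level block $1 (no nesting)
conf_value() {
  awk -v blk="$1" -v key="$2" '
    $1 == blk && $2 == "{" { in_blk = 1; next }
    in_blk && $1 == "}"    { in_blk = 0 }
    in_blk && $1 == key    { print $2 }'
}

# $1 = conf text, $2 = ip addr output; prints local IPs missing from IgnoreTrafficFor
missing_ignores() {
  ignored=$(printf '%s\n' "$1" | conf_value IgnoreTrafficFor IPv4_address)
  printf '%s\n' "$2" | iface_ips | while read -r _ ip; do
    printf '%s\n' "$ignored" | grep -qxF "$ip" || echo "$ip"
  done
}

# $1 = conf text, $2 = ip addr output; true iff IPv4_interface is an address of Interface
multicast_iface_ok() {
  iface=$(printf '%s\n' "$1" | conf_value Multicast Interface)
  addr=$(printf '%s\n' "$1" | conf_value Multicast IPv4_interface)
  printf '%s\n' "$2" | iface_ips | grep -qxF "$iface $addr"
}
```

On a live node, run `missing_ignores "$(cat /etc/conntrackd/conntrackd.conf)" "$(ip -4 -o addr show)"` and expect no output, then repeat on lj-fw-2 with its own addresses.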

When the package is installed, an /etc/init.d/conntrackd script is created. To test the configuration, start conntrackd and then run the status command to verify it is running properly (note: conntrackd needs to be started on both the lj-fw-1 and lj-fw-2 firewalls):

root@lj-fw-1:/# /etc/init.d/conntrackd start
root@lj-fw-1:/# conntrackd -s
cache internal:
current active connections:            1

Comments

LukeLuke1979:

If I set a NAT or a route in my policy, does fwbuilder (the compile and install process) automatically set the new routing entry and create the virtual IP address for the NAT?

And when the active node switches, will these IP addresses be removed automatically?