
Raspberry Pi - High available firewall setup

Mini computers based on the ARM architecture. Articles posted in "Vendor - Model - Subject" format.


Postby lmmtux » Thu Mar 20, 2014 10:29 am

The Raspberry Pi is powerful enough to function as a firewall or router. This article focuses on setting up two Raspberry Pi computers in tandem to function as a highly available firewall (a single failure of one Raspberry Pi can be tolerated with no downtime). Note: basic GNU/Linux knowledge will be needed for most of the tasks in this article. We try to provide additional information where possible.

Goals:

  1. Provide a highly available (HA) firewall setup with two nodes (if one node fails, the other will take over). In this case, an active-standby configuration is used.
  2. Reduce the electrical cost of running the equipment 24x7x365. The Raspberry Pi uses about 5 watts of electricity, which is minuscule compared to standard servers.
  3. Learn more about setting up Linux HA with redundant virtual Ethernet devices.
  4. Reduce the hardware cost of high-end equipment and software. The Raspberry Pi costs a fraction of higher-end hardware.

[Image: raspi_firewalls.jpg, the diagram of the two-Pi firewall setup referred to in the steps below]


Operational Overview:

  • Both firewalls run in Active/Standby mode (i.e. the primary firewall does most of the work, but if it fails the standby firewall takes over).
  • Both firewalls share the same IP for the local network gateway, as well as any public IPs needed for inbound services using the Keepalived service.
  • Both firewalls will handle additional services for the local network:
    • NTP time sync service
    • DNS with caching
    • DHCP
    • Traffic graphing
  • Nightly reports will be emailed with notable log entries with logwatch.
  • Linux distribution used is RedSleeve, which is the CentOS / Red Hat Enterprise variant for the Pi.


Necessary Supplies:

Two of each item below are needed for a full HA setup:

  • Raspberry Pi kit with case and power supply
  • SD card (we used a Transcend 16 GB class 10, but you really only need at least a 2 GB card. Keep in mind larger cards have more surface area for better wear leveling).
  • 10/100 ethernet adapter (Plugable 10/100 USB 2.0 adapter)

One of each item below is needed:
  • 10/100 ethernet switch (5-port)
  • A block of at least 3 public IP addresses for a redundant setup.


Setup Steps:

The steps below require basic GNU/Linux knowledge. For the commands shown, I recommend opening a root shell and issuing the commands in it.

  1. Install RedSleeve on the Pi. Rather than repeating documentation that is already out there, follow the steps to get your Pi up and running with the RedSleeve Wiki Raspberry Pi installation page.
  2. Edit the file "/etc/hosts" with your server name and IP address, i.e. "10.0.0.1 mypi.localdomain".
  3. Set up NTPd for the local time service:
    • Edit the file "/etc/ntp.conf" and add lines for your favorite time servers just above “server 0.rhel.pool.ntp.org”. Public time servers can be found online.
    • Uncomment the line below, adjusted to your local LAN, to allow access to this time server:
      restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
    Note: Modify the network numbering for "192.168.0.0" per your local network.
  4. Disable the IPv6 protocol (optional):
    • Create the file "/etc/modprobe.d/blacklist-ipv6.conf" and put in the following lines:
      install ipv6 /bin/true
      blacklist ipv6
    • Edit the file "/etc/sysconfig/network" and add the line:
      NETWORKING_IPV6=no
  5. Install these additional packages with the yum utility (run “yum install {packagename} {packagename2} ...”):
    • nano
    • cron
    • bind-chroot
    • rsync
    • system-config-network-tui
    • system-config-firewall-tui
    • logwatch
    • sendmail
    • httpd
    • dhcp
    • net-snmp
    • net-snmp-utils
    • mrtg
  6. Install the EPEL repo:
    • Create and edit the file "/etc/yum.repos.d/epel.repo", and add these lines:
      [epel]
      name=epel
      baseurl=http://www.mirrorservice.org/sites/ftp.redsleeve.org/pub/yum/epel/RPMS/
      enabled=0
      gpgcheck=0
  7. Edit the file "/etc/aliases" and set root to forward to your email address (this is where all default reports go). Run “newaliases” to rebuild the aliases database and enable the change above.
  8. Edit the file "/etc/dhcpd.conf" and set up options for your local LAN. Split your DHCP scope 80/20 or 50/50, etc. On the first Pi, put in the first scope section, and later on put in the second scope section on the second Pi. Do not put the same scope on both Pis. For example, you could use the DHCP scope of "192.168.0.100 - 192.168.0.149" on the first Pi, and "192.168.0.150 - 192.168.0.200" on the second one.
  9. Configure Bind (named) for DNS resolution on your local network:
    • Edit the file "/var/named/chroot/etc/named.conf", and edit the sections below inside the "options" block to allow queries from the local network and to listen only on the internal interface. It should look similar to this:
      options {
              // ... other options unchanged ...
              allow-query {
                      192.168.0.0/24;
                      127.0.0.1;
              };
              // listen on internal interface only
              listen-on {
                      192.168.0.20;
                      127.0.0.1;
              };
      };

      Note: Substitute values for your local network for the IP addresses above.
  10. Install the second Ethernet interface for the public network (the Plugable 10/100 adapter or another compatible USB adapter of your choice). In a root shell, do the following:
    • cd (change directory) to "/etc/sysconfig/network-scripts", and copy the file ifcfg-eth0 to ifcfg-eth1 with the copy command:
      cp ifcfg-eth0 ifcfg-eth1
    • Edit the file "ifcfg-eth1" and put in its own settings, including the unique public IP address ({public_ip_1} as shown in the diagram above). Each Pi must have its own unique public IP address.
    • Issue a “service network restart” command to activate the changes.
    • Ping the public IP to make sure the second Ethernet interface is active.
  11. Enable IP forwarding in the kernel:
    • Edit the file "/etc/sysctl.conf" and change the line to:
      net.ipv4.ip_forward = 1
    • Run this command to enable the change above:
      sysctl -p /etc/sysctl.conf
  12. Optional: Increase the limit of the iptables "recent" module (xt_recent, formerly ipt_recent; it is used below for efficient connection throttling to help mitigate DDoS attacks):
    • Edit the file "/etc/rc.d/rc.local" and add this line, which loads the module on boot and lets it remember up to 100 packet timestamps per source address (the module default is 20, which also caps the --hitcount value usable in the rules):
      modprobe xt_recent ip_pkt_list_tot=100
  13. Install and set up Keepalived:
    • Install keepalived with the command “yum --enablerepo=epel install keepalived”.
    • Edit the file "/etc/keepalived/keepalived.conf". Further documentation on this file can be found on the Keepalived website or by reading the man page for keepalived.conf.
    • An example of the keepalived.conf file for the first Pi (the master node):
      ! Configuration File for keepalived
      global_defs {
        notification_email {
          root@localhost
        }
        notification_email_from keepalived@fw1.localdomain
        smtp_server 127.0.0.1
        smtp_connect_timeout 30
      }
      vrrp_sync_group fw-cluster {
        group {
          fw-cluster-eth0
          fw-cluster-eth1
        }
      }
      vrrp_instance fw-cluster-eth0 {
        state MASTER
        interface eth0
        virtual_router_id 20
        priority 100
        smtp_alert
        virtual_ipaddress {
          192.168.0.1/24 brd 192.168.0.255 dev eth0
        }
      }
      vrrp_instance fw-cluster-eth1 {
        state MASTER
        interface eth1
        virtual_router_id 30
        priority 100
        smtp_alert
        virtual_ipaddress {
          {public_ip_3}/{public_netmask_1} brd {broadcast} dev eth1
          {public_ip_4}/{public_netmask_2} brd {broadcast} dev eth1
        }
      }
    • An example of the keepalived.conf file for the second Pi (the backup node):
      ! Configuration File for keepalived
      global_defs {
        notification_email {
          root@localhost
        }
        notification_email_from keepalived@fw2.localdomain
        smtp_server 127.0.0.1
        smtp_connect_timeout 30
      }
      vrrp_sync_group fw-cluster {
        group {
          fw-cluster-eth0
          fw-cluster-eth1
        }
      }
      vrrp_instance fw-cluster-eth0 {
        state BACKUP
        interface eth0
        virtual_router_id 20
        priority 50
        smtp_alert
        virtual_ipaddress {
          192.168.0.1/24 brd 192.168.0.255 dev eth0
        }
      }
      vrrp_instance fw-cluster-eth1 {
        state BACKUP
        interface eth1
        virtual_router_id 30
        priority 50
        smtp_alert
        virtual_ipaddress {
          {public_ip_3}/{public_netmask_1} brd {broadcast} dev eth1
          {public_ip_4}/{public_netmask_2} brd {broadcast} dev eth1
        }
      }
    • Be sure to substitute your own values in for:
      • {public_ip_1} {broadcast}
      • {public_ip_2} {broadcast}
      • {public_ip_3} {broadcast}
      • {public_ip_4} {broadcast}
      • Private subnet (192.168.0.1/24 used in the example).
    • Note that the sync group (named "fw-cluster" here) ties the two VRRP instances together, so both virtual IPs fail over as a unit rather than leaving the public VIP on one Pi and the LAN gateway on the other. The virtual_router_id and virtual addresses must be identical on both Pis; only state, priority and the sender address differ.
    • This configuration will also send email alerts to root@localhost, which should forward to your local administrator as done in the previous step for the "/etc/aliases" file. Alerts will be sent when the state of either firewall changes (i.e. the master goes offline and the backup takes over as master).
  14. Optional: Install and configure MRTG and its dependencies for traffic graphing.
    • Configure Apache, which is used to publish the MRTG traffic graphs.
      • Edit the file "/etc/httpd/conf/httpd.conf" and set the “ServerName” line to the host name of your firewall (in the example, "fw1.localdomain", etc.).
    • Configure SNMP (for MRTG to gather its statistics of the network interfaces):
      • A very good tutorial for setting up SNMP on Red Hat based systems can be found here (which applies to RedSleeve): http://www.cyberciti.biz/nixcraft/linux/docs/uniqlinuxfeatures/mrtg/mrtg_config_step_3.php. Steps from this tutorial are included below for ease and simplicity.
      • Run the "snmpwalk" command to verify that interfaces show up:
        snmpwalk -v 1 -c public localhost IP-MIB::ipAdEntIfIndex

        The output should look similar to this (but show your defined interfaces):
        ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.127.0.0.1 = 1
        ip.ipAddrTable.ipAddrEntry.ipAdEntIfIndex.192.168.0.3 = 2
      • If you see your IP addresses above, then you are finished with the SNMP configuration. Otherwise proceed below to set up SNMP and attempt the test above when completed.
      • Edit the file "/etc/snmp/snmpd.conf" and make these changes:
        • Locate this line:
          com2sec notConfigUser  default       public

          Replace with these two lines (specify your network here):
          com2sec local     localhost           public
          com2sec mynetwork 192.168.0.0/24      public
        • Locate these lines:
          group   notConfigGroup v1           notConfigUser
          group   notConfigGroup v2c           notConfigUser

          Replace with these lines:
          group MyRWGroup v1         local
          group MyRWGroup v2c        local
          group MyRWGroup usm        local
          group MyROGroup v1         mynetwork
          group MyROGroup v2c        mynetwork
          group MyROGroup usm        mynetwork
        • Locate this line:
          view    systemview     included      system

          Replace with this line:
          view all    included  .1                               80
        • Locate this line:
          access  notConfigGroup ""      any       noauth    exact  systemview none none

          Replace with these lines:
          access MyROGroup ""      any       noauth    exact  all    none   none
          access MyRWGroup ""      any       noauth    exact  all    all    none
        • Locate these lines:
          syslocation Unknown (edit /etc/snmp/snmpd.conf)
          syscontact Root  (configure /etc/snmp/snmp.local.conf)

          Replace with these lines:
          syslocation Linux (RH3_UP2), Home Linux Router.
          syscontact YourNameHere <you@example.com>
      • You should now be able to start the snmpd service with the command "service snmpd start" and re-run the "snmpwalk" command near the top to verify SNMP statistics are available for your network interfaces.
    • Install and configure MRTG to graph traffic through the firewall:
      • Run this command to generate an MRTG configuration file:
        cfgmaker --output=/etc/mrtg/mrtg.cfg.new \
        --ifref=ip \
        --global 'Workdir: /var/www/mrtg/data' \
        --global 'Options[_]: growright,bits,unknaszero' \
        --global 'Weekformat[^]: V' \
        public@localhost
      • Double check the “mrtg.cfg.new” file generated above to make sure the devices in the file are accurate.
      • Create the MRTG data directory and initialize MRTG with these commands (run them in the order shown):
        mkdir -p /var/www/mrtg/data
        cd /etc/mrtg
        mv mrtg.cfg mrtg.cfg.original
        mv mrtg.cfg.new mrtg.cfg
        mrtg mrtg.cfg
        mrtg mrtg.cfg
        mrtg mrtg.cfg

        Note: you must run the last command three times as shown (until no errors are reported).
      • Create the HTML page with these commands (run them in the order shown):
        cd /var/www/mrtg
        mv index.html index_mrtg.html
        indexmaker --output=/var/www/mrtg/index.html --columns=1 --autoprefix /etc/mrtg/mrtg.cfg
      • Edit the file "/etc/httpd/conf.d/mrtg.conf" and add a line to allow local LAN access to the web page:
        Allow from 192.168.0

        Note: use your local LAN IP scheme.
  15. Set the core services to start with the “ntsysv” utility:
    Disable these services:
    • netfs
    • ip6tables
    Enable these services:
    • named
    • crond
    • httpd
    • sendmail
    • keepalived
    • iptables
  16. Configure iptables.
    • The rules are usually stored in the file "/etc/sysconfig/iptables", and are loaded by the “iptables” service. By default, you can run the “system-config-firewall-tui” utility to set up the basic firewall operation (set eth0 to a “trusted interface”), share the Internet via the local Ethernet interface (eth0) and automatically write the rules file. However, I’ve found it necessary to edit this file by hand and add extra inbound forwarding rules. An example of a port forwarding rule with throttling is below (to help against brute force attacks). This should provide a basic template for creating rules for additional services. Once you edit this file by hand, however, do NOT run the “system-config-firewall-tui” program, as it will overwrite your changes and put the default configuration back in. Each time you edit the file, simply issue the command “service iptables restart” to re-read the iptables file. Existing connections will stay up, as it only refreshes the rules and does not affect connectivity.
    • Inbound connections for publishing services to the Internet (sample rules for the "forwarding" section of the "/etc/sysconfig/iptables" file):
      # Forward DNS traffic with throttling and logging - rules must be in this order when appending
      -A FORWARD -p udp -m udp -d {internal_ip}/32 --dport 53 -m recent --update --seconds 300 --hitcount 40 --name DNS1THROTTLE --rsource -j LOG
      -A FORWARD -p udp -m udp -d {internal_ip}/32 --dport 53 -m recent --update --seconds 300 --hitcount 40 --name DNS1THROTTLE --rsource -j DROP
      -A FORWARD -p udp -m udp -d {internal_ip}/32 --dport 53 -m recent --set --name DNS1THROTTLE --rsource -j ACCEPT
      -A FORWARD -p tcp -m tcp -d {internal_ip}/32 --dport 53 -m recent --update --seconds 300 --hitcount 40 --name DNS1THROTTLE2 --rsource -j LOG
      -A FORWARD -p tcp -m tcp -d {internal_ip}/32 --dport 53 -m recent --update --seconds 300 --hitcount 40 --name DNS1THROTTLE2 --rsource -j DROP
      -A FORWARD -p tcp -m tcp -d {internal_ip}/32 --dport 53 -m recent --set --name DNS1THROTTLE2 --rsource -j ACCEPT
    • Additional rules for the above example to be under the "pre-routing" section (nat table) of the "/etc/sysconfig/iptables" file:
      # Forward DNS traffic
      -A PREROUTING -p tcp -d {public_ip}/32 --dport 53 -j DNAT --to-destination {internal_ip}:53
      -A PREROUTING -p udp -d {public_ip}/32 --dport 53 -j DNAT --to-destination {internal_ip}:53
    • Additional notes on these examples:
      • The example above will forward incoming DNS connections to a DNS server. If an IP requests more than about 5 queries within a 5 minute period (300 seconds), subsequent connections will be dropped for up to 5 additional minutes (the threshold is the --hitcount value, 40 in the rules as written; lower it to tighten the limit). Because the LOG and DROP rules use --update, every dropped packet refreshes the source's timestamp, so the block lasts as long as the source keeps sending. Once no connections are received for a 5 minute window, the counter will reset to zero and connections will be allowed again.
      • For more information, be sure to read up on the iptables "recent" (xt_recent / ipt_recent) module in the iptables-extensions man page.
      • The “logwatch” service will run nightly and send an email report with the iptables section showing IPs that match the rules above. In this example it will show those IPs making a high number of connections to the DNS port (a possible brute force or DNS poisoning attempt).
      • Use these rules as a template for any other service you publish on the Internet and wish to throttle. POP3, IMAP and FTP are some good examples.
  17. Repeat the steps above for the second Pi (I have noted when to use settings on the first and second Pi). Be sure to pay careful attention to the IP addresses assigned to the eth0 and eth1 devices, the keepalived.conf file (Keepalived configuration), and any additional settings that must be unique on each Pi firewall box. The IPs on these physical devices must be unique and exist on the subnet that each device is attached to. The Keepalived configuration is also unique on each Pi.
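A check for steps 13 and 17, added here as an example and not part of the original post: a POSIX shell script that compares the master and backup keepalived.conf files before keepalived is started on either Pi, and reports the mismatches that produce a split-brain or a non-failing-over pair (different virtual_router_id or virtual addresses, equal priorities, wrong MASTER/BACKUP states). It assumes the file layout shown in step 13 (one vrrp_instance block per interface containing state, priority, virtual_router_id and a virtual_ipaddress block). The sample configs it writes are constructed for the demo, with 203.0.113.0/29 standing in for the real public block.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check that the two
# Pis' keepalived.conf files form a consistent MASTER/BACKUP pair.
# Assumes the layout used in step 13 of the post. The sample configs written
# by write_samples are constructed; 203.0.113.0/29 stands in for the public block.

# Print one "instance state priority vrid" line per vrrp_instance in file $1.
vrrp_summary() {
    awk '
        { opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}") }
        $1 == "vrrp_instance"                   { name = $2; start = depth }
        name != "" && $1 == "state"             { state = $2 }
        name != "" && $1 == "priority"          { prio = $2 }
        name != "" && $1 == "virtual_router_id" { vrid = $2 }
        { depth += opens - closes }
        name != "" && depth == start { print name, state, prio, vrid; name = "" }
    ' "$1"
}

# Print the addresses listed inside virtual_ipaddress blocks of file $1.
vip_list() {
    awk '
        $1 == "virtual_ipaddress" { inblock = 1; next }
        inblock && $1 == "}"      { inblock = 0; next }
        inblock                   { print $1 }
    ' "$1"
}

# Compare a master config ($1) with a backup config ($2): print every problem
# found and return non-zero if there is any.
check_pair() {
    master=$(vrrp_summary "$1")
    backup=$(vrrp_summary "$2")
    rc=0
    [ "$(vip_list "$1")" = "$(vip_list "$2")" ] ||
        { echo "ERROR: virtual_ipaddress lists differ between the two nodes"; rc=1; }
    while read -r name mstate mprio mvrid; do
        [ -n "$name" ] || continue
        line=$(printf '%s\n' "$backup" | awk -v n="$name" '$1 == n')
        if [ -z "$line" ]; then
            echo "ERROR: $name is missing from the backup config"; rc=1; continue
        fi
        set -- $line
        bstate=$2; bprio=$3; bvrid=$4
        [ "$mstate" = MASTER ] && [ "$bstate" = BACKUP ] ||
            { echo "ERROR: $name states must be MASTER/BACKUP, got $mstate/$bstate"; rc=1; }
        [ "$mvrid" = "$bvrid" ] ||
            { echo "ERROR: $name virtual_router_id differs ($mvrid vs $bvrid)"; rc=1; }
        [ "$mprio" -gt "$bprio" ] ||
            { echo "ERROR: $name master priority $mprio must exceed backup priority $bprio"; rc=1; }
    done <<EOF
$master
EOF
    return $rc
}

# Write constructed sample configs into directory $1: a good master (fw1),
# a good backup (fw2) and a broken backup (fw2_bad: same priority, wrong VRID).
write_samples() {
    cat > "$1/fw1.conf" <<'EOF'
vrrp_sync_group fw-cluster {
 group {
  fw-cluster-eth0
  fw-cluster-eth1
 }
}
vrrp_instance fw-cluster-eth0 {
 state MASTER
 interface eth0
 virtual_router_id 20
 priority 100
 virtual_ipaddress {
  192.168.0.1/24 brd 192.168.0.255 dev eth0
 }
}
vrrp_instance fw-cluster-eth1 {
 state MASTER
 interface eth1
 virtual_router_id 30
 priority 100
 virtual_ipaddress {
  203.0.113.3/29 brd 203.0.113.7 dev eth1
 }
}
EOF
    sed -e 's/MASTER/BACKUP/' -e 's/priority 100/priority 50/' "$1/fw1.conf" > "$1/fw2.conf"
    sed -e 's/MASTER/BACKUP/' -e 's/virtual_router_id 30/virtual_router_id 31/' "$1/fw1.conf" > "$1/fw2_bad.conf"
}

# Stand-alone demo: check a good pair and a broken pair.
DEMO_DIR=$(mktemp -d)
write_samples "$DEMO_DIR"
check_pair "$DEMO_DIR/fw1.conf" "$DEMO_DIR/fw2.conf" && echo "fw1/fw2: consistent pair"
check_pair "$DEMO_DIR/fw1.conf" "$DEMO_DIR/fw2_bad.conf" || echo "fw1/fw2_bad: problems found"
rm -rf "$DEMO_DIR"
```

On the real boxes, copy the backup's file over with rsync (installed in step 5) and run `check_pair /etc/keepalived/keepalived.conf /tmp/keepalived-fw2.conf` on the master before starting the service; the physical eth0/eth1 addresses from step 10 are not in keepalived.conf and still need to be compared by hand.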
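For the logwatch note in step 16, an added example that is not part of the original post: the LOG target writes one syslog line per throttled packet, with IN=, OUT=, SRC=, DST=, PROTO= and DPT= fields, and this script produces the same kind of summary the nightly report gives, counting hits per source and protocol for the internal address and port of one published service. The kernel log lines, the hostname fw1 and the 198.51.100.0/24 source addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise the syslog lines
# produced by the throttling LOG rules of step 16 per source and protocol.
# The log lines below are constructed (the field layout is what the iptables
# LOG target writes; hostnames and the 198.51.100.0/24 sources are made up).
SAMPLE_LOG='Mar 20 02:15:01 fw1 kernel: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.168.0.20 LEN=60 TTL=54 PROTO=UDP SPT=51512 DPT=53 LEN=40
Mar 20 02:15:01 fw1 kernel: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.168.0.20 LEN=60 TTL=54 PROTO=UDP SPT=51513 DPT=53 LEN=40
Mar 20 02:15:02 fw1 kernel: IN=eth1 OUT=eth0 SRC=198.51.100.23 DST=192.168.0.20 LEN=60 TTL=49 PROTO=UDP SPT=40001 DPT=53 LEN=40
Mar 20 02:15:02 fw1 kernel: usb 1-1.3: new full-speed USB device number 4 using dwc_otg
Mar 20 02:15:03 fw1 kernel: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.168.0.20 LEN=60 TTL=54 PROTO=TCP SPT=51600 DPT=53 WINDOW=29200 SYN
Mar 20 02:15:04 fw1 kernel: IN=eth1 OUT=eth0 SRC=198.51.100.23 DST=192.168.0.20 LEN=60 TTL=49 PROTO=UDP SPT=40002 DPT=53 LEN=40
Mar 20 02:15:05 fw1 kernel: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.168.0.30 LEN=60 TTL=54 PROTO=TCP SPT=51700 DPT=80 WINDOW=29200 SYN
Mar 20 02:15:06 fw1 kernel: IN=eth1 OUT=eth0 SRC=198.51.100.7 DST=192.168.0.20 LEN=60 TTL=54 PROTO=UDP SPT=51514 DPT=53 LEN=40'

# Count throttle hits per "source protocol" for packets to internal IP $1,
# port $2, reading syslog text on stdin. Output: "hits source proto", busiest first.
throttle_report() {
    awk -v dst="$1" -v port="$2" '
        /kernel: / && / IN=/ {
            src = proto = d = p = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue          # flags such as SYN or DF carry no value
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") d = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") p = kv[2]
            }
            if (d == dst && p == port) hits[src " " proto]++
        }
        END { for (k in hits) print hits[k], k }
    ' | sort -k1,1nr -k2,2
}

# Sources whose total hits (all protocols) reach threshold $3, one per line,
# sorted, for review in the morning or for a ticket.
throttle_offenders() {
    throttle_report "$1" "$2" |
        awk -v min="$3" '{ total[$2] += $1 } END { for (s in total) if (total[s] >= min) print s }' |
        sort
}

# Stand-alone demo on the constructed log: per-source report, then the
# sources that were throttled at least three times.
printf '%s\n' "$SAMPLE_LOG" | throttle_report 192.168.0.20 53
printf '%s\n' "$SAMPLE_LOG" | throttle_offenders 192.168.0.20 53 3
```

On the firewall, feed it the kernel log (typically /var/log/messages on a Red Hat based system) with `throttle_report 192.168.0.20 53 < /var/log/messages`. Because the LOG rules in the post carry no `--log-prefix`, the script keys on the DST= and DPT= fields; adding `--log-prefix "DNS1THROTTLE: "` to the LOG rules would give logwatch and this script an unambiguous tag to match on.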
lmmtux