This setup is interesting when you want to avoid SPOF on your firewall/gateway which are on top of your network architecture.
This article is about how to improve high availability on stateful firewalls using netfilter's conntrack synchronization. In a later article we will discuss on how to automatically remove static routes when a gateway is down (Gateway Fail Over Wan)
Need stateful mode¶
Stateful based firewalling is now used on most part of firewalling architectures. The stateful mode is based on keeping track of the network connections to make sysadmin's life better ;)
To view active conntrack and deal with it, you could install conntrack package. it will provide this kind of commands :
conntrack -S (Show statistics)
or
conntrack -L (List conntrack)
Stateful Syncing between nodes¶
In our use case, we need to synchronize network connections tracking on two firewalls nodes. This is ensured by a daemon called conntrackd
apt-get install conntrackd
Conntrackd, has three replication approaches, “no track”, “ft-fw” and “alarm”.
- no-track: use the best effort syncing tables and no control was made when tables are replicate.
- ft-fw: use reliable protocol to perform message tracking. So that sync error or corruption are permitted.
- alarm: Which allow to set syncing tables interval. This option require a lot of bandwhitch.
More information: http://conntrack-tools.netfilter.org/manual.html#sync
We choose ft-fw mode because it's ready for production environnement, more stable and it works well.
To use ft-fw, you could reuse example as your configuration and make some little changes, as your network addresses.
zcat /usr/share/doc/conntrackd/examples/sync/ftfw/conntrackd.conf.gz > /etc/conntrackd/conntrackd.conf
Conntrackd, should start as daemon at boot starting, so we define this by init scripts and /etc/default/conntrackd in Debian.
Iptables Rules¶
As you drop all undesired traffic, we need to add some rules to allow traffic came from conntrackd on both nodes:
# ------------------------- Conntrack
iptables -A INPUT -p udp -i $IFCONN -d 225.0.0.50/32 --dport 3780 -j ACCEPT
iptables -A INPUT -p udp -i $IFCONN -s $IPCONN --dport 694 -j ACCEPT
Check your synchronisation¶
As your configuration should work without any problem, now we could play with the daemons.
Conntrackd, provide commands that they works like a client/server. So we can ask conntrackd by cli commands to know cache / statistics /etc...
Here are some examples :
To show tables which are synchronised , we could use this commands. See external cache (cache which is on gw02 was synchronised to gw01):
root@gw02:~# conntrackd -e
See internal cache :
root@gw02:~# conntrackd -i
You can compare results and counting them :
root@gw02:~# conntrackd -e | wc -l
root@gw02:~# 325
root@gw01:~# conntrackd -i | wc -l
root@gw02:~# 328
And show more statistics :
conntrackd -s
As you can see, ft-fw is asynchronous. Our setup is “Active-Backup”. You can sync mannually for fun:
root@gw02:~# conntrackd -n
Conntrackd, provide Active-Active setup but it's still in asymmetric mode. For more information you can read the manual : http://conntrack-tools.netfilter.org/manual.html#sync-aa