Tuesday, April 6, 2010

Deploy iptables Cluster using Fwbuilder and Heartbeat

I/Intro

As we know, fwbuilder is a GUI firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco router extended access lists. Both professional network administrators and hobbyists managing firewalls with policies more complex than a simple web-based UI allows can simplify management tasks with the application. The program runs on Linux, FreeBSD, OpenBSD, Windows and Mac OS X and can manage both local and remote firewalls.

Firewall Builder is packaged with most Linux distributions. If the package is not available in the base distribution, it usually can be found in "extras". You need to install the package libfwbuilder, which contains the supporting API library, and the package fwbuilder, which contains the Firewall Builder GUI and policy compilers. You can use your favorite package management tool such as yum, apt-get or aptitude to find and install them. On FreeBSD and OpenBSD Firewall Builder is part of ports; you can find it in /usr/ports/security/fwbuilder. The new version comes with support for high availability firewall configurations, including heartbeat, vrrpd, keepalived and conntrackd on Linux, CARP and pfsync on OpenBSD, and PIX failover configuration. It can generate configuration scripts to manage IP addresses, VLAN, bridge and bonding interfaces on the firewall. Drop-in support for the OpenWRT firewall script is now available, as well as experimental integration with IPCOP firewall appliances. The GUI supports undo/redo of unlimited depth, was generally streamlined and has many other improvements. For details see http://www.fwbuilder.org/

II/Install

Step 1: configure the IP addresses of the two firewalls as shown in the image


Step 2: install heartbeat

yum -y install heartbeat

yum -y install heartbeat   # run again if the first attempt ended with errors


Step 3: copy the default configuration files. It's necessary to do this on both systems

cp /usr/share/doc/heartbeat-2.1.3/authkeys /etc/ha.d/authkeys

cp /usr/share/doc/heartbeat-2.1.3/ha.cf /etc/ha.d/ha.cf

cp /usr/share/doc/heartbeat-2.1.3/haresources /etc/ha.d/haresources


Step 4: edit /etc/ha.d/authkeys. It's necessary to do this on both systems

auth 3

3 md5 123

Step 5: edit /etc/ha.d/ha.cf. It's necessary to do this on both systems

keepalive 2 #line 52

deadtime 10 # line 60

mcast eth0 225.0.0.1 694 1 0 #line 117

mcast eth1 225.0.0.1 694 1 0 #line 118

node fw1.test.vn #add it in BOTTOM
node fw2.test.vn #add it in BOTTOM

Step 6: edit /etc/ha.d/haresources


fw1.test.vn IPaddr::192.168.10.145/24/eth0/192.168.10.255

fw1.test.vn IPaddr::172.16.1.3/16/eth1/172.16.255.255

Step 7: set file permissions

authkeys should have permissions "0600"; the other files can have permissions "0644"
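As an added example that is not part of the original post, the following POSIX shell script builds the authkeys file from steps 4 and 7 with a random 256-bit shared secret and the sha1 method instead of a fixed string such as 123, and then checks the 0600 mode that heartbeat insists on. The HA_DIR variable and the function names are my own assumptions so the functions can be exercised against a scratch directory; heartbeat itself only cares about the auth/method/key lines and the file mode.

```shell
#!/bin/sh
# Added example, not from the original post: create the heartbeat authkeys
# file from steps 4 and 7 with a random shared secret instead of a fixed
# string such as "123", and verify the 0600 mode heartbeat requires.
# HA_DIR is an assumption so the functions can be exercised against a
# scratch directory; on the firewalls it is /etc/ha.d as in the post.

HA_DIR="${HA_DIR:-/etc/ha.d}"

# gen_secret: 64 hex characters (256 bits) from the kernel RNG. Generate it
# once and copy the same secret to the second node; both must share it.
gen_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_authkeys DIR SECRET: writes
#     auth 1
#     1 sha1 <secret>
# so heartbeat authenticates every UDP packet with an HMAC-SHA1 under the
# secret. A restrictive umask means the file never exists world-readable,
# not even for the instant before chmod.
write_authkeys() {
    dir="$1"; secret="$2"
    [ -d "$dir" ] || mkdir -p "$dir"
    (
        umask 077
        printf 'auth 1\n1 sha1 %s\n' "$secret" > "$dir/authkeys"
    )
    chmod 0600 "$dir/authkeys"
}

# check_authkeys DIR: returns 0 only when authkeys is mode 0600 and the
# active "auth N" line is backed by an "N sha1 <key>" or "N md5 <key>" line
# with a non-empty key. heartbeat refuses to start on a readable authkeys,
# and crc is excluded because it is a checksum, not authentication.
check_authkeys() {
    f="$1/authkeys"
    [ -f "$f" ] || return 1
    mode=$(ls -l "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || return 1
    n=$(awk '$1=="auth"{print $2; exit}' "$f")
    [ -n "$n" ] || return 1
    awk -v n="$n" '$1==n && ($2=="sha1" || $2=="md5") && $3!="" {ok=1}
                   END{exit ok ? 0 : 1}' "$f"
}

# Stand-alone use on a firewall node (as root):
#   write_authkeys "$HA_DIR" "$(gen_secret)" && check_authkeys "$HA_DIR" && echo authkeys ok
```

Generate the secret once, copy the resulting file to the second node over a trusted channel (scp, for example) and run check_authkeys on both nodes before step 8; both nodes must hold the identical secret or they will ignore each other's heartbeats.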

Step 8: start heartbeat

/etc/init.d/heartbeat start

Step 9: install fwbuilder

# rpm -Uvh libfwbuilder*
# rpm -Uvh fwbuilder*

Step 10: create the two firewalls in Fwbuilder as shown in the image

Step 11:


Step 12: open ports for the cluster

Open UDP port 694 (the heartbeat port set in ha.cf above) and UDP port 3780 on both firewalls.
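The shell functions below are an added example, not part of the original post and not heartbeat's or fwbuilder's own code. They sanity-check the ha.cf and haresources files from steps 5 and 6 (node names, the uname -n match heartbeat requires, and resource groups that point at a known node) and derive from ha.cf the UDP accept rules step 12 needs, bound to the interface and multicast group of each channel rather than opening the port from anywhere. The directory and hostname arguments are assumptions so the checks can run against a scratch copy; on the firewalls the directory is /etc/ha.d.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check /etc/ha.d/ha.cf and
# /etc/ha.d/haresources before starting heartbeat, and derive from ha.cf the
# UDP traffic the firewall policy has to accept. DIR is an assumption so the
# functions can run against a scratch copy; on the firewalls it is /etc/ha.d.

# ha_conf DIR: ha.cf with comments stripped (the "#line 52"-style notes in
# the post are annotations and must not be in the real file anyway).
ha_conf() {
    sed 's/#.*//' "$1/ha.cf"
}

# ha_nodes DIR: the node names declared with "node" directives, one per line.
ha_nodes() {
    ha_conf "$1" | awk '$1=="node"{for(i=2;i<=NF;i++)print $i}'
}

# check_ha_config DIR [HOSTNAME]: returns 0 only when
#   - ha.cf declares at least two nodes,
#   - HOSTNAME (default: uname -n) is one of them, since heartbeat matches
#     the node entries against uname -n and otherwise refuses to start,
#   - every resource group in haresources names a node from ha.cf.
check_ha_config() {
    dir="$1"; me="${2:-$(uname -n)}"
    nodes=$(ha_nodes "$dir") || return 1
    [ "$(printf '%s\n' "$nodes" | grep -c .)" -ge 2 ] || return 1
    printf '%s\n' "$nodes" | grep -qx "$me" || return 1
    # first field of each non-comment haresources line is the preferred node
    sed 's/#.*//' "$dir/haresources" | awk 'NF{print $1}' |
    while read -r n; do
        printf '%s\n' "$nodes" | grep -qx "$n" || exit 1
    done
}

# heartbeat_accept_rules DIR: print one iptables ACCEPT rule per heartbeat
# channel in ha.cf, bound to that channel's interface (and, for mcast, its
# group address; for ucast, the peer's address), so only the heartbeat port
# is opened on each link instead of "udp 694 from anywhere". The rules are
# printed for review, not applied.
heartbeat_accept_rules() {
    ha_conf "$1" | awk '
        $1=="udpport" { p=$2 }   # must precede bcast/ucast lines, as in ha.cf itself
        $1=="mcast"   { printf "iptables -A INPUT -i %s -p udp -d %s --dport %s -j ACCEPT\n", $2, $3, $4 }
        $1=="bcast"   { printf "iptables -A INPUT -i %s -p udp --dport %s -j ACCEPT\n", $2, (p ? p : 694) }
        $1=="ucast"   { printf "iptables -A INPUT -i %s -p udp -s %s --dport %s -j ACCEPT\n", $2, $3, (p ? p : 694) }
    '
}

# Stand-alone use on a node:
#   check_ha_config /etc/ha.d && heartbeat_accept_rules /etc/ha.d
```

With the ha.cf from step 5 the output is one rule per mcast line, for eth0 and eth1 with destination 225.0.0.1 and port 694; those are the rules to reproduce in the cluster's fwbuilder policy so that heartbeat traffic passes while the port stays closed on every other interface.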

Step 13: create the NAT and Policy rules for the cluster (they are created the same way as for a stand-alone fwbuilder firewall)

Step 14: Test

Shut down fw1 and test again.

Start fw1 and test again.

Besides heartbeat, you can also use vrrp, carp, etc. for the cluster.

If you need template files for the configuration, please send an e-mail to quan.hoa@conheotiensinh.co.cc and I will send them to you.


Thanks

http://conheotiensinh.blogspot.com/