Set up high availability firewalls on Linux for iSeries®

Brett Leesel
October 2002

Contents:
  Introduction
  Heartbeat introduction
  Heartbeat installation and settings
  Creating a firewall service
  Creating the firewall start and stop scripts

Introduction

For a long time, Linux running on a PC has been recognized as an inexpensive and secure firewall solution for home networks. Now that Linux runs on the iSeries server, iSeries customers have the opportunity to use a Linux firewall for their corporate network as well. When adding a Linux firewall on the iSeries server, however, a business has two very important considerations: reliability and cost. This article shows how to set up a Linux firewall on the iSeries server that is inexpensive (all of the software is completely free) and reliable (automatic failover takes only a few seconds). The figure below shows the setup used in this scenario.
Heartbeat introduction

For a company, a network outage damages the company's image and hurts employee productivity. For example, customers who become frustrated trying to reach a web site may turn to a competitor, or employees may not receive important e-mail. High availability is therefore a necessity. The Linux kernel does not provide high availability for a firewall as a built-in function, and this is where the open source community comes to the rescue. A quick search of the Internet turns up the High Availability Linux project, which has developed the Heartbeat application. The application is open source and can be used free of charge. Heartbeat provides high availability using a primary/backup model and handles the following functions: starting and stopping the required services, monitoring the nodes in the cluster, and IP address takeover. Because Heartbeat can manage any Linux service, making the firewall highly available only requires writing a service script for the Linux firewall. That step is covered in the section "Creating a firewall service".

Heartbeat installation and settings

The first step in installing and configuring Heartbeat is to install and configure two Linux partitions on the iSeries server. If you do not already have two Linux partitions installed and configured on the iSeries server, see the IBM(R) Redbook "Linux on the IBM iSeries Server: An Implementation Guide" for detailed instructions. This Redbook can be viewed online at the IBM Redbooks(TM) web site. Next, you need to compile and install the Heartbeat application on each Linux partition. Provided that you have the compiler needed to build from source, Heartbeat should compile and install on any Linux distribution. This scenario uses the SuSE Linux Enterprise Server (SLES) 7 for iSeries distribution. First, download the Heartbeat source code from the High Availability Linux project web site.
The version downloaded for this scenario is HeartBeat.4.9.1.tar.gz. The .tar and .gz extensions indicate that the package was created with the Linux tar utility and compressed with the gzip utility. To extract the files in the package, issue tar -zxvf HeartBeat.4.9.1.tar.gz. This creates a directory called HeartBeat.4.9.1. Change to the new Heartbeat directory with the command cd HeartBeat.4.9.1, then compile and install Heartbeat with the single command make install. There is now a script called heartbeat in the /etc/init.d directory. This script is used to start, stop, restart, or check the status of Heartbeat, and its syntax is:

  /etc/init.d/heartbeat {start|stop|status|restart}

Before you can start Heartbeat, however, three configuration files must be created and placed in the /etc/ha.d directory. These three configuration files are ha.cf, haresources, and authkeys, and each is discussed in more detail below. A sample of each configuration file is provided in the doc directory of the unpacked Heartbeat source. Copy the three samples to the /etc/ha.d directory with the following three commands:

  cp /path-to-heartbeat.4.9.1-folder/doc/ha.cf /etc/ha.d/
  cp /path-to-heartbeat.4.9.1-folder/doc/haresources /etc/ha.d/
  cp /path-to-heartbeat.4.9.1-folder/doc/authkeys /etc/ha.d/
Once the sample files are copied, edit the configuration in each file to match your setup. Make sure the configuration files are identical on both Linux partitions. The configuration used in this scenario is discussed in the following sections.

ha.cf

The first configuration file is ha.cf, which holds general configuration information for the Heartbeat application. The configuration lines used in the ha.cf for this scenario are:

  keepalive 1
    This parameter specifies the number of seconds between heartbeats. In this scenario, a heartbeat is sent every second.
  deadtime 10
    This parameter specifies how long to wait before declaring a node dead. Specifying 10 means that Heartbeat starts a failover after a node has stopped responding for 10 seconds.
  initdead 60
    This parameter specifies how long to wait before declaring a node dead when Heartbeat first starts. This matters when Heartbeat starts at boot time, because the network can take a while to come up. The initial dead time should be at least twice the deadtime parameter.
  udpport 694
    This parameter specifies the port used when sending UDP heartbeat packets.
  udp eth2
  udp eth3
    These parameters specify which interface(s) carry the heartbeat. In this scenario, two iSeries server virtual Ethernet LANs are dedicated entirely to the heartbeat. This keeps the heartbeat load off the real network, and the link between the nodes is extremely reliable.
  node linux1
  node linux2
    The node parameters tell Heartbeat which systems belong to the cluster. It is very important that the node names are correct. To make sure a node name is correct, run the command uname -n on the Linux partition and use exactly the name that uname displays.

haresources

The second configuration file is haresources. This file specifies which resources are part of the cluster and which node is the primary node. The haresources file for this scenario contains only one line:

  linux1 10.0.0.1 192.168.105.11 ha_firewall

The syntax of this line in the haresources file is:

  node-name resource1 resource2 ... resourceN

In this scenario, the node name is linux1, which makes linux1 the primary node. As long as linux1 is active, it controls every resource specified in this configuration file. The parameters 10.0.0.1, 192.168.105.11 and ha_firewall specify that the IP addresses 10.0.0.1 and 192.168.105.11 and the script ha_firewall are the cluster's resources. When an IP address is specified as a cluster resource, Heartbeat moves that IP address between the nodes. None of the IP addresses specified in haresources should be configured as the IP address of any adapter on either node; when the Heartbeat application starts, it assigns the failover IP addresses to the appropriate node. This solution uses two failover IP addresses so that, on both the iSeries server side and the untrusted network side, the firewall has the same IP address no matter which node currently controls the resources.

authkeys

The last Heartbeat configuration file is authkeys. This configuration file determines what type of authentication is used between the nodes and which key is used for that authentication. According to the High Availability Linux project web site, three authentication algorithms can be used: crc, md5 and sha1. The algorithm you use depends on how much security you want and how much processing capacity you can spare. For the lowest security and the least processing, use crc. For a little more processing and more security, use md5. Finally, for the most processing and the highest security, use sha1. The format of the authkeys file is:

  auth number
  number algorithm key
In this scenario, Heartbeat broadcasts over iSeries server virtual Ethernet LANs that are dedicated to the two Linux partitions, so crc would be safe enough. For added security and reliability, however, this scenario uses md5:

  auth 1
  1 md5 this_is_my_md5_key
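The three files above have to agree with each other, and the rules are easy to break when they are edited by hand on two partitions: initdead should be at least twice deadtime, the primary node named in haresources must be one of the node names in ha.cf, the auth line must select a key line of the right shape for its algorithm, and authkeys must be readable by root only. The following Python validator is an added example, not code from the article or from the Heartbeat project. It parses constructed copies of the three files used in this scenario and reports each violation; the resource_dir argument (checking that non-IP resources exist as scripts) is this example's own addition.

```python
import os
import stat
import tempfile

# Constructed sample contents for the three files (this example's own input,
# mirroring the values used in the scenario; not files taken from the article).
HA_CF = """\
keepalive 1
deadtime 10
initdead 60
udpport 694
udp eth2
udp eth3
node linux1
node linux2
"""
HARESOURCES = "linux1 10.0.0.1 192.168.105.11 ha_firewall\n"
AUTHKEYS = "auth 1\n1 md5 this_is_my_md5_key\n"


def parse_ha_cf(text):
    """Return (settings dict, heartbeat interfaces, node names) from ha.cf text."""
    settings, ifaces, nodes = {}, [], []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "udp":
            ifaces.append(value)
        elif key == "node":
            nodes.extend(value.split())
        else:
            settings[key] = value
    return settings, ifaces, nodes


def check_ha_cf(text):
    """Apply the timing and node rules the ha.cf section describes."""
    settings, ifaces, nodes = parse_ha_cf(text)
    try:
        keepalive, deadtime, initdead = (int(settings[k]) for k in ("keepalive", "deadtime", "initdead"))
    except (KeyError, ValueError):
        return ["keepalive, deadtime and initdead must all be present and numeric"]
    problems = []
    if deadtime <= keepalive:
        problems.append("deadtime must be larger than keepalive")
    if initdead < 2 * deadtime:
        problems.append("initdead should be at least twice deadtime")
    if not ifaces:
        problems.append("no heartbeat interface (udp ...) configured")
    if len(nodes) < 2:
        problems.append("a cluster needs at least two node entries")
    return problems


def is_ipv4(s):
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def check_haresources(text, ha_cf_text, resource_dir=None):
    """The primary node must be a node from ha.cf; each non-IP resource must be a
    script in resource.d when a directory to check is given."""
    problems = []
    _, _, nodes = parse_ha_cf(ha_cf_text)
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] not in nodes:
            problems.append("primary node %r is not listed in ha.cf" % fields[0])
        for res in fields[1:]:
            if not is_ipv4(res) and resource_dir and not os.path.exists(os.path.join(resource_dir, res)):
                problems.append("resource script %r not found in %s" % (res, resource_dir))
    return problems


def check_authkeys(text, path=None):
    """'auth N' must select a defined key line; crc takes no key, md5/sha1 need one;
    the file must be mode 0600, which Heartbeat insists on before it will start."""
    problems, selected, keys = [], None, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0].lower() == "auth":
            selected = fields[1]
        elif len(fields) >= 2 and fields[0].isdigit():
            keys[fields[0]] = (fields[1].lower(), fields[2:])
    if selected not in keys:
        problems.append("auth line does not select a defined key number")
    for num, (algo, key) in keys.items():
        if algo == "crc" and key:
            problems.append("key %s: crc takes no key" % num)
        elif algo in ("md5", "sha1") and not key:
            problems.append("key %s: %s needs a key" % (num, algo))
        elif algo not in ("crc", "md5", "sha1"):
            problems.append("key %s: unknown algorithm %r" % (num, algo))
    if path is not None and stat.S_IMODE(os.stat(path).st_mode) != 0o600:
        problems.append("%s must be mode 0600" % path)
    return problems


def check_all(ha_cf=HA_CF, haresources=HARESOURCES, authkeys=AUTHKEYS, authkeys_mode=0o600):
    """Write the authkeys text to a temporary file with the given mode and run all checks."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as f:
            f.write(authkeys)
        os.chmod(path, authkeys_mode)
        return (check_ha_cf(ha_cf) + check_haresources(haresources, ha_cf)
                + check_authkeys(authkeys, path))
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for msg in check_all() or ["configuration looks consistent"]:
        print(msg)
```

Run it on both partitions against the real files (reading /etc/ha.d/ha.cf, haresources and authkeys in place of the constructed strings) before starting Heartbeat; a difference in its output between the two nodes is itself a finding, since the configuration is required to be identical on both.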
Obviously, for security, you should specify something different for the key. To use a different algorithm, simply specify sha1 in place of md5. The crc algorithm requires no key, so simply specify crc in place of md5 and remove the key portion. One last important point about this configuration file: Heartbeat requires the authkeys file to have strict permissions, because the file is security-sensitive. To make sure authkeys has the right permissions, run the command chmod 600 authkeys as root. This sets the permissions on authkeys so that only root can read it.

Creating a firewall service

The haresources configuration file specifies a Linux service named ha_firewall as a cluster resource, so that service must now be created on both Linux partitions. Most Linux distributions place their service scripts in the /etc/init.d directory. The Heartbeat application, however, does not look for services in /etc/init.d; to make sure Heartbeat can find the ha_firewall script, you must place it in the /etc/ha.d/resource.d directory. For this scenario, the ha_firewall service script is kept in the /etc/init.d directory to be consistent with all the other Linux services, and a symbolic link to the ha_firewall script is placed in the /etc/ha.d/resource.d directory. Once the ha_firewall script has been created, create the symbolic link for the service with the command:

  ln -s /etc/init.d/ha_firewall /etc/ha.d/resource.d/ha_firewall

Now the directory where Heartbeat looks for the ha_firewall script contains a symbolic link to the script. The symbolic link is simply a pointer to the actual script file. If this is your first time writing a Linux service script, look at the other scripts in the /etc/init.d directory for examples of how it is done. The firewall service script used on both Linux partitions in this solution is as follows:
Code disclaimer information

This document contains programming examples. IBM grants you a nonexclusive copyright license to use all programming code examples from which you can generate similar function tailored to your own specific needs. All sample code is provided by IBM for illustrative purposes only. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. All programs contained herein are provided to you "AS IS" without any warranties of any kind. The implied warranties of non-infringement, merchantability and fitness for a particular purpose are expressly disclaimed.

ha_firewall

 1  # Script to start the HA firewall
 2  #
 3
 4  # include the /etc/rc.config file
 5  . /etc/rc.config
 6
 7  #
 8  # The echo return value for success (defined in /etc/rc.config).
 9  #
10  return=$rc_done
11
12  case "$1" in
13      start)
14          /root/start_firewall
15          rc_status -v
16          ;;
17      stop)
18          rc_status -v
19          /root/end_firewall
20          ;;
21      restart|reload)
22          $0 stop ${2+"$2"} && $0 start ${2+"$2"}
23          rc_status
24          ;;
25      status)
26          iptables -n -L | grep 'Chain INPUT' > /tmp/output
27          read output < /tmp/output
28          rm -f /tmp/output
29          case "$output" in
30              "Chain INPUT (policy DROP)")
31                  echo "firewall running."
32                  rc_status -v
33                  ;;
34              *)
35                  echo "firewall not running."
36                  exit 0
37          esac
38          ;;
39      *)
40          echo "Usage: $0 {start|stop|status}"
41          exit 1
42  esac
The purpose of this script is to give Heartbeat a way to start, stop, restart, and check the status of the firewall. The first 10 lines are comments and the usual setup for a Linux service. Line 12 is a case statement that checks whether the script's first parameter ($1) is start, stop, restart or reload, status, or anything else. If the parameter is not one of the expected values, the case statement prints the script's usage. When the parameter is start, the ha_firewall script starts the firewall by calling the start_firewall script; to stop the firewall, it calls the end_firewall script. The ha_firewall script checks the firewall's status by listing the firewall rules and looking for a DROP policy on the INPUT chain. If the default policy is DROP, the script assumes the firewall is running. This works because the end_firewall script (discussed in the next section) clears all the firewall rules and sets the default policy of the INPUT chain to ACCEPT. Changing the INPUT policy to ACCEPT is necessary so that packets are not all discarded once the firewall rules have been cleared.

Creating the firewall start and stop scripts

The ha_firewall script calls /root/start_firewall and /root/end_firewall; these two scripts start and stop the firewall. Creating these scripts is not difficult, but some knowledge of iptables is required. Linux uses the iptables command to configure the Linux firewall. For more information about iptables, see the iptables web site or use the command man iptables on Linux. The start_firewall script starts the firewall by loading the required modules, enabling IP forwarding, and loading all the firewall rules into the kernel. The end_firewall script stops the firewall by removing all the firewall rules from the kernel and leaving only two rules of its own. One of the remaining rules drops all traffic coming in on the untrusted interface.
The other drops all traffic going out to the untrusted interface, so that the Linux partition has no access to the untrusted network while the firewall is not running. This step ensures that the hot backup has no access to the untrusted network until it takes over from the primary node. At boot time, the primary node and the backup node are both exposed in this same way, so the end_firewall script should run automatically at boot. Refer to the documentation for your Linux distribution for information on configuring the end_firewall script to run during boot. There should be a start_firewall and an end_firewall script on each Linux partition, and the start_firewall script should contain exactly the same firewall rules on both Linux partitions. To help make sure of this, create the start_firewall script on one Linux partition, copy it to the other Linux partition, and then edit only the variables that differ on the second system (such as the IP addresses). The following sections include the start and stop scripts used in this scenario, for reference only. This article does not provide comprehensive information on network security or firewall configuration, and it does not recommend this solution over any other. The sole purpose of the following scripts is to show example firewall rules using iptables, and they are intended only as an example of a gateway.
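The status check in ha_firewall tells Heartbeat only whether the INPUT policy is DROP. A practitioner also wants to distinguish the two "not running" states described above: stopped with end_firewall's DROP rules still fencing off the untrusted interface, versus a freshly booted node with no rules at all, which is the exposure the section says end_firewall at boot time is meant to close. The following Python is an added example, not code from the article; it parses `iptables -n -v -L` output (the three listings are constructed samples) and classifies the node. It assumes the untrusted interface is eth0, as in the scripts, and it handles both the plain `iptables -n -L` chain header that ha_firewall compares against and the verbose header, which carries packet counters and so would not match the script's exact string.

```python
import re

# Constructed samples of `iptables -n -v -L` output for the three states a
# node can be in (example input, not captured from the article's systems).
RUNNING = """\
Chain INPUT (policy DROP 3 packets, 180 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    5   400 ACCEPT     udp  --  eth2   *       0.0.0.0/0            0.0.0.0/0
    3   180 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix `## Dropped ##'

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

STOPPED_SAFE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
"""

UNPROTECTED = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

# Matches both "Chain INPUT (policy DROP)" and "Chain INPUT (policy DROP 3 packets, ...)"
CHAIN_RE = re.compile(r"^Chain (\S+) \(policy ([A-Za-z]+)")
COUNTER_RE = re.compile(r"\d+[KMG]?")  # verbose listings abbreviate large counters


def parse_listing(listing):
    """Map each chain name to its policy and a list of (target, in_ifc, out_ifc) rules."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        fields = line.split()
        if current is None or not fields or fields[0] in ("pkts", "target"):
            continue
        if COUNTER_RE.fullmatch(fields[0]) and len(fields) >= 7:
            # verbose layout: pkts bytes target prot opt in out source destination
            target, in_ifc, out_ifc = fields[2], fields[5], fields[6]
        else:
            # plain layout has no interface columns
            target, in_ifc, out_ifc = fields[0], "*", "*"
        chains[current]["rules"].append((target, in_ifc, out_ifc))
    return chains


def classify(listing, unsecure_ifc="eth0"):
    """'running' is the ha_firewall criterion (INPUT policy DROP); 'stopped-safe' means
    end_firewall's DROP rules on the untrusted interface are in place in both INPUT and
    OUTPUT; anything else is 'unprotected' (e.g. a fresh boot with no rules loaded)."""
    chains = parse_listing(listing)
    inp = chains.get("INPUT", {"policy": "ACCEPT", "rules": []})
    out = chains.get("OUTPUT", {"policy": "ACCEPT", "rules": []})
    if inp["policy"] == "DROP":
        return "running"
    in_fenced = any(t == "DROP" and i == unsecure_ifc for t, i, _ in inp["rules"])
    out_fenced = any(t == "DROP" and o == unsecure_ifc for t, _, o in out["rules"])
    if in_fenced and out_fenced:
        return "stopped-safe"
    return "unprotected"


if __name__ == "__main__":
    for name, sample in (("running", RUNNING), ("stopped", STOPPED_SAFE), ("fresh boot", UNPROTECTED)):
        print("%-10s -> %s" % (name, classify(sample)))
```

On a live node, feed it the output of `iptables -n -v -L` instead of the samples; an "unprotected" result on either partition after boot means the end_firewall-at-boot step from the section above has not taken effect.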
end_firewall

#!/bin/sh
unsecure_ifc="eth0"
echo "Ending the firewall..."
#****************************************************************
# This script will clear out iptables and disable all
# traffic on the unsecure interface but still allow
# traffic on the secure interface for remote configuration
# when no firewall is running.
#****************************************************************
#****************************************************************
# Reset the default policies on the INPUT, FORWARD, and
# OUTPUT chains
#****************************************************************
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#****************************************************************
# Flush all the rules in the filter and nat tables
#****************************************************************
iptables -F
iptables -t nat -F
#****************************************************************
# Erase all chains that are not the default chains
# (INPUT, OUTPUT, and FORWARD)
#****************************************************************
iptables -X
iptables -t nat -X
#****************************************************************
# Drop all traffic coming in or going out the
# unsecure interface
#****************************************************************
iptables -A INPUT -i $unsecure_ifc -j DROP
iptables -A OUTPUT -o $unsecure_ifc -j DROP
echo "done."
start_firewall
#!/bin/sh
echo "Starting firewall..."
#****************************************************************
# Define variables, including the secure interface (inside interface)
# and the unsecure interface (outside interface).
#****************************************************************
inside="eth1"
outside="eth0"
heartbeat_ifc1="eth2"
heartbeat_ifc2="eth3"
loopback="lo"
# An IP address that will be seen by clients
# on the untrusted network and can be used to
# access the iSeries server.
public_ip="192.168.105.11"
# The iSeries server private IP address
private_ip="10.0.0.11"
#****************************************************************
# Remove the ipchains module (if it is in the kernel) since it causes
# problems with the iptables module.
#****************************************************************
rmmod ipchains
#****************************************************************
# Insert needed modules for iptables and connection tracking
# Note: this is not needed if the modules are built into
# the kernel.
# Note: the modules are located in
# /lib/modules/2.4.1/kernel/net/ipv4/netfilter
# replace the '2.4.1' with whatever kernel version you have
#****************************************************************
echo "Loading the needed modules..."
# for general iptables
insmod ip_tables
# for general iptables rules
insmod iptable_filter
# for connection tracking
insmod ip_conntrack
# for connection tracking of ftp
insmod ip_conntrack_ftp
# for doing SNAT and DNAT
insmod iptable_nat
# for logging
insmod ipt_LOG
#****************************************************************
# Enable IP forwarding
#****************************************************************
echo "Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
#****************************************************************
# Flush all rules from the kernel in case there are
# firewall rules already loaded.
#****************************************************************
iptables -F
iptables -t nat -F
#****************************************************************
# Set default policies for the INPUT, FORWARD, and OUTPUT chains
#****************************************************************
echo "Loading all the rules..."
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
#****************************************************************
# Allow all traffic to and from the loopback device
#****************************************************************
iptables -A INPUT -i $loopback -j ACCEPT
iptables -A OUTPUT -o $loopback -j ACCEPT
#****************************************************************
# Allow all UDP traffic on the two VLANs
# because that is what the heartbeat packets use for
# the heartbeat.
#****************************************************************
iptables -A INPUT -i $heartbeat_ifc1 -p udp -j ACCEPT
iptables -A OUTPUT -o $heartbeat_ifc1 -p udp -j ACCEPT
iptables -A INPUT -i $heartbeat_ifc2 -p udp -j ACCEPT
iptables -A OUTPUT -o $heartbeat_ifc2 -p udp -j ACCEPT
#****************************************************************
# Perform NAT on all packets going to and from the iSeries
# server. These two rules will change the source
# address (SNAT) on all traffic coming from the iSeries
# server and will change the destination address (DNAT)
# on all traffic going to the iSeries server.
#****************************************************************
iptables -t nat -A POSTROUTING -o $outside -s $private_ip -j SNAT --to-source $public_ip
iptables -t nat -A PREROUTING -i $outside -d $public_ip -j DNAT --to-destination $private_ip
#****************************************************************
# Allow ports 80 and 443, for HTTP traffic, going to
# the private IP address of the iSeries server. We
# specify the private IP address because the packet
# going to the public IP address will have been NAT'd
# to the private IP address.
#****************************************************************
iptables -A FORWARD -d $private_ip -p tcp --dport 80 --sport 1024:65535 -j ACCEPT
iptables -A FORWARD -d $private_ip -p tcp --dport 443 --sport 1024:65535 -j ACCEPT
#****************************************************************
# Everything that hasn't matched any rules above will
# be logged here. The log prefix is optional and allows
# for an "eye catcher" when viewing the logs. iptables
# logs to the file /var/log/messages.
#
# After logging, the packets will get dropped
# because we set the default policy to DROP.
#****************************************************************
iptables -A INPUT -j LOG --log-prefix '## Dropped ##'
iptables -A FORWARD -j LOG --log-prefix '## Dropped ##'
iptables -A OUTPUT -j LOG --log-prefix '## Dropped (output) ##'
echo "done."
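The three LOG rules at the end of start_firewall write every packet that falls through to the default DROP policy into /var/log/messages with the '## Dropped ##' or '## Dropped (output) ##' prefix. The parser below is an added example, not part of the article or its scripts. It reads kernel LOG lines in the format the LOG target writes (the sample lines are constructed for this example, using documentation addresses for the outside hosts), works out which chain dropped the packet from the prefix and the IN=/OUT= fields, and summarizes drops per chain and per source, protocol and destination port so that repeated probes from one source stand out.

```python
import re
from collections import Counter

# Constructed /var/log/messages excerpt in the format the LOG target writes
# (sample input for this example; not log lines from the article's systems).
SAMPLE_LOG = """\
Oct 14 10:23:01 linux1 kernel: ## Dropped ##IN=eth0 OUT= MAC=00:09:6b:01:02:03:00:0a:e4:04:05:06:08:00 SRC=198.51.100.7 DST=192.168.105.11 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=40321 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 14 10:23:02 linux1 kernel: ## Dropped ##IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4322 DF PROTO=TCP SPT=40322 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 14 10:23:03 linux1 kernel: ## Dropped ##IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.0.11 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4323 DF PROTO=TCP SPT=40323 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 14 10:23:04 linux1 kernel: ## Dropped ##IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.105.11 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Oct 14 10:23:05 linux1 kernel: ## Dropped (output) ##IN= OUT=eth0 SRC=192.168.105.11 DST=203.0.113.53 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1025 DPT=53 LEN=36
Oct 14 10:23:06 linux1 sshd[812]: Accepted publickey for root from 10.0.0.5 port 33122 ssh2
"""

# syslog timestamp, host, "kernel:", then the prefix set by --log-prefix and the key=value fields
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>## Dropped(?: \(output\))? ##)(?P<fields>.*)$"
)


def parse_line(line):
    """Return a dict for one firewall LOG line, or None for any other log line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    for token in m.group("fields").split():
        key, eq, value = token.partition("=")
        if eq:
            # ICMP and UDP lines repeat ID= / LEN=; keep the first (IP header) value
            rec.setdefault(key, value)
    if "(output)" in m.group("prefix"):
        rec["chain"] = "OUTPUT"
    else:
        # INPUT and FORWARD share a prefix: a forwarded packet has an OUT interface
        rec["chain"] = "FORWARD" if rec.get("OUT") else "INPUT"
    return rec


def summarize(log_text):
    """Count dropped packets per chain and per (source, protocol, destination port)."""
    by_chain, by_flow = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        by_chain[rec["chain"]] += 1
        by_flow[(rec.get("SRC"), rec.get("PROTO"), rec.get("DPT", "-"))] += 1
    return by_chain, by_flow


def noisy_sources(log_text, threshold=3):
    """Sources with at least `threshold` dropped packets: a simple port-scan indicator."""
    _, by_flow = summarize(log_text)
    per_src = Counter()
    for (src, _, _), n in by_flow.items():
        per_src[src] += n
    return sorted(s for s, n in per_src.items() if n >= threshold)


if __name__ == "__main__":
    chains, flows = summarize(SAMPLE_LOG)
    for chain, n in sorted(chains.items()):
        print("%-8s %d dropped" % (chain, n))
    for (src, proto, dport), n in flows.most_common():
        print("  %-16s %-5s dport %-5s x%d" % (src, proto, dport, n))
    print("noisy sources:", noisy_sources(SAMPLE_LOG))
```

Two things to expect when running this over a real /var/log/messages from the rule set above. First, FORWARD entries show the DNAT'd address (DST=10.0.0.11), not the public address, because PREROUTING rewrites the destination before the packet reaches FORWARD. Second, the FORWARD rules accept only the client-to-server direction on ports 80 and 443 and contain no rule for the reply direction, so the server's own responses (SRC=10.0.0.11 with SPT=80 or 443) will also appear as dropped; the usual addition is a stateful rule such as iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT placed before the LOG rule, with the ipt_state module loaded.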