Conntrackd


https://satishdotpatel.github.io/ha-with-keepalived-and-conntrackd/

Install conntrackd
$ apt-get install conntrackd
Primary fw-1 /etc/conntrackd/conntrackd.conf

# conntrackd configuration for the primary firewall (fw-1).
# Sync: how connection-tracking state is replicated to the peer node.
Sync {
    # FTFW is the acknowledged (reliable) replication protocol; see
    # conntrackd.conf(5) for the exact meaning of the two timeouts.
    Mode FTFW {
        DisableExternalCache Off
        CommitTimeout 180
        PurgeTimeout 5
    }

    UDP {
        # Dedicated link for connection replication
        # conntrackd provides no authentication or encryption for this
        # traffic, so ens3 must be an isolated point-to-point segment shared
        # only by the two peers; do not expose port 3780 on ens2/ens4.
        IPv4_address 172.30.16.1
        IPv4_Destination_Address 172.30.16.2
        Port 3780
        Interface ens3
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        Checksum on
    }
}

# General: daemon settings. Apart from Nice (-20 here, -10 on fw-2) this
# section is identical on both nodes.
General {
    Systemd on
    Nice -20
    HashSize 32768
    HashLimit 131072
    LogFile on
    Syslog on
    NetlinkOverrunResync 5
    NetlinkEventsReliable on
    PollSecs 5
    EventIterationLimit 200
    LockFile /var/lock/conntrack.lock
    # Local control socket used by the conntrackd client (-s/-i/-e and the
    # primary-backup.sh actions). Anyone who can write to it can drive the
    # daemon, so it must remain writable by root only.
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }
    NetlinkBufferSize 2097152
    NetlinkBufferSizeMaxGrowth 8388608
    # Replicate only TCP/UDP/ICMP flows, and skip flows involving the
    # addresses listed below (loopback, the nodes' own VRRP addresses and
    # the VIPs), so flows terminating on the firewall itself are not synced.
    Filter From Userspace {
        Protocol Accept {
            TCP
            UDP
            ICMP # This requires a Linux kernel >= 2.6.31
        }
        Address Ignore {
            IPv4_address 127.0.0.1 # loopback
            IPv4_address 10.0.0.1
            IPv4_address 10.0.0.2
            IPv4_address 10.0.0.3
            # NOTE(review): the keepalived configuration on this page uses
            # 192.168.255.11 and 192.168.255.22 on ens2, not .2/.52 — confirm
            # which pair is correct.
            IPv4_address 192.168.255.2
            IPv4_address 192.168.255.52
            IPv4_address 192.168.255.250
            # NOTE(review): the sync-link addresses 172.30.16.1/.2 are not
            # ignored, which is why the port-3780 flows themselves appear in
            # the conntrackd -i/-e output later on the page; listing them here
            # would stop the replication traffic from being replicated.
        }
    }
}
Standby fw-2 /etc/conntrackd/conntrackd.conf

# conntrackd configuration for the standby firewall (fw-2). It mirrors the
# primary's file except that the sync-link source/destination addresses are
# swapped and Nice is -10 instead of -20.
Sync {
    # FTFW is the acknowledged (reliable) replication protocol; see
    # conntrackd.conf(5) for the exact meaning of the two timeouts.
    Mode FTFW {
        DisableExternalCache Off
        CommitTimeout 180
        PurgeTimeout 5
    }

    UDP {
        # Dedicated link for connection replication
        # conntrackd provides no authentication or encryption for this
        # traffic, so ens3 must be an isolated point-to-point segment shared
        # only by the two peers; do not expose port 3780 on ens2/ens4.
        IPv4_address 172.30.16.2
        IPv4_Destination_Address 172.30.16.1
        Port 3780
        Interface ens3
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        Checksum on
    }
}

General {
    Systemd on
    Nice -10
    HashSize 32768
    HashLimit 131072
    LogFile on
    Syslog on
    NetlinkOverrunResync 5
    NetlinkEventsReliable on
    PollSecs 5
    EventIterationLimit 200
    LockFile /var/lock/conntrack.lock
    # Local control socket used by the conntrackd client (-s/-i/-e and the
    # primary-backup.sh actions). Anyone who can write to it can drive the
    # daemon, so it must remain writable by root only.
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }
    NetlinkBufferSize 2097152
    NetlinkBufferSizeMaxGrowth 8388608
    # Replicate only TCP/UDP/ICMP flows, and skip flows involving the
    # addresses listed below (loopback, the nodes' own VRRP addresses and
    # the VIPs), so flows terminating on the firewall itself are not synced.
    Filter From Userspace {
        Protocol Accept {
            TCP
            UDP
            ICMP # This requires a Linux kernel >= 2.6.31
        }
        Address Ignore {
            IPv4_address 127.0.0.1 # loopback
            IPv4_address 10.0.0.1
            IPv4_address 10.0.0.2
            IPv4_address 10.0.0.3
            # NOTE(review): the keepalived configuration on this page uses
            # 192.168.255.11 and 192.168.255.22 on ens2, not .2/.52 — confirm
            # which pair is correct.
            IPv4_address 192.168.255.2
            IPv4_address 192.168.255.52
            IPv4_address 192.168.255.250
            # NOTE(review): the sync-link addresses 172.30.16.1/.2 are not
            # ignored, so the port-3780 sync flows are themselves replicated
            # (visible in the conntrackd -e output later on the page).
        }
    }
}
Copy the primary-backup.sh script into the /etc/conntrackd directory on both servers so keepalived can invoke it on state changes.

$ cp /usr/share/doc/conntrackd/examples/sync/primary-backup.sh /etc/conntrackd/
$ chmod 755 /etc/conntrackd/primary-backup.sh
Start and enable the service

$ systemctl enable conntrackd
$ systemctl start conntrackd
Install Keepalived
$ apt-get install keepalived
Primary fw-1 keepalived configuration file.

# keepalived configuration for the primary firewall (fw-1).
# The sync group makes the LAN (INT) and WAN (EXT) instances fail over
# together; the notify hooks pass the new role to conntrackd through
# primary-backup.sh. That script runs with keepalived's privileges, so it
# and /etc/conntrackd must not be writable by anyone but root.
vrrp_sync_group G1 {
    group {
        EXT
        INT
    }
    notify_master "/etc/conntrackd/primary-backup.sh primary"
    notify_backup "/etc/conntrackd/primary-backup.sh backup"
    notify_fault "/etc/conntrackd/primary-backup.sh fault"
}

# LAN side: VIP 10.0.0.3 on ens4, advertisements sent by unicast to the
# peer only (no multicast on the segment).
vrrp_instance INT {
    # NOTE(review): per keepalived.conf(5), nopreempt only takes effect when
    # the initial state is BACKUP; with state MASTER fw-1 will still preempt
    # fw-2 after a restart. Use state BACKUP here if nopreempt is intended.
    state MASTER
    interface ens4
    virtual_router_id 11
    priority 50
    advert_int 1
    unicast_src_ip 10.0.0.1
    unicast_peer {
        10.0.0.2
    }
    # auth_pass travels in cleartext in every VRRP advertisement and only its
    # first 8 characters are used, so it merely guards against accidental peer
    # mismatch. Replace the placeholder 1111 with a site-specific value and
    # restrict VRRP (IP protocol 112) on the firewall to the peer address.
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.3/24 dev ens4
    }
    nopreempt
    garp_master_delay 1
}

# WAN side: VIP 192.168.255.250 on ens2; same structure as INT.
vrrp_instance EXT {
    # NOTE(review): same state MASTER / nopreempt mismatch as in INT.
    state MASTER
    interface ens2
    virtual_router_id 22
    priority 50
    advert_int 1
    unicast_src_ip 192.168.255.11
    unicast_peer {
        192.168.255.22
    }
    # Same cleartext, 8-character password caveat as for INT.
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.255.250/24 dev ens2
    }
    nopreempt
    garp_master_delay 1
}
Standby fw-2 Keepalived configuration file.

# keepalived configuration for the standby firewall (fw-2). Same layout as
# fw-1, with the source/peer addresses swapped, state BACKUP and a lower
# priority (25 vs 50) so fw-1 wins the initial election.
# The notify hooks run primary-backup.sh with keepalived's privileges, so
# the script and /etc/conntrackd must not be writable by anyone but root.
vrrp_sync_group G1 {
    group {
        EXT
        INT
    }
    notify_master "/etc/conntrackd/primary-backup.sh primary"
    notify_backup "/etc/conntrackd/primary-backup.sh backup"
    notify_fault "/etc/conntrackd/primary-backup.sh fault"
}

# LAN side: VIP 10.0.0.3 on ens4, advertisements sent by unicast to the
# peer only. state BACKUP is the form keepalived.conf(5) requires for
# nopreempt to be honoured.
vrrp_instance INT {
    state BACKUP
    interface ens4
    virtual_router_id 11
    priority 25
    advert_int 1
    unicast_src_ip 10.0.0.2
    unicast_peer {
        10.0.0.1
    }
    # auth_pass travels in cleartext in every VRRP advertisement and only its
    # first 8 characters are used, so it merely guards against accidental peer
    # mismatch. Replace the placeholder 1111 with a site-specific value (the
    # same on both nodes) and restrict VRRP (IP protocol 112) to the peer.
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        10.0.0.3/24 dev ens4
    }
    nopreempt
    garp_master_delay 1
}

# WAN side: VIP 192.168.255.250 on ens2; same structure as INT.
vrrp_instance EXT {
    state BACKUP
    interface ens2
    virtual_router_id 22
    priority 25
    advert_int 1
    unicast_src_ip 192.168.255.22
    unicast_peer {
        192.168.255.11
    }
    # Same cleartext, 8-character password caveat as for INT.
    authentication {
        auth_type PASS
        auth_pass 1111
    }
    virtual_ipaddress {
        192.168.255.250/24 dev ens2
    }
    nopreempt
    garp_master_delay 1
}
Of course, you also need to enable IP forwarding:

$ sysctl -w net.ipv4.ip_forward=1
The kernel also needs to allow a process to bind to a non-local IP address (for example a VIP this node does not currently hold):

$ sysctl -w net.ipv4.ip_nonlocal_bind=1
Start and enable the service

$ systemctl enable keepalived
$ systemctl start keepalived
Verify Keepalived
If all went well, you will see the VIP addresses on the primary server:

root@fw-1:~# ip -4 addr list ens2 | grep inet
    inet 192.168.255.11/24 brd 192.168.255.255 scope global ens2
    inet 192.168.255.250/24 scope global secondary ens2
root@fw-1:~# ip -4 addr list ens4 | grep inet
    inet 10.0.0.1/24 brd 10.0.0.255 scope global ens4
    inet 10.0.0.3/24 scope global secondary ens4
Verify conntrackd
conntrackd won’t work correctly until you configure a “well-formed ruleset”, i.e. iptables rules that enable connection tracking. The basic example rules below include an SNAT rule that gives LAN users internet access.

# Example ruleset (iptables-save style). Its purpose here is to make the
# kernel track connections, not to provide a hardened policy.
# NOTE(review): all three default policies are ACCEPT and no rule below
# DROPs or REJECTs, so the FORWARD rules only classify/log — packets logged
# as "invalid:" are still forwarded. For a real deployment set FORWARD and
# INPUT to DROP, and only admit on INPUT the peer's conntrackd sync traffic
# (UDP 3780 on ens3) and VRRP from the peer on ens2/ens4.
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
# "-m state" is the legacy spelling of "-m conntrack --ctstate".
-A FORWARD -m state --state RELATED -j ACCEPT
-A FORWARD -i ens2 -m state --state ESTABLISHED -j ACCEPT
# New SSH from the LAN side: only pure SYN packets (of FIN,SYN,RST,ACK) in
# state NEW are accepted.
-A FORWARD -i ens4 -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j ACCEPT
-A FORWARD -i ens4 -p tcp -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -m state --state INVALID -j LOG --log-prefix "invalid: "
# This rule lives in the nat table (-t nat), unlike the filter rules above.
# LAN traffic leaving ens2 is sourced from the EXT VIP so that return
# traffic follows the VIP to whichever node currently holds it.
-A POSTROUTING -s 10.0.0.0/24 -o ens2 -j SNAT --to-source 192.168.255.250
If all is well, you can view statistics with the following command:

root@fw-1:~# conntrackd -s
cache internal:
current active connections:                4
connections created:                      32    failed:            0
connections updated:                   34335    failed:            0
connections destroyed:                    28    failed:            0

cache external:
current active connections:                6
connections created:                      48    failed:            0
connections updated:                   21721    failed:            0
connections destroyed:                    42    failed:            0

traffic processed:
                   0 Bytes                         0 Pckts

UDP traffic (active device=ens3):
             2550092 Bytes sent              1597636 Bytes recv
               35557 Pckts sent                35619 Pckts recv
                   0 Error send                    0 Error recv

message tracking:
                   0 Malformed msgs                    0 Lost msgs
Test connection replication/mirroring
From the LAN host 10.0.0.10 I will SSH to 192.168.255.33, then trigger a keepalived failover to check whether the SSH connection stays active.

Let's check the fw-1 conntrackd internal cache after connecting over SSH:

root@fw-1:~# conntrackd -i 
udp      17 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67 [UNREPLIED] src=255.255.255.255 dst=0.0.0.0 sport=67 dport=68 mark=0 [active since 32395s]
udp      17 src=172.30.16.1 dst=172.30.16.2 sport=55473 dport=3780 [UNREPLIED] src=172.30.16.2 dst=172.30.16.1 sport=3780 dport=55473 mark=0 [active since 32395s]
udp      17 src=172.30.16.2 dst=172.30.16.1 sport=50651 dport=3780 [UNREPLIED] src=172.30.16.1 dst=172.30.16.2 sport=3780 dport=50651 mark=0 [active since 32395s]
tcp      6 ESTABLISHED src=10.0.0.10 dst=192.168.255.33 sport=48070 dport=22 src=192.168.255.33 dst=192.168.255.250 sport=22 dport=48070 [ASSURED] mark=0 [active since 46s]
Let's check the fw-2 internal cache; notice that it has no entry for the SSH connection:

root@fw-2:~# conntrackd -i
udp      17 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67 [UNREPLIED] src=255.255.255.255 dst=0.0.0.0 sport=67 dport=68 mark=0 [active since 32788s]
udp      17 src=172.30.16.1 dst=172.30.16.2 sport=55473 dport=3780 [UNREPLIED] src=172.30.16.2 dst=172.30.16.1 sport=3780 dport=55473 mark=0 [active since 32798s]
udp      17 src=172.30.16.2 dst=172.30.16.1 sport=50651 dport=3780 [UNREPLIED] src=172.30.16.1 dst=172.30.16.2 sport=3780 dport=50651 mark=0 [active since 32798s]
Let's check the fw-2 conntrackd external cache. As you can see, the connection information has been replicated into the external cache; as soon as a failover is triggered it will be committed to the internal cache.

root@fw-2:~# conntrackd -e
udp      17 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67 [UNREPLIED] mark=0 [active since 32533s]
udp      17 src=172.30.16.1 dst=172.30.16.2 sport=55473 dport=3780 [UNREPLIED] mark=0 [active since 32533s]
udp      17 src=172.30.16.2 dst=172.30.16.1 sport=50651 dport=3780 [UNREPLIED] mark=0 [active since 32533s]
tcp      6 ESTABLISHED src=10.0.0.10 dst=192.168.255.33 sport=48070 dport=22 [ASSURED] mark=0 [active since 185s]
Let's perform a failover:

root@fw-1:~# systemctl stop keepalived
Now check the fw-2 internal cache again:

root@fw-2:~# conntrackd -i
udp      17 src=0.0.0.0 dst=255.255.255.255 sport=68 dport=67 [UNREPLIED] src=255.255.255.255 dst=0.0.0.0 sport=67 dport=68 mark=0 [active since 5s]
udp      17 src=172.30.16.1 dst=172.30.16.2 sport=55473 dport=3780 [UNREPLIED] src=172.30.16.2 dst=172.30.16.1 sport=3780 dport=55473 mark=0 [active since 5s]
udp      17 src=172.30.16.2 dst=172.30.16.1 sport=50651 dport=3780 [UNREPLIED] src=172.30.16.1 dst=172.30.16.2 sport=3780 dport=50651 mark=0 [active since 5s]
tcp      6 ESTABLISHED src=10.0.0.10 dst=192.168.255.33 sport=48070 dport=22 src=192.168.255.33 dst=192.168.255.250 sport=22 dp

Old

https://backreference.org/2013/04/03/firewall-ha-with-conntrackd-and-keepalived/index.html

https://serverfault.com/questions/1030236/when-does-iptables-conntrack-module-track-states-of-packets