Pablo Neira Ayuso

pablo@netfilter.org

2008-2011 Pablo Neira Ayuso Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". This document details how to install and configure the conntrack-tools >= 0.9.15. This software is under development, for that reason, it is likely that this document will evolve in the future to cover new features and changes. This document should be a kick-off point to install and configure the conntrack-tools. If you find any error or imprecision in this document, please send an email to the author, it will be appreciated. In this document, the author assumes that the reader is familiar with firewalling concepts and iptables in general. If this is not your case, I suggest you to read the iptables documentation before going ahead. Moreover, the reader must also understand the difference between stateful and stateless firewalls. If this is not your case, I strongly suggest you to read the article Netfilter's Connection Tracking System published in :login; the USENIX magazine. That document contains a general description that should help to clarify the concepts. If you do not fulfill the previous requirements, this documentation is likely to be a source of frustration. Probably, you wonder why I'm insisting on these prerequisites too much, the fact is that if your iptables rule-set is stateless, it is very likely that the conntrack-tools will not be of any help for you. You have been warned! The conntrack-tools are a set of free software tools for GNU/Linux that allow system administrators interact, from user-space, with the in-kernel Connection Tracking System, which is the module that enables stateful packet inspection for iptables. Probably, you did not hear about this module so far. However, if any of the rules of your rule-set use the state or ctstate iptables matches, you are indeed using it. The conntrack-tools package contains two programs: conntrack is command line interface conntrack provides a more flexible interface to the connnection tracking system than /proc/net/ip_conntrack. With conntrack, you can show, delete and update the existing state entries; and you can also listen to flow events. conntrackd is the user-space connection tracking daemon. This daemon can be used to deploy fault-tolerant GNU/Linux firewalls but you can also use it to collect flow-based statistics of the firewall use. Although the name of both tools is very similar - and you can blame me for that, I'm not a marketing guy - they are used for very different tasks. You have to install the following software in order to get the conntrack-tools working. Make sure that you have installed them correctly before going ahead: Linux kernel version >= 2.6.18 that, at least, has support for: Connection Tracking System. CONFIG_NF_CONNTRACK=m CONFIG_NF_CONNTRACK_IPV4=m CONFIG_NF_CONNTRACK_IPV6=m (if your setup supports IPv6) nfnetlink: the generic messaging interface for Netfilter. CONFIG_NETFILTER_NETLINK=m nf_conntrack_netlink: the messaging interface for the Connection Tracking System. CONFIG_NF_CT_NETLINK=m connection tracking event notification API: the flow-based event notification interface. CONFIG_NF_CONNTRACK_EVENTS=y Make sure you have loaded nf_conntrack, nf_conntrack_ipv4 (if your setup also supports IPv6, nf_conntrack_ipv6) and nf_conntrack_netlink. libnfnetlink: the netfilter netlink library use the official release available in netfilter.org libnetfilter_conntrack: the netfilter netlink library use the official release available in netfilter.org To compile and install the conntrack-tools run the following commands: (non-root)$ tar xvjf conntrack-tools-x.x.x.tar.bz2 (non-root)$ cd conntrack-tools-x.x.x (non-root)$ ./configure --prefix=/usr (non-root)$ make (root) # make install If you are installing the libraries in /usr/local/, do not forget to do the following things: PKG_CONFIG_PATH=/usr/local/lib/pkgconfig; export PKG_CONFIG_PATH Add `/usr/local/lib' to your /etc/ld.so.conf file and run `ldconfig' Check `ldd' for trouble-shooting, read this for more information on how libraries work. To check that the modules are enabled in the kernel, run `conntrack -E' and generate traffic, you should see flow events reporting new connections and updates. The /proc/net/ip_conntrack interface is very limited as it only allows you to display the existing flows, their state and other information: # cat /proc/net/ip_conntrack tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 secmark=0 use=1 tcp 6 431698 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34849 dport=993 packets=244 bytes=18723 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34849 packets=203 bytes=144731 [ASSURED] mark=0 secmark=0 use=1 The command line tool conntrack can be used to display the same information: # conntrack -L tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 secmark=0 use=1 tcp 6 431698 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34849 dport=993 packets=244 bytes=18723 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34849 packets=203 bytes=144731 [ASSURED] mark=0 secmark=0 use=1 conntrack v0.9.7 (conntrack-tools): 2 flow entries have been shown. You can natively filter the output without using grep: # conntrack -L -p tcp --dport 34856 tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=0 secmark=0 use=1 conntrack v0.9.7 (conntrack-tools): 1 flow entries have been shown. Update the mark based on a selection, this allows you to change the mark of an entry without using the CONNMARK target: # conntrack -U -p tcp --dport 3486 --mark 10 tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=1 secmark=0 use=1 conntrack v0.9.7 (conntrack-tools): 1 flow entries has been updated. Delete one entry, this can be used to block traffic if: You have a stateful rule-set that blocks traffic in INVALID state. You have set /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose or /proc/sys/net/netfilter/nf_conntrack_tcp_loose, depending on your kernel version, to zero. # conntrack -D -p tcp --dport 3486 tcp 6 431982 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=34846 dport=993 packets=169 bytes=14322 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=34846 packets=113 bytes=34787 [ASSURED] mark=1 secmark=0 use=1 conntrack v0.9.7 (conntrack-tools): 1 flow entries has been deleted. Display the connection tracking events: # conntrack -E [NEW] udp 17 30 src=192.168.2.100 dst=192.168.2.1 sport=57767 dport=53 [UNREPLIED] src=192.168.2.1 dst=192.168.2.100 sport=53 dport=57767 [UPDATE] udp 17 29 src=192.168.2.100 dst=192.168.2.1 sport=57767 dport=53 src=192.168.2.1 dst=192.168.2.100 sport=53 dport=57767 [NEW] tcp 6 120 SYN_SENT src=192.168.2.100 dst=66.102.9.104 sport=33379 dport=80 [UNREPLIED] src=66.102.9.104 dst=192.168.2.100 sport=80 dport=33379 [UPDATE] tcp 6 60 SYN_RECV src=192.168.2.100 dst=66.102.9.104 sport=33379 dport=80 src=66.102.9.104 dst=192.168.2.100 sport=80 dport=33379 [UPDATE] tcp 6 432000 ESTABLISHED src=192.168.2.100 dst=66.102.9.104 sport=33379 dport=80 src=66.102.9.104 dst=192.168.2.100 sport=80 dport=33379 [ASSURED] You can also display the existing flows in XML format, filter the output based on the NAT handling applied, etc. The daemon conntrackd supports two working modes: State table synchronization: the daemon can be used to synchronize the connection tracking state table between several firewall replicas. This can be used to deploy fault-tolerant stateful firewalls. This is the main feature of the daemon. Flow-based statistics collection: the daemon can be used to collect flow-based statistics. This feature is similar to what ulogd-2.x provides. In order to get conntrackd working in synchronization mode, you have to fulfill the following requirements: A high availability manager like keepalived that manages the virtual IPs of the firewall cluster, detects errors, and decide when to migrate the virtual IPs from one firewall replica to another. Without it, conntrackd will not work appropriately. The state synchronization setup requires a working installation of keepalived, preferibly a recent version. Check if your distribution comes with a recent packaged version. Otherwise, you may compile it from the sources. There is a very simple example file in the conntrackd sources to setup a simple HA cluster with keepalived (see the file keepalived.conf under the doc/sync/ directory). This file can be used to set up a simple VRRP cluster composed of two machines that hold the virtual IPs 192.168.0.100 on eth0 and 192.168.1.100 on eth1. If you are not familiar with keepalived, please read the official documentation available at the keepalived website (http://www.keepalived.org). If you use a different high availability manager, make sure it works correctly before going ahead. A dedicated link. The dedicated link between the firewalls is used to transmit and receive the state information. The use of a dedicated link is mandatory for security reasons as someone may pick the state information that is transfered between the firewalls. A well-formed stateful rule-set. Otherwise you are likely to experience problems during the fail-over. An example of a well-formed stateful iptables rule-set is available in the conntrack-tools website. If your Linux kernel is < 2.6.22, you have to disable TCP window tracking: # echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal The daemon conntrackd in synchronization mode supports up to three replication approaches: notrack: this approach is the most simple as it is based on a best effort replication protocol, ie. unreliable protocol. This protocol sends and receives the state information without performing any specific checking. ft-fw: this approach is based on a reliable protocol that performs message tracking. Thus, the protocol can recover from message loss, re-ordering and corruption. alarm: this approach is spamming. It is based on a alarm-based protocol that periodically re-sends the flow state to the backup firewall replicas. This protocol consumes a lot of bandwidth but it resolves synchronization problems fast. The three existing approaches are soft real-time asynchronous replication protocols that are aimed to have negligible impact in terms of latency and bandwidth throughput in the stateful firewall filtering. To configure conntrackd in any of the existing synchronization modes, you have to copy the example configuration file to the directory /etc/conntrackd/ on every firewall replica. Note that _type_ is the synchronization type selected. (conntrack-tools-x.x.x)# cp doc/_type_/conntrackd.conf /etc/conntrackd/conntrackd.conf Do not forget to edit the files before going ahead. There are several parameters that you have to tune to adapt the example configuration file to your setup. If you don't want to put the config file under /etc/conntrackd/, just tell conntrackd where to find it passing the option -C. A good reading to extend the information about firewall architectures is Demystifying cluster-based fault-tolerant firewalls published in IEEE Internet Computing magazine. In the Active-Backup setup, one of the stateful firewall replicas filters traffic and the other acts as backup. If you use this approach, you have to copy the script primary-backup.sh to: (conntrack-tools-x.x.x)# cp doc/sync/primary-backup.sh /etc/conntrackd/ The HA manager invokes this script when a transition happens, ie. If a stateful firewall replica: becomes active to recover the filtering. becomes backup. hits failure (this is available if the HA manager has a failure state, which is true for keepalived. The script is simple, and it contains the different actions that conntrackd performs to recover the filtering or purge obsolete entries from the state table, among others. The script is commented, you can have a look at it if you need further information. The Active-Active setup consists of having more than one stateful firewall replicas actively filtering traffic. Thus, we reduce the resource waste that implies to have a backup firewall which does nothing. We can classify the type of Active-Active setups in several families: Symmetric path routing: The stateful firewall replicas share the workload in terms of flows, ie. the packets that are part of a flow are always filtered by the same firewall. Asymmetric multi-path routing: The packets that are part of a flow can be filtered by whatever stateful firewall in the cluster. Thus, every flow-states have to be propagated to all the firewalls in the cluster as we do not know which one would be the next to filter a packet. This setup goes against the design of stateful firewalls as we define the filtering policy based on flows, not in packets anymore. As for 0.9.8, the design of conntrackd allows you to deploy an symmetric Active-Active setup based on a static approach. For example, assume that you have two virtual IPs, vIP1 and vIP2, and two firewall replicas, FW1 and FW2. You can give the virtual vIP1 to the firewall FW1 and the vIP2 to the FW2. Unfortunately, you will have to wait for the support for the Active-Active setup based on dynamic approach, ie. a workload sharing setup without directors that allow the stateful firewall share the filtering. On the other hand, the asymmetric scenario may work if your setup fulfills several strong assumptions. However, in the opinion of the author of this work, the asymmetric setup goes against the design of stateful firewalls and conntrackd. Therefore, you have two choices here: you can deploy an Active-Backup setup or go back to your old stateless rule-set (in that case, the conntrack-tools will not be of any help anymore, of course). Once you have configured conntrackd, you can run in console mode which is an interactive mode, in that case type 'conntrackd' as root. (root)# conntrackd If you want to run conntrackd in daemon mode, then type: (root)# conntrackd -d You can verify that conntrackd is running by checking the log messages via ps. Moreover, if conntrackd is running fine, you can dump the current status of the daemon: # conntrackd -s cache internal: current active connections: 4 connections created: 4 failed: 0 connections updated: 0 failed: 0 connections destroyed: 0 failed: 0 cache external: current active connections: 0 connections created: 0 failed: 0 connections updated: 0 failed: 0 connections destroyed: 0 failed: 0 traffic processed: 0 Bytes 0 Pckts multicast traffic: 352 Bytes sent 0 Bytes recv 22 Pckts sent 0 Pckts recv 0 Error send 0 Error recv multicast sequence tracking: 0 Pckts mfrm 0 Pckts lost This command displays the number of entries in the internal and external cache: The internal cache contains the states that this firewall replica is filtering, ie. this is a cache of the kernel state table. The external cache contains the states that the other firewall replica is filtering. You can dump the internal cache with the following command: # conntrackd -i tcp 6 ESTABLISHED src=192.168.2.100 dst=139.174.175.20 sport=58491 dport=993 src=139.174.175.20 dst=192.168.2.100 sport=993 dport=58491 [ASSURED] mark=0 secmark=0 [active since 536s] tcp 6 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=38211 dport=993 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=38211 [ASSURED] mark=0 secmark=0 [active since 536s] tcp 6 ESTABLISHED src=192.168.2.100 dst=123.59.27.117 sport=38209 dport=993 src=123.59.27.117 dst=192.168.2.100 sport=993 dport=38209 [ASSURED] mark=0 secmark=0 [active since 536s] tcp 6 TIME_WAIT src=192.168.2.100 dst=74.125.45.166 sport=42593 dport=80 src=74.125.45.166 dst=192.168.2.100 sport=80 dport=42593 [ASSURED] [active since 165s] tcp 6 ESTABLISHED src=192.168.2.100 dst=139.174.175.20 sport=37962 dport=993 src=139.174.175.20 dst=192.168.2.100 sport=993 dport=37962 [ASSURED] mark=0 secmark=0 [active since 536s] You can dump the external cache with the following command: # conntrackd -e If the replication works fine, conntrackd -s displays the active's internal cache should display the same number of entries than the backup's external cache and vice-versa. To verify that the recovery works fine, if you trigger a fail-over, the log files should display the following information: [Thu Sep 18 18:03:02 2008] (pid=9759) [notice] committing external cache [Thu Sep 18 18:03:02 2008] (pid=9759) [notice] Committed 1545 new entries This means that the state entries have been injected into the kernel correctly. The daemon allows several configuration options that you may want to enable. This section contains some information about them. It is possible to disable the external cache. Thus, conntrackd directly injects the flow-states into the in-kernel Connection Tracking System of the backup firewall. You can do it by enabling the DisableExternalCache option in the conntrackd.conf configuration file: Sync { Mode FTFW { [...] DisableExternalCache Off } } You can also use this option with the NOTRACK and ALARM modes. This increases CPU consumption in the backup firewall but now you do not need to commit the flow-states during the master failures since they are already in the in-kernel Connection Tracking table. Moreover, you save memory in the backup firewall since you do not need to store the foreign flow-states anymore. You can also disable the internal cache by means of the DisableInternalCache option in the conntrackd.conf configuration file: Sync { Mode NOTRACK { [...] DisableInternalCache Off } } However, this option is only available for the NOTRACK mode. This mode provides unreliable flow-state synchronization between firewalls. Thus, if flow-states are lost during the synchronization, the protocol provides no way to recover them. You can use up to three different transport layer protocols to synchronize flow-state changes between the firewalls: UDP, TCP and Multicast. UDP and multicast are unreliable but together with the FT-FW mode provide partial reliable flow-state synchronization. The preferred choice is FT-FW over UDP, or multicast alternatively. TCP introduces latency in the flow-state synchronization due to the congestion control. Under flow-state message are lost, the FIFO delivery becomes also a problem since the backup firewall quickly gets out of sync. For that reason, its use is discouraged. Note that using TCP only makes sense with the NOTRACK mode. Problems with conntrackd? The following list of questions should help for troubleshooting: I see packets lost in conntrackd -s You can rise the value of McastRcvSocketBuffer and McastRcvSocketBuffer, if the problem is due to buffer overruns in the multicast sender or the receiver, the problem should disapear. The log messages report that the maximum netlink socket buffer has been reached. You can increase the values of SocketBufferSize and SocketBufferSizeMaxGrown. I see can't open multicast server in the log messages Make sure that the IPv4_interface clause has the IP of the dedicated link. Can I use wackamole, heartattack or any other HA manager? Absolutely, you can. But before reporting issues, make sure that your HA manager is not the source of the problems. Does conntrackd support TCP flow-recovery with window tracking enabled? Yes, but you require a Linux kernel >= 2.6.36 and the conntrack-tools >= 0.9.15. To enable it, check the TCPWindowTracking clause in the example configuration files. Does conntrackd support the H.323 and SIP connection tracking helpers? No. This is not implemented yet, sorry. If you are interested in sponsoring this support, please contact me.