Installing and Configuring the Virtual Router Redundancy Protocol (vrrpd) with DSL
From The Wiki Guide
Abstract
VRRPd is an implementation of VRRPv2 as specified in RFC 2338. It runs in userspace on Linux. In short, VRRP is a protocol that elects a master router on a LAN; if the master fails, a backup router takes over. In this setup we implement VRRPd in a home installation using an ADSL Internet connection.
Requirements
Two Linux machines with a 2.6 kernel (Gentoo, Fedora, Debian)
VRRPd
iptables
Snort
rp-pppoe
ISC DHCP Server
Perl with the Net::Ping module
Installation
In this configuration, we will be using the Gentoo Linux Distribution. Add "-X -doc -gtk ssl ipv6 extensions" to the USE flags in /etc/make.conf
Linux Kernel Configuration
We need to modify the Linux kernel to allow the necessary options to be enabled.
cd /usr/src/linux; make menuconfig
Networking options --->
[*] TCP/IP networking
[*] IP: advanced router
[*] Network packet filtering (replaces ipchains)
IP: Netfilter Configuration --->
[*] Connection tracking (required for masq/NAT)
[*] FTP protocol support
[*] IRC protocol support
[*] IP tables support (required for filtering/masq/NAT)
[*] IP range match support
[*] MAC address match support
[*] Multiple port match support
[*] Packet filtering
[*] REJECT target support
[*] REDIRECT target support
[*] Full NAT
[*] MASQUERADE target support
[*] Packet mangling
[*] MARK target support
[*] LOG target support
QoS and/or fair queueing --->
[*] QoS and/or fair queueing
[*] HTB packet scheduler
[*] Ingress Qdisc
[*] PPP (point-to-point protocol) support
[*] PPP filtering
[*] PPP support for async serial ports
[*] PPP support for sync tty ports
[*] PPP Deflate compression
[*] PPP BSD-Compress compression
[*] PPP over Ethernet
After configuring the kernel, we need to compile the changes and copy over the new kernel into /boot.
make; make modules; make modules_install; cp arch/i386/boot/bzImage /boot/vmlinuz-2.6-router
Modify Grub:
default 0
timeout 15
splashimage=(hd0,0)/boot/grub/splash.xpm.gz

title=Gentoo Linux 2.6 Router
root (hd0,0)
kernel /boot/vmlinuz-2.6-router root=/dev/root device
Reboot machine into new kernel.
VRRPd
Download the VRRPd source
wget http://off.net/~jme/vrrpd/vrrpd-0.4.tgz
Untar, Compile, and Copy into /usr/sbin
tar xvfz vrrpd-0.4.tgz
cd vrrpd-0.4
make
cp vrrpd /usr/sbin
iptables
emerge -av iptables
Snort
emerge -av snort oinkmaster
rp-pppoe
emerge -av rp-pppoe
ISC DHCP Server
emerge -av dhcp
Custom Scripts
VRRPd Init Script
Primary Router
cd /etc/init.d/
wget http://www.ntxserver.com/scripts/vrrpd_primary
chmod +x vrrpd_primary
rc-update add vrrpd_primary default
Secondary Router
cd /etc/init.d/
wget http://www.ntxserver.com/scripts/vrrpd_secondary
chmod +x vrrpd_secondary
rc-update add vrrpd_secondary default
Router Monitor (Note: This script will be executed on the secondary router box.)
cd /etc
wget http://www.ntxserver.com/scripts/vrp.pl
chmod +x vrp.pl
Backup Interface Initializer (Note: This script will be executed on the secondary router box.)
cd /etc/init.d/
wget http://www.ntxserver.com/scripts/router
chmod +x router
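The wiki's vrp.pl monitor and router init script are downloaded above rather than shown. The following POSIX shell monitor is an added example, not the wiki's script: it runs on the secondary router, pings the primary's LAN address, and once the primary has missed three probes in a row starts the backup interface via /etc/init.d/router, stopping it again when the primary answers. VRRPd itself moves the virtual gateway address; this loop only decides when to bring the secondary's own WAN link up. The threshold, the 5-second interval, and the assumption that /etc/init.d/router accepts "start" and "stop" are mine, not the page's.

```shell
#!/bin/sh
# Added example, not the wiki's vrp.pl: run on the secondary router, watch the
# primary's LAN address and bring the backup WAN link up when it stays silent.
# Assumptions (mine, not the page's): /etc/init.d/router accepts "start"/"stop",
# and three missed probes 5 s apart is an acceptable failover delay.
PRIMARY=${PRIMARY:-192.168.0.1}          # primary router's LAN address (from the page)
THRESHOLD=${THRESHOLD:-3}                # consecutive misses before failover
INTERVAL=${INTERVAL:-5}                  # seconds between probes
BACKUP_INIT=${BACKUP_INIT:-/etc/init.d/router}

# probe_primary: 0 if the primary answers one echo request within 2 seconds.
probe_primary() { ping -c 1 -W 2 "$PRIMARY" >/dev/null 2>&1; }

# next_state STATE FAILS RESULT -> "NEWSTATE NEWFAILS ACTION"
# Pure decision logic, kept separate so it can be tested without a network.
# STATE is standby|active, RESULT is 0 (primary answered) or 1 (missed).
next_state() {
  if [ "$3" -eq 0 ]; then
    # primary is back: hand the WAN role back and reset the miss counter
    if [ "$1" = active ]; then echo "standby 0 stop"; else echo "standby 0 none"; fi
  else
    fails=$(( $2 + 1 ))
    if [ "$1" = standby ] && [ "$fails" -ge "$THRESHOLD" ]; then
      echo "active $fails start"
    else
      echo "$1 $fails none"
    fi
  fi
}

# apply_action ACTION: start/stop the backup interface and leave a syslog trail.
apply_action() {
  case $1 in
    start|stop)
      logger -t router-monitor "primary $PRIMARY: $1 backup link"
      "$BACKUP_INIT" "$1" ;;
  esac
}

monitor_loop() {
  state=standby; fails=0
  while :; do
    if probe_primary; then result=0; else result=1; fi
    set -- $(next_state "$state" "$fails" "$result")
    state=$1; fails=$2
    apply_action "$3"
    sleep "$INTERVAL"
  done
}

# Start the loop only when invoked as "monitor.sh run", so the functions can
# also be sourced and exercised on their own.
if [ "${1:-}" = run ]; then monitor_loop; fi
```

Keep THRESHOLD times INTERVAL longer than the primary's normal reboot time, otherwise a routine restart of the primary dials the secondary's DSL link for nothing; the syslog line makes each switch visible in the logs the next morning.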
Configuration
iptables
Configuration of iptables to allow NAT and Port Forwarding.
First we flush our current rules:
iptables -F
iptables -t nat -F

Set up default policies to handle unmatched traffic:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

Copy and paste these examples. LAN is the inside Ethernet; WAN is the interface the default route uses, which with rp-pppoe is the ppp0 session (the same interface Snort sniffs below), not the eth1 port that only carries the PPPoE frames:
export LAN=eth0
export WAN=ppp0

Then we lock our services so they only work from the LAN (iptables 1.4.3 and later write the negation before the option, as in "! -i ${LAN}"):
iptables -I INPUT 1 -i ${LAN} -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT

(Optional) Allow access to our ssh server from the WAN:
iptables -A INPUT -p TCP --dport ssh -i ${WAN} -j ACCEPT

Drop TCP and UDP packets to privileged ports:
iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP

Finally we add the rules for NAT:
iptables -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
iptables -A FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
Note that the third FORWARD rule accepts any WAN packet addressed to the LAN, not only replies and the forwarded ports; connection tracking was compiled in above, so it can be narrowed with -m state --state ESTABLISHED,RELATED plus the DNAT'd ports.

Tell the kernel that IP forwarding is OK:
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

Save the rules so we don't have to run them by hand after a reboot:
/etc/init.d/iptables save
rc-update add iptables default
nano -w /etc/sysctl.conf
Add or uncomment the following lines:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
Port Forwarding Rules
Forward port 2 to ssh on an internal host
iptables -t nat -A PREROUTING -p tcp --dport 2 -i ${WAN} -j DNAT --to-destination 192.168.0.2:22
(The :22 is required: without an explicit port DNAT keeps the destination port at 2, where sshd is not listening.)
FTP forwarding to an internal host
iptables -t nat -A PREROUTING -p tcp --dport 21 -i ${WAN} -j DNAT --to 192.168.0.56
HTTP forwarding to an internal host
iptables -t nat -A PREROUTING -p tcp --dport 80 -i ${WAN} -j DNAT --to 192.168.0.56
Snort
Set Snort to sniff traffic on the ppp0 interface.
nano /etc/conf.d/snort
IFACE="ppp0"
rp-pppoe
nano /etc/ppp/pap-secrets
# client          server  secret
"login@isp.com"   *       "password"
Note: Primary router address is 192.168.0.1 and Secondary Router is 192.168.0.2
nano /etc/conf.d/net
config_eth0=( "192.168.0.1 broadcast 192.168.0.255 netmask 255.255.255.0" )
config_eth1=( "adsl" )
user_eth1=( "login@isp.com" )
Then enable and start both interfaces:
rc-update add net.eth0 default
/etc/init.d/net.eth0 start
ln -s net.lo /etc/init.d/net.eth1
rc-update add net.eth1 default
/etc/init.d/net.eth1 start
nano -w /etc/ppp/pppoe.conf
ETH=eth1
USER=login@isp.com
RETRY_ON_FAILURE=yes
ISC DHCP Server
Primary Router
#
# /etc/dhcpd.conf for primary DHCP server
#
authoritative;
ddns-update-style none;

failover peer "dhcp-failover" {
  primary;                        # declare this to be the primary server
  address 192.168.0.1;
  port 520;
  peer address 192.168.0.2;
  peer port 520;
  max-response-delay 30;
  max-unacked-updates 10;
  load balance max seconds 3;
  mclt 1800;
  split 128;
}

subnet 192.168.0.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.0.255;
  option routers 192.168.0.129;   # address assigned using VRRPd
  option domain-name-servers 192.168.200.1;
  pool {
    failover peer "dhcp-failover";
    max-lease-time 1800;          # 30 minutes
    range 192.168.0.100 192.168.0.254;
  }
}
Secondary Router
#
# /etc/dhcpd.conf for secondary DHCP server
#
authoritative;
ddns-update-style none;

failover peer "dhcp-failover" {
  secondary;                      # declare this to be the secondary server
  address 192.168.0.2;            # must equal the primary's "peer address"
  port 520;
  peer address 192.168.0.1;
  peer port 520;
  max-response-delay 30;
  max-unacked-updates 10;
  load balance max seconds 3;
}

# Same subnet and pool as the primary: failover requires identical pool
# declarations on both servers, and dhcpd refuses a range outside its subnet.
subnet 192.168.0.0 netmask 255.255.255.0 {
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.0.255;
  option routers 192.168.0.129;   # address assigned using VRRPd
  option domain-name-servers 192.168.200.1;
  pool {
    failover peer "dhcp-failover";
    max-lease-time 1800;          # 30 minutes
    range 192.168.0.100 192.168.0.254;
  }
}
rc-update add dhcp default
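The failover pair only works when the two files cross-reference each other exactly (each side's peer address and peer port equal the other side's address and port) and when both declare the same subnet and pool; a typo is easy to make when the files are edited on two boxes. This POSIX shell checker is an added example and not part of the wiki: it pulls the values out of two dhcpd.conf files and flags the mismatches before dhcpd is started. The sample configurations it writes are constructed from the addresses used on this page, with a deliberately broken secondary to show a rejection; it assumes one failover block and one subnet declaration per file.

```shell
#!/bin/sh
# Added example (not from the page): sanity-check a pair of ISC dhcpd.conf files
# before starting a failover pair. Assumes one "failover peer" block and one
# "subnet" declaration per file.

cfg_get() {  # cfg_get FILE KEY -> value of the first "KEY value;" line
  sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^;]*\);.*/\1/p" "$1" | head -n 1
}

ip2int() {  # dotted quad -> integer
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_subnet() {  # in_subnet IP NET MASK -> 0 when IP lies inside NET/MASK
  [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

range_in_subnet() {  # range_in_subnet FILE -> 0 when both range ends sit in the subnet
  set -- "$1" \
    $(sed -n 's/^[[:space:]]*subnet[[:space:]]*\([0-9.]*\)[[:space:]]*netmask[[:space:]]*\([0-9.]*\).*/\1 \2/p' "$1" | head -n 1) \
    $(cfg_get "$1" range)
  # $1 file, $2 network, $3 netmask, $4 range low, $5 range high
  [ $# -eq 5 ] && in_subnet "$4" "$2" "$3" && in_subnet "$5" "$2" "$3"
}

check_failover() {  # check_failover PRIMARY_CONF SECONDARY_CONF -> 0 when consistent
  errs=0
  [ "$(cfg_get "$1" "peer address")" = "$(cfg_get "$2" address)" ] ||
    { echo "primary 'peer address' != secondary 'address'" >&2; errs=$((errs + 1)); }
  [ "$(cfg_get "$2" "peer address")" = "$(cfg_get "$1" address)" ] ||
    { echo "secondary 'peer address' != primary 'address'" >&2; errs=$((errs + 1)); }
  [ "$(cfg_get "$1" "peer port")" = "$(cfg_get "$2" port)" ] ||
    { echo "primary 'peer port' != secondary 'port'" >&2; errs=$((errs + 1)); }
  [ "$(cfg_get "$2" "peer port")" = "$(cfg_get "$1" port)" ] ||
    { echo "secondary 'peer port' != primary 'port'" >&2; errs=$((errs + 1)); }
  for f in "$1" "$2"; do
    range_in_subnet "$f" ||
      { echo "$f: range is not inside the declared subnet" >&2; errs=$((errs + 1)); }
  done
  [ "$errs" -eq 0 ]
}

write_samples() {  # write_samples DIR: constructed samples using the page's addressing
  cat > "$1/primary.conf" <<'EOF'
failover peer "dhcp-failover" {
  primary;
  address 192.168.0.1;
  port 520;
  peer address 192.168.0.2;
  peer port 520;
}
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.254;
}
EOF
  cat > "$1/secondary-ok.conf" <<'EOF'
failover peer "dhcp-failover" {
  secondary;
  address 192.168.0.2;
  port 520;
  peer address 192.168.0.1;
  peer port 520;
}
subnet 192.168.0.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.254;
}
EOF
  # deliberately broken: mistyped address and a subnet that does not hold the range
  cat > "$1/secondary-bad.conf" <<'EOF'
failover peer "dhcp-failover" {
  secondary;
  address 192.168.0.3;
  port 520;
  peer address 192.168.0.1;
  peer port 520;
}
subnet 192.168.200.0 netmask 255.255.255.0 {
  range 192.168.0.100 192.168.0.254;
}
EOF
}

case "${1:-}" in
  demo) d=$(mktemp -d); write_samples "$d"
        check_failover "$d/primary.conf" "$d/secondary-ok.conf" && echo "sample ok pair: consistent"
        check_failover "$d/primary.conf" "$d/secondary-bad.conf" || echo "sample bad pair: rejected"
        rm -rf "$d" ;;
  "")   ;;   # no arguments: define the functions only
  *)    check_failover "$1" "$2" && echo "consistent" ;;
esac
```

Saved as, say, check-dhcp.sh, run it with the single argument demo for the built-in samples, or with copies of the two live files as arguments; a non-zero exit with the reasons on stderr means dhcpd should not be started on either box yet.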
Final Steps
Note: Primary Router must be the first router up on the network.
Primary Router
/etc/init.d/vrrpd_primary start
/etc/init.d/dhcp start
Secondary Router
/etc/init.d/vrrpd_secondary start
/etc/init.d/dhcp start
