Firewall and Load Balancing

The document provides steps to configure a Debian 10 server with iptables for logging, HAProxy for load balancing, and firewall rules on edge servers. It describes installing necessary packages, configuring iptables logging, setting up HAProxy load balancing, and creating firewall rules.

To set up a Debian 10 server as outlined in the image (the network diagram this guide was written against; it is not reproduced here), you will need to configure iptables for logging, generate the TLS certificate that HAProxy will serve, set up HAProxy to load-balance the Icinga web UI across MON1 and MON2, and create firewall rules on EDGE1 and EDGE2. The addresses 10.200.100.254, 202.22.202.25 and 172.16.99.0/25 below come from that diagram; placeholders written in capitals (MON1_IP, SERVICE1_IP, and so on) must be replaced with your own values. Here is a step-by-step guide:

Step 1: Install Necessary Packages

First, ensure that you have all necessary packages installed:

sudo apt update
sudo apt install iptables iptables-persistent haproxy openssl apache2-utils

iptables-persistent restores /etc/iptables/rules.v4 at boot, which is where the later steps save the ruleset; without it the rules are lost on reboot. apache2-utils (htpasswd) is not used by the steps below and can be left out.

Step 2: Configure iptables Logging

Set up iptables to log the specified traffic. LOG is a non-terminating target: it writes a line to the kernel log and the packet continues down the chain, so these rules change nothing about what is allowed through. They also log every matching packet; on a busy link put -m limit --limit 10/min --limit-burst 20 in front of -j LOG so a flood cannot fill the disk, or, for TCP, log one line per connection with -m conntrack --ctstate NEW.

1. Log outgoing traffic from the DHCP server port to the Internal zone:

sudo iptables -A OUTPUT -p udp -s 10.200.100.254 --sport 67 -d 172.16.99.0/25 -j LOG --log-prefix "DHCP_OUT: "

This catches unicast replies (renewals, and answers sent back to a relay agent). Offers and acknowledgements for clients that have no address yet are sent to 255.255.255.255 and are not matched by the -d 172.16.99.0/25 filter.

2. Log outgoing traffic from the TFTP port to anywhere:

sudo iptables -A OUTPUT -p udp -s 202.22.202.25 --sport 69 -j LOG --log-prefix "TFTP_OUT: "

Caveat: in TFTP only the client's first request is addressed to port 69; the server answers from a freshly chosen port (RFC 1350), so a rule on --sport 69 sees almost none of a real transfer. To log the data packets as well, load the TFTP connection-tracking helper (sudo modprobe nf_conntrack_tftp), attach it to requests on port 69 in the raw table (sudo iptables -t raw -A PREROUTING -p udp --dport 69 -j CT --helper tftp) and log the related data flow with -m helper --helper tftp in place of --sport 69.

3. Log incoming HTTPS traffic:

sudo iptables -A INPUT -p tcp --dport 443 -j LOG --log-prefix "HTTPS_IN: "

Incoming HTTPS is traffic whose destination port is 443. Matching --sport 443 on INPUT instead would log the replies of remote HTTPS servers to this host's own outbound connections, not clients connecting to the load balancer.

4. Save the iptables configuration:

A redirection such as sudo iptables-save > file runs the redirect as the unprivileged user and fails on the root-owned target directory; pipe through tee instead:

sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null

/etc/iptables/rules.v4 is the file the iptables-persistent package restores at boot (install it if it is missing), and the same file the edge hosts use later in this guide. A file under /etc/network/ such as iptables.up.rules is only loaded if you also add a pre-up hook to /etc/network/interfaces. When you later change the saved file by hand and load it over SSH, use iptables-apply, which applies the file and rolls it back automatically unless you confirm within the timeout:

sudo iptables-apply -t 30 /etc/iptables/rules.v4

5. Save the logs to a single file:

Edit /etc/rsyslog.conf (or drop a file into /etc/rsyslog.d/, which the default configuration includes) to direct iptables logs to a specific file:

sudo nano /etc/rsyslog.conf

Add the following lines:

:msg,contains,"DHCP_OUT: " -/var/log/firewall.log
:msg,contains,"TFTP_OUT: " -/var/log/firewall.log
:msg,contains,"HTTPS_IN: " -/var/log/firewall.log

Each line copies kernel messages containing that prefix to /var/log/firewall.log; the leading dash disables the sync after every write. The messages still also reach /var/log/kern.log and /var/log/syslog. To keep them only in firewall.log, add a line reading & stop after each of the three filters and place the block before the default *.* rules, since rsyslog processes rules in order. Add a logrotate entry for the new file so it does not grow without bound.

Restart the rsyslog service and confirm that lines arrive (for example by connecting to port 443 from another host):

sudo systemctl restart rsyslog
sudo tail -f /var/log/firewall.log
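As an added example (not part of the original guide), the following Python script parses lines in the format the three LOG rules produce once rsyslog has written them to /var/log/firewall.log, counts them per prefix and per source address, and flags sources that keep sending bare SYNs to port 443 without ever completing a handshake. The log lines embedded in it are constructed, not captured: the host name lb1, the MAC addresses and every IP other than the page's 10.200.100.254 and 202.22.202.25 are made up.

```python
"""Parse iptables LOG lines from /var/log/firewall.log and summarise them.

Added example for this guide (not part of the original document). The
sample lines below are constructed to look like what the three LOG rules
produce after rsyslog writes them; host name and most addresses are made up.
"""
import re
from collections import Counter

# rsyslog line: "<timestamp> <host> kernel: [<uptime>] <PREFIX>: <key=value ...>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<host>\S+)\s+kernel:\s+"
    r"(?:\[\s*[\d.]+\]\s+)?(?P<prefix>[A-Z_]+):\s+(?P<body>.*)$"
)
TOKEN_RE = re.compile(r"\S+")
KNOWN_PREFIXES = {"DHCP_OUT", "TFTP_OUT", "HTTPS_IN"}


def parse_log_line(line):
    """Return a dict for a firewall LOG line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("prefix") not in KNOWN_PREFIXES:
        return None
    fields, flags = {}, set()
    for tok in TOKEN_RE.findall(m.group("body")):
        if "=" in tok:
            key, val = tok.split("=", 1)
            # UDP/TCP lines carry a second LEN= (transport length); keep the
            # first one, which is the IP total length.
            fields.setdefault(key, val)
        else:
            flags.add(tok)  # bare words: DF, SYN, ACK, RST, ...
    return {"ts": m.group("ts"), "host": m.group("host"),
            "prefix": m.group("prefix"), "fields": fields, "flags": flags}


def summarize(lines):
    """Count parsed lines per prefix and per (prefix, source address)."""
    per_prefix, per_source = Counter(), Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        per_prefix[rec["prefix"]] += 1
        per_source[(rec["prefix"], rec["fields"].get("SRC"))] += 1
    return per_prefix, per_source


def https_syn_sources(lines, threshold):
    """Sources that sent at least `threshold` bare SYNs (no ACK) to port 443.

    Because the HTTPS_IN rule logs every packet, a client that only ever
    sends SYNs and never completes a handshake stands out from real users.
    """
    syns = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or rec["prefix"] != "HTTPS_IN":
            continue
        f, flags = rec["fields"], rec["flags"]
        if (f.get("PROTO") == "TCP" and f.get("DPT") == "443"
                and "SYN" in flags and "ACK" not in flags):
            syns[f["SRC"]] += 1
    return sorted(src for src, n in syns.items() if n >= threshold)


# Constructed sample log lines (not captured from a real system).
SAMPLE_LOG = """\
Jun  3 10:15:01 lb1 kernel: [ 1201.553391] HTTPS_IN: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=41222 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  3 10:15:01 lb1 kernel: [ 1201.553402] HTTPS_IN: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=41223 DF PROTO=TCP SPT=51235 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  3 10:15:02 lb1 kernel: [ 1202.100001] HTTPS_IN: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:dd:ee:ff:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=41224 DF PROTO=TCP SPT=51236 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jun  3 10:15:03 lb1 kernel: [ 1203.200002] HTTPS_IN: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=9001 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jun  3 10:15:03 lb1 kernel: [ 1203.210002] HTTPS_IN: IN=eth0 OUT= MAC=52:54:00:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=198.51.100.4 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=61 ID=9002 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=229 RES=0x00 ACK URGP=0
Jun  3 10:15:04 lb1 kernel: [ 1204.000100] DHCP_OUT: IN= OUT=eth1 SRC=10.200.100.254 DST=172.16.99.20 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=308
Jun  3 10:15:05 lb1 kernel: [ 1205.000200] TFTP_OUT: IN= OUT=eth0 SRC=202.22.202.25 DST=192.0.2.77 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=69 DPT=2001 LEN=28
Jun  3 10:15:06 lb1 sshd[1234]: Accepted publickey for admin from 198.51.100.4 port 50022 ssh2
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # python3 parse_fw.py /var/log/firewall.log
        with open(sys.argv[1]) as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    per_prefix, per_source = summarize(lines)
    print(dict(per_prefix))
    print("bare-SYN sources (>=3):", https_syn_sources(lines, threshold=3))
```

Run it with the real log file as its argument; without one it uses the embedded sample. The threshold is deliberately a parameter: on a production load balancer a handful of lone SYNs per source is normal, so tune it against a day of real data before treating the output as an alert.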

Step 3: Create the TLS Key and Certificate for HAProxy

HAProxy terminates HTTPS in the next step and needs a private key and a certificate. The sub-steps below generate a self-signed pair, with the private key named ssl_https_private.key. A self-signed certificate is acceptable for a lab or an internal monitoring UI; browsers will warn until it is replaced by one issued by a CA they trust.

1. Ensure OpenSSL is installed on your Debian server:

sudo apt update
sudo apt install openssl

2. Create a private key and a certificate signing request (CSR). /etc/ssl/private is readable by root only, so run these commands with sudo:

sudo openssl genpkey -algorithm RSA -out /etc/ssl/private/ssl_https_private.key -pkeyopt rsa_keygen_bits:2048
sudo chmod 600 /etc/ssl/private/ssl_https_private.key
sudo openssl req -new -key /etc/ssl/private/ssl_https_private.key -out /etc/ssl/private/ssl_https_request.csr

During CSR creation you will be prompted for Country, State, Organization Name, Common Name, and so on. The Common Name must be the name users will type into the browser for the load-balanced address (its DNS name, or the IP itself if that is what will be used). Current browsers, Chrome in particular, ignore the Common Name and require a subjectAltName extension; to add one, write a line such as subjectAltName=DNS:monitor.example.net (a hypothetical name) into a small file, for example san.cnf, and pass it to the signing command in the next sub-step with -extfile san.cnf.

3. Create the self-signed certificate using the private key and CSR:

sudo openssl x509 -req -days 365 -in /etc/ssl/private/ssl_https_request.csr -signkey /etc/ssl/private/ssl_https_private.key -out /etc/ssl/private/ssl_https_certificate.crt

This command creates a certificate valid for 365 days. You can adjust the number of days as needed; set a reminder before it expires. Check the result with:

sudo openssl x509 -in /etc/ssl/private/ssl_https_certificate.crt -noout -subject -dates

4. Combine the key and certificate into a single file. This is not optional for HAProxy: its crt option expects the certificate and the private key in one PEM file. Because the file contains the key it must stay readable by root only; HAProxy reads it as root at start-up before dropping privileges.

sudo sh -c 'cat /etc/ssl/private/ssl_https_private.key /etc/ssl/private/ssl_https_certificate.crt > /etc/ssl/private/ssl_https_combined.pem'
sudo chmod 600 /etc/ssl/private/ssl_https_combined.pem
Step 4: Configure HAProxy for Load Balancing

1. Edit the HAProxy configuration:

sudo nano /etc/haproxy/haproxy.cfg

2. Configure the frontend and backend sections:

Keep the global and defaults sections the Debian package ships (its defaults set mode http, which the directives below rely on) and add the following configuration:

frontend https_front
    bind *:443 ssl crt /etc/ssl/private/ssl_https_combined.pem
    default_backend https_back

backend https_back
    balance roundrobin
    server mon1 MON1_IP:443 check ssl verify none
    server mon2 MON2_IP:443 check ssl verify none

Replace MON1_IP and MON2_IP with the actual IP addresses of your MON1 and MON2 servers. Two points to be aware of:

- ssl verify none re-encrypts traffic to the monitoring nodes but does not verify their certificates, so the load balancer would trust any host answering on those addresses. Once MON1 and MON2 have certificates issued by a CA you control, use verify required ca-file <ca.pem> instead.
- roundrobin sends each request to the next server. Icinga Web 2 keeps login sessions on the node that created them (PHP file sessions by default), so a user can be bounced to the other node and asked to log in again. Add cookie SRV insert indirect nocache to the backend and cookie mon1 / cookie mon2 to the server lines (or use balance source) so that a browser stays on one node.

3. Get the required certificate:

Ensure the combined PEM is in place at /etc/ssl/private/ssl_https_combined.pem and readable by root only, then validate the whole configuration before touching the running service:

sudo haproxy -c -f /etc/haproxy/haproxy.cfg

4. Restart HAProxy to apply changes:

sudo systemctl restart haproxy
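The minimal configuration in this step accepts TLS 1.0 and 1.1 on the frontend, does not verify the backend certificates (verify none), sets no HSTS header and has no session persistence. As an added example (not part of the original guide and not an HAProxy tool), the Python script below reads an haproxy.cfg, flags those four weaknesses, and runs against both the configuration from this step and a hardened version of it. MON1_IP, MON2_IP and the CA file /etc/ssl/certs/mon-ca.pem in the hardened version are placeholders for your own values.

```python
"""Flag weak settings in an haproxy.cfg.

Added example for this guide: not part of the original document and not
an HAProxy tool. WEAK_CFG is the frontend/backend from the step above (plus
the 'mode http' default the Debian package ships); HARDENED_CFG is a
corrected version. MON1_IP, MON2_IP and /etc/ssl/certs/mon-ca.pem are
placeholders.
"""
import re

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b")


def parse_sections(cfg_text):
    """Split an haproxy.cfg into (section header, [directive lines]) pairs."""
    sections, current = [], None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if SECTION_RE.match(line):
            current = (line, [])
            sections.append(current)
        elif current is not None:
            current[1].append(line)
    return sections


def check_haproxy_cfg(cfg_text):
    """Return (section, finding) tuples; an empty list means nothing flagged."""
    sections = parse_sections(cfg_text)
    findings = []
    # ssl-min-ver may be set once in 'global' (ssl-default-bind-options) or
    # on each 'bind' line; either form satisfies the check.
    global_min_ver = any("ssl-min-ver" in line
                         for hdr, lines in sections if hdr == "global"
                         for line in lines)
    for header, lines in sections:
        kind = header.split()[0]
        if kind in ("frontend", "listen"):
            tls_binds = [line.split() for line in lines
                         if line.startswith("bind ") and "ssl" in line.split()]
            for words in tls_binds:
                if not global_min_ver and "ssl-min-ver" not in words:
                    findings.append((header, "TLS listener without ssl-min-ver: TLS 1.0/1.1 accepted"))
            if tls_binds and not any(line.startswith("http-response")
                                     and "Strict-Transport-Security" in line
                                     for line in lines):
                findings.append((header, "no Strict-Transport-Security header"))
        if kind in ("backend", "listen"):
            servers = [line.split() for line in lines if line.startswith("server ")]
            for words in servers:
                i = words.index("verify") if "verify" in words else -1
                if i >= 0 and i + 1 < len(words) and words[i + 1] == "none":
                    findings.append((header, "server %s: backend certificate not verified" % words[1]))
            if len(servers) > 1 and not any(line.startswith(("cookie ", "stick"))
                                            for line in lines):
                findings.append((header, "several servers but no session persistence"))
    return findings


# The configuration from this step, as written (weak).
WEAK_CFG = """
defaults
    mode http
frontend https_front
    bind *:443 ssl crt /etc/ssl/private/ssl_https_combined.pem
    default_backend https_back
backend https_back
    balance roundrobin
    server mon1 MON1_IP:443 check ssl verify none
    server mon2 MON2_IP:443 check ssl verify none
"""

# Corrected version: TLS 1.2+, HSTS, verified backends, sticky sessions.
HARDENED_CFG = """
global
    # Refuse TLS 1.0/1.1 on every ssl bind line.
    ssl-default-bind-options ssl-min-ver TLSv1.2
defaults
    mode http
    timeout connect 5s
    timeout client 30s
    timeout server 30s
frontend https_front
    bind *:443 ssl crt /etc/ssl/private/ssl_https_combined.pem
    http-response set-header Strict-Transport-Security "max-age=31536000"
    default_backend https_back
backend https_back
    balance roundrobin
    # Pin each browser to one Icinga node; its PHP session lives only there.
    cookie SRV insert indirect nocache secure httponly
    # ca-file is a placeholder: the CA (or self-signed cert) of MON1/MON2.
    server mon1 MON1_IP:443 check ssl verify required ca-file /etc/ssl/certs/mon-ca.pem cookie mon1
    server mon2 MON2_IP:443 check ssl verify required ca-file /etc/ssl/certs/mon-ca.pem cookie mon2
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, check_haproxy_cfg(cfg) or "OK")
```

Point it at the live file with check_haproxy_cfg(open("/etc/haproxy/haproxy.cfg").read()) after each change, alongside haproxy -c, which only checks syntax and says nothing about these settings.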

Step 5: Ensure the Icinga Monitoring Web UI is Accessible

Make sure the Icinga web interface is reachable through the configured HAProxy. The web UI (Icinga Web 2) runs on MON1 and MON2, not on the load balancer or the edge hosts, so nothing Icinga-related is installed in this step; what is checked is that each node answers on port 443 on its own and that the load-balanced address reaches both.

1. From the load balancer, check each backend directly, then HAProxy's own view of them (the stats socket path is the one in the Debian default global section; socat is in the package of the same name). /icingaweb2/ is the default Icinga Web 2 path; an HTTP 200 or a 302 to the login page is the expected answer:

curl -k -I https://MON1_IP/icingaweb2/
curl -k -I https://MON2_IP/icingaweb2/
echo "show stat" | sudo socat stdio /run/haproxy/admin.sock | cut -d, -f1,2,18

2. From a client, open https://<load-balanced IP>/icingaweb2/ in a browser, accept the self-signed certificate warning (expected until the certificate is replaced by one from a trusted CA), log in and reload the page several times. If a reload logs you out, the two nodes are not sharing sessions and the backend needs session persistence (a cookie or balance source). The stats output should show requests on both mon1 and mon2.

Step 6: Create Firewall Rules on EDGE1 and EDGE2

Assuming EDGE1 and EDGE2 are separate servers that route the traffic in question, configure firewall rules on them to block the specified traffic. The FORWARD chain only sees packets an edge host forwards, so IP forwarding must be enabled on the edge and the edge must be on the path; traffic that reaches SERVICE1 or SERVICE2 by another route is unaffected.

1. Log in to EDGE1 and EDGE2:

ssh user@edge1_ip
ssh user@edge2_ip

2. Block traffic to SERVICE1 and SERVICE2 on the HTTP and HTTPS ports:

sudo iptables -A FORWARD -p tcp -d SERVICE1_IP --dport 80 -j REJECT
sudo iptables -A FORWARD -p tcp -d SERVICE1_IP --dport 443 -j REJECT
sudo iptables -A FORWARD -p tcp -d SERVICE2_IP --dport 80 -j REJECT
sudo iptables -A FORWARD -p tcp -d SERVICE2_IP --dport 443 -j REJECT

Replace SERVICE1_IP and SERVICE2_IP with the actual IP addresses of your SERVICE1 and SERVICE2 servers. -A appends, so if the FORWARD chain already contains an earlier rule that accepts this traffic, the new rules are never reached; check the order with sudo iptables -L FORWARD -n --line-numbers and use -I FORWARD 1 to put them first where needed. REJECT answers with an ICMP port-unreachable by default; add --reject-with tcp-reset if you prefer clients to see a plain connection reset. Verify from a host behind the edge: curl -m 5 -I http://SERVICE1_IP/ should fail immediately with a refused connection rather than time out (a timeout would indicate DROP somewhere else on the path).

3. Save the iptables rules on each edge (the redirect must run as root, hence tee):

sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null

This is the file iptables-persistent restores at boot; install that package on the edge hosts if it is not present.

Conclusion

This guide provides a basic setup for configuring a Debian 10 server with iptables logging, a self-signed certificate, HAProxy load balancing, and firewall rules on the edge hosts. Adjust IP addresses, file paths, and specific configurations as necessary for your environment, and replace the self-signed certificate and the unverified backend connections before using the setup outside a lab.
