Showing posts with label IBM SoftLayer. Show all posts

Sunday, May 31, 2015

Configuring a Vyatta Firewall in IBM SoftLayer

Summary

This blog post covers the steps needed to allow access to a Web or application server that is protected by a Vyatta gateway in IBM SoftLayer. Vyatta can be used as a firewall as well as a network gateway. It is a low-cost firewall option, but its learning curve is steeper than that of the FortiGate firewall options available on SoftLayer.

This post covers the steps to protect a Web server or application server in SoftLayer.

Process

Order a Gateway appliance in the data center where you have your application servers.
Associate the VLANs with the gateway as shown in the picture below. The application server is configured to sit on both the public VLAN and the private VLAN. The database tier sits only on a private VLAN.

SoftLayer Gateway Page


In the picture above, there are two associated VLANs. The VLANs can bypass Vyatta or be associated with the Vyatta gateway. Once the VLAN is associated with the Vyatta gateway, Vyatta firewall rules must be applied to access the applications running on that VLAN.

To configure Vyatta you need the gateway address and the subnet address of the associated VLAN.
Determine the subnet and gateway address for the VLAN.
  • From the gateway page, click on the link to the VLAN page.
  • From the VLAN page, click on the Subnet page as shown below. 

SoftLayer VLAN subnet page


Log in to the Vyatta system.
Enter configure to enter configuration mode.
-- Associate each gateway address with an adapter. eth0 is the private network; eth1 is the public network.

set interfaces ethernet eth1 vif <public vlan number> address <gateway address>
set interfaces ethernet eth0 vif <private vlan number> address <other gateway address>


--example

set interfaces ethernet eth0 vif 1607 address 10.77.153.65/26
set interfaces ethernet eth1 vif 1253 address 184.173.49.1/27

You may also see a bonded adapter configuration when invoking show interfaces before entering configuration mode. If so, use the bonding form of the interface command instead.

set interfaces bonding bond1 vif 1253 address 184.173.49.1/27

-- Create an inbound rule set that accepts traffic to the Web or application server ports

set firewall name home_in rule 10 action accept
set firewall name home_in rule 10 description "allow access to web or application server port"


-- 184.173.49.0/27 is the subnet address of the public VLAN

set firewall name home_in rule 10 destination address 184.173.49.0/27
set firewall name home_in rule 10 destination port 80,8080

set firewall name home_in rule 10 protocol tcp
set interfaces ethernet eth1 firewall in name home_in


set firewall name home_out rule 10 action accept
set firewall name home_out rule 10 description "allow traffic from Web subnet back out"
set firewall name home_out rule 10 source address 184.173.49.0/27
set firewall name home_out rule 10 protocol tcp
set interfaces ethernet eth1 firewall out name home_out
 

-- in my case my database is somewhere else, so allow the database server address to connect back to the web subnet

set firewall name home_in rule 11 action accept
set firewall name home_in rule 11 description "database back to web"
set firewall name home_in rule 11 source address 52.22.138.15
set firewall name home_in rule 11 destination address 184.173.49.0/27
set firewall name home_in rule 11 protocol tcp

commit
The Web or application server should now be available.

After entering all these rules, enter commit to put them into effect, but do not save the configuration until you are satisfied that it is working. If you do not save your changes, it is easy to reboot and try again.

To view the new routes, exit from configuration mode and enter show ip route.

$ show ip route
S    *> 0.0.0.0/0 [1/0] via 173.193.94.249, eth1
S    *> 10.0.0.0/8 [1/0] via 10.77.153.1, eth0
C    *  10.77.153.0/26 is directly connected, eth0v1
C    *> 10.77.153.0/26 is directly connected, eth0
C    *> 10.77.153.64/26 is directly connected, eth0.1607
C    *> 127.0.0.0/8 is directly connected, lo
C    *  173.193.94.248/29 is directly connected, eth1v1
C    *> 173.193.94.248/29 is directly connected, eth1
C    *> 184.173.49.0/27 is directly connected, eth1.1253

There are two new routes to the associated VLANs. 
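As an added example (not part of the original post), the check below parses a show ip route listing and confirms that each gateway address given to set interfaces ... vif ... address really is a host address inside a subnet that is now directly connected on the expected eth0.<vlan> or eth1.<vlan> interface. The sample route output is constructed to match the listing above, and the function names are my own; a mistyped prefix such as /2 instead of /27 is reported as a failure rather than committed.

```python
import ipaddress
import re

# Constructed sample, modelled on the "show ip route" listing in the post
# (not captured from a live gateway).
SAMPLE_ROUTES = """\
S    *> 0.0.0.0/0 [1/0] via 173.193.94.249, eth1
S    *> 10.0.0.0/8 [1/0] via 10.77.153.1, eth0
C    *  10.77.153.0/26 is directly connected, eth0v1
C    *> 10.77.153.0/26 is directly connected, eth0
C    *> 10.77.153.64/26 is directly connected, eth0.1607
C    *> 127.0.0.0/8 is directly connected, lo
C    *  173.193.94.248/29 is directly connected, eth1v1
C    *> 173.193.94.248/29 is directly connected, eth1
C    *> 184.173.49.0/27 is directly connected, eth1.1253
"""

# Only selected (*>) connected routes count; the "*  ...v1" lines are alternates.
CONNECTED_RE = re.compile(r"^C\s+\*>\s+(\S+) is directly connected, (\S+)$")


def connected_routes(output):
    """Map each selected directly-connected network to its interface name."""
    routes = {}
    for line in output.splitlines():
        m = CONNECTED_RE.match(line.strip())
        if m:
            routes[ipaddress.ip_network(m.group(1), strict=False)] = m.group(2)
    return routes


def check_vlan_gateway(gateway_cidr, base_iface, vif, routes):
    """Validate one 'set interfaces ethernet <iface> vif <vlan> address <gw>' line
    against the route table: the gateway must be a usable host address in a
    subnet that is connected on <iface>.<vlan>. Returns (ok, reason)."""
    try:
        gw = ipaddress.ip_interface(gateway_cidr)
    except ValueError as exc:
        return False, f"bad address: {exc}"
    net = gw.network
    if gw.ip in (net.network_address, net.broadcast_address):
        return False, f"{gw.ip} is the network or broadcast address of {net}"
    expected = f"{base_iface}.{vif}"
    if routes.get(net) != expected:
        return False, f"{net} is not connected on {expected}"
    return True, f"{net} reachable via {expected}"


if __name__ == "__main__":
    table = connected_routes(SAMPLE_ROUTES)
    for gw, iface, vlan in [("10.77.153.65/26", "eth0", 1607),
                            ("184.173.49.1/27", "eth1", 1253),
                            ("184.173.49.1/2", "eth1", 1253)]:   # the /2 typo
        print(gw, *check_vlan_gateway(gw, iface, vlan, table))
```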






Monday, May 18, 2015

Using a Load Balancer for an Apache Tomcat Application

Summary

When load balancing an application, you have to handle the session data that is maintained for each user. One way to handle session data is to use what is called a sticky session: the load balancer always routes you back to the box that you initially connected to. The screen shot below from a SoftLayer local load balancer shows the sticky session option as w/ Inserted Cookie. This is easier to implement, but it does not allow for failover when the system that you are connected to fails. Another option is to write session data out to a database that is accessible by all the application servers.

This tutorial will step you through the process of configuring Apache Tomcat to use a Redis database to maintain session data.

SoftLayer Load Balancer options
Install Java

  • cd /tmp
  • wget --no-cookies --no-check-certificate --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/8u45-b14/jdk-8u45-linux-x64.tar.gz"
  • cd /opt
  • tar -xf /tmp/jdk-8u45-linux-x64.tar.gz
  • echo "export JAVA_HOME=\"/opt/jdk1.8.0_45\"" >> ~/.bashrc

Install Apache Tomcat

  • cd /tmp
  • wget http://apache.claz.org/tomcat/tomcat-7/v7.0.62/bin/apache-tomcat-7.0.62.zip
  • cd /opt
  • unzip /tmp/apache-tomcat-7.0.62.zip
  • echo "export CATALINA_HOME=\"/opt/apache-tomcat-7.0.62\"" >> ~/.bashrc
  • chmod -R 755 /opt/apache-tomcat-7.0.62/bin/*.sh

Install JULI log4j jar

  • cd /opt/apache-tomcat-7.0.62/lib
  • wget http://apache.claz.org/tomcat/tomcat-7/v7.0.62/bin/extras/tomcat-juli.jar

Install Gradle

Gradle is needed to build the Redis Tomcat session manager.
  • cd /tmp
  • wget https://services.gradle.org/distributions/gradle-2.4-bin.zip
  • cd /opt
  • unzip /tmp/gradle-2.4-bin.zip
  • Add /opt/gradle-2.4 to your PATH.
    •  export PATH=/opt/gradle-2.4/bin:$PATH

Install Redis Tomcat session manager

  • cd /tmp
  • yum -y install git
  • git clone https://github.com/jcoleman/tomcat-redis-session-manager.git
  • cd tomcat-redis-session-manager
  • gradle tasks
    Note: if you get an error on line 57 of build.gradle, remove the uploadArchives section and everything after it.
  • gradle jar
  • Copy jar output to Apache Tomcat
    example: cp ./build/libs/tomcat-redis-session-manager-2.0.0.jar   /opt/apache-tomcat-7.0.62/lib/

Install Redis Java client

The Redis Java client (Jedis) is downloaded when the Redis Tomcat session manager is built; find it in the Gradle cache and copy it to Tomcat.
  • find / -name "jedis*.jar"
  • Copy the jar found to Apache Tomcat lib directory
    example:
    •  cp /root/.gradle/caches/modules-2/files-2.1/redis.clients/jedis/2.5.2/83d/jedis-2.5.2.jar /opt/apache-tomcat-7.0.62/lib/

Install Apache Commons Pool

There are some dependency jars needed, so grab the source and build it with Maven.
  • cd /tmp
  • wget http://mirror.tcpdiag.net/apache//commons/pool/source/commons-pool2-2.3-src.zip
  • cd /tmp/commons-pool2-2.3-src
  • yum -y install maven
  • source ~/.bashrc
  • mvn deploy
  • cp /tmp/commons-pool2-2.3-src/target/commons-pool2-2.3.jar /opt/apache-tomcat-7.0.62/lib/
Find the dependency jars and copy them into the Tomcat lib directory also.
  • find ~/.m2 -name cglib*.jar
  • Use the output path to copy cglib to Tomcat.
    e.g. cp /root/.m2/repository/cglib/cglib/3.1/cglib-3.1.jar /opt/apache-tomcat-7.0.62/lib/
  • find ~/.m2 -name asm*.jar
  • Use the output path to copy asm to Tomcat.
    e.g. cp /root/.m2/repository/org/ow2/asm/asm/4.2/asm-4.2.jar /opt/apache-tomcat-7.0.62/lib/
  • find ~/.m2 -name asm-util*.jar
  • Use the output path to copy asm-util to Tomcat.
    e.g. cp /root/.m2/repository/org/ow2/asm/asm-util/5.0.3/asm-util-5.0.3.jar /opt/apache-tomcat-7.0.62/lib/

Install Redis

Redis would normally be installed on a separate server, but for this tutorial it can be placed on the same server.
See this page to install Redis.

Update Tomcat

Add the following to Tomcat context.xml:
<Valve className="com.orangefunction.tomcat.redissessions.RedisSessionHandlerValve" />
<Manager className="com.orangefunction.tomcat.redissessions.RedisSessionManager"
         host="localhost"
         port="6379"
         database="0"
         maxInactiveInterval="60"/>

Restart Tomcat
  • $CATALINA_HOME/bin/catalina.sh stop
  • $CATALINA_HOME/bin/catalina.sh start
Check the logs to make sure it is working.
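Before restarting, it is worth confirming that every jar the steps above copy into $CATALINA_HOME/lib is actually there and that context.xml carries both the valve and the manager; a missing jar only shows up as a ClassNotFoundException in the logs after the restart. The following pre-flight check is an added example, not part of the original post or of the session manager project: the jar prefixes and the context.xml fragment are constructed from the versions used in this tutorial, and the function names are my own.

```python
import os
import re

# Jar-name prefixes the tutorial copies into $CATALINA_HOME/lib, and the two
# classes that context.xml must reference (versions as used in the post).
REQUIRED_JARS = ["tomcat-redis-session-manager", "jedis", "commons-pool2",
                 "cglib", "asm", "asm-util"]
REDIS_PKG = "com.orangefunction.tomcat.redissessions"
REQUIRED_CLASSES = ["RedisSessionHandlerValve", "RedisSessionManager"]

# Constructed context.xml fragment: the same two elements the tutorial adds.
SAMPLE_CONTEXT = """\
<Context>
<Valve className="com.orangefunction.tomcat.redissessions.RedisSessionHandlerValve" />
<Manager className="com.orangefunction.tomcat.redissessions.RedisSessionManager"
         host="localhost"
         port="6379"
         database="0"
         maxInactiveInterval="60"/>
</Context>
"""


def check_install(lib_files, context_xml):
    """Return a list of problems; an empty list means the install looks complete.
    lib_files: file names found in $CATALINA_HOME/lib; context_xml: its text."""
    problems = []
    for prefix in REQUIRED_JARS:
        # Require prefix-<version>.jar so "asm" is not satisfied by asm-util-5.0.3.jar.
        pat = re.compile(rf"^{re.escape(prefix)}-\d[\w.]*\.jar$")
        if not any(pat.match(name) for name in lib_files):
            problems.append(f"missing {prefix}-<version>.jar in lib")
    for cls in REQUIRED_CLASSES:
        if f'className="{REDIS_PKG}.{cls}"' not in context_xml:
            problems.append(f"{cls} is not configured in context.xml")
    return problems


def manager_settings(context_xml):
    """Extract the RedisSessionManager attributes (host, port, ...) as a dict."""
    m = re.search(rf'<Manager\s+className="{re.escape(REDIS_PKG)}\.RedisSessionManager"(.*?)/>',
                  context_xml, re.S)
    return dict(re.findall(r'(\w+)="([^"]*)"', m.group(1))) if m else {}


def check_install_dir(catalina_home):
    """Run check_install against a real $CATALINA_HOME using the post's layout."""
    lib_files = os.listdir(os.path.join(catalina_home, "lib"))
    with open(os.path.join(catalina_home, "conf", "context.xml")) as f:
        return check_install(lib_files, f.read())
```

Run check_install_dir("/opt/apache-tomcat-7.0.62") on the server; an empty list means all six jars and both context.xml entries are in place.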
