From 4389fb0e6f01416317b88db3f25462e8f8f0fa3f Mon Sep 17 00:00:00 2001
From: Yohann D'ANELLO
Date: Mon, 31 May 2021 11:14:16 +0000
Subject: [PATCH] :tada: First working proof of concept
Signed-off-by: Yohann D'ANELLO
---
firewall/nat.conf | 16 +++++
firewall/restrict-http.conf | 17 ++++++
start.sh | 114 ++++++++++++++++++++++++++++++++++++
3 files changed, 147 insertions(+)
create mode 100755 firewall/nat.conf
create mode 100755 firewall/restrict-http.conf
create mode 100755 start.sh
diff --git a/firewall/nat.conf b/firewall/nat.conf
new file mode 100755
index 0000000..ef16448
--- /dev/null
+++ b/firewall/nat.conf
@@ -0,0 +1,16 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority 0; policy accept;
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 0; policy accept;
+
+ ip saddr 10.2.1.0/30 masquerade;
+ ip saddr 172.17.0.0/16 masquerade;
+ }
+}
diff --git a/firewall/restrict-http.conf b/firewall/restrict-http.conf
new file mode 100755
index 0000000..7b90e13
--- /dev/null
+++ b/firewall/restrict-http.conf
@@ -0,0 +1,17 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0;
+ }
+ chain forward {
+ type filter hook forward priority 0; policy accept
+ tcp dport { 80 } reject;
+ accept
+ }
+ chain output {
+ type filter hook output priority 0;
+ }
+}
diff --git a/start.sh b/start.sh
new file mode 100755
index 0000000..90f00ad
--- /dev/null
+++ b/start.sh
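Review bot: `flush ruleset` at the top of nat.conf clears every table of every family on the host, not just the NAT table this file defines, so loading it from start.sh (and the `nft flush ruleset` in its reset() function) discards whatever firewall the host already had. Scoping the reset to the table this file owns keeps the rest of the ruleset intact: `add table ip nat` followed by `flush table ip nat` in place of `flush ruleset`. The prerouting chain is declared but empty; if it is a placeholder for later DNAT a one-line comment saying so would help, otherwise it can be dropped. The masquerade rules match on source only, so a short comment such as `# SNAT the lab networks on every egress interface; add an oifname match if that is too broad` would make the intent explicit.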
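Review bot: The filter only touches the forward chain, so in ns2/ns3 (where start.sh loads it) HTTP that the namespace itself originates still leaves through the unrestricted output chain, and the trailing `accept` is redundant with `policy accept`; whether that asymmetry is intended is not stated anywhere. A header comment such as `# Transit filter for ns2/ns3: reject forwarded TCP/80 in both IP families; locally generated traffic is not filtered` would pin the contract. For a TCP-only rule `tcp dport { 80 } reject with tcp reset` gives peers an immediate RST instead of the default ICMP port-unreachable, which is usually what a test client expects. As in nat.conf, `flush ruleset` wipes every family; inside a fresh namespace that is harmless, but the same file would not be safe to load on the host.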
@@ -0,0 +1,114 @@
+#!/usr/bin/env bash
+
+if [[ $EUID -ne 0 ]]; then
+ echo "This script must be run as root."
+ exit 1
+fi
+
+# We are here
+dir=$(dirname $(realpath $0))
+
+# Wrap into a tmux shell if it not already the case
+tmux rename-session babel 2> /dev/null
+res=$?
+if ! [[ "$res" == 0 ]]; then
+ exec tmux new-session $0
+ exit 0
+fi
+
+tmux rename-window host
+
+function reset() {
+ echo "Reset previous configuration..."
+ pkill -e vde_plug
+ pkill -e babeld
+ rm -rv /tmp/switch* /tmp/ns*
+ ip route delete 172.17.0.0/16
+ ip -6 route delete 2a0c:700:3012:3::1:0/112
+ ip -6 route delete 2a0c:700:3012:3::2:0/112
+ nft flush ruleset
+}
+
+reset
+
+echo "Setup switches..."
+vde_plug --daemon switch:///tmp/ext null://
+vde_plug --daemon switch:///tmp/switch1 null://
+vde_plug --daemon switch:///tmp/switch2 null://
+
+# Connect to the exterior
+sudo vde_plug --daemon vde:///tmp/ext tap://vde0
+sudo ip link set dev vde0 up
+sudo ip address add 10.2.1.1/30 dev vde0
+sudo ip address add 2a0c:700:3012:3::ff:0/127 dev vde0
+
+# Setup NAT
+nft -f $dir/firewall/nat.conf
+
+for i in 1 2 3 4; do
+ echo "Creating new namespace..."
+ mkdir -p /tmp/ns$i/log
+ tmux new-window -n ns$i "unshare --user --map-root-user --net --mount"
+ tmux select-window -t host
+
+ sleep 1
+
+ echo "Configure ns$i..."
+
+ tmux send-keys -t ns$i "echo \$\$ > /tmp/ns$i/pid" Enter
+ if [[ $i -eq 1 ]]; then
+ tmux send-keys -t ns$i "vde_plug --daemon vde:///tmp/ext tap://vde0" Enter
+ sleep 0.3
+ tmux send-keys -t ns$i "ip link set vde0 up" Enter
+ tmux send-keys -t ns$i "ip address add 10.2.1.2/30 dev vde0" Enter
+ tmux send-keys -t ns$i "ip address add 2a0c:700:3012:3::ff:1/127 dev vde0" Enter
+ tmux send-keys -t ns$i "ip route add 0.0.0.0/1 via 10.2.1.1 dev vde0 proto kernel" Enter
+ tmux send-keys -t ns$i "ip route add 128.0.0.0/1 via 10.2.1.1 dev vde0 proto kernel" Enter
+ tmux send-keys -t ns$i "ip -6 route add 2000::/4 via 2a0c:700:3012:3::ff:0 dev vde0 proto kernel" Enter
+ tmux send-keys -t ns$i "echo \"interface vde0 type wired\" >> /tmp/ns$i/babeld.conf" Enter
+ tmux send-keys -t ns$i "echo \"redistribute metric 256\" >> /tmp/ns$i/babeld.conf" Enter
+ fi
+
+ tmux send-keys -t ns$i "mount --bind /tmp/ns$i/log /var/log" Enter
+done
+
+echo "Enable links..."
+
+# Switch 1: NS 1, 2, 3
+for i in 1 2 3; do
+ tmux send-keys -t ns$i "vde_plug --daemon vde:///tmp/switch1 tap://vde1" Enter
+ sleep 0.3
+ tmux send-keys -t ns$i "ip link set vde1 up" Enter
+ tmux send-keys -t ns$i "ip address add 172.17.1.$i/32 dev vde1" Enter
+ tmux send-keys -t ns$i "ip address add 2a0c:700:3012:3::1:$i/128 dev vde1" Enter
+ tmux send-keys -t ns$i "echo \"interface vde1 type wired\" >> /tmp/ns$i/babeld.conf" Enter
+done
+
+# Switch 2: NS 2, 3, 4
+for i in 2 3 4; do
+ tmux send-keys -t ns$i "vde_plug --daemon vde:///tmp/switch2 tap://vde2" Enter
+ sleep 0.3
+ tmux send-keys -t ns$i "ip link set vde2 up" Enter
+ tmux send-keys -t ns$i "ip address add 172.17.2.$i/32 dev vde2" Enter
+ tmux send-keys -t ns$i "ip address add 2a0c:700:3012:3::2:$i/128 dev vde2" Enter
+ tmux send-keys -t ns$i "echo \"interface vde2 type wired\" >> /tmp/ns$i/babeld.conf" Enter
+done
+
+ip route add 172.17.0.0/16 via 10.2.1.2
+ip -6 route add 2a0c:700:3012:3::1:0/112 via 2a0c:700:3012:3::ff:1
+ip -6 route add 2a0c:700:3012:3::2:0/112 via 2a0c:700:3012:3::ff:1
+
+for i in 1 2 3 4; do
+ tmux send-keys -t ns$i "touch /etc/babeld.conf && mount --bind /tmp/ns$i/babeld.conf /etc/babeld.conf" Enter
+ tmux send-keys -t ns$i "babeld -D -I /tmp/ns$i/babeld.pid -G /tmp/ns$i/socket -S /tmp/ns1/state" Enter
+done
+
+for i in 2 3; do
+ tmux send-keys -t ns$i "nft -f $dir/firewall/restrict-http.conf" Enter
+done
+
+bash
+
+reset
+
+tmux kill-session
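Review bot: The babeld line in the last setup loop passes `-S /tmp/ns1/state` for every namespace, so four daemons share one state file; it should read `-S /tmp/ns$i/state` like the `-I` and `-G` arguments beside it. All per-namespace pid files, configs and bind-mount sources live under predictable names in world-writable /tmp, and reset() both `rm -rv`s `/tmp/ns*` and `pkill`s every vde_plug and babeld on the host while running as root, so a root-owned runtime directory from `mktemp -d` (or under /run) and killing only the PIDs this script started would confine the blast radius to the lab. `$0` and `$dir` are unquoted in `dir=$(dirname $(realpath $0))`, `exec tmux new-session $0` and the two `nft -f $dir/...` lines, so a checkout path containing spaces breaks the tmux re-exec and the nft loads; the `sudo` prefixes on the host-side vde0 setup are redundant once the EUID check has passed. Nothing enables `net.ipv4.ip_forward` or `net.ipv6.conf.all.forwarding`, so the NAT installed by nat.conf presumably only passes traffic on hosts where forwarding is already on — confirm, or add a sysctl step before the NAT load.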