🎉 First working proof of concept
Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
This commit is contained in:
commit
4389fb0e6f
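--- a/firewall/nat.conf
+++ b/firewall/nat.conf
@@ -0,0 +1,16 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table ip nat {
+chain prerouting {
+type nat hook prerouting priority 0; policy accept;
+}
+
+chain postrouting {
+type nat hook postrouting priority 0; policy accept;
+
+ip saddr 10.2.1.0/30 masquerade;
+ip saddr 172.17.0.0/16 masquerade;
+}
+}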
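Review bot: The two masquerade rules in chain postrouting (`ip saddr 10.2.1.0/30 masquerade;` and `ip saddr 172.17.0.0/16 masquerade;`) are not bound to an output interface, so source NAT is applied on whatever interface the packet leaves, not only the host's uplink; if either range is also reachable through some other local interface, that traffic would be rewritten too. Restricting the rules to traffic that leaves the namespace side, e.g. `oifname != "vde0" ip saddr 172.17.0.0/16 masquerade`, keeps NAT to the uplink without hard-coding its name, which the page does not give. `flush ruleset` at the top also discards every table already loaded on the host, not only this one; since this file only defines `table ip nat`, a bare `table ip nat` declaration followed by `flush table ip nat` would reset just its own table, or a comment should state that the host ruleset is owned entirely by this file. The empty chain prerouting hooks into the packet path but holds no rules; a one-line comment saying it is reserved for future DNAT would make the intent clear.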
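--- a/firewall/restrict-http.conf
+++ b/firewall/restrict-http.conf
@@ -0,0 +1,17 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+chain input {
+type filter hook input priority 0;
+}
+chain forward {
+type filter hook forward priority 0; policy accept
+tcp dport { 80 } reject;
+accept
+}
+chain output {
+type filter hook output priority 0;
+}
+}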
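Review bot: `tcp dport { 80 } reject;` in chain forward uses the default reject, which answers with an ICMP port-unreachable rather than a TCP reset, so an HTTP client forwarded through ns2 or ns3 sees an error the stack may retry on instead of a clean connection refusal; `tcp dport { 80 } reject with tcp reset` is the usual form for TCP. The `accept` line that follows is redundant with `policy accept` on the same chain and can be dropped. chain input and chain output declare no `policy`, so they default to accept; writing `policy accept;` explicitly, as nat.conf does, would document that this namespace firewall intentionally filters only forwarded HTTP. Note that the rule matches port 80 only, so as the file name says this restricts plain HTTP and leaves HTTPS and HTTP on other ports untouched; a comment stating that scope would help.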
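--- a/start.sh
+++ b/start.sh
@@ -0,0 +1,114 @@
+#!/usr/bin/env bash
+
+if [[ $EUID -ne 0 ]]; then
+echo "This script must be run as root."
+exit 1
+fi
+
+# We are here
+dir=$(dirname $(realpath $0))
+
+# Wrap into a tmux shell if it not already the case
+tmux rename-session babel 2> /dev/null
+res=$?
+if ! [[ "$res" == 0 ]]; then
+exec tmux new-session $0
+exit 0
+fi
+
+tmux rename-window host
+
+function reset() {
+echo "Reset previous configuration..."
+pkill -e vde_plug
+pkill -e babeld
+rm -rv /tmp/switch* /tmp/ns*
+ip route delete 172.17.0.0/16
+ip -6 route delete 2a0c:700:3012:3::1:0/112
+ip -6 route delete 2a0c:700:3012:3::2:0/112
+nft flush ruleset
+}
+
+reset
+
+echo "Setup switches..."
+vde_plug --daemon switch:///tmp/ext null://
+vde_plug --daemon switch:///tmp/switch1 null://
+vde_plug --daemon switch:///tmp/switch2 null://
+
+# Connect to the exterior
+sudo vde_plug --daemon vde:///tmp/ext tap://vde0
+sudo ip link set dev vde0 up
+sudo ip address add 10.2.1.1/30 dev vde0
+sudo ip address add 2a0c:700:3012:3::ff:0/127 dev vde0
+
+# Setup NAT
+nft -f $dir/firewall/nat.conf
+
+for i in 1 2 3 4; do
+echo "Creating new namespace..."
+mkdir -p /tmp/ns$i/log
+tmux new-window -n ns$i "unshare --user --map-root-user --net --mount"
+tmux select-window -t host
+
+sleep 1
+
+echo "Configure ns$i..."
+
+tmux send-keys -t ns$i "echo \$\$ > /tmp/ns$i/pid" Enter
+if [[ $i -eq 1 ]]; then
+tmux send-keys -t ns$i "vde_plug --daemon vde:///tmp/ext tap://vde0" Enter
+sleep 0.3
+tmux send-keys -t ns$i "ip link set vde0 up" Enter
+tmux send-keys -t ns$i "ip address add 10.2.1.2/30 dev vde0" Enter
+tmux send-keys -t ns$i "ip address add 2a0c:700:3012:3::ff:1/127 dev vde0" Enter
+tmux send-keys -t ns$i "ip route add 0.0.0.0/1 via 10.2.1.1 dev vde0 proto kernel" Enter
+tmux send-keys -t ns$i "ip route add 128.0.0.0/1 via 10.2.1.1 dev vde0 proto kernel" Enter
+tmux send-keys -t ns$i "ip -6 route add 2000::/4 via 2a0c:700:3012:3::ff:0 dev vde0 proto kernel" Enter
+tmux send-keys -t ns$i "echo \"interface vde0 type wired\" >> /tmp/ns$i/babeld.conf" Enter
+tmux send-keys -t ns$i "echo \"redistribute metric 256\" >> /tmp/ns$i/babeld.conf" Enter
+fi
+
+tmux send-keys -t ns$i "mount --bind /tmp/ns$i/log /var/log" Enter
+done
+
+echo "Enable links..."
+
+# Switch 1: NS 1, 2, 3
+for i in 1 2 3; do
+tmux send-keys -t ns$i "vde_plug --daemon vde:///tmp/switch1 tap://vde1" Enter
+sleep 0.3
+tmux send-keys -t ns$i "ip link set vde1 up" Enter
+tmux send-keys -t ns$i "ip address add 172.17.1.$i/32 dev vde1" Enter
+tmux send-keys -t ns$i "ip address add 2a0c:700:3012:3::1:$i/128 dev vde1" Enter
+tmux send-keys -t ns$i "echo \"interface vde1 type wired\" >> /tmp/ns$i/babeld.conf" Enter
+done
+
+# Switch 2: NS 2, 3, 4
+for i in 2 3 4; do
+tmux send-keys -t ns$i "vde_plug --daemon vde:///tmp/switch2 tap://vde2" Enter
+sleep 0.3
+tmux send-keys -t ns$i "ip link set vde2 up" Enter
+tmux send-keys -t ns$i "ip address add 172.17.2.$i/32 dev vde2" Enter
+tmux send-keys -t ns$i "ip address add 2a0c:700:3012:3::2:$i/128 dev vde2" Enter
+tmux send-keys -t ns$i "echo \"interface vde2 type wired\" >> /tmp/ns$i/babeld.conf" Enter
+done
+
+ip route add 172.17.0.0/16 via 10.2.1.2
+ip -6 route add 2a0c:700:3012:3::1:0/112 via 2a0c:700:3012:3::ff:1
+ip -6 route add 2a0c:700:3012:3::2:0/112 via 2a0c:700:3012:3::ff:1
+
+for i in 1 2 3 4; do
+tmux send-keys -t ns$i "touch /etc/babeld.conf && mount --bind /tmp/ns$i/babeld.conf /etc/babeld.conf" Enter
+tmux send-keys -t ns$i "babeld -D -I /tmp/ns$i/babeld.pid -G /tmp/ns$i/socket -S /tmp/ns1/state" Enter
+done
+
+for i in 2 3; do
+tmux send-keys -t ns$i "nft -f $dir/firewall/restrict-http.conf" Enter
+done
+
+bash
+
+reset
+
+tmux kill-session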
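Review bot: The babeld launch in the last `for i in 1 2 3 4` loop passes `-S /tmp/ns1/state` for every namespace while the pid and socket paths use `$i`, so all four daemons point at ns1's state file; it should read `babeld -D -I /tmp/ns$i/babeld.pid -G /tmp/ns$i/socket -S /tmp/ns$i/state`. Running as root, the script also adopts whatever already exists at the predictable `/tmp/ns$i` and `/tmp/switch*` paths (`mkdir -p /tmp/ns$i/log`, `rm -rv /tmp/switch* /tmp/ns*`, then `mount --bind /tmp/ns$i/log /var/log` inside the namespace), so a directory pre-created there by another local user is silently reused and bind-mounted; creating the tree under a root-owned `mktemp -d` result, or refusing a pre-existing directory not owned by root, closes that. The `$0` and `$dir` expansions are unquoted (`dir=$(dirname $(realpath $0))`, `exec tmux new-session $0`, `nft -f $dir/firewall/nat.conf`) and break on paths containing spaces; `dir=$(dirname "$(realpath "$0")")` and `exec tmux new-session "$0"` are the quoted forms. The `exit 0` after `exec` is unreachable, and the root check at the top makes the four `sudo`-prefixed commands in the "Connect to the exterior" block redundant, so one of the two should go.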