Don't need gateways

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
This commit is contained in:
Yohann D'ANELLO 2021-06-14 17:46:11 +02:00
parent ef9773365b
commit 8f8bd941af
Signed by: ynerant
GPG Key ID: 3A75C55819C8CF85
3 changed files with 24 additions and 39 deletions

View File

@ -1,16 +0,0 @@
#!/usr/sbin/nft -f
flush ruleset
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
}
chain postrouting {
type nat hook postrouting priority 0; policy accept;
ip saddr 10.2.1.0/30 masquerade;
ip saddr 172.17.0.0/16 masquerade;
}
}

View File

@ -8,6 +8,8 @@ table inet filter {
} }
chain forward { chain forward {
type filter hook forward priority 0; policy accept type filter hook forward priority 0; policy accept
ip6 saddr fd00:42::/32 dport { 80 } reject;
ip6 daddr fd00:42::/32 dport { 80 } reject;
accept accept
} }
chain output { chain output {

View File

@ -21,12 +21,13 @@ tmux rename-window host
function reset() { function reset() {
echo "Reset previous configuration..." echo "Reset previous configuration..."
pkill -e babeld pkill -e babeld
pkill -KILL -e re6stnet pkill -e openvpn
pkill -e re6stnet
pkill -e vde_plug pkill -e vde_plug
rm -r run/* rm -r run/*
rm -rv $dir/switches rm -rv $dir/switches
ip route delete 172.17.0.0/16 ip route delete 172.17.1.0/24
nft flush ruleset ip route delete 172.17.2.0/24
} }
reset reset
@ -35,7 +36,7 @@ echo "Generate registry certificates..."
mkdir -p $dir/certs/registry mkdir -p $dir/certs/registry
[[ -f $dir/certs/registry/dh4096.pem ]] || openssl dhparam -out $dir/certs/registry/dh4096.pem 4096 [[ -f $dir/certs/registry/dh4096.pem ]] || openssl dhparam -out $dir/certs/registry/dh4096.pem 4096
[[ -f $dir/certs/registry/ca.key ]] || openssl genpkey -out $dir/certs/registry/ca.key -algorithm rsa -pkeyopt rsa_keygen_bits:4096 [[ -f $dir/certs/registry/ca.key ]] || openssl genpkey -out $dir/certs/registry/ca.key -algorithm rsa -pkeyopt rsa_keygen_bits:4096
[[ -f $dir/certs/registry/ca.crt ]] || openssl req -nodes -new -x509 -key $dir/certs/registry/ca.key -set_serial 0x12a0c07003012000300040001 -days 36500 -out $dir/certs/registry/ca.crt [[ -f $dir/certs/registry/ca.crt ]] || openssl req -nodes -new -x509 -key $dir/certs/registry/ca.key -set_serial 0x1fd000042 -days 36500 -out $dir/certs/registry/ca.crt
echo "Setup switches..." echo "Setup switches..."
mkdir switches mkdir switches
@ -47,30 +48,27 @@ vde_plug --daemon switch://$dir/switches/switch2 null://
sudo vde_plug --daemon vde://$dir/switches/ext tap://vde0 sudo vde_plug --daemon vde://$dir/switches/ext tap://vde0
sudo ip link set dev vde0 address 02:00:00:00:00:00 sudo ip link set dev vde0 address 02:00:00:00:00:00
sudo ip link set dev vde0 up sudo ip link set dev vde0 up
sudo ip address add 10.2.1.1/30 dev vde0 sudo ip address add 172.17.0.1/30 dev vde0
sleep 1 sleep 1
# Setup NAT
nft -f $dir/firewall/nat.conf
echo "Configure re6st registry..." echo "Configure re6st registry..."
mkdir -p $dir/states/host $dir/certs/host $dir/log/host $dir/run mkdir -p $dir/states/host $dir/certs/host $dir/log/host $dir/run
tmux split-window -t host -h re6st-registry --dh $dir/certs/registry/dh4096.pem --ca $dir/certs/registry/ca.crt --key $dir/certs/registry/ca.key --db $dir/states/host/registry.db --logfile $dir/log/host/registry.log --run $dir/run/registry.pid -4 10.2.1.1 -6 ::1 --prefix-length 16 tmux split-window -t host -h re6st-registry --dh $dir/certs/registry/dh4096.pem --ca $dir/certs/registry/ca.crt --key $dir/certs/registry/ca.key --db $dir/states/host/registry.db --logfile $dir/log/host/registry.log --run $dir/run/registry.pid -4 172.17.0.1 -6 ::1 --prefix-length 64
sleep 1 sleep 1
if ! [[ -f $dir/certs/host/cert.crt ]]; then if ! [[ -f $dir/certs/host/cert.crt ]]; then
echo "Generating certificates for host..." echo "Generating certificates for host..."
sqlite3 $dir/states/host/registry.db "INSERT INTO token VALUES(\"token\", \"ynerant@ynerant.fr\", 16, 1)" sqlite3 $dir/states/host/registry.db "INSERT INTO token VALUES(\"token\", \"ynerant@ynerant.fr\", 32, 1)"
sleep 1 sleep 1
re6st-conf --registry http://10.2.1.1 --dir $dir/certs/host --email ynerant@ynerant.fr --token token re6st-conf --registry http://172.17.0.1 --dir $dir/certs/host --email ynerant@ynerant.fr --token token
sleep 15 sleep 15
fi fi
tmux split-window -t host bash tmux split-window -t host bash
tmux send-keys -t host "re6stnet --registry http://10.2.1.1 --ip 10.2.1.1 --ca $dir/certs/host/ca.crt --cert $dir/certs/host/cert.crt --key $dir/certs/host/cert.key --state $dir/states/host --log $dir/log/host --run $dir/run/re6stnet-host.pid --gateway" Enter tmux send-keys -t host "re6stnet --registry http://172.17.0.1 --ip 172.17.0.1 --ca $dir/certs/host/ca.crt --cert $dir/certs/host/cert.crt --key $dir/certs/host/cert.key --state $dir/states/host --log $dir/log/host --run $dir/run/re6stnet-host.pid" Enter
tmux select-pane -t host -L tmux select-pane -t host -L
for i in 1 2 3 4; do for i in 1 2 3 4; do
echo "Creating new namespace..." echo "Creating new namespace..."
tmux new-window -n ns$i "unshare --net --mount" tmux new-window -n ns$i "unshare --net"
tmux select-window -t host tmux select-window -t host
sleep 1 sleep 1
@ -83,8 +81,7 @@ for i in 1 2 3 4; do
sleep 0.3 sleep 0.3
tmux send-keys -t ns$i "ip link set dev vde0 address 02:00:00:00:00:01" Enter tmux send-keys -t ns$i "ip link set dev vde0 address 02:00:00:00:00:01" Enter
tmux send-keys -t ns$i "ip link set dev vde0 up" Enter tmux send-keys -t ns$i "ip link set dev vde0 up" Enter
tmux send-keys -t ns$i "ip address add 10.2.1.2/30 dev vde0" Enter tmux send-keys -t ns$i "ip address add 172.17.0.2/30 dev vde0" Enter
tmux send-keys -t ns$i "ip route add default via 10.2.1.1 dev vde0 proto kernel" Enter
fi fi
done done
@ -97,7 +94,7 @@ for i in 1 2 3; do
tmux send-keys -t ns$i "ip link set dev vde1 address 02:00:00:00:01:0$i" Enter tmux send-keys -t ns$i "ip link set dev vde1 address 02:00:00:00:01:0$i" Enter
tmux send-keys -t ns$i "ip link set dev vde1 up" Enter tmux send-keys -t ns$i "ip link set dev vde1 up" Enter
tmux send-keys -t ns$i "ip address add 172.17.1.$i/24 dev vde1" Enter tmux send-keys -t ns$i "ip address add 172.17.1.$i/24 dev vde1" Enter
tmux send-keys -t ns$i "ip route add 10.2.1.0/24 via 172.17.1.1 dev vde1 proto kernel" Enter tmux send-keys -t ns$i "ip route add 172.17.0.0/30 via 172.17.1.1 dev vde1 proto kernel" Enter
done done
# Switch 2: NS 2, 3, 4 # Switch 2: NS 2, 3, 4
@ -109,9 +106,11 @@ for i in 2 3 4; do
tmux send-keys -t ns$i "ip address add 172.17.2.$i/24 dev vde2" Enter tmux send-keys -t ns$i "ip address add 172.17.2.$i/24 dev vde2" Enter
done done
tmux send-keys -t ns4 "ip route add 10.2.1.0/24 via 172.17.2.2 dev vde2 proto kernel" Enter # Add IPv4 routes to contact gateway
tmux send-keys -t ns4 "ip route add 10.2.1.0/24 via 172.17.2.3 dev vde2 proto kernel" Enter tmux send-keys -t ns4 "ip route add 172.17.0.0/30 via 172.17.2.2 dev vde2 proto kernel" Enter
ip route add 172.17.0.0/16 via 10.2.1.2 tmux send-keys -t ns1 "ip route add 172.17.2.0/24 via 172.17.1.2 dev vde1 proto kernel" Enter
ip route add 172.17.1.0/24 via 172.17.0.2
ip route add 172.17.2.0/24 via 172.17.0.2
# Restrict HTTP transport on node 2 # Restrict HTTP transport on node 2
tmux send-keys -t ns2 "nft -f $dir/firewall/restrict-http.conf" Enter tmux send-keys -t ns2 "nft -f $dir/firewall/restrict-http.conf" Enter
@ -120,15 +119,15 @@ for i in 1 2 3 4; do
mkdir -p $dir/certs/node$i $dir/states/node$i mkdir -p $dir/certs/node$i $dir/states/node$i
if ! [[ -f $dir/certs/node$i/cert.crt ]]; then if ! [[ -f $dir/certs/node$i/cert.crt ]]; then
echo "Generating certificates for node $i..." echo "Generating certificates for node $i..."
sqlite3 $dir/states/host/registry.db "INSERT INTO token VALUES(\"token\", \"ynerant@ynerant.fr\", 16, 1)" sqlite3 $dir/states/host/registry.db "INSERT INTO token VALUES(\"token\", \"ynerant@ynerant.fr\", 32, 1)"
sleep 1 sleep 1
re6st-conf --registry http://10.2.1.1 --dir $dir/certs/node$i --email ynerant@ynerant.fr --token token re6st-conf --registry http://172.17.0.1 --dir $dir/certs/node$i --email ynerant@ynerant.fr --token token
sleep 15 sleep 15
fi fi
tmux split-window -h -t ns$i nsenter -t `cat $dir/run/node$i.pid` --mount --net tmux split-window -h -t ns$i nsenter -t `cat $dir/run/node$i.pid` --net
subnet=1 subnet=1
if [[ $i == 4 ]]; then subnet=2; fi if [[ $i == 4 ]]; then subnet=2; fi
tmux send-keys -t ns$i "re6stnet --registry http://10.2.1.1 --ip 172.17.$subnet.$i --ca $dir/certs/node$i/ca.crt --cert $dir/certs/node$i/cert.crt --key $dir/certs/node$i/cert.key --state $dir/states/node$i --log $dir/log/node$i --run $dir/run/re6stnet-node$i.pid --default" Enter tmux send-keys -t ns$i "re6stnet --registry http://172.17.0.1 --ip 172.17.$subnet.$i --ca $dir/certs/node$i/ca.crt --cert $dir/certs/node$i/cert.crt --key $dir/certs/node$i/cert.key --state $dir/states/node$i --log $dir/log/node$i --run $dir/run/re6stnet-node$i.pid" Enter
tmux select-pane -t ns$i -L tmux select-pane -t ns$i -L
done done