mirror of
https://github.com/firehol/firehol.git
synced 2024-06-28 18:02:33 +00:00
173 lines
5.3 KiB
Plaintext
173 lines
5.3 KiB
Plaintext
# This definition sets up a network according to the diagram below which
|
|
# covers a multitude of possible scenarios.
|
|
#
|
|
# Install graphviz to produce a nice graph:
|
|
# vnetbuild vnetbuild-complex.conf graphviz vnetbuild-complex.png
|
|
#
|
|
# To get iptables logs for "fw", ulogd must be installed. A sed command
|
|
# is configured which will create a custom logfile from the system standard
|
|
# /etc/ulogd.conf - this may need editing to match your system.
|
|
#
|
|
# Run:
|
|
# sudo vnetbuild vnetbuild.conf start
|
|
#
|
|
# A network namespace is created for each host and switch to keep everything
|
|
# isolated. You can apply different networking setups including routing,
|
|
# firewalling and QOS in every namespace. Add more "exec" commands to
|
|
# automate this at start time.
|
|
#
|
|
# Note that there are no virtual machines in use, all processing is done
|
|
# on the host but with separate views of what the network looks like.
|
|
#
|
|
# The name of a host or switch in the configuration is the name used for
|
|
# the namespace making it easy to use "ip netns exec" to specify where
|
|
# commands should run. Examples:
|
|
#
|
|
# Tcpdump traffic passing through a switch
|
|
# sudo ip netns exec sw0 tcpdump -i switch -w capfile
|
|
#
|
|
# Tcpdump traffic seen by a device on a host
|
|
# sudo ip netns exec host12 tcpdump -i veth0 -w capfile
|
|
#
|
|
# Ping "from" host01 (10.0.0.1) to host12 via switch sw0 and hosts fw and gw:
|
|
# sudo ip netns exec host01 ping 192.168.2.12
|
|
#
|
|
# Start netcat on port 23 of host52 to receive telnet:
|
|
# sudo ip netns exec host52 nc -l -p 23
|
|
#
|
|
# In a different terminal, telnet "from" host21 (10.0.0.1) to host52
|
|
# via fw, switches and bridges:
|
|
# sudo ip netns exec host21 telnet 10.45.45.52
|
|
#
|
|
# Start firehol in fw host namespace:
|
|
# sudo ip netns exec fw firehol some-firehol.conf start
|
|
#
|
|
# Panic firehol in fw host namespace (now previous commands are blocked):
|
|
# sudo ip netns exec fw firehol panic
|
|
#
|
|
# Key:
|
|
# hostname
|
|
# [device] (hosts have just a [veth0] unless otherwise noted)
|
|
# (switch)
|
|
#
|
|
# host21 +- host01 host41
|
|
# | | |
|
|
# | host22 +- host02 | host42
|
|
# | | | (sw0) | |
|
|
# | | . . . . . . . . | . . . . . . . . . | |
|
|
# | | . [veth0] . | |
|
|
# +-----+----[vbr0eth2] | [vbr1eth4]----+-----+
|
|
# (sw2) . | | fw | . (sw4)
|
|
# . + [vbr0]--+---[vbr1] + .
|
|
# (sw3) . | | | . (sw5)
|
|
# +-----+----[vbr0eth3] | [vbr1eth5]----+-----+
|
|
# | | . [veth1] . | |
|
|
# | | . . . . . . . . | . . . . . . . . . | |
|
|
# | | | (<direct>) | |
|
|
# | host31 [veth0] | host52
|
|
# | gw |
|
|
# host32 [veth1] [veth2] host51
|
|
# (<direct>) / \ (<direct>)
|
|
# host11 host12
|
|
|
|
host fw
|
|
dev veth0 10.0.0.254/24
|
|
dev veth1 10.1.1.254/24
|
|
dev vbr0eth2
|
|
dev vbr0eth3
|
|
dev vbr1eth4
|
|
dev vbr1eth5
|
|
bridgedev vbr0 vbr0eth2 vbr0eth3 10.23.23.254/24
|
|
pre_up vbr0 echo 2 > /sys/class/net/vbr0/bridge/stp_state
|
|
bridgedev vbr1 vbr1eth4 vbr1eth5 10.45.45.254/24
|
|
pre_up vbr1 echo 2 > /sys/class/net/vbr0/bridge/stp_state
|
|
route default via 10.1.1.253
|
|
exec echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
exec sed 's:/var/log/ulog/syslogemu.log:/var/log/ulog/fw.log:' /etc/ulogd.conf > $NSTMP/ulogd.conf
|
|
exec /usr/sbin/ulogd -d -c $NSTMP/ulogd.conf
|
|
|
|
host gw
|
|
dev veth0 fw/veth1 10.1.1.253/24
|
|
dev veth1 192.168.1.254/24
|
|
dev veth2 192.168.2.254/24
|
|
route default via 10.1.1.254
|
|
exec echo 1 > /proc/sys/net/ipv4/ip_forward
|
|
|
|
host host01
|
|
dev veth0 10.0.0.1/24
|
|
route default via 10.0.0.254
|
|
|
|
host host02
|
|
dev veth0 10.0.0.2/24
|
|
route default via 10.0.0.254
|
|
|
|
host host11
|
|
dev veth0 gw/veth1 192.168.1.11/24
|
|
route default via 192.168.1.254
|
|
|
|
host host12
|
|
dev veth0 gw/veth2 192.168.2.12/24
|
|
route default via 192.168.2.254
|
|
|
|
host host21
|
|
dev veth0 10.23.23.21/24
|
|
route default via 10.23.23.254
|
|
|
|
host host22
|
|
dev veth0 10.23.23.22/24
|
|
route default via 10.23.23.254
|
|
|
|
host host31
|
|
dev veth0 10.23.23.31/24
|
|
route default via 10.23.23.254
|
|
|
|
host host32
|
|
dev veth0 10.23.23.32/24
|
|
route default via 10.23.23.254
|
|
|
|
host host41
|
|
dev veth0 10.45.45.41/24
|
|
route default via 10.45.45.254
|
|
|
|
host host42
|
|
dev veth0 10.45.45.42/24
|
|
route default via 10.45.45.254
|
|
|
|
host host51
|
|
dev veth0 10.45.45.51/24
|
|
route default via 10.45.45.254
|
|
|
|
host host52
|
|
dev veth0 10.45.45.52/24
|
|
route default via 10.45.45.254
|
|
|
|
switch sw0
|
|
pre_up switch echo 2 > /sys/class/net/switch/bridge/stp_state
|
|
dev d01 fw/veth0
|
|
dev d02 host01/veth0
|
|
dev d03 host02/veth0
|
|
|
|
switch sw2
|
|
pre_up switch echo 2 > /sys/class/net/switch/bridge/stp_state
|
|
dev d01 fw/vbr0eth2
|
|
dev d02 host21/veth0
|
|
dev d03 host22/veth0
|
|
|
|
switch sw3
|
|
pre_up switch echo 2 > /sys/class/net/switch/bridge/stp_state
|
|
dev d01 fw/vbr0eth3
|
|
dev d02 host31/veth0
|
|
dev d03 host32/veth0
|
|
|
|
switch sw4
|
|
pre_up switch echo 2 > /sys/class/net/switch/bridge/stp_state
|
|
dev d01 fw/vbr1eth4
|
|
dev d02 host41/veth0
|
|
dev d03 host42/veth0
|
|
|
|
switch sw5
|
|
pre_up switch echo 2 > /sys/class/net/switch/bridge/stp_state
|
|
dev d01 fw/vbr1eth5
|
|
dev d02 host51/veth0
|
|
dev d03 host52/veth0
|