From 031e7b17c1187b8aee6e7be0680b88c78b0efda6 Mon Sep 17 00:00:00 2001
From: David Schmitz <schmitz@lrz.de>
Date: Mon, 26 Jun 2023 14:47:38 +0000
Subject: [PATCH] feature/exabgp_with_docker-compose: extend docker container
 set to include attacker and victim container for test traffic to block

---
 docker-compose.yml                          | 69 +++++++++++++++++++--
 docker-compose/.env_host1                   |  0
 docker-compose/.env_host2                   |  0
 docker-compose/Dockerfile_FREERTR           |  2 +-
 docker-compose/Dockerfile_HOST1             | 11 ++++
 docker-compose/Dockerfile_HOST2             | 11 ++++
 docker-compose/README.txt                   | 26 ++++++++
 docker-compose/freertr.cfg                  | 36 ++++++++++-
 docker-compose/freertr_disable_offload.sh   | 13 +++-
 docker-compose/freertr_setup_environment.sh |  7 +++
 10 files changed, 165 insertions(+), 10 deletions(-)
 create mode 100644 docker-compose/.env_host1
 create mode 100644 docker-compose/.env_host2
 create mode 100644 docker-compose/Dockerfile_HOST1
 create mode 100644 docker-compose/Dockerfile_HOST2
 create mode 100644 docker-compose/README.txt

diff --git a/docker-compose.yml b/docker-compose.yml
index 549581d7..8c9ead0e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -13,7 +13,8 @@ services:
     env_file:
         - ./docker-compose/.env_fod
     networks:
-      fod:
+      mgmt:
+      xfod:
         ipv4_address: 10.197.36.2
     volumes:
         - ./:/opt/FOD
@@ -31,20 +32,80 @@ services:
     env_file:
         - ./docker-compose/.env_freertr
     networks:
-      fod:
-        ipv4_address: 10.197.36.3
+      mgmt:
+      nhost1:
+              ipv4_address: 10.1.10.3
+      nhost2:
+              ipv4_address: 10.2.10.3
+      xfod:
+              ipv4_address: 10.197.36.3
     depends_on:
         - fod
     volumes:
         - freertr:/opt
 
+  host1:
+    build:
+        context: docker-compose
+        dockerfile: Dockerfile_HOST1
+    container_name: host1
+    privileged: true
+    env_file:
+        - ./docker-compose/.env_host1
+    networks:
+      mgmt:
+      nhost1:
+             ipv4_address: 10.1.10.11
+    depends_on:
+        - fod
+    #volumes:
+    #    - freertr:/opt
+
+  host2:
+    build:
+        context: docker-compose
+        dockerfile: Dockerfile_HOST2
+    container_name: host2
+    privileged: true
+    env_file:
+        - ./docker-compose/.env_host2
+    networks:
+      mgmt:
+      nhost2:
+             ipv4_address: 10.2.10.12
+    depends_on:
+        - fod
+    #volumes:
+    #    - freertr:/opt
+
 networks:
-  fod:
+  mgmt:
+    driver: bridge
+    ipam:
+      driver: default
+      config:
+        - subnet: 11.11.11.0/24
+
+  xfod:
     driver: bridge
     ipam:
       driver: default
       config:
         - subnet: 10.197.36.0/28
 
+  nhost1:
+    driver: bridge
+    ipam:
+      driver: default
+      config:
+              - subnet: 10.1.10.0/24
+
+  nhost2:
+    driver: bridge
+    ipam:
+       driver: default
+       config:
+               - subnet: 10.2.10.0/24
+
 volumes:
   freertr:
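Review bot: `privileged: true` on the new host1 and host2 services grants far more than they use; the only privileged operation visible in their Dockerfiles is a `route add`, which needs `NET_ADMIN` alone, so `cap_add: [NET_ADMIN]` in place of `privileged: true` keeps the attacker/victim containers from being able to reach the host's devices and kernel. The `mgmt` subnet `11.11.11.0/24` is not private address space (11.0.0.0/8 is publicly allocated), so the host-side bridge shadows any real route to that range; unless that is deliberate, an RFC 1918 range such as `10.11.11.0/24` is safer. The `ipv4_address` entries under `nhost1`/`nhost2` are indented 13–15 spaces while the rest of the file uses 2-space steps; yamllint flags the inconsistency and it makes the nesting hard to read. Note also that `xfod` is a /28 here, so the freertr interface mask in freertr.cfg must agree for the two sides to have the same on-link view.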
diff --git a/docker-compose/.env_host1 b/docker-compose/.env_host1
new file mode 100644
index 00000000..e69de29b
diff --git a/docker-compose/.env_host2 b/docker-compose/.env_host2
new file mode 100644
index 00000000..e69de29b
diff --git a/docker-compose/Dockerfile_FREERTR b/docker-compose/Dockerfile_FREERTR
index 976bb4a7..e9c23db2 100644
--- a/docker-compose/Dockerfile_FREERTR
+++ b/docker-compose/Dockerfile_FREERTR
@@ -1,7 +1,7 @@
 FROM debian:sid
 LABEL maintainer="FOD"
 ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update -y && apt-get install -y locales wget netcat-openbsd less man vim
+RUN apt-get update -y && apt-get install -y locales wget netcat-openbsd less man vim iputils-ping strace ltrace
 RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
     dpkg-reconfigure --frontend=noninteractive locales && \
     update-locale LANG=en_US.UTF-8
diff --git a/docker-compose/Dockerfile_HOST1 b/docker-compose/Dockerfile_HOST1
new file mode 100644
index 00000000..9a6aa39b
--- /dev/null
+++ b/docker-compose/Dockerfile_HOST1
@@ -0,0 +1,11 @@
+
+#FROM floui/tiny-net-tools:latest
+FROM ubuntu:latest
+
+RUN apt-get update -yy && DEBIAN_FRONTEND="noninteractive" apt-get install -yy net-tools iputils-ping tcpdump tshark hping3 nmap iperf
+
+#RUN ifconfig -a
+
+#CMD /bin/sh -c 'route add default gw 10.1.10.3; while true; do sleep 1000000; done'
+CMD /bin/sh -c 'route add -net 10.2.10.0/24 gw 10.1.10.3; while true; do sleep 1000000; done'
+
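Review bot: The `CMD` on the last line keeps the container alive even when `route add` fails, because `;` discards its exit status, so a host1 without a route to 10.2.10.0/24 looks healthy and the README ping test fails for the wrong reason; `route add -net 10.2.10.0/24 gw 10.1.10.3 || exit 1` makes the failure visible. `route` needs `CAP_NET_ADMIN` at run time, which is presumably why the compose service is privileged; installing `iproute2` and using `ip route add 10.2.10.0/24 via 10.1.10.3` is the maintained equivalent and drops the dependency on legacy net-tools. `FROM ubuntu:latest` with an unpinned `apt-get install` means the attacker image changes under you on every rebuild; pinning the tag (e.g. `ubuntu:22.04`) and adding `--no-install-recommends && rm -rf /var/lib/apt/lists/*` gives a reproducible, smaller image. The gateway 10.1.10.3 is hard-coded and must match freertr's `nhost1` address in docker-compose.yml; a build `ARG` exported via `ENV` would make that coupling explicit.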
diff --git a/docker-compose/Dockerfile_HOST2 b/docker-compose/Dockerfile_HOST2
new file mode 100644
index 00000000..755d4ae8
--- /dev/null
+++ b/docker-compose/Dockerfile_HOST2
@@ -0,0 +1,11 @@
+
+#FROM floui/tiny-net-tools:latest
+FROM ubuntu:latest
+
+RUN apt-get update -yy && DEBIAN_FRONTEND="noninteractive" apt-get install -yy net-tools iputils-ping tcpdump tshark hping3 nmap iperf
+
+#RUN ifconfig -a
+
+#CMD /bin/sh -c 'route add default gw 10.2.10.3; while true; do sleep 1000000; done'
+CMD /bin/sh -c 'route add -net 10.1.10.0/24 gw 10.2.10.3; while true; do sleep 1000000; done'
+
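Review bot: This Dockerfile is identical to Dockerfile_HOST1 apart from the two addresses in the `CMD`, so every future change (pinning the base image, adding a tool, fixing error handling) has to be made twice. A single `Dockerfile_HOST` taking `ARG REMOTE_NET` and `ARG GW`, exported with `ENV` so the `CMD` can read them, and selected from docker-compose.yml via `build.args`, removes the duplication. Independently of that, the `; while true` after `route add` discards its exit status, so a missing route to 10.1.10.0/24 is never reported; `route add -net 10.1.10.0/24 gw 10.2.10.3 || exit 1` would surface it. As with host1, `route` needs `CAP_NET_ADMIN`, which `cap_add: [NET_ADMIN]` in the compose file provides without `privileged: true`.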
diff --git a/docker-compose/README.txt b/docker-compose/README.txt
new file mode 100644
index 00000000..37e43f17
--- /dev/null
+++ b/docker-compose/README.txt
@@ -0,0 +1,26 @@
+
+= Build+Run FoD+Freertr+Attack/VictimHosts docker-compose
+
+in FoD main dir of git checkout:
+
+docker network prune # to be sure old network definitions are not conflicting
+docker-compose build
+docker-compose up 
+
+./docker-compose/freertr_disable_offload.sh
+
+= Test Blocking of Attack traffic in running docker containers started by docker-compose
+
+# test attack traffic from host1 to host2
+docker exec -ti host1 ping 10.2.10.12
+
+add rule to block icmp traffic from 10.1.10.11 to 10.2.10.12
+
+# investigate status on freertr
+docker exec -ti freertr telnet 127.1 2323
+
+# run show command
+docker exec -ti freertr sh -c '{ echo "show ipv4 bgp 1 flowspec database"; echo "show policy-map flowspec CORE ipv4"; echo exit; } | netcat 127.1 2323'
+
+
+
diff --git a/docker-compose/freertr.cfg b/docker-compose/freertr.cfg
index 173a03ec..5b6d1a6d 100644
--- a/docker-compose/freertr.cfg
+++ b/docker-compose/freertr.cfg
@@ -76,6 +76,38 @@ interface loopback2
  no log-link-change
  exit
 !
+interface ethernet255
+ mgmt interface
+ vrf forwarding OOB
+ no shutdown
+ no log-link-change
+ exit
+!
+!
+interface ethernet1
+ description link to host1
+ vrf forwarding CORE
+ ipv4 address 10.1.10.3 255.255.255.0
+ no shutdown
+ no log-link-change
+ exit
+!
+interface ethernet2
+ description link to host2
+ vrf forwarding CORE
+ ipv4 address 10.2.10.3 255.255.255.0
+ no shutdown
+ no log-link-change
+ exit
+!
+interface ethernet3
+ interface to FoD
+ vrf forwarding CORE
+ ipv4 address 10.197.36.3 255.255.255.0
+ no shutdown
+ no log-link-change
+ exit
+!
 !interface ethernet1
 ! description veth pair end point to crian testbed
 ! lldp enable
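Review bot: ` interface to FoD` under `interface ethernet3` is missing the `description` keyword that the parallel `ethernet1`/`ethernet2` stanzas use, so freertr will presumably try to parse `interface` as a nested command rather than a label; it should read ` description interface to FoD`. The address on ethernet3 is configured with mask 255.255.255.0, but docker-compose.yml defines the `xfod` network as 10.197.36.0/28, so the router believes the whole /24 is on-link while the bridge only serves 16 addresses; `ipv4 address 10.197.36.3 255.255.255.240` matches the bridge. ` mgmt interface` under `ethernet255` is likewise not obviously a freertr command — worth confirming it is accepted rather than silently ignored, and adding a comment line (`! …`) explaining what ethernet255 is if it is intentional.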
@@ -99,8 +131,8 @@ interface loopback2
 ! exit
 !
 router bgp4 1
- !vrf CORE
- vrf OOB
+ vrf CORE
+ !vrf OOB
  local-as 1
  router-id 4.4.4.1
  no safe-ebgp
diff --git a/docker-compose/freertr_disable_offload.sh b/docker-compose/freertr_disable_offload.sh
index 23b0c358..0ae53649 100755
--- a/docker-compose/freertr_disable_offload.sh
+++ b/docker-compose/freertr_disable_offload.sh
@@ -1,4 +1,11 @@
 #!/bin/bash
-IFINDEX=$(docker exec freertr cat /sys/class/net/eth0/iflink)
-IFNAME=$(ip a | grep ^${IFINDEX} | awk -F\: '{print $2}' | awk -F\@ '{print $1}')
-ethtool -k $IFNAME | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K $IFNAME "$key" off; done
+
+set -x
+
+for container_interface in 0 1 2 3; do
+  #IFINDEX=$(docker exec freertr cat /sys/class/net/eth0/iflink)
+  IFINDEX=$(docker exec freertr cat "/sys/class/net/eth$container_interface/iflink")
+  IFNAME=$(ip a | grep ^${IFINDEX} | awk -F\: '{print $2}' | awk -F\@ '{print $1}')
+  ethtool -k $IFNAME | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K $IFNAME "$key" off; done
+done
+
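Review bot: `grep ^${IFINDEX}` on the IFNAME line is an unanchored prefix match, so an ifindex of 1 also matches `10:`, `11:`, …, and with four interfaces per loop iteration (plus the new host containers adding veths) a wrong host interface can be picked and have its offloads disabled; matching the whole index field fixes it. If `docker exec … cat` fails for a missing ethN, IFINDEX is empty and `grep ^` matches every line, so the failure should skip the iteration, and an empty IFNAME should not reach `ethtool -k ""`. `set -x` is debug tracing left enabled for every user of the script; it is better gated (`[ -n "$DEBUG" ] && set -x`) or removed. `$IFNAME` should also be quoted at the two `ethtool` call sites.
```shell
for container_interface in 0 1 2 3; do
  IFINDEX=$(docker exec freertr cat "/sys/class/net/eth$container_interface/iflink") || continue
  # match the whole ifindex field: "^1" would also match 10, 11, ...
  IFNAME=$(ip -o link | awk -v idx="$IFINDEX" -F': ' '$1 == idx { sub(/@.*/, "", $2); print $2 }')
  if [ -z "$IFNAME" ]; then
    echo "no host interface found for eth$container_interface (ifindex $IFINDEX)" >&2
    continue
  fi
  ethtool -k "$IFNAME" | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read -r key; do ethtool -K "$IFNAME" "$key" off; done
done
```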
diff --git a/docker-compose/freertr_setup_environment.sh b/docker-compose/freertr_setup_environment.sh
index 2acd1716..0d71f5fd 100755
--- a/docker-compose/freertr_setup_environment.sh
+++ b/docker-compose/freertr_setup_environment.sh
@@ -1,9 +1,16 @@
 #!/bin/bash
 
 ethtool -k eth0 | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K eth0 "$key" off; done
+ethtool -k eth1 | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K eth1 "$key" off; done
+ethtool -k eth2 | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K eth2 "$key" off; done
+ethtool -k eth3 | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K eth3 "$key" off; done
 
 /rtr/hwdet-init.sh
 
 /rtr/hwdet-mgmt.sh
 
+ip addr flush dev eth1
+ip addr flush dev eth2
+ip addr flush dev eth3
+
 exec java -Xmx1024m -jar /rtr/rtr.jar routerc /rtr/run/conf/rtr-
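Review bot: The three added `ethtool` lines are verbatim copies of the eth0 line with the device name changed; a loop, `for dev in eth0 eth1 eth2 eth3; do ethtool -k "$dev" | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read -r key; do ethtool -K "$dev" "$key" off; done; done`, covers all four and keeps the awk filter in one place. The `ip addr flush` lines presumably drop the addresses Docker assigned so that freertr can own eth1–eth3 with the addresses in freertr.cfg; a one-line comment such as `# drop Docker-assigned addresses; freertr configures eth1-3 itself` would save the next reader a guess. The whole arrangement relies on Docker attaching `nhost1`, `nhost2` and `xfod` as eth1, eth2 and eth3 in that order, which the compose file does not guarantee; that assumption deserves a comment, or the interfaces should be selected by their Docker-assigned address before the flush.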
-- 
GitLab