feature/exabgp_with_docker-compose: extend docker container set to include...

feature/exabgp_with_docker-compose: extend docker container set to include attacker and victim container for test traffic to block

feature/exabgp_with_docker-compose: extend docker container set to include...
031e7b17 · David Schmitz · 76b561fc · 031e7b17 · 031e7b17 · 031e7b17
Commit 031e7b17 authored 2 years ago by David Schmitz
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -13,7 +13,8 @@ services:
    env_file:
        - ./docker-compose/.env_fod
    networks:
-      fod:
+      mgmt:
+      xfod:
        ipv4_address: 10.197.36.2
    volumes:
        - ./:/opt/FOD
@@ -31,20 +32,80 @@ services:
    env_file:
        - ./docker-compose/.env_freertr
    networks:
-      fod:
-        ipv4_address: 10.197.36.3
+      mgmt:
+      nhost1:
+              ipv4_address: 10.1.10.3
+      nhost2:
+              ipv4_address: 10.2.10.3
+      xfod:
+              ipv4_address: 10.197.36.3
    depends_on:
        - fod
    volumes:
        - freertr:/opt

+  host1:
+    build:
+        context: docker-compose
+        dockerfile: Dockerfile_HOST1
+    container_name: host1
+    privileged: true
+    env_file:
+        - ./docker-compose/.env_host1
+    networks:
+      mgmt:
+      nhost1:
+             ipv4_address: 10.1.10.11
+    depends_on:
+        - fod
+    #volumes:
+    #    - freertr:/opt
+
+  host2:
+    build:
+        context: docker-compose
+        dockerfile: Dockerfile_HOST2
+    container_name: host2
+    privileged: true
+    env_file:
+        - ./docker-compose/.env_host2
+    networks:
+      mgmt:
+      nhost2:
+             ipv4_address: 10.2.10.12
+    depends_on:
+        - fod
+    #volumes:
+    #    - freertr:/opt
+
 networks:
-  fod:
+  mgmt:
+    driver: bridge
+    ipam:
+      driver: default
+      config:
+        - subnet: 11.11.11.0/24
+
+  xfod:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 10.197.36.0/28

+  nhost1:
+    driver: bridge
+    ipam:
+      driver: default
+      config:
+              - subnet: 10.1.10.0/24
+
+  nhost2:
+    driver: bridge
+    ipam:
+       driver: default
+       config:
+               - subnet: 10.2.10.0/24
+
 volumes:
  freertr:
--- a/docker-compose/.env_host1
+++ b/docker-compose/.env_host1
--- a/docker-compose/.env_host2
+++ b/docker-compose/.env_host2
--- a/docker-compose/Dockerfile_FREERTR
+++ b/docker-compose/Dockerfile_FREERTR
 FROM debian:sid
 LABEL maintainer="FOD"
 ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update -y && apt-get install -y locales wget netcat-openbsd less man vim
+RUN apt-get update -y && apt-get install -y locales wget netcat-openbsd less man vim iputils-ping strace ltrace
 RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
    dpkg-reconfigure --frontend=noninteractive locales && \
    update-locale LANG=en_US.UTF-8

--- a/docker-compose/Dockerfile_HOST1
+++ b/docker-compose/Dockerfile_HOST1
+
+#FROM floui/tiny-net-tools:latest
+FROM ubuntu:latest
+
+RUN apt-get update -yy && DEBIAN_FRONTEND="noninteractive" apt-get install -yy net-tools iputils-ping tcpdump tshark hping3 nmap iperf
+
+#RUN ifconfig -a
+
+#CMD /bin/sh -c 'route add default gw 10.1.10.3; while true; do sleep 1000000; done'
+CMD /bin/sh -c 'route add -net 10.2.10.0/24 gw 10.1.10.3; while true; do sleep 1000000; done'
+
--- a/docker-compose/Dockerfile_HOST2
+++ b/docker-compose/Dockerfile_HOST2
+
+#FROM floui/tiny-net-tools:latest
+FROM ubuntu:latest
+
+RUN apt-get update -yy && DEBIAN_FRONTEND="noninteractive" apt-get install -yy net-tools iputils-ping tcpdump tshark hping3 nmap iperf
+
+#RUN ifconfig -a
+
+#CMD /bin/sh -c 'route add default gw 10.2.10.3; while true; do sleep 1000000; done'
+CMD /bin/sh -c 'route add -net 10.1.10.0/24 gw 10.2.10.3; while true; do sleep 1000000; done'
+
--- a/docker-compose/README.txt
+++ b/docker-compose/README.txt
+
+= Build+Run FoD+Freertr+Attack/VictimHosts docker-compose
+
+in FoD main dir of git checkout:
+
+docker network prune # to be sure old network definitions are not conflicting
+docker-compose build
+docker-compose up 
+
+./docker-compose/freertr_disable_offload.sh
+
+= Test Blocking of Attack traffic in running docker containers started by docker-compose
+
+# test attack traffic from host1 to host2
+docker exec -ti host1 ping 10.2.10.12
+
+add rule to block icmp traffic from 10.1.10.11 to 10.2.10.12
+
+# investigate status on freertr
+docker exec -ti freertr telnet 127.1 2323
+
+# run show command
+docker exec -ti freertr sh -c '{ echo "show ipv4 bgp 1 flowspec database"; echo "show policy-map flowspec CORE ipv4"; echo exit; } | netcat 127.1 2323'
+
+
+
--- a/docker-compose/freertr.cfg
+++ b/docker-compose/freertr.cfg
@@ -76,6 +76,38 @@ interface loopback2
 no log-link-change
 exit
 !
+interface ethernet255
+ mgmt interface
+ vrf forwarding OOB
+ no shutdown
+ no log-link-change
+ exit
+!
+!
+interface ethernet1
+ description link to host1
+ vrf forwarding CORE
+ ipv4 address 10.1.10.3 255.255.255.0
+ no shutdown
+ no log-link-change
+ exit
+!
+interface ethernet2
+ description link to host2
+ vrf forwarding CORE
+ ipv4 address 10.2.10.3 255.255.255.0
+ no shutdown
+ no log-link-change
+ exit
+!
+interface ethernet3
+ interface to FoD
+ vrf forwarding CORE
+ ipv4 address 10.197.36.3 255.255.255.0
+ no shutdown
+ no log-link-change
+ exit
+!
 !interface ethernet1
 ! description veth pair end point to crian testbed
 ! lldp enable
@@ -99,8 +131,8 @@ interface loopback2
 ! exit
 !
 router bgp4 1
- !vrf CORE
- vrf OOB
+ vrf CORE
+ !vrf OOB
 local-as 1
 router-id 4.4.4.1
 no safe-ebgp

--- a/docker-compose/freertr_disable_offload.sh
+++ b/docker-compose/freertr_disable_offload.sh
 #!/bin/bash
-IFINDEX=$(docker exec freertr cat /sys/class/net/eth0/iflink)
-IFNAME=$(ip a | grep ^${IFINDEX} | awk -F\: '{print $2}' | awk -F\@ '{print $1}')
-ethtool -k $IFNAME | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K $IFNAME "$key" off; done
+
+set -x
+
+for container_interface in 0 1 2 3; do
+  #IFINDEX=$(docker exec freertr cat /sys/class/net/eth0/iflink)
+  IFINDEX=$(docker exec freertr cat "/sys/class/net/eth$container_interface/iflink")
+  IFNAME=$(ip a | grep ^${IFINDEX} | awk -F\: '{print $2}' | awk -F\@ '{print $1}')
+  ethtool -k $IFNAME | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K $IFNAME "$key" off; done
+done
+
--- a/docker-compose/freertr_setup_environment.sh
+++ b/docker-compose/freertr_setup_environment.sh
 #!/bin/bash

 ethtool -k eth0 | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K eth0 "$key" off; done
+ethtool -k eth1 | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K eth1 "$key" off; done
+ethtool -k eth2 | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K eth2 "$key" off; done
+ethtool -k eth3 | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K eth3 "$key" off; done

 /rtr/hwdet-init.sh

 /rtr/hwdet-mgmt.sh

+ip addr flush dev eth1
+ip addr flush dev eth2
+ip addr flush dev eth3
+
 exec java -Xmx1024m -jar /rtr/rtr.jar routerc /rtr/run/conf/rtr-