Commit 694f30c9 authored by David Schmitz's avatar David Schmitz

feature/exabgp_with_docker-compose: extend docker container set to include...

feature/exabgp_with_docker-compose: extend docker container set to include attacker and victim container for test traffic to block
parent f75bcc1b
...@@ -13,7 +13,8 @@ services: ...@@ -13,7 +13,8 @@ services:
env_file: env_file:
- ./docker-compose/.env_fod - ./docker-compose/.env_fod
networks: networks:
fod: mgmt:
xfod:
ipv4_address: 10.197.36.2 ipv4_address: 10.197.36.2
volumes: volumes:
- ./:/opt/FOD - ./:/opt/FOD
...@@ -31,20 +32,80 @@ services: ...@@ -31,20 +32,80 @@ services:
env_file: env_file:
- ./docker-compose/.env_freertr - ./docker-compose/.env_freertr
networks: networks:
fod: mgmt:
ipv4_address: 10.197.36.3 nhost1:
ipv4_address: 10.1.10.3
nhost2:
ipv4_address: 10.2.10.3
xfod:
ipv4_address: 10.197.36.3
depends_on: depends_on:
- fod - fod
volumes: volumes:
- freertr:/opt - freertr:/opt
host1:
build:
context: docker-compose
dockerfile: Dockerfile_HOST1
container_name: host1
privileged: true
env_file:
- ./docker-compose/.env_host1
networks:
mgmt:
nhost1:
ipv4_address: 10.1.10.11
depends_on:
- fod
#volumes:
# - freertr:/opt
host2:
build:
context: docker-compose
dockerfile: Dockerfile_HOST2
container_name: host2
privileged: true
env_file:
- ./docker-compose/.env_host2
networks:
mgmt:
nhost2:
ipv4_address: 10.2.10.12
depends_on:
- fod
#volumes:
# - freertr:/opt
networks: networks:
fod: mgmt:
driver: bridge
ipam:
driver: default
config:
- subnet: 11.11.11.0/24
xfod:
driver: bridge driver: bridge
ipam: ipam:
driver: default driver: default
config: config:
- subnet: 10.197.36.0/28 - subnet: 10.197.36.0/28
nhost1:
driver: bridge
ipam:
driver: default
config:
- subnet: 10.1.10.0/24
nhost2:
driver: bridge
ipam:
driver: default
config:
- subnet: 10.2.10.0/24
volumes: volumes:
freertr: freertr:
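Review bot: In the new host1 and host2 service definitions `privileged: true` is far more than their Dockerfiles need — the only privileged operation they perform is `route add`, which requires CAP_NET_ADMIN alone, and a privileged container gets every capability plus raw device access, which is a lot of host reach to hand an image that ships hping3 and nmap. Replace `privileged: true` with `cap_add:` followed by `  - NET_ADMIN` on both services. The new `mgmt` bridge uses `11.11.11.0/24`, which is publicly routed space rather than RFC 1918; a private range such as `172.31.11.0/24` avoids the bridge shadowing real destinations from the host. The hunk spans only the `services`, `networks` and `volumes` stanzas shown; the top of the compose file is outside it.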
FROM debian:sid FROM debian:sid
LABEL maintainer="FOD" LABEL maintainer="FOD"
ENV DEBIAN_FRONTEND=noninteractive ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update -y && apt-get install -y locales wget netcat-openbsd less man vim RUN apt-get update -y && apt-get install -y locales wget netcat-openbsd less man vim iputils-ping strace ltrace
RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \ RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
dpkg-reconfigure --frontend=noninteractive locales && \ dpkg-reconfigure --frontend=noninteractive locales && \
update-locale LANG=en_US.UTF-8 update-locale LANG=en_US.UTF-8
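Review bot: The changed `apt-get install` line adds `strace` and `ltrace` to the router image, which means debugging/tracing tools are baked into the image that runs the data plane; on top of the floating `debian:sid` base this also makes every rebuild drift. If they are only needed while bringing up the compose setup, gate them behind a build argument or a separate debug stage, and end the RUN with `&& rm -rf /var/lib/apt/lists/*` so the package indexes are not persisted in the layer.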
#FROM floui/tiny-net-tools:latest
FROM ubuntu:latest
RUN apt-get update -yy && DEBIAN_FRONTEND="noninteractive" apt-get install -yy net-tools iputils-ping tcpdump tshark hping3 nmap iperf
#RUN ifconfig -a
#CMD /bin/sh -c 'route add default gw 10.1.10.3; while true; do sleep 1000000; done'
CMD /bin/sh -c 'route add -net 10.2.10.0/24 gw 10.1.10.3; while true; do sleep 1000000; done'
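Review bot: The `CMD` ignores the exit status of `route add` and then parks `/bin/sh` as PID 1 in a `while true; do sleep` loop, so a failed route (for example when NET_ADMIN is not granted) goes unnoticed and `docker stop` has to wait out its grace period because `sh` as PID 1 does not react to SIGTERM. Chain the two and exec the sleeper: `CMD /bin/sh -c 'route add -net 10.2.10.0/24 gw 10.1.10.3 && exec sleep infinity'` — a routing failure then shows up as a container exit and shutdown is immediate. `FROM ubuntu:latest` is unpinned as well; a release tag such as `ubuntu:22.04` keeps the hping3/nmap/tshark toolset reproducible between builds.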
#FROM floui/tiny-net-tools:latest
FROM ubuntu:latest
RUN apt-get update -yy && DEBIAN_FRONTEND="noninteractive" apt-get install -yy net-tools iputils-ping tcpdump tshark hping3 nmap iperf
#RUN ifconfig -a
#CMD /bin/sh -c 'route add default gw 10.2.10.3; while true; do sleep 1000000; done'
CMD /bin/sh -c 'route add -net 10.1.10.0/24 gw 10.2.10.3; while true; do sleep 1000000; done'
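Review bot: Dockerfile_HOST2 is identical to Dockerfile_HOST1 except for the network and gateway in the last `route add`, so two files are being maintained for one image. Since docker-compose already gives each host its own env_file, one Dockerfile can read the route from the environment: `CMD /bin/sh -c 'route add -net "$ROUTE_NET" gw "$ROUTE_GW" && exec sleep infinity'`, with `ROUTE_NET`/`ROUTE_GW` set in `.env_host1` and `.env_host2` (those files are not in this commit, so the variables would need adding there). The same PID-1 and unpinned-base remarks as for HOST1 apply here.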
= Build+Run FoD+Freertr+Attack/VictimHosts docker-compose
in FoD main dir of git checkout:
docker network prune # to be sure old network definitions are not conflicting
docker-compose build
docker-compose up
./docker-compose/freertr_disable_offload.sh
= Test Blocking of Attack traffic in running docker containers started by docker-compose
# test attack traffic from host1 to host2
docker exec -ti host1 ping 10.2.10.12
add rule to block icmp traffic from 10.1.10.11 to 10.2.10.12
# investigate status on freertr
docker exec -ti freertr telnet 127.1 2323
# run show command
docker exec -ti freertr sh -c '{ echo "show ipv4 bgp 1 flowspec database"; echo "show policy-map flowspec CORE ipv4"; echo exit; } | netcat 127.1 2323'
...@@ -76,6 +76,38 @@ interface loopback2 ...@@ -76,6 +76,38 @@ interface loopback2
no log-link-change no log-link-change
exit exit
! !
interface ethernet255
mgmt interface
vrf forwarding OOB
no shutdown
no log-link-change
exit
!
!
interface ethernet1
description link to host1
vrf forwarding CORE
ipv4 address 10.1.10.3 255.255.255.0
no shutdown
no log-link-change
exit
!
interface ethernet2
description link to host2
vrf forwarding CORE
ipv4 address 10.2.10.3 255.255.255.0
no shutdown
no log-link-change
exit
!
interface ethernet3
interface to FoD
vrf forwarding CORE
ipv4 address 10.197.36.3 255.255.255.0
no shutdown
no log-link-change
exit
!
!interface ethernet1 !interface ethernet1
! description veth pair end point to crian testbed ! description veth pair end point to crian testbed
! lldp enable ! lldp enable
...@@ -99,8 +131,8 @@ interface loopback2 ...@@ -99,8 +131,8 @@ interface loopback2
! exit ! exit
! !
router bgp4 1 router bgp4 1
!vrf CORE vrf CORE
vrf OOB !vrf OOB
local-as 1 local-as 1
router-id 4.4.4.1 router-id 4.4.4.1
no safe-ebgp no safe-ebgp
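Review bot: Under `interface ethernet255` and `interface ethernet3` the lines `mgmt interface` and `interface to FoD` are bare text, whereas the sibling ethernet1/ethernet2 stanzas use `description ...`; unless freertr accepts those tokens as commands they are presumably meant to be `description mgmt interface` and `description interface to FoD`, and a bare `interface to FoD` inside an interface block risks being parsed as a new interface statement. Also, ethernet3 is addressed `ipv4 address 10.197.36.3 255.255.255.0` while the `xfod` bridge created by docker-compose.yml in this same commit is `10.197.36.0/28`; use `255.255.255.240` so the router's connected route and the bridge agree. The second hunk moves `router bgp4 1` from `vrf OOB` to `vrf CORE`; the neighbor configuration that the session depends on lies outside the hunk, so confirm the FoD peer is still reached via ethernet3 in the CORE VRF.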
#!/bin/bash #!/bin/bash
IFINDEX=$(docker exec freertr cat /sys/class/net/eth0/iflink)
IFNAME=$(ip a | grep ^${IFINDEX} | awk -F\: '{print $2}' | awk -F\@ '{print $1}') set -x
ethtool -k $IFNAME | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K $IFNAME "$key" off; done
for container_interface in 0 1 2 3; do
#IFINDEX=$(docker exec freertr cat /sys/class/net/eth0/iflink)
IFINDEX=$(docker exec freertr cat "/sys/class/net/eth$container_interface/iflink")
IFNAME=$(ip a | grep ^${IFINDEX} | awk -F\: '{print $2}' | awk -F\@ '{print $1}')
ethtool -k $IFNAME | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K $IFNAME "$key" off; done
done
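Review bot: `grep ^${IFINDEX}` in the new loop matches by prefix, so an iflink of `1` also hits host interfaces `10:`, `11:` and so on, leaving `IFNAME` with several names or the wrong one; resolving four veths instead of one makes that collision likely. Match the ifindex column exactly, skip the iteration when no name is found, and quote `$IFNAME` so a lookup failure does not become `ethtool -k` with no argument (the leading space in the current awk output is only swallowed because the variable is unquoted). The script also runs `ethtool`/`docker exec` as the invoking user, so a short comment noting it must run as root on the compose host would help.
```shell
for container_interface in 0 1 2 3; do
  IFINDEX=$(docker exec freertr cat "/sys/class/net/eth$container_interface/iflink") || continue
  # `ip -o link` prints "<idx>: <name>@ifN: ..." — match the index column exactly
  IFNAME=$(ip -o link | awk -F'[: ]+' -v idx="$IFINDEX" '$1 == idx { sub(/@.*/, "", $2); print $2; exit }')
  [ -n "$IFNAME" ] || { echo "no host veth found for eth$container_interface" >&2; continue; }
  ethtool -k "$IFNAME" | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read -r key; do ethtool -K "$IFNAME" "$key" off; done
done
```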
#!/bin/bash #!/bin/bash
ethtool -k eth0 | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K eth0 "$key" off; done ethtool -k eth0 | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K eth0 "$key" off; done
ethtool -k eth1 | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K eth1 "$key" off; done
ethtool -k eth2 | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K eth2 "$key" off; done
ethtool -k eth3 | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read key; do ethtool -K eth3 "$key" off; done
/rtr/hwdet-init.sh /rtr/hwdet-init.sh
/rtr/hwdet-mgmt.sh /rtr/hwdet-mgmt.sh
ip addr flush dev eth1
ip addr flush dev eth2
ip addr flush dev eth3
exec java -Xmx1024m -jar /rtr/rtr.jar routerc /rtr/run/conf/rtr- exec java -Xmx1024m -jar /rtr/rtr.jar routerc /rtr/run/conf/rtr-
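Review bot: The four `ethtool` lines and the three `ip addr flush` lines are the same statement copy-pasted per interface; a loop keeps the offload logic in one place: `for dev in eth0 eth1 eth2 eth3; do ethtool -k "$dev" | awk '$2=="on" { sub(/:$/, "", $1); print $1; }' | while read -r key; do ethtool -K "$dev" "$key" off; done; done` and `for dev in eth1 eth2 eth3; do ip addr flush dev "$dev"; done`. The eth1/eth2/eth3 to nhost1/nhost2/xfod assignment appears to rely on compose attaching networks in name order (mgmt, nhost1, nhost2, xfod), which is not something the script checks; add a comment such as `# eth0=mgmt eth1=nhost1 eth2=nhost2 eth3=xfod — assumes compose attaches networks in name order; verify` so the next person knows why eth0 is not flushed. Flushing the kernel addresses on eth1-3 before `exec java` means the container itself loses reachability on those networks; presumably freertr takes them over, but say so in a comment.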