From b7603e7521aeab308ce54599619d2f9be291a924 Mon Sep 17 00:00:00 2001 
From: root
Date: Thu, 20 Aug 2020 23:01:52 +1000
Subject: [PATCH] Just before homework on bgp-intro
---
 H10/config | 11 -----
 H12/config | 11 -----
 H13/config | 6 ---
 H19/config | 25 ++++++++++
 H19/rootfs/etc/bird/bird.conf | 1 +
 H19/rootfs/etc/bird/bird6.conf | 1 +
 H19/rootfs/etc/hosts | 5 ++
 H19/rootfs/etc/network/interfaces | 14 ++++++
 H19/rootfs/etc/sysctl.conf | 79 +++++++++++++++++++++++++++++++
 H34/config | 25 ++++++++++
 H34/rootfs/etc/bird/bird.conf | 1 +
 H34/rootfs/etc/bird/bird6.conf | 1 +
 H34/rootfs/etc/hosts | 5 ++
 H34/rootfs/etc/network/interfaces | 14 ++++++
 H34/rootfs/etc/sysctl.conf | 79 +++++++++++++++++++++++++++++++
 H5/config | 11 -----
 H6/config | 25 ++++++++++
 H6/rootfs/etc/bird/bird.conf | 1 +
 H6/rootfs/etc/bird/bird6.conf | 1 +
 H6/rootfs/etc/hosts | 5 ++
 H6/rootfs/etc/network/interfaces | 14 ++++++
 H6/rootfs/etc/sysctl.conf | 79 +++++++++++++++++++++++++++++++
 H7/config | 25 ++++++++++
 H7/rootfs/etc/bird/bird.conf | 1 +
 H7/rootfs/etc/bird/bird6.conf | 1 +
 H7/rootfs/etc/hosts | 5 ++
 H7/rootfs/etc/network/interfaces | 14 ++++++
 H7/rootfs/etc/sysctl.conf | 79 +++++++++++++++++++++++++++++++
 H8/config | 11 -----
 R0/config | 33 +++++++++++++
 R0/rootfs/etc/bird/bird.conf | 26 ++++++++++
 R0/rootfs/etc/bird/bird6.conf | 25 ++++++++++
 R0/rootfs/etc/hosts | 5 ++
 R0/rootfs/etc/network/interfaces | 24 ++++++++++
 R0/rootfs/etc/sysctl.conf | 79 +++++++++++++++++++++++++++++++
 R1/config | 39 +++++----------
 R1/rootfs/etc/bird/bird.conf | 47 +++++-------------
 R1/rootfs/etc/bird/bird6.conf | 51 +++++++-------------
 R1/rootfs/etc/network/interfaces | 32 ++++++++-----
 R10/config | 33 +++++++++++++
 R10/rootfs/etc/bird/bird.conf | 59 +++++++++++++++++++++++
 R10/rootfs/etc/bird/bird6.conf | 54 +++++++++++++++++++++
 R10/rootfs/etc/hosts | 5 ++
 R10/rootfs/etc/network/interfaces | 24 ++++++++++
 R10/rootfs/etc/sysctl.conf | 79 +++++++++++++++++++++++++++++++
 R11/config | 33 +++++++++++++
 R11/rootfs/etc/bird/bird.conf | 26 ++++++++++
 R11/rootfs/etc/bird/bird6.conf | 25 ++++++++++
 R11/rootfs/etc/hosts | 5 ++
 R11/rootfs/etc/network/interfaces | 24 ++++++++++
 R11/rootfs/etc/sysctl.conf | 79 +++++++++++++++++++++++++++++++
 R12/config | 33 +++++++++++++
 R12/rootfs/etc/bird/bird.conf | 26 ++++++++++
 R12/rootfs/etc/bird/bird6.conf | 25 ++++++++++
 R12/rootfs/etc/hosts | 5 ++
 R12/rootfs/etc/network/interfaces | 24 ++++++++++
 R12/rootfs/etc/sysctl.conf | 79 +++++++++++++++++++++++++++++++
 R2/config | 27 -----------
 R3/config | 33 +++++++++++++
 R3/rootfs/etc/bird/bird.conf | 58 +++++++++++++++++++++++
 R3/rootfs/etc/bird/bird6.conf | 62 ++++++++++++++++++++++++
 R3/rootfs/etc/hosts | 5 ++
 R3/rootfs/etc/network/interfaces | 24 ++++++++++
 R3/rootfs/etc/sysctl.conf | 79 +++++++++++++++++++++++++++++++
 R5/config | 18 -------
 R6/config | 18 -------
 66 files changed, 1652 insertions(+), 221 deletions(-)
 create mode 100644 H19/config
 create mode 100644 H19/rootfs/etc/bird/bird.conf
 create mode 100644 H19/rootfs/etc/bird/bird6.conf
 create mode 100644 H19/rootfs/etc/hosts
 create mode 100644 H19/rootfs/etc/network/interfaces
 create mode 100644 H19/rootfs/etc/sysctl.conf
 create mode 100644 H34/config
 create mode 100644 H34/rootfs/etc/bird/bird.conf
 create mode 100644 H34/rootfs/etc/bird/bird6.conf
 create mode 100644 H34/rootfs/etc/hosts
 create mode 100644 H34/rootfs/etc/network/interfaces
 create mode 100644 H34/rootfs/etc/sysctl.conf
 create mode 100644 H6/config
 create mode 100644 H6/rootfs/etc/bird/bird.conf
 create mode 100644 H6/rootfs/etc/bird/bird6.conf
 create mode 100644 H6/rootfs/etc/hosts
 create mode 100644 H6/rootfs/etc/network/interfaces
 create mode 100644 H6/rootfs/etc/sysctl.conf
 create mode 100644 H7/config
 create mode 100644 H7/rootfs/etc/bird/bird.conf
 create mode 100644 H7/rootfs/etc/bird/bird6.conf
 create mode 100644 H7/rootfs/etc/hosts
 create mode 100644 H7/rootfs/etc/network/interfaces
 create mode 100644 H7/rootfs/etc/sysctl.conf
 create mode 100644 R0/config
 create mode 100644 R0/rootfs/etc/bird/bird.conf
 create mode 100644 R0/rootfs/etc/bird/bird6.conf
 create mode 100644 R0/rootfs/etc/hosts
 create mode 100644 R0/rootfs/etc/network/interfaces
 create mode 100644 R0/rootfs/etc/sysctl.conf
 create mode 100644 R10/config
 create mode 100644 R10/rootfs/etc/bird/bird.conf
 create mode 100644 R10/rootfs/etc/bird/bird6.conf
 create mode 100644 R10/rootfs/etc/hosts
 create mode 100644 R10/rootfs/etc/network/interfaces
 create mode 100644 R10/rootfs/etc/sysctl.conf
 create mode 100644 R11/config
 create mode 100644 R11/rootfs/etc/bird/bird.conf
 create mode 100644 R11/rootfs/etc/bird/bird6.conf
 create mode 100644 R11/rootfs/etc/hosts
 create mode 100644 R11/rootfs/etc/network/interfaces
 create mode 100644 R11/rootfs/etc/sysctl.conf
 create mode 100644 R12/config
 create mode 100644 R12/rootfs/etc/bird/bird.conf
 create mode 100644 R12/rootfs/etc/bird/bird6.conf
 create mode 100644 R12/rootfs/etc/hosts
 create mode 100644 R12/rootfs/etc/network/interfaces
 create mode 100644 R12/rootfs/etc/sysctl.conf
 create mode 100644 R3/config
 create mode 100644 R3/rootfs/etc/bird/bird.conf
 create mode 100644 R3/rootfs/etc/bird/bird6.conf
 create mode 100644 R3/rootfs/etc/hosts
 create mode 100644 R3/rootfs/etc/network/interfaces
 create mode 100644 R3/rootfs/etc/sysctl.conf
diff --git a/H10/config b/H10/config
index 93ad611..0f375ab 100644
--- a/H10/config
+++ b/H10/config
@@ -15,14 +15,3 @@ lxc.arch = amd64
 lxc.pty.max = 1024
 lxc.rootfs.path = btrfs:/var/lib/lxc/H10/rootfs
 lxc.uts.name = H10
-lxc.net.0.type = veth
-lxc.net.0.flags = up
-lxc.net.0.name = vlan1082
-lxc.net.0.veth.pair = h10.1082
-lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.0.hwaddr = 02:00:0a:08:02:0a
-lxc.net.0.ipv4.address = 10.8.2.10/24
-lxc.net.0.ipv4.gateway = 10.8.2.1
-lxc.net.0.ipv6.address = 2001:db8:2501:82::10/64
-lxc.net.0.ipv6.gateway = 2001:db8:2501:82::1
diff --git a/H12/config b/H12/config
index 39f9a69..63bc865 100644
--- a/H12/config
+++ b/H12/config
@@ -15,14 +15,3 @@ lxc.arch = amd64
 lxc.pty.max = 1024
 lxc.rootfs.path = btrfs:/var/lib/lxc/H12/rootfs
 lxc.uts.name = H12
-lxc.net.0.type = veth
-lxc.net.0.flags = up
-lxc.net.0.name = vlan1050
-lxc.net.0.veth.pair = h12.1050
-lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.0.hwaddr = 02:00:0a:32:01:0c
-lxc.net.0.ipv4.address = 10.50.1.12/24
-lxc.net.0.ipv4.gateway = 10.50.1.1
-lxc.net.0.ipv6.address = 2001:db8:2501:501::12/64
-lxc.net.0.ipv6.gateway = 2001:db8:2501:501::1
diff --git a/H13/config b/H13/config
index 5ef84ad..e5dd182 100644
--- a/H13/config
+++ b/H13/config
@@ -15,10 +15,4 @@ lxc.arch = amd64
 lxc.pty.max = 1024
 lxc.rootfs.path = btrfs:/var/lib/lxc/H13/rootfs
 lxc.uts.name = H13
-lxc.net.0.type = veth
-lxc.net.0.flags = up
-lxc.net.0.name = vlan1050
-lxc.net.0.veth.pair = h13.1050
-lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
diff --git a/H19/config b/H19/config
new file mode 100644
index 0000000..a4b7278
--- /dev/null
+++ b/H19/config
@@ -0,0 +1,25 @@
+# Template used to create this container: /usr/share/lxc/templates/lxc-debian
+# Parameters passed to the template: -r stretch
+# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
+# For additional config options, please look at lxc.container.conf(5)
+# Uncomment the following line to support nesting containers:
+#lxc.include = /usr/share/lxc/config/nesting.conf
+# (Be aware this has security implications)
+lxc.apparmor.profile = generated
+lxc.apparmor.allow_nesting = 1
+# Common configuration
+lxc.include = /usr/share/lxc/config/debian.common.conf
+# Container specific configuration
+lxc.tty.max = 4
+lxc.arch = amd64
+lxc.pty.max = 1024
+lxc.rootfs.path = btrfs:/var/lib/lxc/H19/rootfs
+lxc.uts.name = H19
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.name = vlan48
+lxc.net.0.veth.pair = h19.48
+lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
+lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
+lxc.net.0.hwaddr = 02:00:0a:28:34:13
diff --git a/H19/rootfs/etc/bird/bird.conf b/H19/rootfs/etc/bird/bird.conf
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/H19/rootfs/etc/bird/bird.conf
@@ -0,0 +1 @@
+
diff --git a/H19/rootfs/etc/bird/bird6.conf b/H19/rootfs/etc/bird/bird6.conf
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/H19/rootfs/etc/bird/bird6.conf
@@ -0,0 +1 @@
+
diff --git a/H19/rootfs/etc/hosts b/H19/rootfs/etc/hosts
new file mode 100644
index 0000000..72e1fd8
--- /dev/null
+++ b/H19/rootfs/etc/hosts
@@ -0,0 +1,5 @@
+127.0.0.1 localhost
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
diff --git a/H19/rootfs/etc/network/interfaces b/H19/rootfs/etc/network/interfaces
new file mode 100644
index 0000000..74e3c98
--- /dev/null
+++ b/H19/rootfs/etc/network/interfaces
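Review bot: `lxc.apparmor.allow_nesting = 1` is set two lines below a nesting include that stays commented out with its own warning about security implications, so the relaxation of the generated AppArmor profile appears to be unused; the same pair appears in the new H34/config, H6/config, H7/config and R0/config. Unless these containers are meant to run containers themselves, drop that line and keep only `lxc.apparmor.profile = generated`. If nesting is intended, a comment above it such as `# nesting allowed on purpose: <reason>` would tell the next reader it is not a leftover.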
@@ -0,0 +1,14 @@
+auto lo
+iface lo inet loopback
+
+auto vlan48
+iface vlan48 inet manual
+ up ip link set up dev vlan48
+ up ip addr add 10.40.52.19/21 brd + dev vlan48
+ up ip addr add 2001:db8:10:30::413/117 dev vlan48
+ up ip route add default via 10.40.48.1 dev vlan48
+ up ip route add default via 2001:db8:10:30::1 dev vlan48
+ down ip route -6 del default
+ down ip addr del 2001:db8:10:30::413/117 dev vlan48
+ down ip addr del 10.40.52.19/21 dev vlan48
+ down up link set down dev vlan48
diff --git a/H19/rootfs/etc/sysctl.conf b/H19/rootfs/etc/sysctl.conf
new file mode 100644
index 0000000..25809a1
--- /dev/null
+++ b/H19/rootfs/etc/sysctl.conf
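Review bot: The last line of the hunk, `down up link set down dev vlan48`, invokes `up` instead of `ip`, so the link is never set down and ifdown reports a failed command; it should read `down ip link set down dev vlan48`. The same slip is in the new interfaces files for H34 (vlan36), H6 (vlan2), H7 (vlan3) and R0 (vlan2 and vlan216). The `down` section also removes only the IPv6 default route explicitly; if the IPv4 default is expected to disappear with the address, a short comment saying so would save the next reader from checking.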
@@ -0,0 +1,79 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables.
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+net.ipv6.conf.all.forwarding=1
+
+net.ipv4.icmp_ratelimit = 0
+net.ipv6.icmp.ratelimit = 0
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+
+###################################################################
+# Magic system request Key
+# 0=disable, 1=enable all
+# Debian kernels have this set to 0 (disable the key)
+# See https://www.kernel.org/doc/Documentation/sysrq.txt
+# for what other values do
+#kernel.sysrq=1
+
+###################################################################
+# Protected links
+#
+# Protects against creating or following links under certain conditions
+# Debian kernels have both set to 1 (restricted)
+# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
+#fs.protected_hardlinks=0
+#fs.protected_symlinks=0
diff --git a/H34/config b/H34/config
new file mode 100644
index 0000000..1ae9f38
--- /dev/null
+++ b/H34/config
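Review bot: This sysctl.conf enables `net.ipv4.ip_forward=1` and `net.ipv6.conf.all.forwarding=1` on H19, which the new interfaces file sets up as a single-homed end host, and the identical file (same blob 25809a1) is added for H34, H6 and H7 as well as for router R0. Forwarding belongs on R0 only; for the hosts set `net.ipv4.ip_forward=0` and `net.ipv6.conf.all.forwarding=0`, and consider uncommenting `net.ipv4.conf.all.rp_filter=1` since each host has exactly one path. `net.ipv4.icmp_ratelimit = 0` and `net.ipv6.icmp.ratelimit = 0` switch off the kernel's ICMP rate limiting; presumably that is for lab measurements, and a comment above them saying so would make the intent explicit.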
@@ -0,0 +1,25 @@
+# Template used to create this container: /usr/share/lxc/templates/lxc-debian
+# Parameters passed to the template: -r stretch
+# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
+# For additional config options, please look at lxc.container.conf(5)
+# Uncomment the following line to support nesting containers:
+#lxc.include = /usr/share/lxc/config/nesting.conf
+# (Be aware this has security implications)
+lxc.apparmor.profile = generated
+lxc.apparmor.allow_nesting = 1
+# Common configuration
+lxc.include = /usr/share/lxc/config/debian.common.conf
+# Container specific configuration
+lxc.tty.max = 4
+lxc.arch = amd64
+lxc.pty.max = 1024
+lxc.rootfs.path = btrfs:/var/lib/lxc/H34/rootfs
+lxc.uts.name = H34
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.name = vlan36
+lxc.net.0.veth.pair = h34.36
+lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
+lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
+lxc.net.0.hwaddr = 02:00:0a:28:24:22
diff --git a/H34/rootfs/etc/bird/bird.conf b/H34/rootfs/etc/bird/bird.conf
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/H34/rootfs/etc/bird/bird.conf
@@ -0,0 +1 @@
+
diff --git a/H34/rootfs/etc/bird/bird6.conf b/H34/rootfs/etc/bird/bird6.conf
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/H34/rootfs/etc/bird/bird6.conf
@@ -0,0 +1 @@
+
diff --git a/H34/rootfs/etc/hosts b/H34/rootfs/etc/hosts
new file mode 100644
index 0000000..72e1fd8
--- /dev/null
+++ b/H34/rootfs/etc/hosts
@@ -0,0 +1,5 @@
+127.0.0.1 localhost
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
diff --git a/H34/rootfs/etc/network/interfaces b/H34/rootfs/etc/network/interfaces
new file mode 100644
index 0000000..166a8db
--- /dev/null
+++ b/H34/rootfs/etc/network/interfaces
@@ -0,0 +1,14 @@
+auto lo
+iface lo inet loopback
+
+auto vlan36
+iface vlan36 inet manual
+ up ip link set up dev vlan36
+ up ip addr add 10.40.36.34/24 brd + dev vlan36
+ up ip addr add 2001:db8:10:24::22/120 dev vlan36
+ up ip route add default via 10.40.36.1 dev vlan36
+ up ip route add default via 2001:db8:10:24::1 dev vlan36
+ down ip route -6 del default
+ down ip addr del 2001:db8:10:24::22/120 dev vlan36
+ down ip addr del 10.40.36.34/24 dev vlan36
+ down up link set down dev vlan36
diff --git a/H34/rootfs/etc/sysctl.conf b/H34/rootfs/etc/sysctl.conf
new file mode 100644
index 0000000..25809a1
--- /dev/null
+++ b/H34/rootfs/etc/sysctl.conf
@@ -0,0 +1,79 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables.
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+net.ipv6.conf.all.forwarding=1
+
+net.ipv4.icmp_ratelimit = 0
+net.ipv6.icmp.ratelimit = 0
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+
+###################################################################
+# Magic system request Key
+# 0=disable, 1=enable all
+# Debian kernels have this set to 0 (disable the key)
+# See https://www.kernel.org/doc/Documentation/sysrq.txt
+# for what other values do
+#kernel.sysrq=1
+
+###################################################################
+# Protected links
+#
+# Protects against creating or following links under certain conditions
+# Debian kernels have both set to 1 (restricted)
+# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
+#fs.protected_hardlinks=0
+#fs.protected_symlinks=0
diff --git a/H5/config b/H5/config
index 0761214..a4b40f5 100644
--- a/H5/config
+++ b/H5/config
@@ -15,14 +15,3 @@ lxc.arch = amd64
 lxc.pty.max = 1024
 lxc.rootfs.path = btrfs:/var/lib/lxc/H5/rootfs
 lxc.uts.name = H5
-lxc.net.0.type = veth
-lxc.net.0.flags = up
-lxc.net.0.name = vlan1034
-lxc.net.0.veth.pair = h5.1034
-lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.0.hwaddr = 02:00:0a:2b:02:05
-lxc.net.0.ipv4.address = 10.34.2.5/24
-lxc.net.0.ipv4.gateway = 10.34.2.1
-lxc.net.0.ipv6.address = 2001:db8:2501:342::5/64
-lxc.net.0.ipv6.gateway = 2001:db8:2501:342::1
diff --git a/H6/config b/H6/config
new file mode 100644
index 0000000..9e2fd8f
--- /dev/null
+++ b/H6/config
@@ -0,0 +1,25 @@
+# Template used to create this container: /usr/share/lxc/templates/lxc-debian
+# Parameters passed to the template: -r stretch
+# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
+# For additional config options, please look at lxc.container.conf(5)
+# Uncomment the following line to support nesting containers:
+#lxc.include = /usr/share/lxc/config/nesting.conf
+# (Be aware this has security implications)
+lxc.apparmor.profile = generated
+lxc.apparmor.allow_nesting = 1
+# Common configuration
+lxc.include = /usr/share/lxc/config/debian.common.conf
+# Container specific configuration
+lxc.tty.max = 4
+lxc.arch = amd64
+lxc.pty.max = 1024
+lxc.rootfs.path = btrfs:/var/lib/lxc/H6/rootfs
+lxc.uts.name = H6
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.name = vlan2
+lxc.net.0.veth.pair = h6.2
+lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
+lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
+lxc.net.0.hwaddr = 02:00:0a:28:02:06
diff --git a/H6/rootfs/etc/bird/bird.conf b/H6/rootfs/etc/bird/bird.conf
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/H6/rootfs/etc/bird/bird.conf
@@ -0,0 +1 @@
+
diff --git a/H6/rootfs/etc/bird/bird6.conf b/H6/rootfs/etc/bird/bird6.conf
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/H6/rootfs/etc/bird/bird6.conf
@@ -0,0 +1 @@
+
diff --git a/H6/rootfs/etc/hosts b/H6/rootfs/etc/hosts
new file mode 100644
index 0000000..72e1fd8
--- /dev/null
+++ b/H6/rootfs/etc/hosts
@@ -0,0 +1,5 @@
+127.0.0.1 localhost
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
diff --git a/H6/rootfs/etc/network/interfaces b/H6/rootfs/etc/network/interfaces
new file mode 100644
index 0000000..d0f6dd7
--- /dev/null
+++ b/H6/rootfs/etc/network/interfaces
@@ -0,0 +1,14 @@
+auto lo
+iface lo inet loopback
+
+auto vlan2
+iface vlan2 inet manual
+ up ip link set up dev vlan2
+ up ip addr add 10.40.2.6/24 brd + dev vlan2
+ up ip addr add 2001:db8:40:2::6/120 dev vlan2
+ up ip route add default via 10.40.2.1 dev vlan2
+ up ip route add default via 2001:db8:40:2::1 dev vlan2
+ down ip route -6 del default
+ down ip addr del 2001:db8:40:2::6/120 dev vlan2
+ down ip addr del 10.40.2.6/24 dev vlan2
+ down up link set down dev vlan2
diff --git a/H6/rootfs/etc/sysctl.conf b/H6/rootfs/etc/sysctl.conf
new file mode 100644
index 0000000..25809a1
--- /dev/null
+++ b/H6/rootfs/etc/sysctl.conf
@@ -0,0 +1,79 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables.
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+net.ipv6.conf.all.forwarding=1
+
+net.ipv4.icmp_ratelimit = 0
+net.ipv6.icmp.ratelimit = 0
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+
+###################################################################
+# Magic system request Key
+# 0=disable, 1=enable all
+# Debian kernels have this set to 0 (disable the key)
+# See https://www.kernel.org/doc/Documentation/sysrq.txt
+# for what other values do
+#kernel.sysrq=1
+
+###################################################################
+# Protected links
+#
+# Protects against creating or following links under certain conditions
+# Debian kernels have both set to 1 (restricted)
+# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
+#fs.protected_hardlinks=0
+#fs.protected_symlinks=0
diff --git a/H7/config b/H7/config
new file mode 100644
index 0000000..b4cdb78
--- /dev/null
+++ b/H7/config
@@ -0,0 +1,25 @@
+# Template used to create this container: /usr/share/lxc/templates/lxc-debian
+# Parameters passed to the template: -r stretch
+# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
+# For additional config options, please look at lxc.container.conf(5)
+# Uncomment the following line to support nesting containers:
+#lxc.include = /usr/share/lxc/config/nesting.conf
+# (Be aware this has security implications)
+lxc.apparmor.profile = generated
+lxc.apparmor.allow_nesting = 1
+# Common configuration
+lxc.include = /usr/share/lxc/config/debian.common.conf
+# Container specific configuration
+lxc.tty.max = 4
+lxc.arch = amd64
+lxc.pty.max = 1024
+lxc.rootfs.path = btrfs:/var/lib/lxc/H7/rootfs
+lxc.uts.name = H7
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.name = vlan3
+lxc.net.0.veth.pair = h7.3
+lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
+lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
+lxc.net.0.hwaddr = 02:00:0a:28:03:07
diff --git a/H7/rootfs/etc/bird/bird.conf b/H7/rootfs/etc/bird/bird.conf
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/H7/rootfs/etc/bird/bird.conf
@@ -0,0 +1 @@
+
diff --git a/H7/rootfs/etc/bird/bird6.conf b/H7/rootfs/etc/bird/bird6.conf
new file mode 100644
index 0000000..8b13789
--- /dev/null
+++ b/H7/rootfs/etc/bird/bird6.conf
@@ -0,0 +1 @@
+
diff --git a/H7/rootfs/etc/hosts b/H7/rootfs/etc/hosts
new file mode 100644
index 0000000..72e1fd8
--- /dev/null
+++ b/H7/rootfs/etc/hosts
@@ -0,0 +1,5 @@
+127.0.0.1 localhost
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
diff --git a/H7/rootfs/etc/network/interfaces b/H7/rootfs/etc/network/interfaces
new file mode 100644
index 0000000..307fed1
--- /dev/null
+++ b/H7/rootfs/etc/network/interfaces
@@ -0,0 +1,14 @@
+auto lo
+iface lo inet loopback
+
+auto vlan3
+iface vlan3 inet manual
+ up ip link set up dev vlan3
+ up ip addr add 10.40.3.7/24 brd + dev vlan3
+ up ip addr add 2001:db8:40:3::7/120 dev vlan3
+ up ip route add default via 10.40.3.1 dev vlan3
+ up ip route add default via 2001:db8:40:3::1 dev vlan3
+ down ip route -6 del default
+ down ip addr del 2001:db8:40:3::7/120 dev vlan3
+ down ip addr del 10.40.3.7/24 dev vlan3
+ down up link set down dev vlan3
diff --git a/H7/rootfs/etc/sysctl.conf b/H7/rootfs/etc/sysctl.conf
new file mode 100644
index 0000000..25809a1
--- /dev/null
+++ b/H7/rootfs/etc/sysctl.conf
@@ -0,0 +1,79 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables.
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+net.ipv6.conf.all.forwarding=1
+
+net.ipv4.icmp_ratelimit = 0
+net.ipv6.icmp.ratelimit = 0
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+
+###################################################################
+# Magic system request Key
+# 0=disable, 1=enable all
+# Debian kernels have this set to 0 (disable the key)
+# See https://www.kernel.org/doc/Documentation/sysrq.txt
+# for what other values do
+#kernel.sysrq=1
+
+###################################################################
+# Protected links
+#
+# Protects against creating or following links under certain conditions
+# Debian kernels have both set to 1 (restricted)
+# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
+#fs.protected_hardlinks=0
+#fs.protected_symlinks=0
diff --git a/H8/config b/H8/config
index ca1bfed..f91930e 100644
--- a/H8/config
+++ b/H8/config
@@ -15,14 +15,3 @@ lxc.arch = amd64
 lxc.pty.max = 1024
 lxc.rootfs.path = btrfs:/var/lib/lxc/H8/rootfs
 lxc.uts.name = H8
-lxc.net.0.type = veth
-lxc.net.0.flags = up
-lxc.net.0.name = vlan1356
-lxc.net.0.veth.pair = h8.1356
-lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.0.hwaddr = 02:00:0a:03:38:08
-lxc.net.0.ipv4.address = 10.3.56.8/24
-lxc.net.0.ipv4.gateway = 10.3.56.1
-lxc.net.0.ipv6.address = 2001:db8:2501:56::8/64
-lxc.net.0.ipv6.gateway = 2001:db8:2501:56::1
diff --git a/R0/config b/R0/config
new file mode 100644
index 0000000..47c7378
--- /dev/null
+++ b/R0/config
@@ -0,0 +1,33 @@
+# Template used to create this container: /usr/share/lxc/templates/lxc-debian
+# Parameters passed to the template: -r stretch
+# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
+# For additional config options, please look at lxc.container.conf(5)
+# Uncomment the following line to support nesting containers:
+#lxc.include = /usr/share/lxc/config/nesting.conf
+# (Be aware this has security implications)
+lxc.apparmor.profile = generated
+lxc.apparmor.allow_nesting = 1
+# Common configuration
+lxc.include = /usr/share/lxc/config/debian.common.conf
+# Container specific configuration
+lxc.tty.max = 4
+lxc.arch = amd64
+lxc.pty.max = 1024
+lxc.rootfs.path = btrfs:/var/lib/lxc/R0/rootfs
+lxc.uts.name = R0
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.name = vlan216
+lxc.net.0.veth.pair = r0.216
+lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
+lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
+lxc.net.0.hwaddr = 02:00:0a:28:d8:02
+
+lxc.net.1.type = veth
+lxc.net.1.flags = up
+lxc.net.1.name = vlan2
+lxc.net.1.veth.pair = r0.2
+lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
+lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
+lxc.net.1.hwaddr = 02:00:0a:28:02:01
diff --git a/R0/rootfs/etc/bird/bird.conf b/R0/rootfs/etc/bird/bird.conf
new file mode 100644
index 0000000..4df2e3b
--- /dev/null
+++ b/R0/rootfs/etc/bird/bird.conf
@@ -0,0 +1,26 @@
+router id 10.40.217.0;
+
+log "/var/log/bird/bird.log" all;
+debug protocols { states, routes, filters, interfaces }
+
+protocol kernel {
+ import none;
+ export all;
+}
+
+protocol device {
+ # defaults...
+}
+
+protocol ospf {
+ area 0 {
+ interface "lo" {
+ stub;
+ };
+ interface "vlan216" {
+ };
+ interface "vlan2" {
+ stub;
+ };
+ };
+}
diff --git a/R0/rootfs/etc/bird/bird6.conf b/R0/rootfs/etc/bird/bird6.conf
new file mode 100644
index 0000000..2480a21
--- /dev/null
+++ b/R0/rootfs/etc/bird/bird6.conf
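Review bot: In R0's bird.conf the OSPF `interface "vlan216"` block, the only non-stub interface and therefore the one that will form adjacencies, carries no authentication, so any speaker that reaches that VLAN can take part in area 0 and influence R0's routing table. BIRD 1.x accepts `authentication cryptographic;` together with `password "<shared-secret>";` inside the interface block; as far as I recall the OSPFv3 instance in bird6.conf has no equivalent option in that version, which is worth a comment there so the asymmetry is understood. Separately, `log "/var/log/bird/bird.log" all;` combined with `debug protocols { states, routes, filters, interfaces }` records every route and filter event; that is fine for a lab, but a comment stating it is deliberate would help whoever copies this file to the other routers.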
@@ -0,0 +1,25 @@
+router id 10.40.217.0;
+
+log "/var/log/bird/bird6.log" all;
+debug protocols { states, routes, filters, interfaces }
+
+protocol kernel {
+ import none;
+ export all;
+}
+
+protocol device {
+ # defaults...
+}
+
+protocol ospf {
+ area 0 {
+ # BIRD ignores the IPv6 lo because it has no link local address
+ stubnet 2001:db8:40::/128;
+ interface "vlan216" {
+ };
+ interface "vlan2" {
+ stub;
+ };
+ };
+}
diff --git a/R0/rootfs/etc/hosts b/R0/rootfs/etc/hosts
new file mode 100644
index 0000000..72e1fd8
--- /dev/null
+++ b/R0/rootfs/etc/hosts
@@ -0,0 +1,5 @@
+127.0.0.1 localhost
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
diff --git a/R0/rootfs/etc/network/interfaces b/R0/rootfs/etc/network/interfaces
new file mode 100644
index 0000000..5e322c2
--- /dev/null
+++ b/R0/rootfs/etc/network/interfaces
@@ -0,0 +1,24 @@
+auto lo
+iface lo inet loopback
+ up ip addr add 10.40.217.0/32 dev lo
+ up ip addr add 2001:db8:40:: dev lo
+ down ip addr del 2001:db8:40:: dev lo
+ down ip addr del 10.40.217.0/32 dev lo
+
+auto vlan2
+iface vlan2 inet manual
+ up ip link set up dev vlan2
+ up ip addr add 10.40.2.1/24 brd + dev vlan2
+ up ip addr add 2001:db8:40:2::1/120 dev vlan2
+ down ip addr del 2001:db8:40:2::1/120 dev vlan2
+ down ip addr del 10.40.2.1/24 dev vlan2
+ down up link set down dev vlan2
+
+auto vlan216
+iface vlan216 inet manual
+ up ip link set up dev vlan216
+ up ip addr add 10.40.216.2/28 brd + dev vlan216
+ up ip addr add 2001:db8:40:d8::2/120 dev vlan216
+ down ip addr del 2001:db8:40:d8::2/120 dev vlan216
+ down ip addr del 10.40.216.2/28 dev vlan216
+ down up link set down dev vlan216
diff --git a/R0/rootfs/etc/sysctl.conf b/R0/rootfs/etc/sysctl.conf
new file mode 100644
index 0000000..25809a1
--- /dev/null
+++ b/R0/rootfs/etc/sysctl.conf
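Review bot: In R0's interfaces file the loopback IPv6 address is added as `2001:db8:40::` with no prefix length, while the IPv4 line beside it says `/32` and bird6.conf announces the same address as `stubnet 2001:db8:40::/128`; make the length explicit in both the `up` and `down` lines, `up ip addr add 2001:db8:40::/128 dev lo`. iproute2 presumably assumes a host-length prefix here, but the explicit form keeps the three files in agreement and makes the OSPF stubnet obviously match what is configured on lo.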
@@ -0,0 +1,79 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables.
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+net.ipv6.conf.all.forwarding=1
+
+net.ipv4.icmp_ratelimit = 0
+net.ipv6.icmp.ratelimit = 0
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+
+###################################################################
+# Magic system request Key
+# 0=disable, 1=enable all
+# Debian kernels have this set to 0 (disable the key)
+# See https://www.kernel.org/doc/Documentation/sysrq.txt
+# for what other values do
+#kernel.sysrq=1
+
+###################################################################
+# Protected links
+#
+# Protects against creating or following links under certain conditions
+# Debian kernels have both set to 1 (restricted)
+# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
+#fs.protected_hardlinks=0
+#fs.protected_symlinks=0
diff --git a/R1/config b/R1/config
index 160c08e..91ef9f6 100644
--- a/R1/config
+++ b/R1/config
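Review bot: `net.ipv4.icmp_ratelimit = 0` and `net.ipv6.icmp.ratelimit = 0` in the new sysctl.conf switch off the kernel's ICMP error rate limiting on a forwarding node, so a stream of undeliverable or expiring packets makes the router emit an unbounded stream of unreachable/time-exceeded replies instead of a bounded one. If the purpose is complete traceroute output in the lab, record that next to the two lines, e.g. `# lab only: unthrottled ICMP errors so traceroute shows every hop`; otherwise leave the kernel default in place. The identical sysctl.conf is added for R10, R11 and R12 in this commit, so whichever is chosen applies to all four.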
@@ -15,39 +15,22 @@ lxc.arch = amd64
 lxc.pty.max = 1024
 lxc.rootfs.path = btrfs:/var/lib/lxc/R1/rootfs
 lxc.uts.name = R1
+
+
+
+
 lxc.net.0.type = veth
 lxc.net.0.flags = up
-lxc.net.0.name = vlan1001
-lxc.net.0.veth.pair = r1.1001
+lxc.net.0.name = vlan216
+lxc.net.0.veth.pair = r1.216
 lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
 lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.0.hwaddr = 02:00:0a:00:01:05
-lxc.net.0.ipv4.address = 10.0.1.5/24
-lxc.net.0.ipv6.address = 2001:db8:2501:1::5/64
+lxc.net.0.hwaddr = 02:00:0a:28:d8:03
+
 lxc.net.1.type = veth
 lxc.net.1.flags = up
-lxc.net.1.name = vlan1012
-lxc.net.1.veth.pair = r1.1012
+lxc.net.1.name = vlan3
+lxc.net.1.veth.pair = r1.3
 lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
 lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.1.hwaddr = 02:00:0a:01:02:07
-lxc.net.1.ipv4.address = 10.1.2.7/24
-lxc.net.1.ipv6.address = 2001:db8:2501:2::7/64
-lxc.net.2.type = veth
-lxc.net.2.flags = up
-lxc.net.2.name = vlan1356
-lxc.net.2.veth.pair = r1.1356
-lxc.net.2.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.2.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.2.hwaddr = 02:00:0a:03:38:01
-lxc.net.2.ipv4.address = 10.3.56.1/24
-lxc.net.2.ipv6.address = 2001:db8:2501:56::1/64
-
-
-lxc.net.3.type = veth
-lxc.net.3.name = vlan10
-lxc.net.3.veth.pair = r1.10
-lxc.net.3.flags = up
-lxc.net.3.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.3.script.down = /etc/lxc/lxc-openvswitch
-
+lxc.net.1.hwaddr = 02:00:0a:28:03:01
diff --git a/R1/rootfs/etc/bird/bird.conf b/R1/rootfs/etc/bird/bird.conf
index 1eaf253..97f6810 100644
--- a/R1/rootfs/etc/bird/bird.conf
+++ b/R1/rootfs/etc/bird/bird.conf
@@ -1,47 +1,26 @@ -router id 10.9.99.1; +router id 10.40.217.1; log "/var/log/bird/bird.log" all; debug protocols { states, routes, filters, interfaces } protocol kernel { - #import none; + import none; export all; - learn; - preference 254; } protocol device { # defaults... - scan time 10; } -protocol direct { - interface "vlan10"; -} - -filter ospfexport { - if (source = RTS_DEVICE) || (net = 0.0.0.0/0) - then accept; - else reject; -}; - protocol ospf { - export filter ospfexport; - import all; - area 0 { - interface "lo" { - stub; - }; - interface "vlan1001" { - }; - interface "vlan1012" { - }; - interface "vlan1356" { - stub; - }; - interface "vlan10" { - type broadcast; - }; - }; -}; - + area 0 { + interface "lo" { + stub; + }; + interface "vlan216" { + }; + interface "vlan3" { + stub; + }; + }; +} diff --git a/R1/rootfs/etc/bird/bird6.conf b/R1/rootfs/etc/bird/bird6.conf index 75c2366..2884961 100644 --- a/R1/rootfs/etc/bird/bird6.conf +++ b/R1/rootfs/etc/bird/bird6.conf @@ -1,47 +1,30 @@ -router id 10.9.99.1; +router id 10.40.217.1; -log "/var/log/bird/bird.log" all; +log "/var/log/bird/bird6.log" all; debug protocols { states, routes, filters, interfaces } protocol kernel { - #import none; + import none; export all; - learn; - preference 254; } protocol device { # defaults... - scan time 10; -} - -protocol direct { - interface "vlan10"; -} - -filter ospfexport { - if (source = RTS_DEVICE) || (net = ::/0) - then accept; - else reject; } protocol ospf { - export filter ospfexport; - import all; - area 0 { - interface "lo" { - stub; - }; - interface "vlan1001" { - }; - interface "vlan1012" { - }; - interface "vlan1356" { - stub; - }; - interface "vlan10" { - type broadcast; - }; - }; -}; + area 0 { + # BIRD ignores the IPv6 lo because it has no link local address + stubnet 2001:db8:40::1/128; + interface "vlan216" { + }; + interface "vlan3" { + stub; + }; + }; +} +protocol bgp ibgp_r3 { + local 2001:db8:40::1 as 64080; + neighbor 2001:db8:40::3 as 64080; +} 
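Review bot: `protocol bgp ibgp_r3` added at the end of the R1 bird6.conf hunk states no import or export policy, so the session runs on BIRD's defaults (import all, export none), while its peer `ibgp_r1` on R3 spells both out. Making the policy explicit on this side too — `import all;` and `export none;` inside the block — documents what R1 is meant to learn and announce and prevents a later edit from silently turning it into a route source. The IPv4 bird.conf hunk on R1 gets no iBGP counterpart; that asymmetry is presumably the pending homework, but a comment saying so in bird.conf would save the next reader from looking for a missing block.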
diff --git a/R1/rootfs/etc/network/interfaces b/R1/rootfs/etc/network/interfaces index eb610d0..c91200d 100644 --- a/R1/rootfs/etc/network/interfaces +++ b/R1/rootfs/etc/network/interfaces @@ -1,16 +1,24 @@ auto lo iface lo inet loopback - up ip addr add 10.9.99.1/32 dev lo - down ip addr del 10.9.99.1/32 dev lo + up ip addr add 10.40.217.1/32 dev lo + up ip addr add 2001:db8:40::1 dev lo + down ip addr del 2001:db8:40::1 dev lo + down ip addr del 10.40.217.1/32 dev lo -iface vlan10 inet manual - pre-up iptables-restore < /etc/network/firewall - up ip link set up dev vlan10 - up ip addr add 198.51.100.13/26 brd + dev vlan10 - up ip route add default via 198.51.100.1 dev vlan10 - up ip -6 addr add 2001:db8:1998::19/120 dev vlan10 - up ip -6 route add default via 2001:db8:1998::1 dev vlan10 - down ip addr del 198.51.100.19/26 dev vlan10 - down ip -6 addr del 2001:db8:1998::19/120 dev vlan10 - down ip link set down dev vlan10 +auto vlan3 +iface vlan3 inet manual + up ip link set up dev vlan3 + up ip addr add 10.40.3.1/24 brd + dev vlan3 + up ip addr add 2001:db8:40:3::1/120 dev vlan3 + down ip addr del 2001:db8:40:3::1/120 dev vlan3 + down ip addr del 10.40.3.1/24 dev vlan3 + down up link set down dev vlan3 +auto vlan216 +iface vlan216 inet manual + up ip link set up dev vlan216 + up ip addr add 10.40.216.3/28 brd + dev vlan216 + up ip addr add 2001:db8:40:d8::3/120 dev vlan216 + down ip addr del 2001:db8:40:d8::3/120 dev vlan216 + down ip addr del 10.40.216.3/28 dev vlan216 + down up link set down dev vlan216 diff --git a/R10/config b/R10/config new file mode 100644 index 0000000..251c4a9 --- /dev/null +++ b/R10/config 
@@ -0,0 +1,33 @@
+# Template used to create this container: /usr/share/lxc/templates/lxc-debian
+# Parameters passed to the template: -r stretch
+# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
+# For additional config options, please look at lxc.container.conf(5)
+# Uncomment the following line to support nesting containers:
+#lxc.include = /usr/share/lxc/config/nesting.conf
+# (Be aware this has security implications)
+lxc.apparmor.profile = generated
+lxc.apparmor.allow_nesting = 1
+# Common configuration
+lxc.include = /usr/share/lxc/config/debian.common.conf
+# Container specific configuration
+lxc.tty.max = 4
+lxc.arch = amd64
+lxc.pty.max = 1024
+lxc.rootfs.path = btrfs:/var/lib/lxc/R10/rootfs
+lxc.uts.name = R10
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.name = vlan33
+lxc.net.0.veth.pair = r10.33
+lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
+lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
+lxc.net.0.hwaddr = 02:00:0a:28:21:01
+
+lxc.net.1.type = veth
+lxc.net.1.flags = up
+lxc.net.1.name = vlan217
+lxc.net.1.veth.pair = r10.217
+lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
+lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
+lxc.net.1.hwaddr = 02:00:0a:28:d9:11
diff --git a/R10/rootfs/etc/bird/bird.conf b/R10/rootfs/etc/bird/bird.conf
new file mode 100644
index 0000000..a6ccfd0
--- /dev/null
+++ b/R10/rootfs/etc/bird/bird.conf
@@ -0,0 +1,59 @@
+router id 10.40.32.10;
+
+log "/var/log/bird/bird.log" all;
+debug protocols { states, routes, filters, interfaces }
+
+protocol kernel {
+ import none;
+ export all;
+}
+
+protocol device {
+ # defaults...
+}
+
+protocol ospf {
+ area 0 {
+ interface "lo" {
+ stub;
+ };
+ interface "vlan33" {
+ };
+ interface "vlan217" {
+ stub;
+ };
+ };
+}
+
+##############################################################################
+# eBGP R3
+#
+
+table t_r3;
+
+protocol static originate_to_r3 {
+ table t_r3;
+ import all; # originate here
+ route 10.40.0.0/22 blackhole;
+ route 10.40.216.0/21 blackhole;
+}
+
+protocol bgp ebgp_r3 {
+ table t_r3;
+ neighbor 10.40.217.17 as 64080;
+ local 10.40.217.18 as 65033;
+ import filter {
+ if net ~ [ 10.0.0.0/8{19,24} ] then accept;
+ reject;
+ };
+ import keep filtered on;
+ export where source = RTS_STATIC;
+}
+
+protocol pipe p_master_to_r3 {
+ table master;
+ peer table t_r3;
+ import where source = RTS_BGP;
+ export none;
+}
+
diff --git a/R10/rootfs/etc/bird/bird6.conf b/R10/rootfs/etc/bird/bird6.conf
new file mode 100644
index 0000000..ff4085d
--- /dev/null
+++ b/R10/rootfs/etc/bird/bird6.conf
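Review bot: The `originate_to_r3` static block in the new R10 bird.conf announces `10.40.0.0/22` and `10.40.216.0/21` from AS 65033, yet those are exactly the prefixes R3 (AS 64080) originates in its own `originate_to_r10` block in this commit, and they cover R3's side of the lab (vlan216, the 10.40.217.x loopbacks, the R0/R1 stub networks). R10's own addressing sits elsewhere — router id 10.40.32.10, vlan33 10.40.33.0/26, R11's 10.40.48.0/21 — and the bird6.conf counterpart correctly originates R10's `2001:db8:10::/48`, so the IPv4 routes look copied from R3's file. Since R3's import filter accepts any 10/8 subnet of length 19–24, R3 would install these routes towards R10 and send traffic for its own aggregates the wrong way, which is an accidental prefix hijack. Replace the two `route … blackhole;` lines with R10's own aggregate, for example `route 10.40.32.0/19 blackhole;` (constructed; confirm against the addressing plan).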
@@ -0,0 +1,54 @@
+router id 10.40.32.10;
+
+log "/var/log/bird/bird6.log" all;
+debug protocols { states, routes, filters, interfaces }
+
+protocol kernel {
+ import none;
+ export all;
+}
+
+protocol device {
+ # defaults...
+}
+
+protocol ospf {
+ area 0 {
+ # BIRD ignores the IPv6 lo because it has no link local address
+ stubnet 2001:db8:10:6::a/128;
+ interface "vlan33" {
+ };
+ interface "vlan217" {
+ stub;
+ };
+ };
+}
+
+##############################################################################
+# eBGP R3
+#
+
+table t_r3;
+
+protocol static originate_to_r3 {
+ table t_r3;
+ import all; # originate here
+ route 2001:db8:10::/48 blackhole;
+}
+
+protocol bgp ebgp_r3 {
+ table t_r3;
+ neighbor 2001:db8:40:d910::1 as 64080;
+ local 2001:db8:40:d910::2 as 65033;
+ import all;
+ import keep filtered on;
+ export where source = RTS_STATIC;
+}
+
+protocol pipe p_master_to_r3 {
+ table master;
+ peer table t_r3;
+ import where source = RTS_BGP;
+ export none;
+}
+
diff --git a/R10/rootfs/etc/hosts b/R10/rootfs/etc/hosts
new file mode 100644
index 0000000..72e1fd8
--- /dev/null
+++ b/R10/rootfs/etc/hosts
@@ -0,0 +1,5 @@
+127.0.0.1 localhost
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
diff --git a/R10/rootfs/etc/network/interfaces b/R10/rootfs/etc/network/interfaces
new file mode 100644
index 0000000..1b6078a
--- /dev/null
+++ b/R10/rootfs/etc/network/interfaces
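Review bot: `import all;` on `ebgp_r3` in the new R10 bird6.conf accepts whatever IPv6 prefixes the peer sends — a default route, the `2001:db8:10::/48` this router itself originates a few lines above, or anything outside the lab range — while the IPv4 file bounds the same session to 10/8 with a prefix-length range. At minimum reject the local aggregate and its more-specifics, `import where net !~ [ 2001:db8:10::/48+ ];`, and preferably mirror the IPv4 `import filter` with a length-bounded prefix set for the lab's 2001:db8::/32. R3's bird6.conf `ebgp_r10` in this commit has the same `import all;` and needs the matching `2001:db8:40::/48+` rejection.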
@@ -0,0 +1,24 @@
+auto lo
+iface lo inet loopback
+ up ip addr add 10.40.32.10/32 dev lo
+ up ip addr add 2001:db8:10:6::a dev lo
+ down ip addr del 2001:db8:10:6::a dev lo
+ down ip addr del 10.40.32.10/32 dev lo
+
+auto vlan33
+iface vlan33 inet manual
+ up ip link set up dev vlan33
+ up ip addr add 10.40.33.1/26 brd + dev vlan33
+ up ip addr add 2001:db8:10:21::1/120 dev vlan33
+ down ip addr del 2001:db8:10:21::1/120 dev vlan33
+ down ip addr del 10.40.33.1/26 dev vlan33
+ down up link set down dev vlan33
+
+auto vlan217
+iface vlan217 inet manual
+ up ip link set up dev vlan217
+ up ip addr add 10.40.217.18/30 brd + dev vlan217
+ up ip addr add 2001:db8:40:d910::2/120 dev vlan217
+ down ip addr del 2001:db8:40:d910::2/120 dev vlan217
+ down ip addr del 10.40.217.18/30 dev vlan217
+ down up link set down dev vlan217
diff --git a/R10/rootfs/etc/sysctl.conf b/R10/rootfs/etc/sysctl.conf
new file mode 100644
index 0000000..25809a1
--- /dev/null
+++ b/R10/rootfs/etc/sysctl.conf
@@ -0,0 +1,79 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables.
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+net.ipv6.conf.all.forwarding=1
+
+net.ipv4.icmp_ratelimit = 0
+net.ipv6.icmp.ratelimit = 0
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+
+###################################################################
+# Magic system request Key
+# 0=disable, 1=enable all
+# Debian kernels have this set to 0 (disable the key)
+# See https://www.kernel.org/doc/Documentation/sysrq.txt
+# for what other values do
+#kernel.sysrq=1
+
+###################################################################
+# Protected links
+#
+# Protects against creating or following links under certain conditions
+# Debian kernels have both set to 1 (restricted)
+# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
+#fs.protected_hardlinks=0
+#fs.protected_symlinks=0
diff --git a/R11/config b/R11/config
new file mode 100644
index 0000000..803efd9
--- /dev/null
+++ b/R11/config
@@ -0,0 +1,33 @@
+# Template used to create this container: /usr/share/lxc/templates/lxc-debian
+# Parameters passed to the template: -r stretch
+# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
+# For additional config options, please look at lxc.container.conf(5)
+# Uncomment the following line to support nesting containers:
+#lxc.include = /usr/share/lxc/config/nesting.conf
+# (Be aware this has security implications)
+lxc.apparmor.profile = generated
+lxc.apparmor.allow_nesting = 1
+# Common configuration
+lxc.include = /usr/share/lxc/config/debian.common.conf
+# Container specific configuration
+lxc.tty.max = 4
+lxc.arch = amd64
+lxc.pty.max = 1024
+lxc.rootfs.path = btrfs:/var/lib/lxc/R11/rootfs
+lxc.uts.name = R11
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.name = vlan33
+lxc.net.0.veth.pair = r11.33
+lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
+lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
+lxc.net.0.hwaddr = 02:00:0a:28:21:02
+
+lxc.net.1.type = veth
+lxc.net.1.flags = up
+lxc.net.1.name = vlan48
+lxc.net.1.veth.pair = r11.48
+lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
+lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
+lxc.net.1.hwaddr = 02:00:0a:28:30:01
diff --git a/R11/rootfs/etc/bird/bird.conf b/R11/rootfs/etc/bird/bird.conf
new file mode 100644
index 0000000..e4d4b1d
--- /dev/null
+++ b/R11/rootfs/etc/bird/bird.conf
@@ -0,0 +1,26 @@
+router id 10.40.32.11;
+
+log "/var/log/bird/bird.log" all;
+debug protocols { states, routes, filters, interfaces }
+
+protocol kernel {
+ import none;
+ export all;
+}
+
+protocol device {
+ # defaults...
+}
+
+protocol ospf {
+ area 0 {
+ interface "lo" {
+ stub;
+ };
+ interface "vlan33" {
+ };
+ interface "vlan48" {
+ stub;
+ };
+ };
+}
diff --git a/R11/rootfs/etc/bird/bird6.conf b/R11/rootfs/etc/bird/bird6.conf
new file mode 100644
index 0000000..be6ee35
--- /dev/null
+++ b/R11/rootfs/etc/bird/bird6.conf
@@ -0,0 +1,25 @@
+router id 10.40.32.11;
+
+log "/var/log/bird/bird6.log" all;
+debug protocols { states, routes, filters, interfaces }
+
+protocol kernel {
+ import none;
+ export all;
+}
+
+protocol device {
+ # defaults...
+}
+
+protocol ospf {
+ area 0 {
+ # BIRD ignores the IPv6 lo because it has no link local address
+ stubnet 2001:db8:10:6::b/128;
+ interface "vlan33" {
+ };
+ interface "vlan48" {
+ stub;
+ };
+ };
+}
diff --git a/R11/rootfs/etc/hosts b/R11/rootfs/etc/hosts
new file mode 100644
index 0000000..72e1fd8
--- /dev/null
+++ b/R11/rootfs/etc/hosts
@@ -0,0 +1,5 @@
+127.0.0.1 localhost
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
diff --git a/R11/rootfs/etc/network/interfaces b/R11/rootfs/etc/network/interfaces
new file mode 100644
index 0000000..49508a2
--- /dev/null
+++ b/R11/rootfs/etc/network/interfaces
@@ -0,0 +1,24 @@
+auto lo
+iface lo inet loopback
+ up ip addr add 10.40.32.11/32 dev lo
+ up ip addr add 2001:db8:10:6::b dev lo
+ down ip addr del 2001:db8:10:6::b dev lo
+ down ip addr del 10.40.32.11/32 dev lo
+
+auto vlan48
+iface vlan48 inet manual
+ up ip link set up dev vlan48
+ up ip addr add 10.40.48.1/21 brd + dev vlan48
+ up ip addr add 2001:db8:10:30::1/117 dev vlan48
+ down ip addr del 2001:db8:10:30::1/117 dev vlan48
+ down ip addr del 10.40.48.1/21 dev vlan48
+ down up link set down dev vlan48
+
+auto vlan33
+iface vlan33 inet manual
+ up ip link set up dev vlan33
+ up ip addr add 10.40.33.2/26 brd + dev vlan33
+ up ip addr add 2001:db8:10:21::2/120 dev vlan33
+ down ip addr del 2001:db8:10:21::2/120 dev vlan33
+ down ip addr del 10.40.33.2/26 dev vlan33
+ down up link set down dev vlan33
diff --git a/R11/rootfs/etc/sysctl.conf b/R11/rootfs/etc/sysctl.conf
new file mode 100644
index 0000000..25809a1
--- /dev/null
+++ b/R11/rootfs/etc/sysctl.conf
@@ -0,0 +1,79 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables.
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+net.ipv6.conf.all.forwarding=1
+
+net.ipv4.icmp_ratelimit = 0
+net.ipv6.icmp.ratelimit = 0
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+
+###################################################################
+# Magic system request Key
+# 0=disable, 1=enable all
+# Debian kernels have this set to 0 (disable the key)
+# See https://www.kernel.org/doc/Documentation/sysrq.txt
+# for what other values do
+#kernel.sysrq=1
+
+###################################################################
+# Protected links
+#
+# Protects against creating or following links under certain conditions
+# Debian kernels have both set to 1 (restricted)
+# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
+#fs.protected_hardlinks=0
+#fs.protected_symlinks=0
diff --git a/R12/config b/R12/config
new file mode 100644
index 0000000..a393f64
--- /dev/null
+++ b/R12/config
@@ -0,0 +1,33 @@
+# Template used to create this container: /usr/share/lxc/templates/lxc-debian
+# Parameters passed to the template: -r stretch
+# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
+# For additional config options, please look at lxc.container.conf(5)
+# Uncomment the following line to support nesting containers:
+#lxc.include = /usr/share/lxc/config/nesting.conf
+# (Be aware this has security implications)
+lxc.apparmor.profile = generated
+lxc.apparmor.allow_nesting = 1
+# Common configuration
+lxc.include = /usr/share/lxc/config/debian.common.conf
+# Container specific configuration
+lxc.tty.max = 4
+lxc.arch = amd64
+lxc.pty.max = 1024
+lxc.rootfs.path = btrfs:/var/lib/lxc/R12/rootfs
+lxc.uts.name = R12
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.name = vlan33
+lxc.net.0.veth.pair = r12.33
+lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
+lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
+lxc.net.0.hwaddr = 02:00:0a:28:21:03
+
+lxc.net.1.type = veth
+lxc.net.1.flags = up
+lxc.net.1.name = vlan36
+lxc.net.1.veth.pair = r12.36
+lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
+lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
+lxc.net.1.hwaddr = 02:00:0a:28:24:01
diff --git a/R12/rootfs/etc/bird/bird.conf b/R12/rootfs/etc/bird/bird.conf
new file mode 100644
index 0000000..4294fa3
--- /dev/null
+++ b/R12/rootfs/etc/bird/bird.conf
@@ -0,0 +1,26 @@
+router id 10.40.32.12;
+
+log "/var/log/bird/bird.log" all;
+debug protocols { states, routes, filters, interfaces }
+
+protocol kernel {
+ import none;
+ export all;
+}
+
+protocol device {
+ # defaults...
+}
+
+protocol ospf {
+ area 0 {
+ interface "lo" {
+ stub;
+ };
+ interface "vlan33" {
+ };
+ interface "vlan36" {
+ stub;
+ };
+ };
+}
diff --git a/R12/rootfs/etc/bird/bird6.conf b/R12/rootfs/etc/bird/bird6.conf
new file mode 100644
index 0000000..f324270
--- /dev/null
+++ b/R12/rootfs/etc/bird/bird6.conf
@@ -0,0 +1,25 @@
+router id 10.40.32.12;
+
+log "/var/log/bird/bird6.log" all;
+debug protocols { states, routes, filters, interfaces }
+
+protocol kernel {
+ import none;
+ export all;
+}
+
+protocol device {
+ # defaults...
+}
+
+protocol ospf {
+ area 0 {
+ # BIRD ignores the IPv6 lo because it has no link local address
+ stubnet 2001:db8:10:6::c/128;
+ interface "vlan33" {
+ };
+ interface "vlan36" {
+ stub;
+ };
+ };
+}
diff --git a/R12/rootfs/etc/hosts b/R12/rootfs/etc/hosts
new file mode 100644
index 0000000..72e1fd8
--- /dev/null
+++ b/R12/rootfs/etc/hosts
@@ -0,0 +1,5 @@
+127.0.0.1 localhost
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
diff --git a/R12/rootfs/etc/network/interfaces b/R12/rootfs/etc/network/interfaces
new file mode 100644
index 0000000..6c58ccf
--- /dev/null
+++ b/R12/rootfs/etc/network/interfaces
@@ -0,0 +1,24 @@
+auto lo
+iface lo inet loopback
+ up ip addr add 10.40.32.12/32 dev lo
+ up ip addr add 2001:db8:10:6::c dev lo
+ down ip addr del 2001:db8:10:6::c dev lo
+ down ip addr del 10.40.32.12/32 dev lo
+
+auto vlan36
+iface vlan36 inet manual
+ up ip link set up dev vlan36
+ up ip addr add 10.40.36.1/24 brd + dev vlan36
+ up ip addr add 2001:db8:10:24::1/120 dev vlan36
+ down ip addr del 2001:db8:10:24::1/120 dev vlan36
+ down ip addr del 10.40.36.1/24 dev vlan36
+ down up link set down dev vlan36
+
+auto vlan33
+iface vlan33 inet manual
+ up ip link set up dev vlan33
+ up ip addr add 10.40.33.3/26 brd + dev vlan33
+ up ip addr add 2001:db8:10:21::3/120 dev vlan33
+ down ip addr del 2001:db8:10:21::3/120 dev vlan33
+ down ip addr del 10.40.33.3/26 dev vlan33
+ down up link set down dev vlan33
diff --git a/R12/rootfs/etc/sysctl.conf b/R12/rootfs/etc/sysctl.conf
new file mode 100644
index 0000000..25809a1
--- /dev/null
+++ b/R12/rootfs/etc/sysctl.conf
@@ -0,0 +1,79 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables.
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+net.ipv6.conf.all.forwarding=1
+
+net.ipv4.icmp_ratelimit = 0
+net.ipv6.icmp.ratelimit = 0
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+
+###################################################################
+# Magic system request Key
+# 0=disable, 1=enable all
+# Debian kernels have this set to 0 (disable the key)
+# See https://www.kernel.org/doc/Documentation/sysrq.txt
+# for what other values do
+#kernel.sysrq=1
+
+###################################################################
+# Protected links
+#
+# Protects against creating or following links under certain conditions
+# Debian kernels have both set to 1 (restricted)
+# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
+#fs.protected_hardlinks=0
+#fs.protected_symlinks=0
diff --git a/R2/config b/R2/config
index 36f04c0..5040067 100644
--- a/R2/config
+++ b/R2/config
@@ -15,30 +15,3 @@ lxc.arch = amd64
 lxc.pty.max = 1024
 lxc.rootfs.path = btrfs:/var/lib/lxc/R2/rootfs
 lxc.uts.name = R2
-lxc.net.0.type = veth
-lxc.net.0.flags = up
-lxc.net.0.name = vlan1012
-lxc.net.0.veth.pair = r2.1012
-lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.0.hwaddr = 02:00:0a:01:02:7b
-lxc.net.0.ipv4.address = 10.1.2.123/24
-lxc.net.0.ipv6.address = 2001:db8:2501:2::123/64
-lxc.net.1.type = veth
-lxc.net.1.flags = up
-lxc.net.1.name = vlan1082
-lxc.net.1.veth.pair = r2.1082
-lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.1.hwaddr = 02:00:0a:08:02:01
-lxc.net.1.ipv4.address = 10.8.2.1/24
-lxc.net.1.ipv6.address = 2001:db8:2501:82::1/64
-lxc.net.2.type = veth
-lxc.net.2.flags = up
-lxc.net.2.name = vlan1050
-lxc.net.2.veth.pair = r2.1050
-lxc.net.2.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.2.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.2.hwaddr = 02:00:0a:32:01:01
-lxc.net.2.ipv4.address = 10.50.1.1/24
-lxc.net.2.ipv6.address = 2001:db8:2501:501::1/64
diff --git a/R3/config b/R3/config
new file mode 100644
index 0000000..97d0edb
--- /dev/null
+++ b/R3/config
@@ -0,0 +1,33 @@
+# Template used to create this container: /usr/share/lxc/templates/lxc-debian
+# Parameters passed to the template: -r stretch
+# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
+# For additional config options, please look at lxc.container.conf(5)
+# Uncomment the following line to support nesting containers:
+#lxc.include = /usr/share/lxc/config/nesting.conf
+# (Be aware this has security implications)
+lxc.apparmor.profile = generated
+lxc.apparmor.allow_nesting = 1
+# Common configuration
+lxc.include = /usr/share/lxc/config/debian.common.conf
+# Container specific configuration
+lxc.tty.max = 4
+lxc.arch = amd64
+lxc.pty.max = 1024
+lxc.rootfs.path = btrfs:/var/lib/lxc/R3/rootfs
+lxc.uts.name = R3
+
+lxc.net.0.type = veth
+lxc.net.0.flags = up
+lxc.net.0.name = vlan216
+lxc.net.0.veth.pair = r3.216
+lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
+lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
+lxc.net.0.hwaddr = 02:00:0a:28:d8:01
+
+lxc.net.1.type = veth
+lxc.net.1.flags = up
+lxc.net.1.name = vlan217
+lxc.net.1.veth.pair = r3.217
+lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
+lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
+lxc.net.1.hwaddr = 02:00:0a:28:d9:10
diff --git a/R3/rootfs/etc/bird/bird.conf b/R3/rootfs/etc/bird/bird.conf
new file mode 100644
index 0000000..70ba7cc
--- /dev/null
+++ b/R3/rootfs/etc/bird/bird.conf
@@ -0,0 +1,58 @@
+router id 10.40.217.3;
+
+log "/var/log/bird/bird.log" all;
+debug protocols { states, routes, filters, interfaces }
+
+protocol kernel {
+ import none;
+ export all;
+}
+
+protocol device {
+ # defaults...
+}
+
+protocol ospf {
+ area 0 {
+ interface "lo" {
+ stub;
+ };
+ interface "vlan216" {
+ };
+ interface "vlan217" {
+ stub;
+ };
+ };
+}
+
+##############################################################################
+# eBGP R10
+#
+
+table t_r10;
+
+protocol static originate_to_r10 {
+ table t_r10;
+ import all; # originate here
+ route 10.40.0.0/22 blackhole;
+ route 10.40.216.0/21 blackhole;
+}
+
+protocol bgp ebgp_r10 {
+ table t_r10;
+ local 10.40.217.17 as 64080;
+ neighbor 10.40.217.18 as 65033;
+ import filter {
+ if net ~ [ 10.0.0.0/8{19,24} ] then accept;
+ reject;
+ };
+ import keep filtered on;
+ export where source = RTS_STATIC;
+}
+
+protocol pipe p_master_to_r10 {
+ table master;
+ peer table t_r10;
+ import where source = RTS_BGP;
+ export none;
+}
diff --git a/R3/rootfs/etc/bird/bird6.conf b/R3/rootfs/etc/bird/bird6.conf
new file mode 100644
index 0000000..7404900
--- /dev/null
+++ b/R3/rootfs/etc/bird/bird6.conf
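Review bot: bird.conf defines no iBGP session, whereas the IPv6 counterpart bird6.conf added in this commit carries a `protocol bgp ibgp_r1` that exports `RTS_BGP` routes to R1; here the routes learned from R10 arrive in `master` through `p_master_to_r10` and, with `protocol ospf` left at its default export, go no further than R3's own kernel table. If the IPv4 side is meant to mirror IPv6, an `ibgp_r1` block with `local 10.40.217.3 as 64080;` and `neighbor <R1 IPv4 loopback> as 64080;` is missing; if it is deliberately deferred (the commit title suggests work in progress), a `# TODO: iBGP to R1, see bird6.conf` line at the end of the file would make that explicit. The `import keep filtered on;` together with the `10.0.0.0/8{19,24}` inbound filter on `ebgp_r10` is the right shape and is worth keeping as the pattern for the other routers.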
@@ -0,0 +1,62 @@
+router id 10.40.217.3;
+
+log "/var/log/bird/bird6.log" all;
+debug protocols { states, routes, filters, interfaces }
+
+protocol kernel {
+ import none;
+ export all;
+}
+
+protocol device {
+ # defaults...
+}
+
+protocol ospf {
+ area 0 {
+ # BIRD ignores the IPv6 lo because it has no link local address
+ stubnet 2001:db8:40::3/128;
+ interface "vlan216" {
+ };
+ interface "vlan217" {
+ stub;
+ };
+ };
+}
+##############################################################################
+# eBGP R10
+#
+
+table t_r10;
+
+protocol static originate_to_r10 {
+ table t_r10;
+ import all; # originate here
+ route 2001:db8:40::/48 blackhole;
+}
+
+protocol bgp ebgp_r10 {
+ table t_r10;
+ local 2001:db8:40:d910::1 as 64080;
+ neighbor 2001:db8:40:d910::2 as 65033;
+ import all;
+ import keep filtered on;
+ export where source = RTS_STATIC;
+}
+
+protocol pipe p_master_to_r10 {
+ table master;
+ peer table t_r10;
+ import where source = RTS_BGP;
+ export none;
+}
+
+#
+# iBGP
+#
+protocol bgp ibgp_r1 {
+ import none;
+ export where source = RTS_BGP;
+ local 2001:db8:40::3 as 64080;
+ neighbor 2001:db8:40::1 as 64080;
+}
diff --git a/R3/rootfs/etc/hosts b/R3/rootfs/etc/hosts
new file mode 100644
index 0000000..72e1fd8
--- /dev/null
+++ b/R3/rootfs/etc/hosts
@@ -0,0 +1,5 @@
+127.0.0.1 localhost
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+
diff --git a/R3/rootfs/etc/network/interfaces b/R3/rootfs/etc/network/interfaces
new file mode 100644
index 0000000..1815a6d
--- /dev/null
+++ b/R3/rootfs/etc/network/interfaces
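Review bot: `ebgp_r10` accepts everything the external neighbor sends (`import all;`), while the IPv4 `ebgp_r10` in bird.conf restricts inbound routes to `10.0.0.0/8{19,24}`; `import keep filtered on;` is already set here, so only the filter itself is missing, and any prefix AS 65033 announces — a default route, or a more-specific of R3's own 2001:db8:40::/48 — could be installed and then re-exported to R1 through `ibgp_r1`. Mirror the IPv4 shape, e.g. `import filter { if net ~ [ 2001:db8::/32{48,64} ] then accept; reject; };`, where the prefix set and the `{48,64}` length bounds are an illustrative choice to be adjusted to the lab's IPv6 addressing plan rather than values taken from this page.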
@@ -0,0 +1,24 @@
+auto lo
+iface lo inet loopback
+ up ip addr add 10.40.217.3/32 dev lo
+ up ip addr add 2001:db8:40::3 dev lo
+ down ip addr del 2001:db8:40::3 dev lo
+ down ip addr del 10.40.217.3/32 dev lo
+
+auto vlan216
+iface vlan216 inet manual
+ up ip link set up dev vlan216
+ up ip addr add 10.40.216.1/28 brd + dev vlan216
+ up ip addr add 2001:db8:40:d8::1/120 dev vlan216
+ down ip addr del 2001:db8:40:d8::1/120 dev vlan216
+ down ip addr del 10.40.216.1/28 dev vlan216
+ down up link set down dev vlan216
+
+auto vlan217
+iface vlan217 inet manual
+ up ip link set up dev vlan217
+ up ip addr add 10.40.217.17/30 brd + dev vlan217
+ up ip addr add 2001:db8:40:d910::1/120 dev vlan217
+ down ip addr del 2001:db8:40:d910::1/120 dev vlan217
+ down ip addr del 10.40.217.17/30 dev vlan217
+ down up link set down dev vlan217
diff --git a/R3/rootfs/etc/sysctl.conf b/R3/rootfs/etc/sysctl.conf
new file mode 100644
index 0000000..25809a1
--- /dev/null
+++ b/R3/rootfs/etc/sysctl.conf
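Review bot: the last `down` line of each VLAN stanza invokes a non-existent `up` command — `down up link set down dev vlan216` and `down up link set down dev vlan217` should read `down ip link set down dev vlan216` and `down ip link set down dev vlan217`; as written the shell will most likely report `up` as not found, ifdown flags the stanza as failed and the links are never administratively downed. A smaller consistency point in the loopback stanza: `up ip addr add 2001:db8:40::3 dev lo` relies on ip's implicit /128 while the IPv4 line spells out `/32`; writing `2001:db8:40::3/128` matches the `stubnet 2001:db8:40::3/128` that bird6.conf advertises.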
@@ -0,0 +1,79 @@
+#
+# /etc/sysctl.conf - Configuration file for setting system variables
+# See /etc/sysctl.d/ for additional system variables.
+# See sysctl.conf (5) for information.
+#
+
+#kernel.domainname = example.com
+
+# Uncomment the following to stop low-level messages on console
+#kernel.printk = 3 4 1 3
+
+##############################################################3
+# Functions previously found in netbase
+#
+
+# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
+# Turn on Source Address Verification in all interfaces to
+# prevent some spoofing attacks
+#net.ipv4.conf.default.rp_filter=1
+#net.ipv4.conf.all.rp_filter=1
+
+# Uncomment the next line to enable TCP/IP SYN cookies
+# See http://lwn.net/Articles/277146/
+# Note: This may impact IPv6 TCP sessions too
+#net.ipv4.tcp_syncookies=1
+
+# Uncomment the next line to enable packet forwarding for IPv4
+net.ipv4.ip_forward=1
+
+# Uncomment the next line to enable packet forwarding for IPv6
+# Enabling this option disables Stateless Address Autoconfiguration
+# based on Router Advertisements for this host
+net.ipv6.conf.all.forwarding=1
+
+net.ipv4.icmp_ratelimit = 0
+net.ipv6.icmp.ratelimit = 0
+
+###################################################################
+# Additional settings - these settings can improve the network
+# security of the host and prevent against some network attacks
+# including spoofing attacks and man in the middle attacks through
+# redirection. Some network environments, however, require that these
+# settings are disabled so review and enable them as needed.
+#
+# Do not accept ICMP redirects (prevent MITM attacks)
+#net.ipv4.conf.all.accept_redirects = 0
+#net.ipv6.conf.all.accept_redirects = 0
+# _or_
+# Accept ICMP redirects only for gateways listed in our default
+# gateway list (enabled by default)
+# net.ipv4.conf.all.secure_redirects = 1
+#
+# Do not send ICMP redirects (we are not a router)
+#net.ipv4.conf.all.send_redirects = 0
+#
+# Do not accept IP source route packets (we are not a router)
+#net.ipv4.conf.all.accept_source_route = 0
+#net.ipv6.conf.all.accept_source_route = 0
+#
+# Log Martian Packets
+#net.ipv4.conf.all.log_martians = 1
+#
+
+###################################################################
+# Magic system request Key
+# 0=disable, 1=enable all
+# Debian kernels have this set to 0 (disable the key)
+# See https://www.kernel.org/doc/Documentation/sysrq.txt
+# for what other values do
+#kernel.sysrq=1
+
+###################################################################
+# Protected links
+#
+# Protects against creating or following links under certain conditions
+# Debian kernels have both set to 1 (restricted)
+# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
+#fs.protected_hardlinks=0
+#fs.protected_symlinks=0
diff --git a/R5/config b/R5/config
index 6ce23e9..b7e5a49 100644
--- a/R5/config
+++ b/R5/config
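Review bot: forwarding is switched on for both families (`net.ipv4.ip_forward=1`, `net.ipv6.conf.all.forwarding=1`) but the hardening block that follows is left entirely commented out, and its own annotations ("we are not a router") no longer describe this host. For a forwarding node the source-route and redirect knobs are the ones that matter: uncomment `net.ipv4.conf.all.accept_source_route = 0`, `net.ipv6.conf.all.accept_source_route = 0` and the two `accept_redirects = 0` lines, and consider `net.ipv4.conf.all.send_redirects = 0` as well. Leave `rp_filter` off, or use loose mode (`=2`) rather than `=1`, since strict reverse-path checking on a multi-homed OSPF/BGP router drops legitimate asymmetric traffic. `net.ipv4.icmp_ratelimit = 0` and `net.ipv6.icmp.ratelimit = 0` disable ICMP rate limiting completely, which is a lab convenience worth a one-line comment so the file is not copied into a production image unchanged.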
@@ -15,21 +15,3 @@ lxc.arch = amd64
 lxc.pty.max = 1024
 lxc.rootfs.path = btrfs:/var/lib/lxc/R5/rootfs
 lxc.uts.name = R5
-lxc.net.0.type = veth
-lxc.net.0.flags = up
-lxc.net.0.name = vlan1001
-lxc.net.0.veth.pair = r5.1001
-lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.0.hwaddr = 02:00:0a:00:01:04
-lxc.net.0.ipv4.address = 10.0.1.4/24
-lxc.net.0.ipv6.address = 2001:db8:2501:1::4/64
-lxc.net.1.type = veth
-lxc.net.1.flags = up
-lxc.net.1.name = vlan1012
-lxc.net.1.veth.pair = r5.1012
-lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.1.hwaddr = 02:00:0a:01:02:38
-lxc.net.1.ipv4.address = 10.1.2.56/24
-lxc.net.1.ipv6.address = 2001:db8:2501:2::56/64
diff --git a/R6/config b/R6/config
index b5a043f..c4fe3ae 100644
--- a/R6/config
+++ b/R6/config
@@ -15,21 +15,3 @@ lxc.arch = amd64
 lxc.pty.max = 1024
 lxc.rootfs.path = btrfs:/var/lib/lxc/R6/rootfs
 lxc.uts.name = R6
-lxc.net.0.type = veth
-lxc.net.0.flags = up
-lxc.net.0.name = vlan1001
-lxc.net.0.veth.pair = r6.1001
-lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.0.hwaddr = 02:00:0a:00:01:08
-lxc.net.0.ipv4.address = 10.0.1.8/24
-lxc.net.0.ipv6.address = 2001:db8:2501:1::8/64
-lxc.net.1.type = veth
-lxc.net.1.flags = up
-lxc.net.1.name = vlan1034
-lxc.net.1.veth.pair = r6.1034
-lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.1.hwaddr = 02:00:0a:2b:02:01
-lxc.net.1.ipv4.address = 10.34.2.1/24
-lxc.net.1.ipv6.address = 2001:db8:2501:342::1/64