Just before homework on bgp-intro
parent
089621efed
commit
b7603e7521
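--- a/H10/config
+++ b/H10/config
@@ -15,14 +15,3 @@ lxc.arch = amd64
 lxc.pty.max = 1024
 lxc.rootfs.path = btrfs:/var/lib/lxc/H10/rootfs
 lxc.uts.name = H10
-lxc.net.0.type = veth
-lxc.net.0.flags = up
-lxc.net.0.name = vlan1082
-lxc.net.0.veth.pair = h10.1082
-lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.0.hwaddr = 02:00:0a:08:02:0a
-lxc.net.0.ipv4.address = 10.8.2.10/24
-lxc.net.0.ipv4.gateway = 10.8.2.1
-lxc.net.0.ipv6.address = 2001:db8:2501:82::10/64
-lxc.net.0.ipv6.gateway = 2001:db8:2501:82::1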
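--- a/H12/config
+++ b/H12/config
@@ -15,14 +15,3 @@ lxc.arch = amd64
 lxc.pty.max = 1024
 lxc.rootfs.path = btrfs:/var/lib/lxc/H12/rootfs
 lxc.uts.name = H12
-lxc.net.0.type = veth
-lxc.net.0.flags = up
-lxc.net.0.name = vlan1050
-lxc.net.0.veth.pair = h12.1050
-lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.0.hwaddr = 02:00:0a:32:01:0c
-lxc.net.0.ipv4.address = 10.50.1.12/24
-lxc.net.0.ipv4.gateway = 10.50.1.1
-lxc.net.0.ipv6.address = 2001:db8:2501:501::12/64
-lxc.net.0.ipv6.gateway = 2001:db8:2501:501::1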
|
@ -15,10 +15,4 @@ lxc.arch = amd64
|
||||||
lxc.pty.max = 1024
|
lxc.pty.max = 1024
|
||||||
lxc.rootfs.path = btrfs:/var/lib/lxc/H13/rootfs
|
lxc.rootfs.path = btrfs:/var/lib/lxc/H13/rootfs
|
||||||
lxc.uts.name = H13
|
lxc.uts.name = H13
|
||||||
lxc.net.0.type = veth
|
|
||||||
lxc.net.0.flags = up
|
|
||||||
lxc.net.0.name = vlan1050
|
|
||||||
lxc.net.0.veth.pair = h13.1050
|
|
||||||
lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
|
|
||||||
lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
|
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,25 @@
|
||||||
|
# Template used to create this container: /usr/share/lxc/templates/lxc-debian
|
||||||
|
# Parameters passed to the template: -r stretch
|
||||||
|
# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
|
||||||
|
# For additional config options, please look at lxc.container.conf(5)
|
||||||
|
# Uncomment the following line to support nesting containers:
|
||||||
|
#lxc.include = /usr/share/lxc/config/nesting.conf
|
||||||
|
# (Be aware this has security implications)
|
||||||
|
lxc.apparmor.profile = generated
|
||||||
|
lxc.apparmor.allow_nesting = 1
|
||||||
|
# Common configuration
|
||||||
|
lxc.include = /usr/share/lxc/config/debian.common.conf
|
||||||
|
# Container specific configuration
|
||||||
|
lxc.tty.max = 4
|
||||||
|
lxc.arch = amd64
|
||||||
|
lxc.pty.max = 1024
|
||||||
|
lxc.rootfs.path = btrfs:/var/lib/lxc/H19/rootfs
|
||||||
|
lxc.uts.name = H19
|
||||||
|
|
||||||
|
lxc.net.0.type = veth
|
||||||
|
lxc.net.0.flags = up
|
||||||
|
lxc.net.0.name = vlan48
|
||||||
|
lxc.net.0.veth.pair = h19.48
|
||||||
|
lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.0.hwaddr = 02:00:0a:28:34:13
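Review bot: `lxc.apparmor.allow_nesting = 1` is active in this new container config, yet the only nearby explanation ("Uncomment the following line to support nesting containers … (Be aware this has security implications)") sits over the commented-out `lxc.include`, so the file reads as if nesting were off. Together with `lxc.apparmor.profile = generated`, that key relaxes the generated AppArmor profile so the container may create nested containers, which a single-interface lab host presumably does not need. I would set `lxc.apparmor.allow_nesting = 0` here, or keep the value and put `# nesting is allowed in the generated AppArmor profile; needed for <reason>` above it. The same two lines appear in the other container configs this commit adds (rootfs paths H34, H6, H7 and R0).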
|
|
@ -0,0 +1 @@
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
127.0.0.1 localhost
|
||||||
|
::1 localhost ip6-localhost ip6-loopback
|
||||||
|
ff02::1 ip6-allnodes
|
||||||
|
ff02::2 ip6-allrouters
|
||||||
|
|
|
@ -0,0 +1,14 @@
|
||||||
|
auto lo
|
||||||
|
iface lo inet loopback
|
||||||
|
|
||||||
|
auto vlan48
|
||||||
|
iface vlan48 inet manual
|
||||||
|
up ip link set up dev vlan48
|
||||||
|
up ip addr add 10.40.52.19/21 brd + dev vlan48
|
||||||
|
up ip addr add 2001:db8:10:30::413/117 dev vlan48
|
||||||
|
up ip route add default via 10.40.48.1 dev vlan48
|
||||||
|
up ip route add default via 2001:db8:10:30::1 dev vlan48
|
||||||
|
down ip route -6 del default
|
||||||
|
down ip addr del 2001:db8:10:30::413/117 dev vlan48
|
||||||
|
down ip addr del 10.40.52.19/21 dev vlan48
|
||||||
|
down up link set down dev vlan48
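Review bot: The last line of the vlan48 stanza, `down up link set down dev vlan48`, invokes a command named `up` rather than `ip`, so the link is never brought down and ifdown ends on a failing command; it should read `down ip link set down dev vlan48`. `down ip route -6 del default` also looks suspect, because ip(8) documents the family option before the object (`down ip -6 route del default`); that is worth checking against the iproute2 version inside the containers. The same `down up link set down` typo is repeated in the interfaces files added further down for vlan36, vlan2 and vlan3, and in both vlan stanzas (vlan2, vlan216) of the router's file.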
|
|
@ -0,0 +1,79 @@
|
||||||
|
#
|
||||||
|
# /etc/sysctl.conf - Configuration file for setting system variables
|
||||||
|
# See /etc/sysctl.d/ for additional system variables.
|
||||||
|
# See sysctl.conf (5) for information.
|
||||||
|
#
|
||||||
|
|
||||||
|
#kernel.domainname = example.com
|
||||||
|
|
||||||
|
# Uncomment the following to stop low-level messages on console
|
||||||
|
#kernel.printk = 3 4 1 3
|
||||||
|
|
||||||
|
##############################################################3
|
||||||
|
# Functions previously found in netbase
|
||||||
|
#
|
||||||
|
|
||||||
|
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
|
||||||
|
# Turn on Source Address Verification in all interfaces to
|
||||||
|
# prevent some spoofing attacks
|
||||||
|
#net.ipv4.conf.default.rp_filter=1
|
||||||
|
#net.ipv4.conf.all.rp_filter=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable TCP/IP SYN cookies
|
||||||
|
# See http://lwn.net/Articles/277146/
|
||||||
|
# Note: This may impact IPv6 TCP sessions too
|
||||||
|
#net.ipv4.tcp_syncookies=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable packet forwarding for IPv4
|
||||||
|
net.ipv4.ip_forward=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable packet forwarding for IPv6
|
||||||
|
# Enabling this option disables Stateless Address Autoconfiguration
|
||||||
|
# based on Router Advertisements for this host
|
||||||
|
net.ipv6.conf.all.forwarding=1
|
||||||
|
|
||||||
|
net.ipv4.icmp_ratelimit = 0
|
||||||
|
net.ipv6.icmp.ratelimit = 0
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Additional settings - these settings can improve the network
|
||||||
|
# security of the host and prevent against some network attacks
|
||||||
|
# including spoofing attacks and man in the middle attacks through
|
||||||
|
# redirection. Some network environments, however, require that these
|
||||||
|
# settings are disabled so review and enable them as needed.
|
||||||
|
#
|
||||||
|
# Do not accept ICMP redirects (prevent MITM attacks)
|
||||||
|
#net.ipv4.conf.all.accept_redirects = 0
|
||||||
|
#net.ipv6.conf.all.accept_redirects = 0
|
||||||
|
# _or_
|
||||||
|
# Accept ICMP redirects only for gateways listed in our default
|
||||||
|
# gateway list (enabled by default)
|
||||||
|
# net.ipv4.conf.all.secure_redirects = 1
|
||||||
|
#
|
||||||
|
# Do not send ICMP redirects (we are not a router)
|
||||||
|
#net.ipv4.conf.all.send_redirects = 0
|
||||||
|
#
|
||||||
|
# Do not accept IP source route packets (we are not a router)
|
||||||
|
#net.ipv4.conf.all.accept_source_route = 0
|
||||||
|
#net.ipv6.conf.all.accept_source_route = 0
|
||||||
|
#
|
||||||
|
# Log Martian Packets
|
||||||
|
#net.ipv4.conf.all.log_martians = 1
|
||||||
|
#
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Magic system request Key
|
||||||
|
# 0=disable, 1=enable all
|
||||||
|
# Debian kernels have this set to 0 (disable the key)
|
||||||
|
# See https://www.kernel.org/doc/Documentation/sysrq.txt
|
||||||
|
# for what other values do
|
||||||
|
#kernel.sysrq=1
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Protected links
|
||||||
|
#
|
||||||
|
# Protects against creating or following links under certain conditions
|
||||||
|
# Debian kernels have both set to 1 (restricted)
|
||||||
|
# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
|
||||||
|
#fs.protected_hardlinks=0
|
||||||
|
#fs.protected_symlinks=0
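Review bot: `net.ipv4.ip_forward=1` and `net.ipv6.conf.all.forwarding=1` are switched on in the sysctl.conf of what appears to be an end host (the matching container config and interfaces file define a single interface, vlan48), while `rp_filter`, `accept_redirects`, `send_redirects` and `accept_source_route` all stay commented out. If only the router container is meant to forward, the host copies should leave both forwarding lines commented so the kernel default applies. `net.ipv4.icmp_ratelimit = 0` and `net.ipv6.icmp.ratelimit = 0` remove the kernel's ICMP rate limiting and carry no explanation; a line such as `# lab only: unlimited ICMP replies for ping/traceroute exercises` would make the intent clear. The comments "Uncomment the next line to enable packet forwarding …" now sit above active settings and should be reworded. The same file content is added three more times further down, for the hosts on vlan36, vlan2 and vlan3.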
|
|
@ -0,0 +1,25 @@
|
||||||
|
# Template used to create this container: /usr/share/lxc/templates/lxc-debian
|
||||||
|
# Parameters passed to the template: -r stretch
|
||||||
|
# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
|
||||||
|
# For additional config options, please look at lxc.container.conf(5)
|
||||||
|
# Uncomment the following line to support nesting containers:
|
||||||
|
#lxc.include = /usr/share/lxc/config/nesting.conf
|
||||||
|
# (Be aware this has security implications)
|
||||||
|
lxc.apparmor.profile = generated
|
||||||
|
lxc.apparmor.allow_nesting = 1
|
||||||
|
# Common configuration
|
||||||
|
lxc.include = /usr/share/lxc/config/debian.common.conf
|
||||||
|
# Container specific configuration
|
||||||
|
lxc.tty.max = 4
|
||||||
|
lxc.arch = amd64
|
||||||
|
lxc.pty.max = 1024
|
||||||
|
lxc.rootfs.path = btrfs:/var/lib/lxc/H34/rootfs
|
||||||
|
lxc.uts.name = H34
|
||||||
|
|
||||||
|
lxc.net.0.type = veth
|
||||||
|
lxc.net.0.flags = up
|
||||||
|
lxc.net.0.name = vlan36
|
||||||
|
lxc.net.0.veth.pair = h34.36
|
||||||
|
lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.0.hwaddr = 02:00:0a:28:24:22
|
|
@ -0,0 +1 @@
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
127.0.0.1 localhost
|
||||||
|
::1 localhost ip6-localhost ip6-loopback
|
||||||
|
ff02::1 ip6-allnodes
|
||||||
|
ff02::2 ip6-allrouters
|
||||||
|
|
|
@ -0,0 +1,14 @@
|
||||||
|
auto lo
|
||||||
|
iface lo inet loopback
|
||||||
|
|
||||||
|
auto vlan36
|
||||||
|
iface vlan36 inet manual
|
||||||
|
up ip link set up dev vlan36
|
||||||
|
up ip addr add 10.40.36.34/24 brd + dev vlan36
|
||||||
|
up ip addr add 2001:db8:10:24::22/120 dev vlan36
|
||||||
|
up ip route add default via 10.40.36.1 dev vlan36
|
||||||
|
up ip route add default via 2001:db8:10:24::1 dev vlan36
|
||||||
|
down ip route -6 del default
|
||||||
|
down ip addr del 2001:db8:10:24::22/120 dev vlan36
|
||||||
|
down ip addr del 10.40.36.34/24 dev vlan36
|
||||||
|
down up link set down dev vlan36
|
|
@ -0,0 +1,79 @@
|
||||||
|
#
|
||||||
|
# /etc/sysctl.conf - Configuration file for setting system variables
|
||||||
|
# See /etc/sysctl.d/ for additional system variables.
|
||||||
|
# See sysctl.conf (5) for information.
|
||||||
|
#
|
||||||
|
|
||||||
|
#kernel.domainname = example.com
|
||||||
|
|
||||||
|
# Uncomment the following to stop low-level messages on console
|
||||||
|
#kernel.printk = 3 4 1 3
|
||||||
|
|
||||||
|
##############################################################3
|
||||||
|
# Functions previously found in netbase
|
||||||
|
#
|
||||||
|
|
||||||
|
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
|
||||||
|
# Turn on Source Address Verification in all interfaces to
|
||||||
|
# prevent some spoofing attacks
|
||||||
|
#net.ipv4.conf.default.rp_filter=1
|
||||||
|
#net.ipv4.conf.all.rp_filter=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable TCP/IP SYN cookies
|
||||||
|
# See http://lwn.net/Articles/277146/
|
||||||
|
# Note: This may impact IPv6 TCP sessions too
|
||||||
|
#net.ipv4.tcp_syncookies=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable packet forwarding for IPv4
|
||||||
|
net.ipv4.ip_forward=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable packet forwarding for IPv6
|
||||||
|
# Enabling this option disables Stateless Address Autoconfiguration
|
||||||
|
# based on Router Advertisements for this host
|
||||||
|
net.ipv6.conf.all.forwarding=1
|
||||||
|
|
||||||
|
net.ipv4.icmp_ratelimit = 0
|
||||||
|
net.ipv6.icmp.ratelimit = 0
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Additional settings - these settings can improve the network
|
||||||
|
# security of the host and prevent against some network attacks
|
||||||
|
# including spoofing attacks and man in the middle attacks through
|
||||||
|
# redirection. Some network environments, however, require that these
|
||||||
|
# settings are disabled so review and enable them as needed.
|
||||||
|
#
|
||||||
|
# Do not accept ICMP redirects (prevent MITM attacks)
|
||||||
|
#net.ipv4.conf.all.accept_redirects = 0
|
||||||
|
#net.ipv6.conf.all.accept_redirects = 0
|
||||||
|
# _or_
|
||||||
|
# Accept ICMP redirects only for gateways listed in our default
|
||||||
|
# gateway list (enabled by default)
|
||||||
|
# net.ipv4.conf.all.secure_redirects = 1
|
||||||
|
#
|
||||||
|
# Do not send ICMP redirects (we are not a router)
|
||||||
|
#net.ipv4.conf.all.send_redirects = 0
|
||||||
|
#
|
||||||
|
# Do not accept IP source route packets (we are not a router)
|
||||||
|
#net.ipv4.conf.all.accept_source_route = 0
|
||||||
|
#net.ipv6.conf.all.accept_source_route = 0
|
||||||
|
#
|
||||||
|
# Log Martian Packets
|
||||||
|
#net.ipv4.conf.all.log_martians = 1
|
||||||
|
#
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Magic system request Key
|
||||||
|
# 0=disable, 1=enable all
|
||||||
|
# Debian kernels have this set to 0 (disable the key)
|
||||||
|
# See https://www.kernel.org/doc/Documentation/sysrq.txt
|
||||||
|
# for what other values do
|
||||||
|
#kernel.sysrq=1
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Protected links
|
||||||
|
#
|
||||||
|
# Protects against creating or following links under certain conditions
|
||||||
|
# Debian kernels have both set to 1 (restricted)
|
||||||
|
# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
|
||||||
|
#fs.protected_hardlinks=0
|
||||||
|
#fs.protected_symlinks=0
|
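--- a/H5/config
+++ b/H5/config
@@ -15,14 +15,3 @@ lxc.arch = amd64
 lxc.pty.max = 1024
 lxc.rootfs.path = btrfs:/var/lib/lxc/H5/rootfs
 lxc.uts.name = H5
-lxc.net.0.type = veth
-lxc.net.0.flags = up
-lxc.net.0.name = vlan1034
-lxc.net.0.veth.pair = h5.1034
-lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.0.hwaddr = 02:00:0a:2b:02:05
-lxc.net.0.ipv4.address = 10.34.2.5/24
-lxc.net.0.ipv4.gateway = 10.34.2.1
-lxc.net.0.ipv6.address = 2001:db8:2501:342::5/64
-lxc.net.0.ipv6.gateway = 2001:db8:2501:342::1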
|
@ -0,0 +1,25 @@
|
||||||
|
# Template used to create this container: /usr/share/lxc/templates/lxc-debian
|
||||||
|
# Parameters passed to the template: -r stretch
|
||||||
|
# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
|
||||||
|
# For additional config options, please look at lxc.container.conf(5)
|
||||||
|
# Uncomment the following line to support nesting containers:
|
||||||
|
#lxc.include = /usr/share/lxc/config/nesting.conf
|
||||||
|
# (Be aware this has security implications)
|
||||||
|
lxc.apparmor.profile = generated
|
||||||
|
lxc.apparmor.allow_nesting = 1
|
||||||
|
# Common configuration
|
||||||
|
lxc.include = /usr/share/lxc/config/debian.common.conf
|
||||||
|
# Container specific configuration
|
||||||
|
lxc.tty.max = 4
|
||||||
|
lxc.arch = amd64
|
||||||
|
lxc.pty.max = 1024
|
||||||
|
lxc.rootfs.path = btrfs:/var/lib/lxc/H6/rootfs
|
||||||
|
lxc.uts.name = H6
|
||||||
|
|
||||||
|
lxc.net.0.type = veth
|
||||||
|
lxc.net.0.flags = up
|
||||||
|
lxc.net.0.name = vlan2
|
||||||
|
lxc.net.0.veth.pair = h6.2
|
||||||
|
lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.0.hwaddr = 02:00:0a:28:02:06
|
|
@ -0,0 +1 @@
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
127.0.0.1 localhost
|
||||||
|
::1 localhost ip6-localhost ip6-loopback
|
||||||
|
ff02::1 ip6-allnodes
|
||||||
|
ff02::2 ip6-allrouters
|
||||||
|
|
|
@ -0,0 +1,14 @@
|
||||||
|
auto lo
|
||||||
|
iface lo inet loopback
|
||||||
|
|
||||||
|
auto vlan2
|
||||||
|
iface vlan2 inet manual
|
||||||
|
up ip link set up dev vlan2
|
||||||
|
up ip addr add 10.40.2.6/24 brd + dev vlan2
|
||||||
|
up ip addr add 2001:db8:40:2::6/120 dev vlan2
|
||||||
|
up ip route add default via 10.40.2.1 dev vlan2
|
||||||
|
up ip route add default via 2001:db8:40:2::1 dev vlan2
|
||||||
|
down ip route -6 del default
|
||||||
|
down ip addr del 2001:db8:40:2::6/120 dev vlan2
|
||||||
|
down ip addr del 10.40.2.6/24 dev vlan2
|
||||||
|
down up link set down dev vlan2
|
|
@ -0,0 +1,79 @@
|
||||||
|
#
|
||||||
|
# /etc/sysctl.conf - Configuration file for setting system variables
|
||||||
|
# See /etc/sysctl.d/ for additional system variables.
|
||||||
|
# See sysctl.conf (5) for information.
|
||||||
|
#
|
||||||
|
|
||||||
|
#kernel.domainname = example.com
|
||||||
|
|
||||||
|
# Uncomment the following to stop low-level messages on console
|
||||||
|
#kernel.printk = 3 4 1 3
|
||||||
|
|
||||||
|
##############################################################3
|
||||||
|
# Functions previously found in netbase
|
||||||
|
#
|
||||||
|
|
||||||
|
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
|
||||||
|
# Turn on Source Address Verification in all interfaces to
|
||||||
|
# prevent some spoofing attacks
|
||||||
|
#net.ipv4.conf.default.rp_filter=1
|
||||||
|
#net.ipv4.conf.all.rp_filter=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable TCP/IP SYN cookies
|
||||||
|
# See http://lwn.net/Articles/277146/
|
||||||
|
# Note: This may impact IPv6 TCP sessions too
|
||||||
|
#net.ipv4.tcp_syncookies=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable packet forwarding for IPv4
|
||||||
|
net.ipv4.ip_forward=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable packet forwarding for IPv6
|
||||||
|
# Enabling this option disables Stateless Address Autoconfiguration
|
||||||
|
# based on Router Advertisements for this host
|
||||||
|
net.ipv6.conf.all.forwarding=1
|
||||||
|
|
||||||
|
net.ipv4.icmp_ratelimit = 0
|
||||||
|
net.ipv6.icmp.ratelimit = 0
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Additional settings - these settings can improve the network
|
||||||
|
# security of the host and prevent against some network attacks
|
||||||
|
# including spoofing attacks and man in the middle attacks through
|
||||||
|
# redirection. Some network environments, however, require that these
|
||||||
|
# settings are disabled so review and enable them as needed.
|
||||||
|
#
|
||||||
|
# Do not accept ICMP redirects (prevent MITM attacks)
|
||||||
|
#net.ipv4.conf.all.accept_redirects = 0
|
||||||
|
#net.ipv6.conf.all.accept_redirects = 0
|
||||||
|
# _or_
|
||||||
|
# Accept ICMP redirects only for gateways listed in our default
|
||||||
|
# gateway list (enabled by default)
|
||||||
|
# net.ipv4.conf.all.secure_redirects = 1
|
||||||
|
#
|
||||||
|
# Do not send ICMP redirects (we are not a router)
|
||||||
|
#net.ipv4.conf.all.send_redirects = 0
|
||||||
|
#
|
||||||
|
# Do not accept IP source route packets (we are not a router)
|
||||||
|
#net.ipv4.conf.all.accept_source_route = 0
|
||||||
|
#net.ipv6.conf.all.accept_source_route = 0
|
||||||
|
#
|
||||||
|
# Log Martian Packets
|
||||||
|
#net.ipv4.conf.all.log_martians = 1
|
||||||
|
#
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Magic system request Key
|
||||||
|
# 0=disable, 1=enable all
|
||||||
|
# Debian kernels have this set to 0 (disable the key)
|
||||||
|
# See https://www.kernel.org/doc/Documentation/sysrq.txt
|
||||||
|
# for what other values do
|
||||||
|
#kernel.sysrq=1
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Protected links
|
||||||
|
#
|
||||||
|
# Protects against creating or following links under certain conditions
|
||||||
|
# Debian kernels have both set to 1 (restricted)
|
||||||
|
# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
|
||||||
|
#fs.protected_hardlinks=0
|
||||||
|
#fs.protected_symlinks=0
|
|
@ -0,0 +1,25 @@
|
||||||
|
# Template used to create this container: /usr/share/lxc/templates/lxc-debian
|
||||||
|
# Parameters passed to the template: -r stretch
|
||||||
|
# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
|
||||||
|
# For additional config options, please look at lxc.container.conf(5)
|
||||||
|
# Uncomment the following line to support nesting containers:
|
||||||
|
#lxc.include = /usr/share/lxc/config/nesting.conf
|
||||||
|
# (Be aware this has security implications)
|
||||||
|
lxc.apparmor.profile = generated
|
||||||
|
lxc.apparmor.allow_nesting = 1
|
||||||
|
# Common configuration
|
||||||
|
lxc.include = /usr/share/lxc/config/debian.common.conf
|
||||||
|
# Container specific configuration
|
||||||
|
lxc.tty.max = 4
|
||||||
|
lxc.arch = amd64
|
||||||
|
lxc.pty.max = 1024
|
||||||
|
lxc.rootfs.path = btrfs:/var/lib/lxc/H7/rootfs
|
||||||
|
lxc.uts.name = H7
|
||||||
|
|
||||||
|
lxc.net.0.type = veth
|
||||||
|
lxc.net.0.flags = up
|
||||||
|
lxc.net.0.name = vlan3
|
||||||
|
lxc.net.0.veth.pair = h7.3
|
||||||
|
lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.0.hwaddr = 02:00:0a:28:03:07
|
|
@ -0,0 +1 @@
|
||||||
|
|
|
@ -0,0 +1 @@
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
127.0.0.1 localhost
|
||||||
|
::1 localhost ip6-localhost ip6-loopback
|
||||||
|
ff02::1 ip6-allnodes
|
||||||
|
ff02::2 ip6-allrouters
|
||||||
|
|
|
@ -0,0 +1,14 @@
|
||||||
|
auto lo
|
||||||
|
iface lo inet loopback
|
||||||
|
|
||||||
|
auto vlan3
|
||||||
|
iface vlan3 inet manual
|
||||||
|
up ip link set up dev vlan3
|
||||||
|
up ip addr add 10.40.3.7/24 brd + dev vlan3
|
||||||
|
up ip addr add 2001:db8:40:3::7/120 dev vlan3
|
||||||
|
up ip route add default via 10.40.3.1 dev vlan3
|
||||||
|
up ip route add default via 2001:db8:40:3::1 dev vlan3
|
||||||
|
down ip route -6 del default
|
||||||
|
down ip addr del 2001:db8:40:3::7/120 dev vlan3
|
||||||
|
down ip addr del 10.40.3.7/24 dev vlan3
|
||||||
|
down up link set down dev vlan3
|
|
@ -0,0 +1,79 @@
|
||||||
|
#
|
||||||
|
# /etc/sysctl.conf - Configuration file for setting system variables
|
||||||
|
# See /etc/sysctl.d/ for additional system variables.
|
||||||
|
# See sysctl.conf (5) for information.
|
||||||
|
#
|
||||||
|
|
||||||
|
#kernel.domainname = example.com
|
||||||
|
|
||||||
|
# Uncomment the following to stop low-level messages on console
|
||||||
|
#kernel.printk = 3 4 1 3
|
||||||
|
|
||||||
|
##############################################################3
|
||||||
|
# Functions previously found in netbase
|
||||||
|
#
|
||||||
|
|
||||||
|
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
|
||||||
|
# Turn on Source Address Verification in all interfaces to
|
||||||
|
# prevent some spoofing attacks
|
||||||
|
#net.ipv4.conf.default.rp_filter=1
|
||||||
|
#net.ipv4.conf.all.rp_filter=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable TCP/IP SYN cookies
|
||||||
|
# See http://lwn.net/Articles/277146/
|
||||||
|
# Note: This may impact IPv6 TCP sessions too
|
||||||
|
#net.ipv4.tcp_syncookies=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable packet forwarding for IPv4
|
||||||
|
net.ipv4.ip_forward=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable packet forwarding for IPv6
|
||||||
|
# Enabling this option disables Stateless Address Autoconfiguration
|
||||||
|
# based on Router Advertisements for this host
|
||||||
|
net.ipv6.conf.all.forwarding=1
|
||||||
|
|
||||||
|
net.ipv4.icmp_ratelimit = 0
|
||||||
|
net.ipv6.icmp.ratelimit = 0
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Additional settings - these settings can improve the network
|
||||||
|
# security of the host and prevent against some network attacks
|
||||||
|
# including spoofing attacks and man in the middle attacks through
|
||||||
|
# redirection. Some network environments, however, require that these
|
||||||
|
# settings are disabled so review and enable them as needed.
|
||||||
|
#
|
||||||
|
# Do not accept ICMP redirects (prevent MITM attacks)
|
||||||
|
#net.ipv4.conf.all.accept_redirects = 0
|
||||||
|
#net.ipv6.conf.all.accept_redirects = 0
|
||||||
|
# _or_
|
||||||
|
# Accept ICMP redirects only for gateways listed in our default
|
||||||
|
# gateway list (enabled by default)
|
||||||
|
# net.ipv4.conf.all.secure_redirects = 1
|
||||||
|
#
|
||||||
|
# Do not send ICMP redirects (we are not a router)
|
||||||
|
#net.ipv4.conf.all.send_redirects = 0
|
||||||
|
#
|
||||||
|
# Do not accept IP source route packets (we are not a router)
|
||||||
|
#net.ipv4.conf.all.accept_source_route = 0
|
||||||
|
#net.ipv6.conf.all.accept_source_route = 0
|
||||||
|
#
|
||||||
|
# Log Martian Packets
|
||||||
|
#net.ipv4.conf.all.log_martians = 1
|
||||||
|
#
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Magic system request Key
|
||||||
|
# 0=disable, 1=enable all
|
||||||
|
# Debian kernels have this set to 0 (disable the key)
|
||||||
|
# See https://www.kernel.org/doc/Documentation/sysrq.txt
|
||||||
|
# for what other values do
|
||||||
|
#kernel.sysrq=1
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Protected links
|
||||||
|
#
|
||||||
|
# Protects against creating or following links under certain conditions
|
||||||
|
# Debian kernels have both set to 1 (restricted)
|
||||||
|
# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
|
||||||
|
#fs.protected_hardlinks=0
|
||||||
|
#fs.protected_symlinks=0
|
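--- a/H8/config
+++ b/H8/config
@@ -15,14 +15,3 @@ lxc.arch = amd64
 lxc.pty.max = 1024
 lxc.rootfs.path = btrfs:/var/lib/lxc/H8/rootfs
 lxc.uts.name = H8
-lxc.net.0.type = veth
-lxc.net.0.flags = up
-lxc.net.0.name = vlan1356
-lxc.net.0.veth.pair = h8.1356
-lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.0.hwaddr = 02:00:0a:03:38:08
-lxc.net.0.ipv4.address = 10.3.56.8/24
-lxc.net.0.ipv4.gateway = 10.3.56.1
-lxc.net.0.ipv6.address = 2001:db8:2501:56::8/64
-lxc.net.0.ipv6.gateway = 2001:db8:2501:56::1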
|
@ -0,0 +1,33 @@
|
||||||
|
# Template used to create this container: /usr/share/lxc/templates/lxc-debian
|
||||||
|
# Parameters passed to the template: -r stretch
|
||||||
|
# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
|
||||||
|
# For additional config options, please look at lxc.container.conf(5)
|
||||||
|
# Uncomment the following line to support nesting containers:
|
||||||
|
#lxc.include = /usr/share/lxc/config/nesting.conf
|
||||||
|
# (Be aware this has security implications)
|
||||||
|
lxc.apparmor.profile = generated
|
||||||
|
lxc.apparmor.allow_nesting = 1
|
||||||
|
# Common configuration
|
||||||
|
lxc.include = /usr/share/lxc/config/debian.common.conf
|
||||||
|
# Container specific configuration
|
||||||
|
lxc.tty.max = 4
|
||||||
|
lxc.arch = amd64
|
||||||
|
lxc.pty.max = 1024
|
||||||
|
lxc.rootfs.path = btrfs:/var/lib/lxc/R0/rootfs
|
||||||
|
lxc.uts.name = R0
|
||||||
|
|
||||||
|
lxc.net.0.type = veth
|
||||||
|
lxc.net.0.flags = up
|
||||||
|
lxc.net.0.name = vlan216
|
||||||
|
lxc.net.0.veth.pair = r0.216
|
||||||
|
lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.0.hwaddr = 02:00:0a:28:d8:02
|
||||||
|
|
||||||
|
lxc.net.1.type = veth
|
||||||
|
lxc.net.1.flags = up
|
||||||
|
lxc.net.1.name = vlan2
|
||||||
|
lxc.net.1.veth.pair = r0.2
|
||||||
|
lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.1.hwaddr = 02:00:0a:28:02:01
|
|
@ -0,0 +1,26 @@
|
||||||
|
router id 10.40.217.0;
|
||||||
|
|
||||||
|
log "/var/log/bird/bird.log" all;
|
||||||
|
debug protocols { states, routes, filters, interfaces }
|
||||||
|
|
||||||
|
protocol kernel {
|
||||||
|
import none;
|
||||||
|
export all;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol device {
|
||||||
|
# defaults...
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol ospf {
|
||||||
|
area 0 {
|
||||||
|
interface "lo" {
|
||||||
|
stub;
|
||||||
|
};
|
||||||
|
interface "vlan216" {
|
||||||
|
};
|
||||||
|
interface "vlan2" {
|
||||||
|
stub;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
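Review bot: The OSPF stanza leaves `interface "vlan216" { };` empty, so adjacencies on the only non-stub interface are formed without authentication, while `protocol kernel` with `export all;` installs whatever the protocol learns into the kernel table. Any device attached to that VLAN could therefore become a neighbour and have its routes accepted. I would add `authentication cryptographic; password "<lab-secret-placeholder>";` inside the vlan216 block, with matching values on its neighbours, or at least a comment saying the segment is a trusted lab-only link. The IPv6 configuration in the next hunk has the same empty vlan216 block; whether OSPFv3 authentication is available there depends on the BIRD version in use.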
|
|
@ -0,0 +1,25 @@
|
||||||
|
router id 10.40.217.0;
|
||||||
|
|
||||||
|
log "/var/log/bird/bird6.log" all;
|
||||||
|
debug protocols { states, routes, filters, interfaces }
|
||||||
|
|
||||||
|
protocol kernel {
|
||||||
|
import none;
|
||||||
|
export all;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol device {
|
||||||
|
# defaults...
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol ospf {
|
||||||
|
area 0 {
|
||||||
|
# BIRD ignores the IPv6 lo because it has no link local address
|
||||||
|
stubnet 2001:db8:40::/128;
|
||||||
|
interface "vlan216" {
|
||||||
|
};
|
||||||
|
interface "vlan2" {
|
||||||
|
stub;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,5 @@
|
||||||
|
127.0.0.1 localhost
|
||||||
|
::1 localhost ip6-localhost ip6-loopback
|
||||||
|
ff02::1 ip6-allnodes
|
||||||
|
ff02::2 ip6-allrouters
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
auto lo
|
||||||
|
iface lo inet loopback
|
||||||
|
up ip addr add 10.40.217.0/32 dev lo
|
||||||
|
up ip addr add 2001:db8:40:: dev lo
|
||||||
|
down ip addr del 2001:db8:40:: dev lo
|
||||||
|
down ip addr del 10.40.217.0/32 dev lo
|
||||||
|
|
||||||
|
auto vlan2
|
||||||
|
iface vlan2 inet manual
|
||||||
|
up ip link set up dev vlan2
|
||||||
|
up ip addr add 10.40.2.1/24 brd + dev vlan2
|
||||||
|
up ip addr add 2001:db8:40:2::1/120 dev vlan2
|
||||||
|
down ip addr del 2001:db8:40:2::1/120 dev vlan2
|
||||||
|
down ip addr del 10.40.2.1/24 dev vlan2
|
||||||
|
down up link set down dev vlan2
|
||||||
|
|
||||||
|
auto vlan216
|
||||||
|
iface vlan216 inet manual
|
||||||
|
up ip link set up dev vlan216
|
||||||
|
up ip addr add 10.40.216.2/28 brd + dev vlan216
|
||||||
|
up ip addr add 2001:db8:40:d8::2/120 dev vlan216
|
||||||
|
down ip addr del 2001:db8:40:d8::2/120 dev vlan216
|
||||||
|
down ip addr del 10.40.216.2/28 dev vlan216
|
||||||
|
down up link set down dev vlan216
|
|
@ -0,0 +1,79 @@
|
||||||
|
#
|
||||||
|
# /etc/sysctl.conf - Configuration file for setting system variables
|
||||||
|
# See /etc/sysctl.d/ for additional system variables.
|
||||||
|
# See sysctl.conf (5) for information.
|
||||||
|
#
|
||||||
|
|
||||||
|
#kernel.domainname = example.com
|
||||||
|
|
||||||
|
# Uncomment the following to stop low-level messages on console
|
||||||
|
#kernel.printk = 3 4 1 3
|
||||||
|
|
||||||
|
##############################################################3
|
||||||
|
# Functions previously found in netbase
|
||||||
|
#
|
||||||
|
|
||||||
|
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
|
||||||
|
# Turn on Source Address Verification in all interfaces to
|
||||||
|
# prevent some spoofing attacks
|
||||||
|
#net.ipv4.conf.default.rp_filter=1
|
||||||
|
#net.ipv4.conf.all.rp_filter=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable TCP/IP SYN cookies
|
||||||
|
# See http://lwn.net/Articles/277146/
|
||||||
|
# Note: This may impact IPv6 TCP sessions too
|
||||||
|
#net.ipv4.tcp_syncookies=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable packet forwarding for IPv4
|
||||||
|
net.ipv4.ip_forward=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable packet forwarding for IPv6
|
||||||
|
# Enabling this option disables Stateless Address Autoconfiguration
|
||||||
|
# based on Router Advertisements for this host
|
||||||
|
net.ipv6.conf.all.forwarding=1
|
||||||
|
|
||||||
|
net.ipv4.icmp_ratelimit = 0
|
||||||
|
net.ipv6.icmp.ratelimit = 0
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Additional settings - these settings can improve the network
|
||||||
|
# security of the host and prevent against some network attacks
|
||||||
|
# including spoofing attacks and man in the middle attacks through
|
||||||
|
# redirection. Some network environments, however, require that these
|
||||||
|
# settings are disabled so review and enable them as needed.
|
||||||
|
#
|
||||||
|
# Do not accept ICMP redirects (prevent MITM attacks)
|
||||||
|
#net.ipv4.conf.all.accept_redirects = 0
|
||||||
|
#net.ipv6.conf.all.accept_redirects = 0
|
||||||
|
# _or_
|
||||||
|
# Accept ICMP redirects only for gateways listed in our default
|
||||||
|
# gateway list (enabled by default)
|
||||||
|
# net.ipv4.conf.all.secure_redirects = 1
|
||||||
|
#
|
||||||
|
# Do not send ICMP redirects (we are not a router)
|
||||||
|
#net.ipv4.conf.all.send_redirects = 0
|
||||||
|
#
|
||||||
|
# Do not accept IP source route packets (we are not a router)
|
||||||
|
#net.ipv4.conf.all.accept_source_route = 0
|
||||||
|
#net.ipv6.conf.all.accept_source_route = 0
|
||||||
|
#
|
||||||
|
# Log Martian Packets
|
||||||
|
#net.ipv4.conf.all.log_martians = 1
|
||||||
|
#
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Magic system request Key
|
||||||
|
# 0=disable, 1=enable all
|
||||||
|
# Debian kernels have this set to 0 (disable the key)
|
||||||
|
# See https://www.kernel.org/doc/Documentation/sysrq.txt
|
||||||
|
# for what other values do
|
||||||
|
#kernel.sysrq=1
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Protected links
|
||||||
|
#
|
||||||
|
# Protects against creating or following links under certain conditions
|
||||||
|
# Debian kernels have both set to 1 (restricted)
|
||||||
|
# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
|
||||||
|
#fs.protected_hardlinks=0
|
||||||
|
#fs.protected_symlinks=0
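Review bot: `net.ipv4.icmp_ratelimit = 0` and `net.ipv6.icmp.ratelimit = 0` turn off the kernel's throttling of ICMP error replies on a host that also has forwarding enabled, and the file gives no reason for it. If this is only there so ping and traceroute exercises are not throttled, say so above the two lines, e.g. `# Lab only: no ICMP rate limit so traceroute tests are not throttled; remove outside the lab`. The comments copied from the stock file are now misleading: the forwarding lines are active under "Uncomment the next line", and the redirect and source-route blocks still say "we are not a router". The same file content is added again in the later sysctl sections of this commit, so the note applies there too.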
|
39
R1/config
39
R1/config
|
@ -15,39 +15,22 @@ lxc.arch = amd64
|
||||||
lxc.pty.max = 1024
|
lxc.pty.max = 1024
|
||||||
lxc.rootfs.path = btrfs:/var/lib/lxc/R1/rootfs
|
lxc.rootfs.path = btrfs:/var/lib/lxc/R1/rootfs
|
||||||
lxc.uts.name = R1
|
lxc.uts.name = R1
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
lxc.net.0.type = veth
|
lxc.net.0.type = veth
|
||||||
lxc.net.0.flags = up
|
lxc.net.0.flags = up
|
||||||
lxc.net.0.name = vlan1001
|
lxc.net.0.name = vlan216
|
||||||
lxc.net.0.veth.pair = r1.1001
|
lxc.net.0.veth.pair = r1.216
|
||||||
lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
|
lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
|
||||||
lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
|
lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
|
||||||
lxc.net.0.hwaddr = 02:00:0a:00:01:05
|
lxc.net.0.hwaddr = 02:00:0a:28:d8:03
|
||||||
lxc.net.0.ipv4.address = 10.0.1.5/24
|
|
||||||
lxc.net.0.ipv6.address = 2001:db8:2501:1::5/64
|
|
||||||
lxc.net.1.type = veth
|
lxc.net.1.type = veth
|
||||||
lxc.net.1.flags = up
|
lxc.net.1.flags = up
|
||||||
lxc.net.1.name = vlan1012
|
lxc.net.1.name = vlan3
|
||||||
lxc.net.1.veth.pair = r1.1012
|
lxc.net.1.veth.pair = r1.3
|
||||||
lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
|
lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
|
||||||
lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
|
lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
|
||||||
lxc.net.1.hwaddr = 02:00:0a:01:02:07
|
lxc.net.1.hwaddr = 02:00:0a:28:03:01
|
||||||
lxc.net.1.ipv4.address = 10.1.2.7/24
|
|
||||||
lxc.net.1.ipv6.address = 2001:db8:2501:2::7/64
|
|
||||||
lxc.net.2.type = veth
|
|
||||||
lxc.net.2.flags = up
|
|
||||||
lxc.net.2.name = vlan1356
|
|
||||||
lxc.net.2.veth.pair = r1.1356
|
|
||||||
lxc.net.2.script.up = /etc/lxc/lxc-openvswitch
|
|
||||||
lxc.net.2.script.down = /etc/lxc/lxc-openvswitch
|
|
||||||
lxc.net.2.hwaddr = 02:00:0a:03:38:01
|
|
||||||
lxc.net.2.ipv4.address = 10.3.56.1/24
|
|
||||||
lxc.net.2.ipv6.address = 2001:db8:2501:56::1/64
|
|
||||||
|
|
||||||
|
|
||||||
lxc.net.3.type = veth
|
|
||||||
lxc.net.3.name = vlan10
|
|
||||||
lxc.net.3.veth.pair = r1.10
|
|
||||||
lxc.net.3.flags = up
|
|
||||||
lxc.net.3.script.up = /etc/lxc/lxc-openvswitch
|
|
||||||
lxc.net.3.script.down = /etc/lxc/lxc-openvswitch
|
|
||||||
|
|
||||||
|
|
|
@ -1,47 +1,26 @@
|
||||||
router id 10.9.99.1;
|
router id 10.40.217.1;
|
||||||
|
|
||||||
log "/var/log/bird/bird.log" all;
|
log "/var/log/bird/bird.log" all;
|
||||||
debug protocols { states, routes, filters, interfaces }
|
debug protocols { states, routes, filters, interfaces }
|
||||||
|
|
||||||
protocol kernel {
|
protocol kernel {
|
||||||
#import none;
|
import none;
|
||||||
export all;
|
export all;
|
||||||
learn;
|
|
||||||
preference 254;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
protocol device {
|
protocol device {
|
||||||
# defaults...
|
# defaults...
|
||||||
scan time 10;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
protocol direct {
|
|
||||||
interface "vlan10";
|
|
||||||
}
|
|
||||||
|
|
||||||
filter ospfexport {
|
|
||||||
if (source = RTS_DEVICE) || (net = 0.0.0.0/0)
|
|
||||||
then accept;
|
|
||||||
else reject;
|
|
||||||
};
|
|
||||||
|
|
||||||
protocol ospf {
|
protocol ospf {
|
||||||
export filter ospfexport;
|
area 0 {
|
||||||
import all;
|
interface "lo" {
|
||||||
area 0 {
|
stub;
|
||||||
interface "lo" {
|
};
|
||||||
stub;
|
interface "vlan216" {
|
||||||
};
|
};
|
||||||
interface "vlan1001" {
|
interface "vlan3" {
|
||||||
};
|
stub;
|
||||||
interface "vlan1012" {
|
};
|
||||||
};
|
};
|
||||||
interface "vlan1356" {
|
}
|
||||||
stub;
|
|
||||||
};
|
|
||||||
interface "vlan10" {
|
|
||||||
type broadcast;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
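Review bot: The rewritten `protocol ospf` block leaves `interface "vlan216" { };` without any authentication, so any host that can reach that segment could form an adjacency and have its LSAs accepted into area 0. Adding `authentication cryptographic;` and `password "<SHARED-SECRET-PLACEHOLDER>";` inside the interface block (identically on every router of the segment) closes that; `stub` interfaces such as vlan3 form no adjacencies and need nothing. The same applies to the non-stub `interface "vlan33"` blocks in the IPv4 BIRD files added further down.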
|
|
||||||
|
|
||||||
|
|
|
@ -1,47 +1,30 @@
|
||||||
router id 10.9.99.1;
|
router id 10.40.217.1;
|
||||||
|
|
||||||
log "/var/log/bird/bird.log" all;
|
log "/var/log/bird/bird6.log" all;
|
||||||
debug protocols { states, routes, filters, interfaces }
|
debug protocols { states, routes, filters, interfaces }
|
||||||
|
|
||||||
protocol kernel {
|
protocol kernel {
|
||||||
#import none;
|
import none;
|
||||||
export all;
|
export all;
|
||||||
learn;
|
|
||||||
preference 254;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
protocol device {
|
protocol device {
|
||||||
# defaults...
|
# defaults...
|
||||||
scan time 10;
|
|
||||||
}
|
|
||||||
|
|
||||||
protocol direct {
|
|
||||||
interface "vlan10";
|
|
||||||
}
|
|
||||||
|
|
||||||
filter ospfexport {
|
|
||||||
if (source = RTS_DEVICE) || (net = ::/0)
|
|
||||||
then accept;
|
|
||||||
else reject;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
protocol ospf {
|
protocol ospf {
|
||||||
export filter ospfexport;
|
area 0 {
|
||||||
import all;
|
# BIRD ignores the IPv6 lo because it has no link local address
|
||||||
area 0 {
|
stubnet 2001:db8:40::1/128;
|
||||||
interface "lo" {
|
interface "vlan216" {
|
||||||
stub;
|
};
|
||||||
};
|
interface "vlan3" {
|
||||||
interface "vlan1001" {
|
stub;
|
||||||
};
|
};
|
||||||
interface "vlan1012" {
|
};
|
||||||
};
|
}
|
||||||
interface "vlan1356" {
|
|
||||||
stub;
|
|
||||||
};
|
|
||||||
interface "vlan10" {
|
|
||||||
type broadcast;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
|
protocol bgp ibgp_r3 {
|
||||||
|
local 2001:db8:40::1 as 64080;
|
||||||
|
neighbor 2001:db8:40::3 as 64080;
|
||||||
|
}
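Review bot: `protocol bgp ibgp_r3` is written with only `local` and `neighbor`, so its import and export policy and its session protection are all implicit. With BIRD's defaults (`import all`, `export none`) the session would accept every route from the peer and announce nothing, which is easy to misread later. State the policy explicitly in the block, e.g. `import all;` and `export none;` until the real filters exist, and consider `password "<SHARED-SECRET-PLACEHOLDER>";` for TCP-MD5 on the session.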
|
||||||
|
|
|
@ -1,16 +1,24 @@
|
||||||
auto lo
|
auto lo
|
||||||
iface lo inet loopback
|
iface lo inet loopback
|
||||||
up ip addr add 10.9.99.1/32 dev lo
|
up ip addr add 10.40.217.1/32 dev lo
|
||||||
down ip addr del 10.9.99.1/32 dev lo
|
up ip addr add 2001:db8:40::1 dev lo
|
||||||
|
down ip addr del 2001:db8:40::1 dev lo
|
||||||
|
down ip addr del 10.40.217.1/32 dev lo
|
||||||
|
|
||||||
iface vlan10 inet manual
|
auto vlan3
|
||||||
pre-up iptables-restore < /etc/network/firewall
|
iface vlan3 inet manual
|
||||||
up ip link set up dev vlan10
|
up ip link set up dev vlan3
|
||||||
up ip addr add 198.51.100.13/26 brd + dev vlan10
|
up ip addr add 10.40.3.1/24 brd + dev vlan3
|
||||||
up ip route add default via 198.51.100.1 dev vlan10
|
up ip addr add 2001:db8:40:3::1/120 dev vlan3
|
||||||
up ip -6 addr add 2001:db8:1998::19/120 dev vlan10
|
down ip addr del 2001:db8:40:3::1/120 dev vlan3
|
||||||
up ip -6 route add default via 2001:db8:1998::1 dev vlan10
|
down ip addr del 10.40.3.1/24 dev vlan3
|
||||||
down ip addr del 198.51.100.19/26 dev vlan10
|
down up link set down dev vlan3
|
||||||
down ip -6 addr del 2001:db8:1998::19/120 dev vlan10
|
|
||||||
down ip link set down dev vlan10
|
|
||||||
|
|
||||||
|
auto vlan216
|
||||||
|
iface vlan216 inet manual
|
||||||
|
up ip link set up dev vlan216
|
||||||
|
up ip addr add 10.40.216.3/28 brd + dev vlan216
|
||||||
|
up ip addr add 2001:db8:40:d8::3/120 dev vlan216
|
||||||
|
down ip addr del 2001:db8:40:d8::3/120 dev vlan216
|
||||||
|
down ip addr del 10.40.216.3/28 dev vlan216
|
||||||
|
down up link set down dev vlan216
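Review bot: The last `down` line of each new stanza reads `down up link set down dev vlan3` (and `... dev vlan216`), which invokes a command named `up` instead of `ip`, so the link is not set down and ifdown will most likely report a failed command. It should be `down ip link set down dev vlan3` and `down ip link set down dev vlan216`; the same typo is in the vlan33, vlan217, vlan48 and vlan36 stanzas of the interfaces files added further down. Separately, the removed vlan10 stanza was the only visible place that ran `pre-up iptables-restore < /etc/network/firewall`; if this router still has a segment that needs filtering, one of the new stanzas should load the ruleset.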
|
||||||
|
|
|
@ -0,0 +1,33 @@
|
||||||
|
# Template used to create this container: /usr/share/lxc/templates/lxc-debian
|
||||||
|
# Parameters passed to the template: -r stretch
|
||||||
|
# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
|
||||||
|
# For additional config options, please look at lxc.container.conf(5)
|
||||||
|
# Uncomment the following line to support nesting containers:
|
||||||
|
#lxc.include = /usr/share/lxc/config/nesting.conf
|
||||||
|
# (Be aware this has security implications)
|
||||||
|
lxc.apparmor.profile = generated
|
||||||
|
lxc.apparmor.allow_nesting = 1
|
||||||
|
# Common configuration
|
||||||
|
lxc.include = /usr/share/lxc/config/debian.common.conf
|
||||||
|
# Container specific configuration
|
||||||
|
lxc.tty.max = 4
|
||||||
|
lxc.arch = amd64
|
||||||
|
lxc.pty.max = 1024
|
||||||
|
lxc.rootfs.path = btrfs:/var/lib/lxc/R10/rootfs
|
||||||
|
lxc.uts.name = R10
|
||||||
|
|
||||||
|
lxc.net.0.type = veth
|
||||||
|
lxc.net.0.flags = up
|
||||||
|
lxc.net.0.name = vlan33
|
||||||
|
lxc.net.0.veth.pair = r10.33
|
||||||
|
lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.0.hwaddr = 02:00:0a:28:21:01
|
||||||
|
|
||||||
|
lxc.net.1.type = veth
|
||||||
|
lxc.net.1.flags = up
|
||||||
|
lxc.net.1.name = vlan217
|
||||||
|
lxc.net.1.veth.pair = r10.217
|
||||||
|
lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.1.hwaddr = 02:00:0a:28:d9:11
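Review bot: `lxc.apparmor.allow_nesting = 1` is set for a container that, going by the rest of the commit, only routes packets and runs BIRD, while the template comment two lines above it warns that nesting has security implications. With `lxc.apparmor.profile = generated` this setting widens the generated AppArmor profile so that containers can be started inside this one. If nothing is nested here, `lxc.apparmor.allow_nesting = 0` keeps the tighter profile; the configs added later for R11 and R12 carry the same two lines.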
|
|
@ -0,0 +1,59 @@
|
||||||
|
router id 10.40.32.10;
|
||||||
|
|
||||||
|
log "/var/log/bird/bird.log" all;
|
||||||
|
debug protocols { states, routes, filters, interfaces }
|
||||||
|
|
||||||
|
protocol kernel {
|
||||||
|
import none;
|
||||||
|
export all;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol device {
|
||||||
|
# defaults...
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol ospf {
|
||||||
|
area 0 {
|
||||||
|
interface "lo" {
|
||||||
|
stub;
|
||||||
|
};
|
||||||
|
interface "vlan33" {
|
||||||
|
};
|
||||||
|
interface "vlan217" {
|
||||||
|
stub;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
##############################################################################
|
||||||
|
# eBGP R3
|
||||||
|
#
|
||||||
|
|
||||||
|
table t_r3;
|
||||||
|
|
||||||
|
protocol static originate_to_r3 {
|
||||||
|
table t_r3;
|
||||||
|
import all; # originate here
|
||||||
|
route 10.40.0.0/22 blackhole;
|
||||||
|
route 10.40.216.0/21 blackhole;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol bgp ebgp_r3 {
|
||||||
|
table t_r3;
|
||||||
|
neighbor 10.40.217.17 as 64080;
|
||||||
|
local 10.40.217.18 as 65033;
|
||||||
|
import filter {
|
||||||
|
if net ~ [ 10.0.0.0/8{19,24} ] then accept;
|
||||||
|
reject;
|
||||||
|
};
|
||||||
|
import keep filtered on;
|
||||||
|
export where source = RTS_STATIC;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol pipe p_master_to_r3 {
|
||||||
|
table master;
|
||||||
|
peer table t_r3;
|
||||||
|
import where source = RTS_BGP;
|
||||||
|
export none;
|
||||||
|
}
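Review bot: `originate_to_r3` announces `10.40.0.0/22` and `10.40.216.0/21`, but the addresses this router uses elsewhere in the commit (router id 10.40.32.10, 10.40.33.1/26 on vlan33) lie outside both, while the /21 contains the peering link 10.40.217.16/30 and ranges configured on the AS 64080 side. This looks copied from the neighbour's configuration; as written, AS 65033 would originate the neighbour's address space and not its own. If the local block is the one covering 10.40.32.x to 10.40.55.x, the static routes should name it instead, e.g. `route 10.40.32.0/19 blackhole;` (prefix inferred from the addresses in this commit, confirm against the addressing plan). The IPv6 file for the same router originates `2001:db8:10::/48`, which does match its own addresses.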
|
||||||
|
|
|
@ -0,0 +1,54 @@
|
||||||
|
router id 10.40.32.10;
|
||||||
|
|
||||||
|
log "/var/log/bird/bird6.log" all;
|
||||||
|
debug protocols { states, routes, filters, interfaces }
|
||||||
|
|
||||||
|
protocol kernel {
|
||||||
|
import none;
|
||||||
|
export all;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol device {
|
||||||
|
# defaults...
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol ospf {
|
||||||
|
area 0 {
|
||||||
|
# BIRD ignores the IPv6 lo because it has no link local address
|
||||||
|
stubnet 2001:db8:10:6::a/128;
|
||||||
|
interface "vlan33" {
|
||||||
|
};
|
||||||
|
interface "vlan217" {
|
||||||
|
stub;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
##############################################################################
|
||||||
|
# eBGP R3
|
||||||
|
#
|
||||||
|
|
||||||
|
table t_r3;
|
||||||
|
|
||||||
|
protocol static originate_to_r3 {
|
||||||
|
table t_r3;
|
||||||
|
import all; # originate here
|
||||||
|
route 2001:db8:10::/48 blackhole;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol bgp ebgp_r3 {
|
||||||
|
table t_r3;
|
||||||
|
neighbor 2001:db8:40:d910::1 as 64080;
|
||||||
|
local 2001:db8:40:d910::2 as 65033;
|
||||||
|
import all;
|
||||||
|
import keep filtered on;
|
||||||
|
export where source = RTS_STATIC;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol pipe p_master_to_r3 {
|
||||||
|
table master;
|
||||||
|
peer table t_r3;
|
||||||
|
import where source = RTS_BGP;
|
||||||
|
export none;
|
||||||
|
}
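Review bot: `import all;` on the `ebgp_r3` session accepts whatever the external neighbour sends, including a default route or this site's own `2001:db8:10::/48`, whereas the IPv4 counterpart restricts imports with a prefix-length filter. `import keep filtered on;` also has nothing to keep when nothing is filtered. Mirror the IPv4 policy with an explicit filter, for example `import filter { if net ~ [ 2001:db8::/32{48,64} ] then accept; reject; };` (the bounds are an illustration, adjust them to the lab's addressing plan).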
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
127.0.0.1 localhost
|
||||||
|
::1 localhost ip6-localhost ip6-loopback
|
||||||
|
ff02::1 ip6-allnodes
|
||||||
|
ff02::2 ip6-allrouters
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
auto lo
|
||||||
|
iface lo inet loopback
|
||||||
|
up ip addr add 10.40.32.10/32 dev lo
|
||||||
|
up ip addr add 2001:db8:10:6::a dev lo
|
||||||
|
down ip addr del 2001:db8:10:6::a dev lo
|
||||||
|
down ip addr del 10.40.32.10/32 dev lo
|
||||||
|
|
||||||
|
auto vlan33
|
||||||
|
iface vlan33 inet manual
|
||||||
|
up ip link set up dev vlan33
|
||||||
|
up ip addr add 10.40.33.1/26 brd + dev vlan33
|
||||||
|
up ip addr add 2001:db8:10:21::1/120 dev vlan33
|
||||||
|
down ip addr del 2001:db8:10:21::1/120 dev vlan33
|
||||||
|
down ip addr del 10.40.33.1/26 dev vlan33
|
||||||
|
down up link set down dev vlan33
|
||||||
|
|
||||||
|
auto vlan217
|
||||||
|
iface vlan217 inet manual
|
||||||
|
up ip link set up dev vlan217
|
||||||
|
up ip addr add 10.40.217.18/30 brd + dev vlan217
|
||||||
|
up ip addr add 2001:db8:40:d910::2/120 dev vlan217
|
||||||
|
down ip addr del 2001:db8:40:d910::2/120 dev vlan217
|
||||||
|
down ip addr del 10.40.217.18/30 dev vlan217
|
||||||
|
down up link set down dev vlan217
|
|
@ -0,0 +1,79 @@
|
||||||
|
#
|
||||||
|
# /etc/sysctl.conf - Configuration file for setting system variables
|
||||||
|
# See /etc/sysctl.d/ for additional system variables.
|
||||||
|
# See sysctl.conf (5) for information.
|
||||||
|
#
|
||||||
|
|
||||||
|
#kernel.domainname = example.com
|
||||||
|
|
||||||
|
# Uncomment the following to stop low-level messages on console
|
||||||
|
#kernel.printk = 3 4 1 3
|
||||||
|
|
||||||
|
##############################################################3
|
||||||
|
# Functions previously found in netbase
|
||||||
|
#
|
||||||
|
|
||||||
|
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
|
||||||
|
# Turn on Source Address Verification in all interfaces to
|
||||||
|
# prevent some spoofing attacks
|
||||||
|
#net.ipv4.conf.default.rp_filter=1
|
||||||
|
#net.ipv4.conf.all.rp_filter=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable TCP/IP SYN cookies
|
||||||
|
# See http://lwn.net/Articles/277146/
|
||||||
|
# Note: This may impact IPv6 TCP sessions too
|
||||||
|
#net.ipv4.tcp_syncookies=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable packet forwarding for IPv4
|
||||||
|
net.ipv4.ip_forward=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable packet forwarding for IPv6
|
||||||
|
# Enabling this option disables Stateless Address Autoconfiguration
|
||||||
|
# based on Router Advertisements for this host
|
||||||
|
net.ipv6.conf.all.forwarding=1
|
||||||
|
|
||||||
|
net.ipv4.icmp_ratelimit = 0
|
||||||
|
net.ipv6.icmp.ratelimit = 0
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Additional settings - these settings can improve the network
|
||||||
|
# security of the host and prevent against some network attacks
|
||||||
|
# including spoofing attacks and man in the middle attacks through
|
||||||
|
# redirection. Some network environments, however, require that these
|
||||||
|
# settings are disabled so review and enable them as needed.
|
||||||
|
#
|
||||||
|
# Do not accept ICMP redirects (prevent MITM attacks)
|
||||||
|
#net.ipv4.conf.all.accept_redirects = 0
|
||||||
|
#net.ipv6.conf.all.accept_redirects = 0
|
||||||
|
# _or_
|
||||||
|
# Accept ICMP redirects only for gateways listed in our default
|
||||||
|
# gateway list (enabled by default)
|
||||||
|
# net.ipv4.conf.all.secure_redirects = 1
|
||||||
|
#
|
||||||
|
# Do not send ICMP redirects (we are not a router)
|
||||||
|
#net.ipv4.conf.all.send_redirects = 0
|
||||||
|
#
|
||||||
|
# Do not accept IP source route packets (we are not a router)
|
||||||
|
#net.ipv4.conf.all.accept_source_route = 0
|
||||||
|
#net.ipv6.conf.all.accept_source_route = 0
|
||||||
|
#
|
||||||
|
# Log Martian Packets
|
||||||
|
#net.ipv4.conf.all.log_martians = 1
|
||||||
|
#
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Magic system request Key
|
||||||
|
# 0=disable, 1=enable all
|
||||||
|
# Debian kernels have this set to 0 (disable the key)
|
||||||
|
# See https://www.kernel.org/doc/Documentation/sysrq.txt
|
||||||
|
# for what other values do
|
||||||
|
#kernel.sysrq=1
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Protected links
|
||||||
|
#
|
||||||
|
# Protects against creating or following links under certain conditions
|
||||||
|
# Debian kernels have both set to 1 (restricted)
|
||||||
|
# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
|
||||||
|
#fs.protected_hardlinks=0
|
||||||
|
#fs.protected_symlinks=0
|
|
@ -0,0 +1,33 @@
|
||||||
|
# Template used to create this container: /usr/share/lxc/templates/lxc-debian
|
||||||
|
# Parameters passed to the template: -r stretch
|
||||||
|
# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
|
||||||
|
# For additional config options, please look at lxc.container.conf(5)
|
||||||
|
# Uncomment the following line to support nesting containers:
|
||||||
|
#lxc.include = /usr/share/lxc/config/nesting.conf
|
||||||
|
# (Be aware this has security implications)
|
||||||
|
lxc.apparmor.profile = generated
|
||||||
|
lxc.apparmor.allow_nesting = 1
|
||||||
|
# Common configuration
|
||||||
|
lxc.include = /usr/share/lxc/config/debian.common.conf
|
||||||
|
# Container specific configuration
|
||||||
|
lxc.tty.max = 4
|
||||||
|
lxc.arch = amd64
|
||||||
|
lxc.pty.max = 1024
|
||||||
|
lxc.rootfs.path = btrfs:/var/lib/lxc/R11/rootfs
|
||||||
|
lxc.uts.name = R11
|
||||||
|
|
||||||
|
lxc.net.0.type = veth
|
||||||
|
lxc.net.0.flags = up
|
||||||
|
lxc.net.0.name = vlan33
|
||||||
|
lxc.net.0.veth.pair = r11.33
|
||||||
|
lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.0.hwaddr = 02:00:0a:28:21:02
|
||||||
|
|
||||||
|
lxc.net.1.type = veth
|
||||||
|
lxc.net.1.flags = up
|
||||||
|
lxc.net.1.name = vlan48
|
||||||
|
lxc.net.1.veth.pair = r11.48
|
||||||
|
lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.1.hwaddr = 02:00:0a:28:30:01
|
|
@ -0,0 +1,26 @@
|
||||||
|
router id 10.40.32.11;
|
||||||
|
|
||||||
|
log "/var/log/bird/bird.log" all;
|
||||||
|
debug protocols { states, routes, filters, interfaces }
|
||||||
|
|
||||||
|
protocol kernel {
|
||||||
|
import none;
|
||||||
|
export all;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol device {
|
||||||
|
# defaults...
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol ospf {
|
||||||
|
area 0 {
|
||||||
|
interface "lo" {
|
||||||
|
stub;
|
||||||
|
};
|
||||||
|
interface "vlan33" {
|
||||||
|
};
|
||||||
|
interface "vlan48" {
|
||||||
|
stub;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,25 @@
|
||||||
|
router id 10.40.32.11;
|
||||||
|
|
||||||
|
log "/var/log/bird/bird6.log" all;
|
||||||
|
debug protocols { states, routes, filters, interfaces }
|
||||||
|
|
||||||
|
protocol kernel {
|
||||||
|
import none;
|
||||||
|
export all;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol device {
|
||||||
|
# defaults...
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol ospf {
|
||||||
|
area 0 {
|
||||||
|
# BIRD ignores the IPv6 lo because it has no link local address
|
||||||
|
stubnet 2001:db8:10:6::b/128;
|
||||||
|
interface "vlan33" {
|
||||||
|
};
|
||||||
|
interface "vlan48" {
|
||||||
|
stub;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,5 @@
|
||||||
|
127.0.0.1 localhost
|
||||||
|
::1 localhost ip6-localhost ip6-loopback
|
||||||
|
ff02::1 ip6-allnodes
|
||||||
|
ff02::2 ip6-allrouters
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
auto lo
|
||||||
|
iface lo inet loopback
|
||||||
|
up ip addr add 10.40.32.11/32 dev lo
|
||||||
|
up ip addr add 2001:db8:10:6::b dev lo
|
||||||
|
down ip addr del 2001:db8:10:6::b dev lo
|
||||||
|
down ip addr del 10.40.32.11/32 dev lo
|
||||||
|
|
||||||
|
auto vlan48
|
||||||
|
iface vlan48 inet manual
|
||||||
|
up ip link set up dev vlan48
|
||||||
|
up ip addr add 10.40.48.1/21 brd + dev vlan48
|
||||||
|
up ip addr add 2001:db8:10:30::1/117 dev vlan48
|
||||||
|
down ip addr del 2001:db8:10:30::1/117 dev vlan48
|
||||||
|
down ip addr del 10.40.48.1/21 dev vlan48
|
||||||
|
down up link set down dev vlan48
|
||||||
|
|
||||||
|
auto vlan33
|
||||||
|
iface vlan33 inet manual
|
||||||
|
up ip link set up dev vlan33
|
||||||
|
up ip addr add 10.40.33.2/26 brd + dev vlan33
|
||||||
|
up ip addr add 2001:db8:10:21::2/120 dev vlan33
|
||||||
|
down ip addr del 2001:db8:10:21::2/120 dev vlan33
|
||||||
|
down ip addr del 10.40.33.2/26 dev vlan33
|
||||||
|
down up link set down dev vlan33
|
|
@ -0,0 +1,79 @@
|
||||||
|
#
|
||||||
|
# /etc/sysctl.conf - Configuration file for setting system variables
|
||||||
|
# See /etc/sysctl.d/ for additional system variables.
|
||||||
|
# See sysctl.conf (5) for information.
|
||||||
|
#
|
||||||
|
|
||||||
|
#kernel.domainname = example.com
|
||||||
|
|
||||||
|
# Uncomment the following to stop low-level messages on console
|
||||||
|
#kernel.printk = 3 4 1 3
|
||||||
|
|
||||||
|
##############################################################3
|
||||||
|
# Functions previously found in netbase
|
||||||
|
#
|
||||||
|
|
||||||
|
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
|
||||||
|
# Turn on Source Address Verification in all interfaces to
|
||||||
|
# prevent some spoofing attacks
|
||||||
|
#net.ipv4.conf.default.rp_filter=1
|
||||||
|
#net.ipv4.conf.all.rp_filter=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable TCP/IP SYN cookies
|
||||||
|
# See http://lwn.net/Articles/277146/
|
||||||
|
# Note: This may impact IPv6 TCP sessions too
|
||||||
|
#net.ipv4.tcp_syncookies=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable packet forwarding for IPv4
|
||||||
|
net.ipv4.ip_forward=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable packet forwarding for IPv6
|
||||||
|
# Enabling this option disables Stateless Address Autoconfiguration
|
||||||
|
# based on Router Advertisements for this host
|
||||||
|
net.ipv6.conf.all.forwarding=1
|
||||||
|
|
||||||
|
net.ipv4.icmp_ratelimit = 0
|
||||||
|
net.ipv6.icmp.ratelimit = 0
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Additional settings - these settings can improve the network
|
||||||
|
# security of the host and prevent against some network attacks
|
||||||
|
# including spoofing attacks and man in the middle attacks through
|
||||||
|
# redirection. Some network environments, however, require that these
|
||||||
|
# settings are disabled so review and enable them as needed.
|
||||||
|
#
|
||||||
|
# Do not accept ICMP redirects (prevent MITM attacks)
|
||||||
|
#net.ipv4.conf.all.accept_redirects = 0
|
||||||
|
#net.ipv6.conf.all.accept_redirects = 0
|
||||||
|
# _or_
|
||||||
|
# Accept ICMP redirects only for gateways listed in our default
|
||||||
|
# gateway list (enabled by default)
|
||||||
|
# net.ipv4.conf.all.secure_redirects = 1
|
||||||
|
#
|
||||||
|
# Do not send ICMP redirects (we are not a router)
|
||||||
|
#net.ipv4.conf.all.send_redirects = 0
|
||||||
|
#
|
||||||
|
# Do not accept IP source route packets (we are not a router)
|
||||||
|
#net.ipv4.conf.all.accept_source_route = 0
|
||||||
|
#net.ipv6.conf.all.accept_source_route = 0
|
||||||
|
#
|
||||||
|
# Log Martian Packets
|
||||||
|
#net.ipv4.conf.all.log_martians = 1
|
||||||
|
#
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Magic system request Key
|
||||||
|
# 0=disable, 1=enable all
|
||||||
|
# Debian kernels have this set to 0 (disable the key)
|
||||||
|
# See https://www.kernel.org/doc/Documentation/sysrq.txt
|
||||||
|
# for what other values do
|
||||||
|
#kernel.sysrq=1
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Protected links
|
||||||
|
#
|
||||||
|
# Protects against creating or following links under certain conditions
|
||||||
|
# Debian kernels have both set to 1 (restricted)
|
||||||
|
# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
|
||||||
|
#fs.protected_hardlinks=0
|
||||||
|
#fs.protected_symlinks=0
|
|
@ -0,0 +1,33 @@
|
||||||
|
# Template used to create this container: /usr/share/lxc/templates/lxc-debian
|
||||||
|
# Parameters passed to the template: -r stretch
|
||||||
|
# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
|
||||||
|
# For additional config options, please look at lxc.container.conf(5)
|
||||||
|
# Uncomment the following line to support nesting containers:
|
||||||
|
#lxc.include = /usr/share/lxc/config/nesting.conf
|
||||||
|
# (Be aware this has security implications)
|
||||||
|
lxc.apparmor.profile = generated
|
||||||
|
lxc.apparmor.allow_nesting = 1
|
||||||
|
# Common configuration
|
||||||
|
lxc.include = /usr/share/lxc/config/debian.common.conf
|
||||||
|
# Container specific configuration
|
||||||
|
lxc.tty.max = 4
|
||||||
|
lxc.arch = amd64
|
||||||
|
lxc.pty.max = 1024
|
||||||
|
lxc.rootfs.path = btrfs:/var/lib/lxc/R12/rootfs
|
||||||
|
lxc.uts.name = R12
|
||||||
|
|
||||||
|
lxc.net.0.type = veth
|
||||||
|
lxc.net.0.flags = up
|
||||||
|
lxc.net.0.name = vlan33
|
||||||
|
lxc.net.0.veth.pair = r12.33
|
||||||
|
lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.0.hwaddr = 02:00:0a:28:21:03
|
||||||
|
|
||||||
|
lxc.net.1.type = veth
|
||||||
|
lxc.net.1.flags = up
|
||||||
|
lxc.net.1.name = vlan36
|
||||||
|
lxc.net.1.veth.pair = r12.36
|
||||||
|
lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.1.hwaddr = 02:00:0a:28:24:01
|
|
@ -0,0 +1,26 @@
|
||||||
|
router id 10.40.32.12;
|
||||||
|
|
||||||
|
log "/var/log/bird/bird.log" all;
|
||||||
|
debug protocols { states, routes, filters, interfaces }
|
||||||
|
|
||||||
|
protocol kernel {
|
||||||
|
import none;
|
||||||
|
export all;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol device {
|
||||||
|
# defaults...
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol ospf {
|
||||||
|
area 0 {
|
||||||
|
interface "lo" {
|
||||||
|
stub;
|
||||||
|
};
|
||||||
|
interface "vlan33" {
|
||||||
|
};
|
||||||
|
interface "vlan36" {
|
||||||
|
stub;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,25 @@
|
||||||
|
router id 10.40.32.12;
|
||||||
|
|
||||||
|
log "/var/log/bird/bird6.log" all;
|
||||||
|
debug protocols { states, routes, filters, interfaces }
|
||||||
|
|
||||||
|
protocol kernel {
|
||||||
|
import none;
|
||||||
|
export all;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol device {
|
||||||
|
# defaults...
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol ospf {
|
||||||
|
area 0 {
|
||||||
|
# BIRD ignores the IPv6 lo because it has no link local address
|
||||||
|
stubnet 2001:db8:10:6::c/128;
|
||||||
|
interface "vlan33" {
|
||||||
|
};
|
||||||
|
interface "vlan36" {
|
||||||
|
stub;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
|
@ -0,0 +1,5 @@
|
||||||
|
127.0.0.1 localhost
|
||||||
|
::1 localhost ip6-localhost ip6-loopback
|
||||||
|
ff02::1 ip6-allnodes
|
||||||
|
ff02::2 ip6-allrouters
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
auto lo
|
||||||
|
iface lo inet loopback
|
||||||
|
up ip addr add 10.40.32.12/32 dev lo
|
||||||
|
up ip addr add 2001:db8:10:6::c dev lo
|
||||||
|
down ip addr del 2001:db8:10:6::c dev lo
|
||||||
|
down ip addr del 10.40.32.12/32 dev lo
|
||||||
|
|
||||||
|
auto vlan36
|
||||||
|
iface vlan36 inet manual
|
||||||
|
up ip link set up dev vlan36
|
||||||
|
up ip addr add 10.40.36.1/24 brd + dev vlan36
|
||||||
|
up ip addr add 2001:db8:10:24::1/120 dev vlan36
|
||||||
|
down ip addr del 2001:db8:10:24::1/120 dev vlan36
|
||||||
|
down ip addr del 10.40.36.1/24 dev vlan36
|
||||||
|
down up link set down dev vlan36
|
||||||
|
|
||||||
|
auto vlan33
|
||||||
|
iface vlan33 inet manual
|
||||||
|
up ip link set up dev vlan33
|
||||||
|
up ip addr add 10.40.33.3/26 brd + dev vlan33
|
||||||
|
up ip addr add 2001:db8:10:21::3/120 dev vlan33
|
||||||
|
down ip addr del 2001:db8:10:21::3/120 dev vlan33
|
||||||
|
down ip addr del 10.40.33.3/26 dev vlan33
|
||||||
|
down up link set down dev vlan33
|
|
@ -0,0 +1,79 @@
|
||||||
|
#
|
||||||
|
# /etc/sysctl.conf - Configuration file for setting system variables
|
||||||
|
# See /etc/sysctl.d/ for additional system variables.
|
||||||
|
# See sysctl.conf (5) for information.
|
||||||
|
#
|
||||||
|
|
||||||
|
#kernel.domainname = example.com
|
||||||
|
|
||||||
|
# Uncomment the following to stop low-level messages on console
|
||||||
|
#kernel.printk = 3 4 1 3
|
||||||
|
|
||||||
|
##############################################################3
|
||||||
|
# Functions previously found in netbase
|
||||||
|
#
|
||||||
|
|
||||||
|
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
|
||||||
|
# Turn on Source Address Verification in all interfaces to
|
||||||
|
# prevent some spoofing attacks
|
||||||
|
#net.ipv4.conf.default.rp_filter=1
|
||||||
|
#net.ipv4.conf.all.rp_filter=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable TCP/IP SYN cookies
|
||||||
|
# See http://lwn.net/Articles/277146/
|
||||||
|
# Note: This may impact IPv6 TCP sessions too
|
||||||
|
#net.ipv4.tcp_syncookies=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable packet forwarding for IPv4
|
||||||
|
net.ipv4.ip_forward=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable packet forwarding for IPv6
|
||||||
|
# Enabling this option disables Stateless Address Autoconfiguration
|
||||||
|
# based on Router Advertisements for this host
|
||||||
|
net.ipv6.conf.all.forwarding=1
|
||||||
|
|
||||||
|
net.ipv4.icmp_ratelimit = 0
|
||||||
|
net.ipv6.icmp.ratelimit = 0
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Additional settings - these settings can improve the network
|
||||||
|
# security of the host and prevent against some network attacks
|
||||||
|
# including spoofing attacks and man in the middle attacks through
|
||||||
|
# redirection. Some network environments, however, require that these
|
||||||
|
# settings are disabled so review and enable them as needed.
|
||||||
|
#
|
||||||
|
# Do not accept ICMP redirects (prevent MITM attacks)
|
||||||
|
#net.ipv4.conf.all.accept_redirects = 0
|
||||||
|
#net.ipv6.conf.all.accept_redirects = 0
|
||||||
|
# _or_
|
||||||
|
# Accept ICMP redirects only for gateways listed in our default
|
||||||
|
# gateway list (enabled by default)
|
||||||
|
# net.ipv4.conf.all.secure_redirects = 1
|
||||||
|
#
|
||||||
|
# Do not send ICMP redirects (we are not a router)
|
||||||
|
#net.ipv4.conf.all.send_redirects = 0
|
||||||
|
#
|
||||||
|
# Do not accept IP source route packets (we are not a router)
|
||||||
|
#net.ipv4.conf.all.accept_source_route = 0
|
||||||
|
#net.ipv6.conf.all.accept_source_route = 0
|
||||||
|
#
|
||||||
|
# Log Martian Packets
|
||||||
|
#net.ipv4.conf.all.log_martians = 1
|
||||||
|
#
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Magic system request Key
|
||||||
|
# 0=disable, 1=enable all
|
||||||
|
# Debian kernels have this set to 0 (disable the key)
|
||||||
|
# See https://www.kernel.org/doc/Documentation/sysrq.txt
|
||||||
|
# for what other values do
|
||||||
|
#kernel.sysrq=1
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Protected links
|
||||||
|
#
|
||||||
|
# Protects against creating or following links under certain conditions
|
||||||
|
# Debian kernels have both set to 1 (restricted)
|
||||||
|
# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
|
||||||
|
#fs.protected_hardlinks=0
|
||||||
|
#fs.protected_symlinks=0
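Review bot: `net.ipv4.icmp_ratelimit = 0` and `net.ipv6.icmp.ratelimit = 0` turn off the kernel's ICMP rate limiting without a comment saying why, on a host that the same file makes a router (`net.ipv4.ip_forward=1`, `net.ipv6.conf.all.forwarding=1`). Unthrottled ICMP replies are handy for traceroute in a lab, but they remove a flood brake anywhere else, so a comment above the two lines such as `# lab only: ICMP replies unthrottled (TODO confirm reason); keep the kernel default elsewhere` would record the intent. The stock comments saying "we are not a router" above the commented-out `send_redirects` and `accept_source_route` lines no longer describe this host. Those settings are worth deciding explicitly, for example by uncommenting `net.ipv4.conf.all.accept_source_route = 0` and its IPv6 twin. The second sysctl.conf added further down the page carries the same lines.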
|
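--- a/R2/config
+++ b/R2/config
@@ -15,30 +15,3 @@ lxc.arch = amd64
 lxc.pty.max = 1024
 lxc.rootfs.path = btrfs:/var/lib/lxc/R2/rootfs
 lxc.uts.name = R2
-lxc.net.0.type = veth
-lxc.net.0.flags = up
-lxc.net.0.name = vlan1012
-lxc.net.0.veth.pair = r2.1012
-lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.0.hwaddr = 02:00:0a:01:02:7b
-lxc.net.0.ipv4.address = 10.1.2.123/24
-lxc.net.0.ipv6.address = 2001:db8:2501:2::123/64
-lxc.net.1.type = veth
-lxc.net.1.flags = up
-lxc.net.1.name = vlan1082
-lxc.net.1.veth.pair = r2.1082
-lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.1.hwaddr = 02:00:0a:08:02:01
-lxc.net.1.ipv4.address = 10.8.2.1/24
-lxc.net.1.ipv6.address = 2001:db8:2501:82::1/64
-lxc.net.2.type = veth
-lxc.net.2.flags = up
-lxc.net.2.name = vlan1050
-lxc.net.2.veth.pair = r2.1050
-lxc.net.2.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.2.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.2.hwaddr = 02:00:0a:32:01:01
-lxc.net.2.ipv4.address = 10.50.1.1/24
-lxc.net.2.ipv6.address = 2001:db8:2501:501::1/64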
|
@ -0,0 +1,33 @@
|
||||||
|
# Template used to create this container: /usr/share/lxc/templates/lxc-debian
|
||||||
|
# Parameters passed to the template: -r stretch
|
||||||
|
# Template script checksum (SHA-1): d5aa397522e36a17c64c014dd63c70d8607c9873
|
||||||
|
# For additional config options, please look at lxc.container.conf(5)
|
||||||
|
# Uncomment the following line to support nesting containers:
|
||||||
|
#lxc.include = /usr/share/lxc/config/nesting.conf
|
||||||
|
# (Be aware this has security implications)
|
||||||
|
lxc.apparmor.profile = generated
|
||||||
|
lxc.apparmor.allow_nesting = 1
|
||||||
|
# Common configuration
|
||||||
|
lxc.include = /usr/share/lxc/config/debian.common.conf
|
||||||
|
# Container specific configuration
|
||||||
|
lxc.tty.max = 4
|
||||||
|
lxc.arch = amd64
|
||||||
|
lxc.pty.max = 1024
|
||||||
|
lxc.rootfs.path = btrfs:/var/lib/lxc/R3/rootfs
|
||||||
|
lxc.uts.name = R3
|
||||||
|
|
||||||
|
lxc.net.0.type = veth
|
||||||
|
lxc.net.0.flags = up
|
||||||
|
lxc.net.0.name = vlan216
|
||||||
|
lxc.net.0.veth.pair = r3.216
|
||||||
|
lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.0.hwaddr = 02:00:0a:28:d8:01
|
||||||
|
|
||||||
|
lxc.net.1.type = veth
|
||||||
|
lxc.net.1.flags = up
|
||||||
|
lxc.net.1.name = vlan217
|
||||||
|
lxc.net.1.veth.pair = r3.217
|
||||||
|
lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
|
||||||
|
lxc.net.1.hwaddr = 02:00:0a:28:d9:10
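Review bot: `lxc.apparmor.allow_nesting = 1` makes the generated AppArmor profile permit nested containers, yet nothing in this file suggests R3 runs containers of its own, and the template comment just above already warns that nesting has security implications. The line may simply be template output; if nesting is not needed, `lxc.apparmor.allow_nesting = 0` keeps the generated profile tighter. The `lxc.net.0.script.up` and `script.down` hooks name `/etc/lxc/lxc-openvswitch`, which LXC executes on the host side. A comment such as `# hook runs on the host: keep it root-owned and not writable by others` would help anyone copying this config.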
|
|
@ -0,0 +1,58 @@
|
||||||
|
router id 10.40.217.3;
|
||||||
|
|
||||||
|
log "/var/log/bird/bird.log" all;
|
||||||
|
debug protocols { states, routes, filters, interfaces }
|
||||||
|
|
||||||
|
protocol kernel {
|
||||||
|
import none;
|
||||||
|
export all;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol device {
|
||||||
|
# defaults...
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol ospf {
|
||||||
|
area 0 {
|
||||||
|
interface "lo" {
|
||||||
|
stub;
|
||||||
|
};
|
||||||
|
interface "vlan216" {
|
||||||
|
};
|
||||||
|
interface "vlan217" {
|
||||||
|
stub;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
|
##############################################################################
|
||||||
|
# eBGP R10
|
||||||
|
#
|
||||||
|
|
||||||
|
table t_r10;
|
||||||
|
|
||||||
|
protocol static originate_to_r10 {
|
||||||
|
table t_r10;
|
||||||
|
import all; # originate here
|
||||||
|
route 10.40.0.0/22 blackhole;
|
||||||
|
route 10.40.216.0/21 blackhole;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol bgp ebgp_r10 {
|
||||||
|
table t_r10;
|
||||||
|
local 10.40.217.17 as 64080;
|
||||||
|
neighbor 10.40.217.18 as 65033;
|
||||||
|
import filter {
|
||||||
|
if net ~ [ 10.0.0.0/8{19,24} ] then accept;
|
||||||
|
reject;
|
||||||
|
};
|
||||||
|
import keep filtered on;
|
||||||
|
export where source = RTS_STATIC;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol pipe p_master_to_r10 {
|
||||||
|
table master;
|
||||||
|
peer table t_r10;
|
||||||
|
import where source = RTS_BGP;
|
||||||
|
export none;
|
||||||
|
}
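Review bot: The `ebgp_r10` import filter accepts any `10.0.0.0/8{19,24}` prefix from AS 65033, and that range covers the space this router originates itself, `10.40.0.0/22` and `10.40.216.0/21`, together with their more-specifics. Such a route would pass through `p_master_to_r10` into `master` and reach the kernel via `export all`, where a longer match could win over the internally learned routes. Rejecting the local aggregates ahead of the accept line closes that gap: `if net ~ [ 10.40.0.0/22+, 10.40.216.0/21+ ] then reject;`. The session also sets neither `password` nor `import limit`; if that is a deliberate lab simplification, a one-line comment saying so would keep it from being copied as is.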
|
|
@ -0,0 +1,62 @@
|
||||||
|
router id 10.40.217.3;
|
||||||
|
|
||||||
|
log "/var/log/bird/bird6.log" all;
|
||||||
|
debug protocols { states, routes, filters, interfaces }
|
||||||
|
|
||||||
|
protocol kernel {
|
||||||
|
import none;
|
||||||
|
export all;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol device {
|
||||||
|
# defaults...
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol ospf {
|
||||||
|
area 0 {
|
||||||
|
# BIRD ignores the IPv6 lo because it has no link local address
|
||||||
|
stubnet 2001:db8:40::3/128;
|
||||||
|
interface "vlan216" {
|
||||||
|
};
|
||||||
|
interface "vlan217" {
|
||||||
|
stub;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
##############################################################################
|
||||||
|
# eBGP R10
|
||||||
|
#
|
||||||
|
|
||||||
|
table t_r10;
|
||||||
|
|
||||||
|
protocol static originate_to_r10 {
|
||||||
|
table t_r10;
|
||||||
|
import all; # originate here
|
||||||
|
route 2001:db8:40::/48 blackhole;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol bgp ebgp_r10 {
|
||||||
|
table t_r10;
|
||||||
|
local 2001:db8:40:d910::1 as 64080;
|
||||||
|
neighbor 2001:db8:40:d910::2 as 65033;
|
||||||
|
import all;
|
||||||
|
import keep filtered on;
|
||||||
|
export where source = RTS_STATIC;
|
||||||
|
}
|
||||||
|
|
||||||
|
protocol pipe p_master_to_r10 {
|
||||||
|
table master;
|
||||||
|
peer table t_r10;
|
||||||
|
import where source = RTS_BGP;
|
||||||
|
export none;
|
||||||
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# iBGP
|
||||||
|
#
|
||||||
|
protocol bgp ibgp_r1 {
|
||||||
|
import none;
|
||||||
|
export where source = RTS_BGP;
|
||||||
|
local 2001:db8:40::3 as 64080;
|
||||||
|
neighbor 2001:db8:40::1 as 64080;
|
||||||
|
}
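Review bot: `import all;` in `ebgp_r10` accepts every IPv6 prefix AS 65033 announces, including a default route or more-specifics of the locally originated `2001:db8:40::/48`, whereas the IPv4 configuration on this page bounds the same session with a prefix-length filter. Everything accepted is piped into `master` by `p_master_to_r10` and exported to the kernel, and `import keep filtered on;` has nothing to keep while nothing is filtered. The minimum change is to replace the line with `import filter { if net ~ [ 2001:db8:40::/48+ ] then reject; accept; };`. Better still, accept only the prefix lengths expected from the peer, as the IPv4 filter does, with the range left for the author to choose.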
|
|
@ -0,0 +1,5 @@
|
||||||
|
127.0.0.1 localhost
|
||||||
|
::1 localhost ip6-localhost ip6-loopback
|
||||||
|
ff02::1 ip6-allnodes
|
||||||
|
ff02::2 ip6-allrouters
|
||||||
|
|
|
@ -0,0 +1,24 @@
|
||||||
|
auto lo
|
||||||
|
iface lo inet loopback
|
||||||
|
up ip addr add 10.40.217.3/32 dev lo
|
||||||
|
up ip addr add 2001:db8:40::3 dev lo
|
||||||
|
down ip addr del 2001:db8:40::3 dev lo
|
||||||
|
down ip addr del 10.40.217.3/32 dev lo
|
||||||
|
|
||||||
|
auto vlan216
|
||||||
|
iface vlan216 inet manual
|
||||||
|
up ip link set up dev vlan216
|
||||||
|
up ip addr add 10.40.216.1/28 brd + dev vlan216
|
||||||
|
up ip addr add 2001:db8:40:d8::1/120 dev vlan216
|
||||||
|
down ip addr del 2001:db8:40:d8::1/120 dev vlan216
|
||||||
|
down ip addr del 10.40.216.1/28 dev vlan216
|
||||||
|
down up link set down dev vlan216
|
||||||
|
|
||||||
|
auto vlan217
|
||||||
|
iface vlan217 inet manual
|
||||||
|
up ip link set up dev vlan217
|
||||||
|
up ip addr add 10.40.217.17/30 brd + dev vlan217
|
||||||
|
up ip addr add 2001:db8:40:d910::1/120 dev vlan217
|
||||||
|
down ip addr del 2001:db8:40:d910::1/120 dev vlan217
|
||||||
|
down ip addr del 10.40.217.17/30 dev vlan217
|
||||||
|
down up link set down dev vlan217
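Review bot: `down up link set down dev vlan216` and the matching vlan217 line do not run `ip`: ifupdown passes the text after `down` to the shell, so the command attempted is `up link set …`, which fails and leaves the link up. The failure may also cut the rest of `ifdown` short. The lines should read `down ip link set down dev vlan216` and `down ip link set down dev vlan217`. The same typo appears in the interfaces file earlier on the page, on the vlan36 and vlan33 stanzas.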
|
|
@ -0,0 +1,79 @@
|
||||||
|
#
|
||||||
|
# /etc/sysctl.conf - Configuration file for setting system variables
|
||||||
|
# See /etc/sysctl.d/ for additional system variables.
|
||||||
|
# See sysctl.conf (5) for information.
|
||||||
|
#
|
||||||
|
|
||||||
|
#kernel.domainname = example.com
|
||||||
|
|
||||||
|
# Uncomment the following to stop low-level messages on console
|
||||||
|
#kernel.printk = 3 4 1 3
|
||||||
|
|
||||||
|
##############################################################3
|
||||||
|
# Functions previously found in netbase
|
||||||
|
#
|
||||||
|
|
||||||
|
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
|
||||||
|
# Turn on Source Address Verification in all interfaces to
|
||||||
|
# prevent some spoofing attacks
|
||||||
|
#net.ipv4.conf.default.rp_filter=1
|
||||||
|
#net.ipv4.conf.all.rp_filter=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable TCP/IP SYN cookies
|
||||||
|
# See http://lwn.net/Articles/277146/
|
||||||
|
# Note: This may impact IPv6 TCP sessions too
|
||||||
|
#net.ipv4.tcp_syncookies=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable packet forwarding for IPv4
|
||||||
|
net.ipv4.ip_forward=1
|
||||||
|
|
||||||
|
# Uncomment the next line to enable packet forwarding for IPv6
|
||||||
|
# Enabling this option disables Stateless Address Autoconfiguration
|
||||||
|
# based on Router Advertisements for this host
|
||||||
|
net.ipv6.conf.all.forwarding=1
|
||||||
|
|
||||||
|
net.ipv4.icmp_ratelimit = 0
|
||||||
|
net.ipv6.icmp.ratelimit = 0
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Additional settings - these settings can improve the network
|
||||||
|
# security of the host and prevent against some network attacks
|
||||||
|
# including spoofing attacks and man in the middle attacks through
|
||||||
|
# redirection. Some network environments, however, require that these
|
||||||
|
# settings are disabled so review and enable them as needed.
|
||||||
|
#
|
||||||
|
# Do not accept ICMP redirects (prevent MITM attacks)
|
||||||
|
#net.ipv4.conf.all.accept_redirects = 0
|
||||||
|
#net.ipv6.conf.all.accept_redirects = 0
|
||||||
|
# _or_
|
||||||
|
# Accept ICMP redirects only for gateways listed in our default
|
||||||
|
# gateway list (enabled by default)
|
||||||
|
# net.ipv4.conf.all.secure_redirects = 1
|
||||||
|
#
|
||||||
|
# Do not send ICMP redirects (we are not a router)
|
||||||
|
#net.ipv4.conf.all.send_redirects = 0
|
||||||
|
#
|
||||||
|
# Do not accept IP source route packets (we are not a router)
|
||||||
|
#net.ipv4.conf.all.accept_source_route = 0
|
||||||
|
#net.ipv6.conf.all.accept_source_route = 0
|
||||||
|
#
|
||||||
|
# Log Martian Packets
|
||||||
|
#net.ipv4.conf.all.log_martians = 1
|
||||||
|
#
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Magic system request Key
|
||||||
|
# 0=disable, 1=enable all
|
||||||
|
# Debian kernels have this set to 0 (disable the key)
|
||||||
|
# See https://www.kernel.org/doc/Documentation/sysrq.txt
|
||||||
|
# for what other values do
|
||||||
|
#kernel.sysrq=1
|
||||||
|
|
||||||
|
###################################################################
|
||||||
|
# Protected links
|
||||||
|
#
|
||||||
|
# Protects against creating or following links under certain conditions
|
||||||
|
# Debian kernels have both set to 1 (restricted)
|
||||||
|
# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
|
||||||
|
#fs.protected_hardlinks=0
|
||||||
|
#fs.protected_symlinks=0
|
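--- a/R5/config
+++ b/R5/config
@@ -15,21 +15,3 @@ lxc.arch = amd64
 lxc.pty.max = 1024
 lxc.rootfs.path = btrfs:/var/lib/lxc/R5/rootfs
 lxc.uts.name = R5
-lxc.net.0.type = veth
-lxc.net.0.flags = up
-lxc.net.0.name = vlan1001
-lxc.net.0.veth.pair = r5.1001
-lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.0.hwaddr = 02:00:0a:00:01:04
-lxc.net.0.ipv4.address = 10.0.1.4/24
-lxc.net.0.ipv6.address = 2001:db8:2501:1::4/64
-lxc.net.1.type = veth
-lxc.net.1.flags = up
-lxc.net.1.name = vlan1012
-lxc.net.1.veth.pair = r5.1012
-lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.1.hwaddr = 02:00:0a:01:02:38
-lxc.net.1.ipv4.address = 10.1.2.56/24
-lxc.net.1.ipv6.address = 2001:db8:2501:2::56/64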
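--- a/R6/config
+++ b/R6/config
@@ -15,21 +15,3 @@ lxc.arch = amd64
 lxc.pty.max = 1024
 lxc.rootfs.path = btrfs:/var/lib/lxc/R6/rootfs
 lxc.uts.name = R6
-lxc.net.0.type = veth
-lxc.net.0.flags = up
-lxc.net.0.name = vlan1001
-lxc.net.0.veth.pair = r6.1001
-lxc.net.0.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.0.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.0.hwaddr = 02:00:0a:00:01:08
-lxc.net.0.ipv4.address = 10.0.1.8/24
-lxc.net.0.ipv6.address = 2001:db8:2501:1::8/64
-lxc.net.1.type = veth
-lxc.net.1.flags = up
-lxc.net.1.name = vlan1034
-lxc.net.1.veth.pair = r6.1034
-lxc.net.1.script.up = /etc/lxc/lxc-openvswitch
-lxc.net.1.script.down = /etc/lxc/lxc-openvswitch
-lxc.net.1.hwaddr = 02:00:0a:2b:02:01
-lxc.net.1.ipv4.address = 10.34.2.1/24
-lxc.net.1.ipv6.address = 2001:db8:2501:342::1/64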