def make_security():
for i, r in enumerate(topo.ROUTERS):
print(" Firewall on", r)
# Security with ip6tables
#
# the ip6tables rules are splitted in 12 different files, located in template/security/iptable.
# We made this repartition because some files will be used several time in for loops,
# other will be used just one time, other will be used only on border routers
# (where BGP is established) ...
# Furthumore, the order of the files is important as as when scanning a packet, the firewall stops
# soon as it founds a rule matching this packet.
append(startup(r), "security/iptables/1_router_all.sh", {"router": r})
if r == "PYTH":
append(startup(r), "security/iptables/2_router_border_block_hop_limit.sh",
{"interface": "belnetb", "prefix": "fd00:0300:0001"})
if r == "HALL":
append(startup(r), "security/iptables/2_router_border_block_hop_limit.sh",
{"interface": "belneta", "prefix": "fd00:0200:0001"})
append(startup(r), "security/iptables/3_router_all.sh")
for interface in topo.get_interfaces(r):
if "lan" in interface:
append(startup(r), "security/iptables/4_router_spoofing_and_ospf_restrictions.sh",
{"interface": interface, "suffix": topo.IPS[interface]})
if r == "PYTH":
append(startup(r), "security/iptables/5_router_border_network.sh",
{"interface": "belnetb", "prefix": "fd00:0300:0001", "router":r})
if r == "HALL":
append(startup(r), "security/iptables/5_router_border_network.sh",
{"interface": "belneta", "prefix": "fd00:0200:0001", "router":r})
append(startup(r), "security/iptables/6_comments.txt", cr=False)
for z in range(0x0, 0x10):
z = format(z, 'x')
append(startup(r), "security/iptables/6_router_forward_user0.sh", {"zone": z}, cr=False)
append(startup(r), "security/iptables/7_router_all.sh")
append(startup(r), "security/iptables/8_comments.txt", cr=False)
for z in range(0x0, 0x10):
z = format(z, 'x')
append(startup(r), "security/iptables/8_router_avoid_students_server_lan.sh", {"zone": z}, cr=False)
append(startup(r), "security/iptables/9_comments.txt", cr=False)
for z in range(0x0, 0x10):
z = format(z, 'x')
append(startup(r), "security/iptables/9_router_forward_user1.sh", {"zone": z}, cr=False)
append(startup(r), "security/iptables/10_comments.txt", cr=False)
for z in range(0x0, 0x10):
z = format(z, 'x')
append(startup(r), "security/iptables/10_router_forward_user2.sh", {"zone": z}, cr=False)
append(startup(r), "security/iptables/11_comments.txt", cr=False)
for z in range(0x0, 0x10):
z = format(z, 'x')
append(startup(r), "security/iptables/11_router_forward_user3.sh", {"zone": z}, cr=False)
append(startup(r), "security/iptables/12_comments.txt", cr=False)
for z in range(0x0, 0x10):
z = format(z, 'x')
append(startup(r), "security/iptables/12_router_forward_user4.sh", {"zone": z}, cr=False)
append(startup(r), "security/iptables/13_router_forward_last_rules.sh")
def __router_advertisement(r):
append(unshared(r, "/etc/bird/bird6.conf"), "addressing/router_advertisement/radvd_head.conf", {})
for f in topo.get_interfaces(r):
if "lan" in f:
append(unshared(r, "/etc/bird/bird6.conf"), "addressing/router_advertisement/radvd_copy.conf", {
"iface": f,
"ip": topo.IPS[f].replace('::ff', '::0/64')
})
append(unshared(r, "/etc/bird/bird6.conf"), "addressing/router_advertisement/radvd_foot.conf",
{
"dns": topo.IPS["[DNS1]-lo"]
})
append(startup(r), "config_helpers/periodic.sh", {"script": "/var/automatic_advertised_ip.sh"});
def __dhcp_relay(r):
interfaces_list_dhcp_forward_to = []
interfaces_list_dhcp_listen_on = []
dhcp_ip = topo.IPS["DHC1-eth0"]
dhcp2_ip = topo.IPS["DHC2-eth0"]
for interf_name in topo.get_interfaces(r):
interfaces_list_dhcp_listen_on.append('-l ' + interf_name)
if "eth" in interf_name:
interfaces_list_dhcp_forward_to.append("-u " + topo.PREFIX_A + ":" + dhcp_ip + "%" + interf_name)
interfaces_list_dhcp_forward_to.append("-u " + topo.PREFIX_B + ":" + dhcp_ip + "%" + interf_name)
interfaces_list_dhcp_forward_to.append("-u " + topo.PREFIX_A + ":" + dhcp2_ip + "%" + interf_name)
interfaces_list_dhcp_forward_to.append("-u " + topo.PREFIX_B + ":" + dhcp2_ip + "%" + interf_name)
if "lan" in interf_name:
if r == "CARN" and interf_name == "CARN-lan1":
interfaces_list_dhcp_forward_to.append("-u " + topo.PREFIX_A + ":" + dhcp_ip + "%" + interf_name)
interfaces_list_dhcp_forward_to.append("-u " + topo.PREFIX_B + ":" + dhcp_ip + "%" + interf_name)
interfaces_list_dhcp_forward_to.append("-u " + topo.PREFIX_A + ":" + dhcp2_ip + "%" + interf_name)
interfaces_list_dhcp_forward_to.append("-u " + topo.PREFIX_B + ":" + dhcp2_ip + "%" + interf_name)
append(startup(r), "addressing/dhcp/dhcp_relay.sh",
{"node": r, "forward_to": " ".join(interfaces_list_dhcp_forward_to),
"listen_on": " ".join(interfaces_list_dhcp_listen_on)})
def make_qos():
for i, r in enumerate(topo.ROUTERS):
print(" Adding QOS to ", r)
for interface in topo.get_interfaces(r):
append(startup(r), "qos/shaping.sh", {"interface": interface})
def make_staticinit():
'''
Preinitialisation of the system: assigning static IPs, ...
(everything that isn't routing, security, ...)
'''
# Adding global shared files across all nodes
print(" Adding static files")
global_files = [
("/var/www/html/chien/index.html", "services/http/chien/index.html"),
("/var/www/html/website/index.html", "services/http/website/index.html"),
("/var/www/html/grading/index.html", "services/http/grading/index.html"),
('/var/automatic_advertised_ip.sh', 'addressing/router_advertisement/automatic_advertised_ip.sh'),
('/var/automatic_source_ip.sh', 'config_helpers/automatic_source_ip.sh'),
]
append(unshared("TEST", "/etc/resolv.conf"), "config_helpers/resolv_test.conf");
for destfile, sourcefile in global_files:
quiet_remove(destfile)
append(shared(destfile), sourcefile)
# Adding static IPS to routers
print(" Adding router static IPS")
for m in topo.ROUTERS + ["DNS1", "DNS2"]:
add_text(startup(m), banner("Static routes and ips"))
# For every link
for interface in topo.get_interfaces(m):
prefix = topo.IPS[interface]
prefix_len = "/64"
if interface in ["DNS1-eth0", "DNS2-eth0", "MICH-eth3", "CARN-eth3"]:
prefix_len = "/127" # most restrained link for DNS
append(
startup(m),
"config_helpers/assignation_dual_prefixed.sh",
{"interface": interface, "ip":prefix+ prefix_len}
)
# And for loopback
append(startup(m), "config_helpers/assignation_loopback.sh", {"ip": topo.IPS["[" + m + "]-lo"]})
# Adding static IPS to services
print(" Adding datacenter static IPS")
for m in topo.STATIC_SERVICES:
if not m in ["DNS1", "DNS2"]:
for interface in topo.get_interfaces(m):
append(startup(m), "config_helpers/assignation_dual_prefixed.sh",
{"interface": interface, "ip": topo.IPS[interface] + "/64"})
# Adding static routes to services
print(" Adding datacenter static routes")
for m in topo.STATIC_SERVICES:
if not m in ["DNS1", "DNS2"]:
append(startup(m), "routing/static/default_route.sh", {"gateway": "via fd00:0200:0001:" + topo.IPS["CARN-lan0"]})
# Adding a test host (external to the network)
print(" Adding TEST node")
# ip address
append(startup("TEST"), "config_helpers/assignation_single_noprefix.sh",
{"interface": "output", "ip": "fd00:face::b00c"});
# default route
append(startup("TEST"), "routing/static/direct_route.sh", {"target": "fd00:200::1", "dev": "output"})
append(startup("TEST"), "routing/static/default_route.sh", {"gateway": "via fd00:0200::1"})
# additional route on PYTH
append(startup("PYTH"), "routing/static/direct_route.sh", {"target": "fd00:face::b00c", "dev": "belnetb"})
# Adding link to BGP peers
append(startup("PYTH"), "config_helpers/assignation_single_noprefix.sh", {"interface": "belnetb", "ip": topo.IPS["belnetb"] + "/64"})
append(startup("HALL"), "config_helpers/assignation_single_noprefix.sh", {"interface": "belneta", "ip": topo.IPS["belneta"] + "/64"})
# Adding automatic source selection on statically assigned IP machines
print(" Setting source IP selection on routers & machines")
for m in topo.ROUTERS + topo.STATIC_SERVICES:
add_text(startup(m), banner("Automatic source selection"))
append(startup(m), "config_helpers/periodic.sh", {"script": "/var/automatic_source_ip.sh"})