def make_security(): for i, r in enumerate(topo.ROUTERS): print(" Firewall on", r) # Security with ip6tables # # the ip6tables rules are splitted in 12 different files, located in template/security/iptable. # We made this repartition because some files will be used several time in for loops, # other will be used just one time, other will be used only on border routers # (where BGP is established) ... # Furthumore, the order of the files is important as as when scanning a packet, the firewall stops # soon as it founds a rule matching this packet. append(startup(r), "security/iptables/1_router_all.sh", {"router": r}) if r == "PYTH": append(startup(r), "security/iptables/2_router_border_block_hop_limit.sh", {"interface": "belnetb", "prefix": "fd00:0300:0001"}) if r == "HALL": append(startup(r), "security/iptables/2_router_border_block_hop_limit.sh", {"interface": "belneta", "prefix": "fd00:0200:0001"}) append(startup(r), "security/iptables/3_router_all.sh") for interface in topo.get_interfaces(r): if "lan" in interface: append(startup(r), "security/iptables/4_router_spoofing_and_ospf_restrictions.sh", {"interface": interface, "suffix": topo.IPS[interface]}) if r == "PYTH": append(startup(r), "security/iptables/5_router_border_network.sh", {"interface": "belnetb", "prefix": "fd00:0300:0001", "router":r}) if r == "HALL": append(startup(r), "security/iptables/5_router_border_network.sh", {"interface": "belneta", "prefix": "fd00:0200:0001", "router":r}) append(startup(r), "security/iptables/6_comments.txt", cr=False) for z in range(0x0, 0x10): z = format(z, 'x') append(startup(r), "security/iptables/6_router_forward_user0.sh", {"zone": z}, cr=False) append(startup(r), "security/iptables/7_router_all.sh") append(startup(r), "security/iptables/8_comments.txt", cr=False) for z in range(0x0, 0x10): z = format(z, 'x') append(startup(r), "security/iptables/8_router_avoid_students_server_lan.sh", {"zone": z}, cr=False) append(startup(r), "security/iptables/9_comments.txt", cr=False) for z in range(0x0, 0x10): z = format(z, 'x') append(startup(r), "security/iptables/9_router_forward_user1.sh", {"zone": z}, cr=False) append(startup(r), "security/iptables/10_comments.txt", cr=False) for z in range(0x0, 0x10): z = format(z, 'x') append(startup(r), "security/iptables/10_router_forward_user2.sh", {"zone": z}, cr=False) append(startup(r), "security/iptables/11_comments.txt", cr=False) for z in range(0x0, 0x10): z = format(z, 'x') append(startup(r), "security/iptables/11_router_forward_user3.sh", {"zone": z}, cr=False) append(startup(r), "security/iptables/12_comments.txt", cr=False) for z in range(0x0, 0x10): z = format(z, 'x') append(startup(r), "security/iptables/12_router_forward_user4.sh", {"zone": z}, cr=False) append(startup(r), "security/iptables/13_router_forward_last_rules.sh")
def __router_advertisement(r): append(unshared(r, "/etc/bird/bird6.conf"), "addressing/router_advertisement/radvd_head.conf", {}) for f in topo.get_interfaces(r): if "lan" in f: append(unshared(r, "/etc/bird/bird6.conf"), "addressing/router_advertisement/radvd_copy.conf", { "iface": f, "ip": topo.IPS[f].replace('::ff', '::0/64') }) append(unshared(r, "/etc/bird/bird6.conf"), "addressing/router_advertisement/radvd_foot.conf", { "dns": topo.IPS["[DNS1]-lo"] }) append(startup(r), "config_helpers/periodic.sh", {"script": "/var/automatic_advertised_ip.sh"});
def __dhcp_relay(r): interfaces_list_dhcp_forward_to = [] interfaces_list_dhcp_listen_on = [] dhcp_ip = topo.IPS["DHC1-eth0"] dhcp2_ip = topo.IPS["DHC2-eth0"] for interf_name in topo.get_interfaces(r): interfaces_list_dhcp_listen_on.append('-l ' + interf_name) if "eth" in interf_name: interfaces_list_dhcp_forward_to.append("-u " + topo.PREFIX_A + ":" + dhcp_ip + "%" + interf_name) interfaces_list_dhcp_forward_to.append("-u " + topo.PREFIX_B + ":" + dhcp_ip + "%" + interf_name) interfaces_list_dhcp_forward_to.append("-u " + topo.PREFIX_A + ":" + dhcp2_ip + "%" + interf_name) interfaces_list_dhcp_forward_to.append("-u " + topo.PREFIX_B + ":" + dhcp2_ip + "%" + interf_name) if "lan" in interf_name: if r == "CARN" and interf_name == "CARN-lan1": interfaces_list_dhcp_forward_to.append("-u " + topo.PREFIX_A + ":" + dhcp_ip + "%" + interf_name) interfaces_list_dhcp_forward_to.append("-u " + topo.PREFIX_B + ":" + dhcp_ip + "%" + interf_name) interfaces_list_dhcp_forward_to.append("-u " + topo.PREFIX_A + ":" + dhcp2_ip + "%" + interf_name) interfaces_list_dhcp_forward_to.append("-u " + topo.PREFIX_B + ":" + dhcp2_ip + "%" + interf_name) append(startup(r), "addressing/dhcp/dhcp_relay.sh", {"node": r, "forward_to": " ".join(interfaces_list_dhcp_forward_to), "listen_on": " ".join(interfaces_list_dhcp_listen_on)})
def make_qos(): for i, r in enumerate(topo.ROUTERS): print(" Adding QOS to ", r) for interface in topo.get_interfaces(r): append(startup(r), "qos/shaping.sh", {"interface": interface})
def make_staticinit(): ''' Preinitialisation of the system: assigning static IPs, ... (everything that isn't routing, security, ...) ''' # Adding global shared files across all nodes print(" Adding static files") global_files = [ ("/var/www/html/chien/index.html", "services/http/chien/index.html"), ("/var/www/html/website/index.html", "services/http/website/index.html"), ("/var/www/html/grading/index.html", "services/http/grading/index.html"), ('/var/automatic_advertised_ip.sh', 'addressing/router_advertisement/automatic_advertised_ip.sh'), ('/var/automatic_source_ip.sh', 'config_helpers/automatic_source_ip.sh'), ] append(unshared("TEST", "/etc/resolv.conf"), "config_helpers/resolv_test.conf"); for destfile, sourcefile in global_files: quiet_remove(destfile) append(shared(destfile), sourcefile) # Adding static IPS to routers print(" Adding router static IPS") for m in topo.ROUTERS + ["DNS1", "DNS2"]: add_text(startup(m), banner("Static routes and ips")) # For every link for interface in topo.get_interfaces(m): prefix = topo.IPS[interface] prefix_len = "/64" if interface in ["DNS1-eth0", "DNS2-eth0", "MICH-eth3", "CARN-eth3"]: prefix_len = "/127" # most restrained link for DNS append( startup(m), "config_helpers/assignation_dual_prefixed.sh", {"interface": interface, "ip":prefix+ prefix_len} ) # And for loopback append(startup(m), "config_helpers/assignation_loopback.sh", {"ip": topo.IPS["[" + m + "]-lo"]}) # Adding static IPS to services print(" Adding datacenter static IPS") for m in topo.STATIC_SERVICES: if not m in ["DNS1", "DNS2"]: for interface in topo.get_interfaces(m): append(startup(m), "config_helpers/assignation_dual_prefixed.sh", {"interface": interface, "ip": topo.IPS[interface] + "/64"}) # Adding static routes to services print(" Adding datacenter static routes") for m in topo.STATIC_SERVICES: if not m in ["DNS1", "DNS2"]: append(startup(m), "routing/static/default_route.sh", {"gateway": "via fd00:0200:0001:" + topo.IPS["CARN-lan0"]}) # Adding a test host (external to the network) print(" Adding TEST node") # ip address append(startup("TEST"), "config_helpers/assignation_single_noprefix.sh", {"interface": "output", "ip": "fd00:face::b00c"}); # default route append(startup("TEST"), "routing/static/direct_route.sh", {"target": "fd00:200::1", "dev": "output"}) append(startup("TEST"), "routing/static/default_route.sh", {"gateway": "via fd00:0200::1"}) # additional route on PYTH append(startup("PYTH"), "routing/static/direct_route.sh", {"target": "fd00:face::b00c", "dev": "belnetb"}) # Adding link to BGP peers append(startup("PYTH"), "config_helpers/assignation_single_noprefix.sh", {"interface": "belnetb", "ip": topo.IPS["belnetb"] + "/64"}) append(startup("HALL"), "config_helpers/assignation_single_noprefix.sh", {"interface": "belneta", "ip": topo.IPS["belneta"] + "/64"}) # Adding automatic source selection on statically assigned IP machines print(" Setting source IP selection on routers & machines") for m in topo.ROUTERS + topo.STATIC_SERVICES: add_text(startup(m), banner("Automatic source selection")) append(startup(m), "config_helpers/periodic.sh", {"script": "/var/automatic_source_ip.sh"})