|
|
The MLN ProjectComplex virtual machine management made easy |
Navigation |
fw101: Setting up a basic firewall scenario for students from scratchWritten by Kyrre BegnumThis page is being written as you read, come back later, please. This little tutorial shows how to use mln and user-mode-linux to set up basic virtual machines for students in an entry-level firewall course. SettingI am going to teach a course on "Firewalls and Intrusion Detection" and want to use Linux and Iptables as my main platform in the lab. Let's call the course fw101. I want to divide the students into groups and let each one of them have their own firewall to practice on. I wrote down the following requirements for my lab:
DesignEvery student group gets a gateway and two machines connected to a switch will be their internal network. The students will do most of the work on the gateway, so that one will get a bit of diskspace. The other two will act as dummies simply to send and receive traffic, so they won't need more than approximately 500MB of disk each.
For simplicity, I'll pretend I only have two groups. It is easy to expand this to more groups. Instead of creating one user for every student, I create one for each student group. All students in that group will log in with the same username and password. This enables me to run the virtual machines owned by that user and all students in that group can access its console. You may not want to use this approach, in my case however, I want them to have console access in case they lock up the network on their gateway ( I actually anticipate that to happen ). For the networking to work, I need to set up my machine with an ethernet bridge device so that the virtual machines appear to belong to the same network. One can set that up manually. I will use MLN for this as well. For the virtual machines, it will appear as if they are connected to a switch. Every gateway is going to mount a folder on the physical machine using a special filesystem called hostfs. The students will leave their assignements in that folder, so that I can collect them easily. PreparationI patched my kernel with the skas3 patch found here: < a href="http://user-mode-linux.sourceforge.net/dl-sf.html#Host patches">http://user-mode-linux.sourceforge.net/dl-sf.html#Host patchesThe patch is not strictly necessary. It is recommended, however, since it improves performance. Next, I installed some software: apt-get install user-mode-linux uml-utilities bridge-utils screen sudoI also have to create the directories for the assignements: mkdir /fw101 mkdir /fw101/gw1 mkdir /fw101/gw2I downloaded the lates version of MLN and two templates, sarge-thick-V0.4.ext2.tar.gz for the gateways and the smaller Debian-3.0r0-V0.3.ext2.tar.gz for the dummy machines. This is how I chose to set it all up: tar xzf mln-0.72.tar.gz mkdir /mln mkdir /mln/bin cp mln-0.72/mln /mln/bin export PATH=$PATH:/mln/binNext, I configure MLN: mkdir /mln/templates mkdir /mln/projects mkdir /mln/files echo "projects /mln/projects" > ~/.mln echo "templates /mln/templates" >> ~/.mln echo "files /mln/files" >> ~/.mln mln register_template -m "The dummy template" Debian-3.0r0-V0.3.ext2.tar.gz mln register_template -m "The gateway template" sarge-thick-V0.4.ext2.tar.gz Creating users and groupsadduser group1 adduser group2 addgroup fw101 usermod -G fw101 group1 usermod -G fw101 group1 chown group1 /fw101/gw1 chown group2 /fw101/gw2Choose passwords wisely. Next, we set up mln for the students too. The next steps are not strictly necessary, but in the next tutorial, we will see how students can create their own virtual networks so we might just as well prepare for that too. echo "projects /mln/projects" > ~group1/.mln echo "templates /mln/templates" >> ~group1/.mln echo "files /mln/files" >> ~group1/.mln echo "projects /mln/projects" > ~group2/.mln echo "templates /mln/templates" >> ~group2/.mln echo "files /mln/files" >> ~group2/.mln chgrp fw101 /mln/projects chgrp -R fw101 /mln/templates chgrp -R fw101 /mln/files chmod -R 775 /mln/projects chmod -R 775 /mln/templates chmod -R 775 /mln/filesThere are different approaches to this, you might want separate project directories. Defining the network using the MLN languageBefore we begin with the mln-file, let me point out the obvious, that this file won't work for you unless you change certain variables. I will try to make them easy to spot.I want root passwords on the gateways, and generate them like this: root:~# mkpasswd group1_password /d23ZbIBSuPYc root:~# mkpasswd group2_password qFxR2/RL3NOyoI cut and paste these two passowrds into the mln-file (you might want to come upt with better passwords then these). You can get a copy of the file here.
global {
project fw101
# you need to change these:
$my_dns = 128.39.89.10
$group1_addr = 128.39.73.140
$group2_addr = 128.39.73.150
$root_passwd1 = "/d23ZbIBSuPYc"
$root_passwd2 = "qFxR2/RL3NOyo"
}
# This switch will be connected through the
# bridge interface.
switch external {
tap tap0
group fw101
}
# This superclass defines most aspects
# of a gateway:
superclass gateway {
term screen
size 1500M
template sarge-thick.ext2
nameserver $my_dns
# external interface:
# everything but the address
network eth0 {
switch external
netmask 255.255.255.0
broadcast 128.39.89.255
gateway 128.39.73.1
}
# internal interface:
# everything but the switch
network eth1 {
address 10.0.0.1
netmask 255.255.255.0
broadcast 10.0.0.255
}
# Would you like to load all modules
# for the students, or just some?
modules {
iptable_nat
iptable_filter
ip_conntrack
ip_tables
ipt_MASQUERADE
}
}
# Definitions for the dummy host
superclass dummy_host {
nameserver $my_dns
template Debian-3.0r0.ext2
term screen
size 500MB
network eth0 {
netmask 255.255.255.0
gateway 10.0.0.1
broadcast 10.0.0.255
}
}
############################################
# This is where I define the actual hosts and switches.
# Every host and switch name will end with their group number
# Group 1
host gw1 {
sudo group1
superclass gateway
root_password $root_passwd1
network eth0 {
address $group1_addr
}
network eth1 {
switch switch1
}
mount {
/fw101/gw1 /fw101 hostfs rw
}
}
switch switch1 {
sudo group1
}
# first dummy
host dummy1-1 {
sudo group1
superclass dummy_host
network eth0 {
switch switch1
address 10.0.0.2
}
}
host dummy2-1 {
sudo group1
superclass dummy_host
network eth0 {
switch switch1
address 10.0.0.3
}
}
# Group 2
host gw2 {
superclass gateway
sudo group2
root_password $root_passwd2
network eth0 {
address $group2_addr
}
network eth1 {
switch switch2
}
mount {
/fw101/gw2 /fw101 hostfs rw
}
}
switch switch2 {
sudo group2
}
# first dummy
host dummy1-2 {
superclass dummy_host
sudo group2
network eth0 {
switch switch2
address 10.0.0.2
}
}
host dummy2-2 {
superclass dummy_host
sudo group2
network eth0 {
switch switch2
address 10.0.0.3
}
}
Building and starting the projectMost of the work is actually done now. It is time to build and start the project.mln build -f fw101.mln < snip, snip > . . ########### fw101 FINISHED ######### Saving Config file. Number of hosts configured: 6Before we start this project, we need to make sure the bridge interface is up (NOTE: Don't do this on a machine that runs a DHCP client, that could mess up your networking) mln enable_bridgeNext we start the project: root:~# mln start -p fw101 Setting up external Setting up switch1 Setting up switch2 Starting dummy1-1 Starting dummy1-2 Starting dummy2-1 Starting dummy2-2 Starting gw1 Starting gw2There. The users can now either log in directly into the virtual machines, or log into the physical machine and use screen -r hostname to access the consoles. You may want to check upon the status of the entire project using this command: root:~# mln status fw101 host dummy1-1 up fw101 host dummy1-2 up fw101 host dummy2-1 up fw101 host dummy2-2 up fw101 host gw1 up fw101 host gw2 up fw101 switch external up fw101 switch switch1 up fw101 switch switch2 up CommentsAdding more groups should not be any problem in this example, simply create more groups and expand the script to contain more networks. You can create more elaborate backnets too, with a DMZ and a LAN, if you want.Note, that the gateways mount up the folder /fw101/gwn, this is where I want them to store their assignements. I can easily collect them from that folder later on, and it is a good way to take backup, in case you want to rebuild the virtual hosts. Students may stop their own hosts, so you don't have to be available for them. But it might be a good idea, to tell them not to try and shut down the entire project, but to specify the hosts explicitly. To save diskspace, one could use smaller templates on the LAN-side. It depends on the functionality you want. The gatways won't forward any traffic the way they are set up now. But that is because I want the students to enable that in their excercises. In the next tutorial, we will have a look at how the students can build and run their own virtual networks and connect them to the internet. |