-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsetupIPSEC.sh
198 lines (160 loc) · 7 KB
/
setupIPSEC.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
#!/bin/bash
# File: setup.sh
#
# Description:
# Script to set the environment to run the basic NED prototype software.
# It instatiates virtual switches, setup the network configuration of the virtual interfaces,
# sets the appropriate flows in the switches, then it finally starts up the PSCM and TVDM.
# Run this as administrator!
#
# Params:
# - $1 physical network interface with internet access
# - $2 [opt] interface to which physical devices are connected
#
# Authors: Roberto Bonafiglia, Francesco Ciaccia
#Parameters for the setup script
IP_VERIFIER=147.83.42.130 #To change with the verifier IP
IP_IPSec_Endpoint=10.2.2.254/16 #IP of the IPSec Endpoint should contains the IP Addresses of the user and the PSA avoid to be on the sam net of the user
IP_PSCM=10.2.2.253/16 #IP of the PSCM should be the same of the client
IP_User_NAT=10.2.2.252/16 #IP of the NAT used by the IPSec endpoint
NET_IPSec_CLIENT=10.2.0.0/16 #NET address of the client connected through IPSec
# It requires to give the name of the port connected to the internet
[ $# -eq 0 ] && { echo "Usage: $0 internetPort [externalClientsPort]"; exit 1; }
# Integrity check for provided interfaces names
ifconfig | grep -q $1
[ $? -ne 0 ] && { echo "Interface $1 not found"; exit 1; }
if [ $# -eq 2 ]
then
ifconfig | grep -q $2
[ $? -ne 0 ] && { echo "Interface $2 not found"; exit 1; }
fi
#Reset the environment
for i in $(virsh list --all | awk '{print $2}' | tail -n +3)
do
virsh destroy $i
virsh undefine $i
done
#Clean of the used bridge
ovs-vsctl --if-exists del-br brNat
ovs-vsctl --if-exists del-br brData
ovs-vsctl --if-exists del-br brCtl
kill `cat tvdm.pid` `cat pscm.pid`
killall -s SIGKILL gunicorn > /dev/null 2>&1
#kill -s SIGKILL `cat /var/lib/dnsmasq/nedDHCP.pid` #> /dev/null 2>&1
kill -9 `cat /var/lib/dnsmasq/nedDHCP.pid` > /dev/null 2>&1
kill -9 `cat /var/lib/dnsmasq/userDHCP.pid` > /dev/null 2>&1
killall arping
ip netns del orchNet > /dev/null 2>&1
ip netns del natNs > /dev/null 2>&1
ip netns del ctrlNs > /dev/null 2>&1
ip rule flush
echo "ip rule flush"
ip rule | cut -d ':' -f2 | sed -e 's/^[ \t]*//' > /tmp/iprules.txt
while read p
do
ip rule del $p
done < /tmp/iprules.txt
ip rule
ip rule add lookup local
ip rule add from all lookup 220 pref 220
ip rule add from all lookup main pref 32766
ip rule add from all lookup default pref 32767
########
# remove routes leftovers
if [ `ip add show | grep "10\.2\." | wc -l` -gt 0 ]
then
echo "WARNING THERE IS A IFACE WITH IP 10.2... "
fi
# remove vm leftovers
rm -f /var/lib/libvirt/images/*-*-*-*-*.qcow2
for i in $(ls /sys/class/net/ | grep tap*)
do
/usr/sbin/ip link del $i &
done
########
cp rt_tables /etc/iproute2/rt_tables
ip xfrm policy flush
ip xfrm state flush
iptables -F
iptables -X
iptables -t nat -F
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
#This command will be used to generate the basic bridges and the various ports
echo "250 tapIPSEC" >> /etc/iproute2/rt_tables
ovs-vsctl add-br brNat
ovs-vsctl add-br brData
ovs-vsctl add-br brCtl
ovs-vsctl add-port brData tapIPSEC -- set Interface tapIPSEC type=internal
ovs-vsctl add-port brNat tapBr -- set Interface tapBr type=internal
ovs-vsctl add-port brNat tapExt -- set Interface tapExt type=internal
ovs-vsctl add-port brData tapPSCM -- set Interface tapPSCM type=internal
ovs-vsctl add-port brData tapNAT -- set Interface tapNAT type=internal
ovs-vsctl add-port brCtl tapOrch -- set Interface tapOrch type=internal
ovs-vsctl add-port brCtl tapDHCP -- set Interface tapDHCP type=internal
ovs-vsctl add-port brCtl tapCtl -- set Interface tapCtl type=internal
#Add default network namespace
mkdir -p /var/run/netns
ln -s /proc/1/ns/net /var/run/netns/default
#Configure the network
ip netns add orchNet
ip netns add natNs
ip link set tapOrch netns orchNet
ip link set tapCtl netns natNs
ip link set tapDHCP netns orchNet
ip link set tapNAT netns natNs
ip link set tapBr netns natNs
ifconfig tapIPSEC $IP_IPSec_Endpoint
ifconfig tapExt 192.168.0.1/24
ip netns exec natNs ifconfig tapNAT $IP_User_NAT
ip netns exec natNs ifconfig tapBr 192.168.0.2/24
ip netns exec orchNet ifconfig tapOrch 192.168.1.1/24
ip netns exec orchNet ifconfig tapDHCP 192.168.1.254/24
ip netns exec natNs ifconfig tapCtl 192.168.1.3/24
#ip netns exec pscmNs
ifconfig tapPSCM $IP_PSCM
ip netns exec orchNet ifconfig lo up
ip netns exec orchNet ip route add default via 192.168.1.3 dev tapOrch
mkdir -p /var/lib/dnsmasq/
echo "" > /var/lib/dnsmasq/nedDHCP.host
ip netns exec orchNet dnsmasq --conf-file=default.conf
ip netns exec natNs route add default gw 192.168.0.1 tapBr
ip route add $NET_IPSec_CLIENT dev tapIPSEC src `echo $IP_IPSec_Endpoint | sed 's/\/[0-9]*[0-9]//'` table tapIPSEC
ip route add default via `echo $IP_User_NAT | sed 's/\/[0-9]*[0-9]//'` dev tapIPSEC table tapIPSEC
ip rule add from $NET_IPSec_CLIENT table tapIPSEC
ip rule add to $NET_IPSec_CLIENT table tapIPSEC
IPSECport=$(ovs-ofctl show brData | grep tapIPSEC | awk '{print $1}' | sed -e 's/\([0-9]\).*/\1/')
NATport=$(ovs-ofctl show brData | grep tapNAT | awk '{print $1}' | sed -e 's/\([0-9]\).*/\1/')
ovs-ofctl del-flows brData
ovs-ofctl add-flow brData priority=1,in_port=$IPSECport,dl_type=0x806,actions=output:$NATport
ovs-ofctl add-flow brData priority=1,in_port=$NATport,dl_type=0x806,actions=output:$IPSECport
ovs-ofctl add-flow brData priority=1,in_port=$IPSECport,dl_type=0x800,actions=output:$NATport
ovs-ofctl add-flow brData priority=1,in_port=$NATport,dl_type=0x800,nw_src=$IP_VERIFIER,actions=output:$IPSECport
##Access to the verifier
ip route flush table 210
ip route add default via `ip route | awk '/default via/{print $3}'` table 210
ip rule add from $IP_VERIFIER to $NET_IPSec_CLIENT table 210 pref 1
ip rule add from $NET_IPSec_CLIENT to $IP_VERIFIER table 210 pref 1
iptables -t nat -A POSTROUTING -s $NET_IPSec_CLIENT -d $IP_VERIFIER -j MASQUERADE
###################
enabled_mob="$(sed -e 's/#.*$//' -e '/^$/d' tvdm.conf | grep '=' | grep mobility | sed "s/ //g" | cut -d '=' -f 2)"
if [ "$enabled_mob" = "True" ]; then
echo "Mobility enabled"
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
ip netns exec natNs iptables --table nat --append POSTROUTING --src 192.168.1.0/24 --out-interface tapBr -j MASQUERADE
else
echo "Mobility disabled"
iptables --table nat --append POSTROUTING --out-interface $1 -j MASQUERADE
ip netns exec natNs iptables --table nat --append POSTROUTING --out-interface tapBr -j MASQUERADE
fi
########
iptables --append FORWARD --in-interface tapExt -j ACCEPT
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o $1 -j TCPMSS --set-mss 1300
ip netns exec natNs iptables --append FORWARD --in-interface tapNAT -j ACCEPT
ip netns exec natNs iptables --append FORWARD --in-interface tapCtlExt -j ACCEPT
# Start PSCM and TVDM
ip netns exec orchNet gunicorn -b 192.168.1.1:8080 --pythonpath TVDM mainIPSEC:app -p tvdm.pid -D
gunicorn -b `echo $IP_PSCM | sed 's/\/[0-9]*[0-9]//'`:8080 --pythonpath PSCM main:app -p pscm.pid -D