<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
"http://www.w3.org/TR/REC-html40/loose.dtd">
<html>
<head>
<meta content="text/html; charset=iso-8859-1" http-equiv="Content-Type">
<title>CPIT Case Study Cont'd</title>
</head>
<body alink="#FF0000" vlink="#55188A" link="#0000EF" bgcolor="#FFFFFF" text="#000099">
<table border="0">
<tr align="left">
<td valign="top">
<table border="0">
<tr align="left"><td valign="top" >
<img src="http://user-mode-linux.sourceforge.net/uml-small.png" height="171" width="120"/>
</td></tr>
<tr align="left"><td valign="top" bgcolor="#e0e0e0">
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/index.html">Site Home Page</a></font>
<br>
<font size="-1"><a href="http://uml.harlowhill.com">The UML Wiki</a></font>
<br>
<font size="-1"><a href="http://usermodelinux.org">UML Community Site</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/roadmap.html">The UML roadmap</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/uses.html">What it's good for</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/case-studies.html">Case Studies</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/kernel.html">Kernel Capabilities</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/dl-sf.html">Downloading it</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/run.html">Running it</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/compile.html">Compiling</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/install.html">Installation</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/skas.html">Skas Mode</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/patches.html">Incremental Patches</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/tests.html">Test Suite</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/devanon.html">Host memory use</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/fs_making.html">Building filesystems</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/faq.html">Troubles</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/contrib.html">User Contributions</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/links.html">Related Links</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/todo.html">The ToDo list</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/projects.html">Projects</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/diary.html">Diary</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/thanks.html">Thanks</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/contacts.html">Contacts</a></font>
</td></tr>
<tr align="left"><td valign="top" bgcolor="#e0e0e0">Tutorials<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/UserModeLinux-HOWTO.html">The HOWTO (html)</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/UserModeLinux-HOWTO.txt">The HOWTO (text)</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/hostfs.html">Host file access</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/input.html">Device inputs</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/shared_fs.html">Sharing filesystems</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/fs.html">Creating filesystems</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/resize.html">Resizing filesystems</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/networking.html">Virtual Networking</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/mconsole.html">Management Console</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/debugging.html">Kernel Debugging</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/honeypots.html">UML Honeypots</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/gprof.html">gprof and gcov</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/xtut.html">Running X</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/trouble.html">Diagnosing problems</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/config.html">Configuration</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/slack_readme.html">Installing Slackware</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/arch-port.html">Porting UML</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/iomem.html">IO memory emulation</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/2G-2G.html">UML on 2G/2G hosts</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/lksct/index.html">Adding a UML system call</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/nesting.html">Running nested UMLs</a></font>
</td></tr>
<tr align="left"><td valign="top" bgcolor="#e0e0e0">How you can help<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/help-gen.html">Overview</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/help-doc.html">Documentation</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/help-userspace.html">Utilities</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/help-kernel-v1.html">Kernel bugs</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/projects.html">Kernel projects</a></font>
</td></tr>
<tr align="left"><td valign="top" bgcolor="#e0e0e0">Screenshots<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/net.html">A virtual network</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/x.html">An X session</a></font>
</td></tr>
<tr align="left"><td valign="top" bgcolor="#e0e0e0">Transcripts<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/login.html">A login session</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/debug-session.html">A debugging session</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/slackinst.html">Slackware installation</a></font>
</td></tr>
<tr align="left"><td valign="top" bgcolor="#e0e0e0">Reference<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/switches.html">Kernel switches</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/slack_readme.html">Slackware README</a></font>
</td></tr>
<tr align="left"><td valign="top" bgcolor="#e0e0e0">Papers<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/als2000/index.html">ALS 2000 paper (html)</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/als2000.tex">ALS 2000 paper (TeX)</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/slides/als2000/slides.html">ALS 2000 slides</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/slides/lca2001/lca.html">LCA 2001 slides</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/slides/ols2001/index.html">OLS 2001 paper (html)</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/ols2001.tex">OLS 2001 paper (TeX)</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/als2001/index.html">ALS 2001 paper (html)</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/als2001.tex">ALS 2001 paper (TeX)</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/slides/ists2002/umlsec.htm">UML security (html)</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/slides/lca2002/lca2002.htm">LCA 2002 (html)</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/slides/wvu2002/wvu2002.htm">WVU 2002 (html)</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/slides/ists_rt/ists_rt.htm">Security Roundtable (html)</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/slides/ols2002/ols2002.html">OLS 2002 slides</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/slides/lwe2005/LWE2005.html">LWE 2005 slides</a></font>
</td></tr>
<tr align="left"><td valign="top" bgcolor="#e0e0e0">Fun and Games<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/cgi-bin/hangman">Kernel Hangman</a></font>
<br>
<font size="-1"><a href="http://user-mode-linux.sourceforge.net/sdotm.html">Disaster of the Month</a></font>
</td></tr>
</table>
</td>
<td valign="top" align="left">
<center>
<h3>CPIT Case Study Cont'd</h3>
</center>
Building such a network, with this much subnetting, is quite complex.
I have therefore written some shell scripts to build the network
almost automatically. The scripts are complex enough that it
would have been easier to implement them in awk or perl or the
like, but currently they are in plain bash syntax. They were
prepared quickly, so they are far from elegant, but plain bash
syntax has the advantage that more people are likely to understand
them. The scripts are quite flexible - any value for the subnet
x.y.z can be given as a parameter (though the current scripts are fixed
for a sub(sub)net mask of 255.255.255.240).
<br>
<i>[ The scripts below are available in a tarball
<a href="examples/cpit.tar">here</a> - jdike]</i>
<p>
Rather than going into long discussions of how the setup is
implemented I have instead carefully commented the scripts themselves
in explanation.
<p>
One of the most important things in the design is to decide on a
suitable directory structure including the permissions used in that
structure.
<pre>
/
|
+-- home
    |
    +-- uml
        |
        +-- umlfw224_225
        +-- uml16_17
        +-- uml16_18
        +-- uml32_33
        +-- ... etc
</pre>
1. I have therefore created a user "uml" with a home directory /home/uml as the principal operator of the build scripts.
The arrangement chosen requires that ALL scripts and the root_fs MUST
be stored in this /home/uml directory. The cow files however are kept
in separate directories (one per virtual machine). This helps protect
them from other users.
<p>
2. Each virtual machine is allocated a user name and home directory
for its cow file. The home directory for the virtual machines is a
sub-directory of /home/uml. The names of the "virtual-machine-users"
(and thus their home directories) are of the form: umlnn_hh where nn
is the subnet they lie on and hh the host number on that subnet. For
example, the virtual host with IP=x.y.z.17 would have the directory
and user name of uml16_17 (the value 16 for the subnet comes from the
relevant address table for a /28 subnetted network like this).
The uml virtual firewall/router has the name/directory of umlfw224_225
(i.e. its IP=x.y.z.225).
<p>
3i. Three main scripts are run, one after the other in order to build
the network. It is important that all scripts are run from the
directory /home/uml (i.e. ~uml).
The scripts are called: umlcreatenet1, umlcreatenet2, and umlcreatenet3.
The way it is done presently, umlcreatenet1 must be run by user root
(it insmods ethertap and runs the many uml_router occurrences etc).
<br>
3ii. For security reasons user root does not run the second script
umlcreatenet2. It is run instead by user "uml". This second script
boots up the virtual machines themselves. After running this second
script all machines should be running in their own xterm ready for
final network configuration.
<br>
3iii. The third script "umlcreatenet3" (which must be run by user
root) sets up the route on the real host towards the virtual network.
<br>
3iv. At this stage the main components of the network are already in
place (ethertap and the uml_router daemons etc). All that remains is
to arrange the ifconfig up and route commands on the virtual hosts
themselves. That is not yet fully automatic. Instead I have created
two special scripts (one for the virtual router, and one for the other
virtual hosts). These scripts have been copied into the /root
directory of the small debian root_fs (by entering
mount root_fs [host_mount_point] -o loop, followed by cp'ing the
scripts into /root).
The two virtual host network configuration scripts are called
umlvfw.conf and umlvhost.conf.
Running any one of these scripts, without supplying any parameters,
results in a brief, but hopefully helpful, usage message.
<p>
In practice there are several more scripts than those outlined in the
simple startup steps above. The umlcreatenet(1,2,3) scripts are
actually only "call-up" scripts - they call up the underlying scripts
that do the real work of configuration. The underlying scripts are
called (and are run in the following order by the umlcreatenet
scripts): umlkillall, umlkillnet (these first two are simply there to
brutally "clean up" any previous uml occurrences), umlhostsetup1,
umlvfw, umlvhost, umlhostsetup2.
<p>
The best way of understanding the whole thing is simply to read the scripts through in the correct order. They are individually quite simple really!!
<p>
Summary:
<br>
a. Create the user uml (home=/home/uml), and (with home subdirectories
in /home/uml) users: umlfw224_225, uml16_17, uml16_18, uml32_33,
uml32_34 etc...
<br>
b. Put every script and the root_fs in /home/uml (and check all the
permissions are okay).
<br>
c. Then run the following scripts (and always from pwd of /home/uml) in this order:
umlcreatenet1 (with the parameters required indicated as usage when run)
umlcreatenet2
umlcreatenet3
<br>
d. Login to the uml virtual machines (as root) and immediately run the network script:
./umlvfw.conf (for the virtual router) or ./umlvhost.conf (for any of the other virtual machines).
<br>
Here then are the scripts themselves, and an appendix showing the
permissions that were assigned to each of them and their relevant
directories. Hopefully this stuff will save somebody the many many
tens of hours it took me to put it all together :-).
<p>
I. The umlcreatenet1 script:
<pre>
#!/bin/sh
#Program: umlcreatenet1
#Licence: GPL
#Author: William McEwan
#Date: 6 Sep 2001
# 1. This is the main script (part 1 of 3) for building the Virtual
#Network Laboratory semi-automatically.
# "umlcreatenet1 (as user root) creates a clean slate and sets up the
#host ethertap and uml_router daemons.
# 2. This script should be followed by running script
# ~uml/umlcreatenet2 (as user uml).
# 3. Finally the script ~uml/umlcreatenet3 should be run (as user root).
# 4. The only thing left to do after that it to run the conf scripts
# on the uml machines themselves to complete networking. Assuming a
# telnetd or sshd is present on the virtual machines it should then be
# possible to remotely log in to them.
# READ this script first to help you understand how the whole scheme works.
# It runs all the other scripts for you except for umlvfw.conf and for
# umlvhost.conf (which you run once the virtual machines have booted -
# refer to the related umlvfw and the umlvhost script for usage comments).
# I intend automating that last part later.
# If you have difficulty getting it to work smoothly, start by giving
# more access permissions to all relevant files and directories (and
# re-organise that later).
# IMPORTANT NOTES:
# NOTE 1: Run "./umlcreatenet1 subnet (e.g. 192.168.5)" as user root.
# All these scripts assume you want the (sub)subnet mask
# 255.255.255.240
# NOTE 2: root_fs MUST be placed in ~uml (i.e. uml home directory) for the
# scripts to find it and its modes must be -rw-rw---- root uml
# All the scripts (e.g. umlkillall, umlkillnet, umlhostsetup1,
# umlvfw, umlvhost, umlhostsetup2 MUST also be kept in ~uml
# for this script to find them etc) and all permissions must
# be carefully set up to allow user uml to access them.
# NOTE 3: Make sure you have previously created the uml user(s) along
# with their associated home directories.
# And that you have setup the the main text described permissions and
# groups etc.
# Each virtual machine must have its own directory created in
# ~uml. For example, vhost 192.165.5.17 in my set up has home
# directory /home/uml/uml16_17
# (You can use the -G and -b options of useradd for doing this kind of
# stuff) - in practice it is best to write an automating script for
# adding the uml users.
# The 16_17 stands for sub(subnet) 16 and host id 17. i.e. the number
# 16 usefully tells you which sub(subnet) this particular host is on
# (i.e. subnet 192.168.5.16/28).
cpitsubnet="$1"
case "$cpitsubnet" in
    "") echo
        echo 'usage: ./umlcreatenet1 subnet(e.g. 192.168.5)'
        exit 1
        ;;
    *) ;;
esac
#MAKE SURE you are root user before running this script for the following to work...
# Have a look at the internals of all the following scripts to see
# what they actually do...
cd ~uml
# Get rid off any old uml linux processes and network daemons.
# i.e. clean start:
./umlkillall
./umlkillnet
# Set up ethertap and the uml_router daemons on the host computer:
./umlhostsetup1 238 "$cpitsubnet"
</pre>
II. The umlcreatenet2 script:
<pre>
#!/bin/sh
# Program: umlcreatenet2
#This is the second part of the startup script.
#NOTE WELL: It should be run as user uml.
#Boots up all the virtual machines starting with the firewall router
cd ~uml
cpitsubnet="$1"
case "$cpitsubnet" in
    "") echo
        echo 'usage: ./umlcreatenet2 subnet(e.g. 192.168.5)'
        exit 1
        ;;
    *) ;;
esac
./umlvfw 225 238 0 "$cpitsubnet"
./umlvhost 17
./umlvhost 18
./umlvhost 33
./umlvhost 34
./umlvhost 49
./umlvhost 50
./umlvhost 65
./umlvhost 66
./umlvhost 81
./umlvhost 82
./umlvhost 97
./umlvhost 98
./umlvhost 113
./umlvhost 114
./umlvhost 129
./umlvhost 130
./umlvhost 145
./umlvhost 146
./umlvhost 161
./umlvhost 162
</pre>
III. The umlcreatenet3 script:
<pre>
#!/bin/sh
# Program: umlcreatenet3
#This is the third and final part of the startup script.
#NOTE WELL: It MUST be run as user root.
# Set up the final route from the host computer to the virtual network.
# Make sure you are in directory ~uml (where all these uml scripts are
# located):
cd ~uml
cpitsubnet="$1"
case "$cpitsubnet" in
    "") echo
        echo 'usage: ./umlcreatenet3 subnet(e.g. 192.168.5)'
        exit 1
        ;;
    *) ;;
esac
./umlhostsetup2 "$cpitsubnet"
# Should all be up now. Now you just need to run "umlvhost.conf on each
# booted uml host (and umlvfw.conf on the virtual firewall router).
</pre>
IV. The rough and brutal umlkillall script:
<pre>
#!/bin/sh
# This is just an inelegant quick fix for killing off all the virtual machines
# It assumes "linux" is name of the uml process.
# I generally run this script as the first thing before building the
# virtual net (as user root).
# It, followed by running "umlkillnet", (as user root) cleans
# everything up before beginning the main virtual hosts build.
# I also tend to rm all the cow files before rebuilding the vnet.
# usage: ~uml/umlkillall
# NOTE: Instead of running this script individually it can be called
# by the script "~uml/umlcreatenet1"
# whose purpose is to call up all the other scripts as well. View
# umlcreatenet1 (2 and 3) for details.
# The '[l]inux' pattern stops grep from matching its own command line, and
# awk takes the PID by field rather than by character position (which
# varies between ps versions).
pids=`ps aux | grep '[l]inux' | awk '{print $2}'`
[ -n "$pids" ] && kill -9 $pids
rm -rf /tmp/uml/*
</pre>
V. The equally rough umlkillnet script:
<pre>
#!/bin/sh
# Just an inelegant quick fix for killing off all uml_router daemons
# and ethertaps ready for a clean start
# usage: ~uml/umlkillnet
# NOTE: Instead of running this script individually it can be called
# by the script "~uml/umlcreatenet1"
# whose purpose is to call up all the other scripts as well. View
# umlcreatenet1 (2 and 3) for details.
# '[u]ml_router' keeps grep from matching itself; awk picks the PID field.
pids=`ps aux | grep '[u]ml_router' | awk '{print $2}'`
[ -n "$pids" ] && kill -9 $pids
rm -f 14*
ifconfig tap0 down
rmmod ethertap
rmmod ethertap0
</pre>
VI. The similarly awful umlkillxterm script:
<pre>
#!/bin/sh
#Just an inelegant quick way to kill all xterms/vconsoles if you ever
#want to...
#usage: ~uml/umlkillxterm
pids=`ps aux | grep '[x]term' | awk '{print $2}'`
[ -n "$pids" ] && kill -9 $pids
</pre>
VII. The umlhostsetup1 script:
<pre>
#!/bin/sh
#Program: umlhostsetup1
#Licence: GPL
#Author: William McEwan
#Date: 6 Sep 2001
# This script sets up the host computer.
# Run it (as user root) just after the "clean up scripts" (i.e
# umlkillall followed by umlkillnet).
# NOTE: Instead of running this script individually it can be called
# by the script ~uml/umlcreatenet1
# whose purpose is to call up all the other scripts as well. View
# umlcreatenet1 (2 and 3) for details.
tap0ip="$1" # or in this example case could simply use: tap0ip="238"
# (since that is what it is here!)
case "$1" in
    238) ;;  # Could modify script to increase acceptable tap
             # values: e.g. 23[1-8])
    *) echo
       echo 'usage: ./umlhostsetup1 tapip(e.g. 238) subnet(e.g. 192.168.5)'
       exit 1
       ;;
esac
cpitsubnet="$2" # or could use: cpitsubnet="x.y.z"
tap0mac="10:0:0:0:0:2" # or could use: tap0mac=$3
# (or whatever MAC address you want for tap0)
#Just in case they need done:
mknod /dev/tap0 c 36 16
insmod ethertap #making tap0
#Bring tap0 up on host:
ifconfig tap0 hw ether "$tap0mac" arp mtu 1484 ${cpitsubnet}.${tap0ip} \
netmask 255.255.255.240 broadcast ${cpitsubnet}.239
#Create all the subnet "switches" (daemons):
uml_router -unix 14003 14004 &
uml_router -unix 14005 14006 &
uml_router -unix 14007 14008 &
uml_router -unix 14009 14010 &
uml_router -unix 14011 14012 &
uml_router -unix 14013 14014 &
uml_router -unix 14015 14016 &
uml_router -unix 14017 14018 &
uml_router -unix 14019 14020 &
uml_router -unix 14021 14022 &
uml_router -unix 14023 14024 &
uml_router -unix 14025 14026 &
uml_router -unix 14027 14028 &
uml_router -unix 14029 14030 &
#Give a wee bit time to assure uml_router daemon sockets are ready:
sleep 1
#Make sure the uml virtual hosts can access the uml_router daemon(s) sockets
chgrp uml 14*
chmod 770 14*
</pre>
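<p>
The scripts lean on a small set of file permissions for their isolation:
root_fs must be -rw-rw---- root uml (NOTE 2 of umlcreatenet1), the
uml_router sockets 14* are chgrp'd to uml and chmod 770 above, and the
cow files are created under umask 006 (so 660) by umlvfw and umlvhost.
Summary step b says to "check all the permissions are okay"; the
following POSIX sh audit is an added example of doing exactly that and
is not one of the case study's scripts. It assumes GNU stat (the -c
option) on the host; the names mode_of, group_of, want_perm and
audit_uml_home are this example's own, and the directory passed in plays
the role of ~uml.

```shell
#!/bin/sh
# Added example (not part of the case study): audit the permission layout
# the uml build scripts rely on. Assumes GNU stat -c.
# Expected modes, as the scripts state them:
#   root_fs            660, group uml   (umlcreatenet1 NOTE 2)
#   14* router sockets 770, group uml   (umlhostsetup1: chgrp uml; chmod 770)
#   uml*_*/cow*        660, group uml   (created under umask 006)

# mode_of PATH -> octal permission bits, e.g. 660
mode_of() { stat -c '%a' "$1"; }

# group_of PATH -> owning group name
group_of() { stat -c '%G' "$1"; }

# want_perm PATH MODE GROUP -> prints one line per mismatch, returns 1 on
# any mismatch, 0 if PATH has exactly MODE and (if GROUP is non-empty) GROUP.
want_perm() {
    p=$1; m=$2; g=$3; ok=0
    [ "$(mode_of "$p")" = "$m" ] || { echo "$p: mode $(mode_of "$p"), want $m"; ok=1; }
    if [ -n "$g" ]; then
        [ "$(group_of "$p")" = "$g" ] || { echo "$p: group $(group_of "$p"), want $g"; ok=1; }
    fi
    return $ok
}

# audit_uml_home HOME GROUP -> returns the number of problems found
# (0 means the layout is as the scripts expect). HOME stands in for ~uml.
audit_uml_home() {
    home=$1; grp=$2; bad=0
    want_perm "$home/root_fs" 660 "$grp" || bad=$((bad + 1))
    for s in "$home"/14*; do
        [ -e "$s" ] || continue          # glob matched nothing
        want_perm "$s" 770 "$grp" || bad=$((bad + 1))
    done
    for c in "$home"/uml*_*/cow*; do
        [ -f "$c" ] || continue          # no cow files yet
        want_perm "$c" 660 "$grp" || bad=$((bad + 1))
    done
    return $bad
}

# usage: ./audit_uml_home.sh /home/uml uml
if [ "$#" -ge 2 ]; then
    audit_uml_home "$1" "$2" && echo "layout OK"
fi
```

The audit is deliberately strict about mode equality rather than "at
least this restrictive": a root_fs that is 664 gives every local user
read access to the shared backing file, and a 777 socket lets any user
attach a process to a virtual network segment, which is precisely what
the per-user cow directories and the uml group are meant to prevent.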
VIII. The umlvfw (virtual router/firewall machine) script:
<pre>
#!/bin/sh
#Program: umlvfw
#Licence: GPL
#Author: William McEwan
#Date: 6 Sep 2001
# This script sets up the virtual machine being used as a router (firewall)
# between the host computer and the rest of the virtual machines.
# In this Case Study this one virtual router connects via ethertap
# (its eth0 IP=225) to the host computer (IP=238).
# The other nine interfaces on this virtual router connect to the other
# virtual machines - two such on each network segment.
# It is planned to set up a filtering firewall on this virtual router in
# order to help sandbox remote users inside the virtual network laboratory.
# "umlvfw" should be run as user uml (not as user root).
# Run it after running umlkillall, umlkillnet and umlhostsetup1 or as part
# of the general startup scripts (~uml/umlcreatenet1,2,3)
# that comes after these.
# NOTE: Instead of running this script individually it can be called
# by the script "~uml/umlcreatenet2" whose purpose is to call up all
# the other scripts as well. View umlcreatenet2 for details.
# (This virtual router is later connected to the uml_router daemon segments
# using the associated script: "umlvfw.conf".
# Note: I previously copy umlvhost.conf onto the root_fs (debian small),
# into the directory /root using:
# mount root_fs [host_dir_mountpoint] -o loop and then using cp.
# "umlvfw.conf is set up to connect to the uml_router daemons using:
# IP addresses 30,46,62,78,94,110,126,142,158,174.
# These are the highest host numbers for each of the segments on
# a 255.255.255.240 subnetted IP address).
# Also, once (and only once) the virtual machine has booted up,
# login as root and run the associated virtual machine configuration
# script "umlvfw.conf" by
# entering: ./umlvfw.conf 225 238 192.168.5
umask 006 #So that the cow files are created with the correct permissions
case "$1" in
    22[5-9]|23[0-7]) subsubnet=224;;
    *) echo
       echo 'usage: ./umlvfw ip_address_last_octet(e.g. 225) tapip(e.g. 238)'
       echo '               tapnum(e.g. 0) subnet(e.g. 192.168.5)'
       exit 1
       ;;
esac
mainip="$1" # or could use: mainip=225 (= other end of tap)
tapip="$2" # or could use: tapip=238
tapnum="$3" # e.g. tapnum=0 (makes it tap0 below)
cpitsubnet="$4" # or could use: cpitsubnet="x.y.z"
umlswitch1="14003,14004"
umlswitch2="14005,14006"
umlswitch3="14007,14008"
umlswitch4="14009,14010"
umlswitch5="14011,14012"
umlswitch6="14013,14014"
umlswitch7="14015,14016"
umlswitch8="14017,14018"
umlswitch9="14019,14020"
umlswitch10="14021,14022"
umlswitch11="14023,14024"
umlswitch12="14025,14026"
umlswitch13="14027,14028"
umlswitch14="14029,14030"
# Start up uml linux as a daemon (nohup) with one xterm to do the final
# network configuration; using umlvfw.conf (as described in that script):
cow_locat=~uml/umlfw${subsubnet}_${mainip}/cowfw${subsubnet}_${mainip}
nohup linux umid=${mainip} ubd0=${cow_locat},root_fs \
eth0=ethertap,"tap${tapnum}",,${cpitsubnet}.${tapip} \
eth1=daemon,,unix,${umlswitch1} eth2=daemon,,unix,${umlswitch2} \
eth3=daemon,,unix,${umlswitch3} eth4=daemon,,unix,${umlswitch4} \
eth5=daemon,,unix,${umlswitch5} eth6=daemon,,unix,${umlswitch6} \
eth7=daemon,,unix,${umlswitch7} eth8=daemon,,unix,${umlswitch8} \
eth9=daemon,,unix,${umlswitch9} eth10=daemon,,unix,${umlswitch10} \
eth11=daemon,,unix,${umlswitch11} eth12=daemon,,unix,${umlswitch12} \
eth13=daemon,,unix,${umlswitch13} eth14=daemon,,unix,${umlswitch14} \
ssl=pty con=pty con0=xterm &
umask 022 #returning umask to original values on my host
</pre>
IX. The umlvhost (every other virtual machine) script:
<pre>
#!/bin/sh
#Program: umlvhost
#Licence: GPL
#Author: William McEwan
#Date: 6 Sep 2001
# This script sets up a single virtual machine on
# the network segment relevant to its ip address (e.g ip 17,18...33,34...etc).
# It should be run as user uml (not as user root).
# Run it after running umlkillall, umlkillnet and umlhostsetup1 or
# as part of a general script (umlcreatenet1,2,3)that comes after these.
# NOTE: Instead of running this script individually it can be called by
# the script "~uml/umlcreatenet2" whose purpose is to call up all
# the other scripts as well. View umlcreatenet2 for details.
# (It is later connected to the uml_router daemon segments using
# the associated script: "umlvhost.conf".
# Note: I previously copy umlvhost.conf onto the root_fs (debian small),
# into the directory /root using:
# mount root_fs [host_dir_mountpoint] -o loop and then using cp).
# Also, once (and only once) the virtual machine has booted up,
# login as root and run the script "umlvhost.conf" by entering,
# for example: ./umlvhost.conf 17
# Repeat the above for the other (non-firewall) virtual machines
# (using different IPs!).
# (Later I hope to make this networking more automatic..:-).
umask 006 #So that the cow files are created with the correct permissions
mainip="$1"
#Arrange for the host IP to end up on the correct uml_router daemon subnet:
case "$mainip" in
    # Each pattern covers the usable hosts (1..14) of one /28 segment;
    # the segment's network and broadcast addresses are excluded.
    [1-9]|1[0-4])        subsubnet=0   ; umlswitch="14001,14002" ;;
    1[7-9]|2[0-9]|30)    subsubnet=16  ; umlswitch="14003,14004" ;;
    3[3-9]|4[0-6])       subsubnet=32  ; umlswitch="14005,14006" ;;
    49|5[0-9]|6[0-2])    subsubnet=48  ; umlswitch="14007,14008" ;;
    6[5-9]|7[0-8])       subsubnet=64  ; umlswitch="14009,14010" ;;
    8[1-9]|9[0-4])       subsubnet=80  ; umlswitch="14011,14012" ;;
    9[7-9]|10[0-9]|110)  subsubnet=96  ; umlswitch="14013,14014" ;;
    11[3-9]|12[0-6])     subsubnet=112 ; umlswitch="14015,14016" ;;
    129|13[0-9]|14[0-2]) subsubnet=128 ; umlswitch="14017,14018" ;;
    14[5-9]|15[0-8])     subsubnet=144 ; umlswitch="14019,14020" ;;
    16[1-9]|17[0-4])     subsubnet=160 ; umlswitch="14021,14022" ;;
    17[7-9]|18[0-9]|190) subsubnet=176 ; umlswitch="14023,14024" ;;
    19[3-9]|20[0-6])     subsubnet=192 ; umlswitch="14025,14026" ;;
    209|21[0-9]|22[0-2]) subsubnet=208 ; umlswitch="14027,14028" ;;
    # 224 is the ethertap segment used by the virtual router (umlvfw):
    # 22[5-9]|23[0-8])   subsubnet=224 ; umlswitch="14029,14030" ;;
    24[1-9]|25[0-4])     subsubnet=240 ; umlswitch="14031,14032" ;;
    *) echo
       echo 'invalid ip_octet'
       echo 'usage: ./umlvhost dotted_dec_ip_address_last_octet(e.g. 17)'
       exit 1
       ;;
esac
# Start up uml linux as a daemon (nohup) with one xterm to do the
# final network configuration; using umlvhost.conf (as described in
# that script):
cow_locat=~uml/uml${subsubnet}_${mainip}/cow${subsubnet}_${mainip}
nohup linux umid=uml${mainip} ubd0=${cow_locat},root_fs \
eth0=daemon,,unix,${umlswitch} ssl=pty con=pty con0=xterm &
umask 022 #returning umask to original values on my host
</pre>
X. The virtual router/firewall network configuration script (umlvfw.conf):
<pre>
#!/bin/sh
#Program: umlvfw.conf
#Licence: GPL
#Author: William McEwan
#Date: 6 Sep 2001
# This script is used to finally connect the virtual router (firewall)
# to the virtual network.
# It is run from the virtual machine itself after it is first booted
# as root user.
# I plan to automate this better later.
# I store this script in the /root directory of the debian small
# root_fs used in the experiment.
# I similarly store one copy of the script umlvhost.conf in the same place.
# I get them there using the command:
# mount root_fs /some_host_mount_point -o loop
# followed by cp them from the host computer.
# In the current setup $1 should be entered on the
# commandline as 225 (= the virtual machine end of tap0):
case "$1" in
22[5-9]|23[0-7]) ;;
*) echo
echo 'usage: ./umlvfw.conf ip_address_last_octet(e.g. 225) tapip(e.g. 238) subnet(e.g. 192.168.5)'
exit 1
;;
esac
mainip="$1" # e.g. mainip=225 (= other end of tap).
tapip="$2" # or could use: tapip=238 (= host computer tap0 IP address).
cpitsubnet="$3" # or could make: cpitsubnet="x.y.z"
# Configure the ethertap connection from eth0 to tap:
ifconfig eth0 ${cpitsubnet}.${mainip} netmask 255.255.255.240 \
broadcast ${cpitsubnet}.239 up
# Configure the virtual router connections to the uml_router daemon sockets:
ifconfig eth1 ${cpitsubnet}.30 netmask 255.255.255.240 broadcast \
${cpitsubnet}.31 up
ifconfig eth2 ${cpitsubnet}.46 netmask 255.255.255.240 broadcast \
${cpitsubnet}.47 up
ifconfig eth3 ${cpitsubnet}.62 netmask 255.255.255.240 broadcast \
${cpitsubnet}.63 up
ifconfig eth4 ${cpitsubnet}.78 netmask 255.255.255.240 broadcast \
${cpitsubnet}.79 up
ifconfig eth5 ${cpitsubnet}.94 netmask 255.255.255.240 broadcast \
${cpitsubnet}.95 up
ifconfig eth6 ${cpitsubnet}.110 netmask 255.255.255.240 broadcast \
${cpitsubnet}.111 up
ifconfig eth7 ${cpitsubnet}.126 netmask 255.255.255.240 broadcast \
${cpitsubnet}.127 up
ifconfig eth8 ${cpitsubnet}.142 netmask 255.255.255.240 broadcast \
${cpitsubnet}.143 up
ifconfig eth9 ${cpitsubnet}.158 netmask 255.255.255.240 broadcast \
${cpitsubnet}.159 up
ifconfig eth10 ${cpitsubnet}.174 netmask 255.255.255.240 broadcast \
${cpitsubnet}.175 up
# On the virtual router machine: add default route (gw = host tap0)
# and turn on forwarding:
route add default gw ${cpitsubnet}.${tapip}
echo 1 > /proc/sys/net/ipv4/ip_forward
</pre>
XI. The network configuration script for all the other virtual hosts
(umlvhost.conf):
<pre>
#!/bin/sh
#Program: umlvhost.conf
#Licence: GPL
#Author: William McEwan
#Date: 6 Sep 2001
# This script is used to finally connect the virtual machines to the
# virtual network.
# It is run from the virtual machine itself after it is first booted
# as root user.
# I plan to automate this better later.
# I store this script in the /root directory of the debian small
# root_fs used in the experiment.
# I similarly store one copy of the script umlvfw.conf in the same place.
# I get them there using the command:
# mount root_fs /some_host_mount_point -o loop
# followed by cp them from the host computer.
cpitsubnet="$2" # or could use: cpitsubnet="x.y.z"
mainip="$1"
#Arrange for the host IP to end up on the correct uml_router daemon subnet:
case "$mainip" in
[1-9]|1[0-4]) gwip=14 ; bcastip=15 ;;
1[7-9]|2[0-9]|30) gwip=30 ; bcastip=31 ;;
3[3-9]|4[0-6]) gwip=46 ; bcastip=47 ;;
49|5[0-9]|6[0-2]) gwip=62 ; bcastip=63 ;;
6[5-9]|7[0-8]) gwip=78 ; bcastip=79 ;;
8[1-9]|9[0-4]) gwip=94 ; bcastip=95 ;;
9[7-9]|10[0-9]|110) gwip=110 ; bcastip=111 ;;
11[3-9]|12[0-6]) gwip=126 ; bcastip=127 ;;
129|13[0-9]|14[1-2]) gwip=142 ; bcastip=143 ;;
14[5-9]|15[0-8]) gwip=158 ; bcastip=159 ;;
16[1-9]|17[0-4]) gwip=174 ; bcastip=175 ;;
17[7-9]|18[0-9]|190) gwip=190 ; bcastip=191 ;;
19[3-9]|20[0-6]) gwip=206 ; bcastip=207 ;;
209|21[0-9]|22[0-2]) gwip=222 ; bcastip=223 ;;
22[5-9]|23[0-8]) gwip=238 ; bcastip=239 ;;
24[1-9]|25[0-4]) gwip=254 ; bcastip=255 ;;
*) echo
echo 'invalid ip_octet'
echo 'usage: ./umlvhost.conf ip_octet(e.g. 17) subnet(e.g. 192.168.5)'
exit 1
;;
esac
# Configure the virtual machine eth0:
ifconfig eth0 ${cpitsubnet}.${mainip} netmask 255.255.255.240 \
broadcast ${cpitsubnet}.${bcastip} up
# Add a route on the virtual machine back towards the host computer
# via the uml virtual firewall:
route add default gw ${cpitsubnet}.${gwip}
</pre>
XII. Appendix A: The permissions on the files and directories etc.:
<pre>
drwxr-xr-x 4 root root 4096 Sep 8 20:36 home
Inside /home:
drwxr-x--- 31 uml uml 4096 Sep 8 20:35 uml
Inside /home/uml:
#the uml_router unix sockets
srwxrwx--- 1 root uml 0 Sep 8 20:25 14003
srwxrwx--- 1 root uml 0 Sep 8 20:25 14004
srwxrwx--- 1 root uml 0 Sep 8 20:25 14005
srwxrwx--- 1 root uml 0 Sep 8 20:25 14006
...etc...
#the debian root filesystem
-rw-rw---- 1 root uml 104857600 Sep 8 19:05 root_fs
# uml virt. mach. IP=17
drwxrwx--- 10 uml16_17 uml 4096 Sep 8 20:00 uml16_17
drwxrwx--- 5 uml16_18 uml 4096 Sep 7 02:57 uml16_18
drwxrwx--- 5 uml32_33 uml 4096 Sep 8 20:00 uml32_33
drwxrwx--- 4 uml32_34 uml 4096 Sep 7 02:57 uml32_34
drwxrwx--- 4 uml48_49 uml 4096 Sep 8 18:17 uml48_49
drwxrwx--- 4 uml48_50 uml 4096 Sep 8 18:17 uml48_50
# uml virt. router
drwxrwx--- 10 umlfw224 uml 4096 Sep 8 20:00 umlfw224_225
...etc...
#first run script
-r-x------ 1 root root 2993 Sep 8 18:25 umlcreatenet1
-r-xr-x--- 1 root uml 666 Sep 8 17:52 umlcreatenet2
-r-x------ 1 root root 591 Sep 8 18:27 umlcreatenet3
#sets up real host
-rwx------ 1 root root 1781 Sep 8 18:33 umlhostsetup1
-rwx------ 1 root root 643 Sep 8 15:45 umlhostsetup2
#wipes all uml processes
-rwx------ 1 root root 716 Sep 8 20:09 umlkillall
#wipes the uml_routers etc
-rwx------ 1 root root 455 Sep 8 18:33 umlkillnet
-rwx------ 1 root root 153 Sep 8 18:33 umlkillxterm
#sets up the virtual router
-r-xr-x--- 1 root uml 3484 Sep 8 20:33 umlvfw
#and its networking
-r-x------ 1 root root 2320 Sep 8 18:50 umlvfw.conf
#sets up other virt. machines
-r-xr-x--- 1 root uml 2921 Sep 8 20:34 umlvhost
#and their networking
-r-x------ 1 root root 1893 Sep 8 15:37 umlvhost.conf
Inside /home/uml/uml16_17:
#the cows are stored separately - gives better access control.
#This works though it isn't what I intended...:-\
-rw-r----- 1 uml uml 100731392 Sep 8 20:32 cow16_17
Inside: /home/uml/umlfw224_225:
-rw-r----- 1 uml uml 100704768 Sep 8 20:32 cowfw224_225
...etc...
</pre>
XIII. For a 192.168.5.0 network with a subnet mask: 255.255.255.240
<pre>
Network         Host range                      Broadcast
                From            To              address
192.168.5.0     192.168.5.1     192.168.5.14    192.168.5.15
192.168.5.16    192.168.5.17    192.168.5.30    192.168.5.31
192.168.5.32    192.168.5.33    192.168.5.46    192.168.5.47
192.168.5.48    192.168.5.49    192.168.5.62    192.168.5.63
192.168.5.64    192.168.5.65    192.168.5.78    192.168.5.79
192.168.5.80    192.168.5.81    192.168.5.94    192.168.5.95
192.168.5.96    192.168.5.97    192.168.5.110   192.168.5.111
192.168.5.112   192.168.5.113   192.168.5.126   192.168.5.127
192.168.5.128   192.168.5.129   192.168.5.142   192.168.5.143
192.168.5.144   192.168.5.145   192.168.5.158   192.168.5.159
192.168.5.160   192.168.5.161   192.168.5.174   192.168.5.175
192.168.5.176   192.168.5.177   192.168.5.190   192.168.5.191
192.168.5.208   192.168.5.209   192.168.5.222   192.168.5.223
192.168.5.224   192.168.5.225   192.168.5.238   192.168.5.239
192.168.5.240   192.168.5.241   192.168.5.254   192.168.5.255
</pre>
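The case tables in umlvhost and umlvhost.conf (section XI) are one instance of the /28 layout tabulated above. As an added example, not one of the original umlv* scripts, the POSIX sh functions below compute the same network, gateway and broadcast octets and uml_router socket pair for any last octet, and refuse octets a guest must not be given (network, broadcast, or the gateway address the virtual router itself owns). The names subnet28, umlswitch28 and guest_config are this example's own.

```shell
#!/bin/sh
# Added example (not one of the original umlv* scripts): compute the /28
# parameters that the case tables in umlvhost and umlvhost.conf hard-code,
# using the layout of section XIII: one /28 per uml_router daemon socket
# pair, with the gateway on the last usable host of each /28.
# The function names subnet28, umlswitch28 and guest_config are assumed here.

# Print "network gateway broadcast" (last octets) for a usable guest octet;
# return 1 for anything a guest must not be given: non-numeric input,
# values above 255, the network or broadcast address, or the gateway
# address that the virtual router itself owns on that /28.
subnet28() {
    octet="$1"
    case "$octet" in
        ''|*[!0-9]*|0[0-9]*) return 1 ;;   # empty, non-digit, or leading zero
    esac
    [ "$octet" -le 255 ] || return 1
    net=$(( octet / 16 * 16 ))             # clear the low 4 host bits
    bcast=$(( net + 15 ))                  # set the low 4 host bits
    gw=$(( net + 14 ))                     # last usable host = router side
    if [ "$octet" -eq "$net" ] || [ "$octet" -eq "$bcast" ] || [ "$octet" -eq "$gw" ]; then
        return 1
    fi
    echo "$net $gw $bcast"
}

# Print the uml_router daemon socket pair for the guest's /28: umlvhost
# numbers them 14001,14002 for network .0, 14003,14004 for .16, and so on.
umlswitch28() {
    params=$(subnet28 "$1") || return 1
    net=${params%% *}
    first=$(( 14001 + net / 16 * 2 ))
    echo "$first,$(( first + 1 ))"
}

# Print (not run) the two commands umlvhost.conf would apply inside the guest
# for prefix $1 (e.g. 192.168.5) and host octet $2, so an address that would
# collide with the router or the subnet edges is caught before it is applied.
guest_config() {
    prefix="$1"; host="$2"
    params=$(subnet28 "$host") || { echo "unusable host octet: $host" >&2; return 1; }
    set -- $params                         # $1=network $2=gateway $3=broadcast
    echo "ifconfig eth0 $prefix.$host netmask 255.255.255.240 broadcast $prefix.$3 up"
    echo "route add default gw $prefix.$2"
}
```

Running `guest_config 192.168.5 17` prints the eth0 and default-route lines for guest 17 on the .16 subnet, while `guest_config 192.168.5 30` is rejected because .30 is the router's address on that subnet.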
</td>
</tr>
</table>
</body>
</html>