zeus 4 years ago
parent
commit
812b9570c0
  1. 181
      labs/sec/ex-5_iptables.adoc
  2. 174
      labs/sec/ex-5_iptables.adoc.html
  3. 1894
      labs/sec/ex-5_iptables.adoc.pdf

181
labs/sec/ex-5_iptables.adoc

@ -57,53 +57,48 @@ https://en.wikipedia.org/wiki/OpenVPN[More: wikipedia]
[source,bash] [source,bash]
---- ----
#!/bin/bash #!/bin/bash
IP=192.168.89.5 # Server IP IP=127.0.0.1 # Server IP
P=1194 # Server Port P=1194 # Server Port
OVPN_SERVER='10.80.0.0/16' # VPN Network OVPN_SERVER='10.80.0.0/16' # VPN Network
vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/ # Dir to save data ** this must exist **
#vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/ # Dir to save data ** this must exist **
vpn_data=$PWD/openvpn-services/
if [ ! -d $vpn_data ]; then
mkdir -p $vpn_data
fi
NAME=swarmlab-vpn-services # name of docker service NAME=swarmlab-vpn-services # name of docker service
DOCKERnetwork=swarmlab-vpn-services-network # docker network DOCKERnetwork=swarmlab-vpn-services-network # docker network
docker=registry.vlabs.uniwa.gr:5080/myownvpn # docker image docker=registry.vlabs.uniwa.gr:5080/myownvpn # docker image
docker stop $NAME #stop container docker stop $NAME #stop container
sleep 3 sleep 1
docker container rm $NAME #rm container docker container rm $NAME #rm container
# rm config files # rm config files
sudo rm -f $vpn_data/openvpn.conf.*.bak rm -f $vpn_data/openvpn.conf.*.bak
sudo rm -f $vpn_data/openvpn.conf rm -f $vpn_data/openvpn.conf
sudo rm -f $vpn_data/ovpn_env.sh.*.bak rm -f $vpn_data/ovpn_env.sh.*.bak
sudo rm -f $vpn_data/ovpn_env.sh rm -f $vpn_data/ovpn_env.sh
# create network # create network
sleep 2 sleep 1
docker network create --attachable=true --driver=bridge --subnet=172.50.0.0/16 --gateway=172.50.0.1 $DOCKERnetwork docker network create --attachable=true --driver=bridge --subnet=172.50.0.0/16 --gateway=172.50.0.1 $DOCKERnetwork
read -d '' MULTILINE_EXTRA_SERVER_CONF << EOF #run container see ovpn_genconfig
duplicate-cn docker run --net=none -it -v $vpn_data:/etc/openvpn -p 1194:1194 --rm $docker ovpn_genconfig -u udp://$IP:1194 \
max-clients 35000
topology subnet
EOF
#run container
sleep 3
docker run --net=none -it -v $vpn_data:/etc/openvpn --rm $docker ovpn_genconfig -u udp://$IP:1194 \
-N -d -c -p "route 172.50.20.0 255.255.255.0" -e "topology subnet" -s $OVPN_SERVER -N -d -c -p "route 172.50.20.0 255.255.255.0" -e "topology subnet" -s $OVPN_SERVER
# create pki see ovpn_initpki
# create pki
sleep 3
echo "new pki is disabled"
docker run --net=none -v $vpn_data:/etc/openvpn --rm -it $docker ovpn_initpki docker run --net=none -v $vpn_data:/etc/openvpn --rm -it $docker ovpn_initpki
#sleep 3 # see ovpn_copy_server_files
#docker run --net=none -v $vpn_data:/etc/openvpn --rm $docker ovpn_copy_server_files #docker run --net=none -v $vpn_data:/etc/openvpn --rm $docker ovpn_copy_server_files
#create vpn #create vpn see --cap-add=NET_ADMIN
sleep 3 sleep 1
docker run --detach --name $NAME -v $vpn_data:/etc/openvpn --net=$DOCKERnetwork --ip=172.50.0.2 -p $P:1194/udp --cap-add=NET_ADMIN $docker docker run --detach --name $NAME -v $vpn_data:/etc/openvpn --net=$DOCKERnetwork --ip=172.50.0.2 -p $P:1194/udp --cap-add=NET_ADMIN $docker
sleep 5
sudo sysctl -w net.ipv4.ip_forward=1 sudo sysctl -w net.ipv4.ip_forward=1
#show created #show created
@ -113,122 +108,58 @@ docker ps
== Create user == Create user
.config .create-user.sh
[source,bash] [source,bash]
---- ----
#!/bin/bash USERNAME=test1
IP=83.212.114.14 vpn_data=$PWD/openvpn-services/
P=5194
vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/
NAME=swarmlab-vpn-services
DOCKERnetwork=swarmlab-vpn-services-network
docker=registry.vlabs.uniwa.gr:5080/myownvpn docker=registry.vlabs.uniwa.gr:5080/myownvpn
PATHNAME=/var/lib/swarmlab/openvpn/etc/vpn-data_user_config
vpn_data_user_config=$PATHNAME
vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/
vpn_data_user_config=/var/lib/swarmlab/openvpn/etc/vpn-data_user_config
NAME=swarmlab-vpn-services
MANAGER=/var/lib/swarmlab/openvpn/etc/managers
WORKER=/var/lib/swarmlab/openvpn/etc/workers
MANAGERkeys=/var/lib/swarmlab/openvpn/etc/managers_keys
docker run -v $vpn_data:/etc/openvpn --rm -it $docker easyrsa build-client-full $USERNAME nopass
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm $docker ovpn_getclient $USERNAME > $USERNAME.ovpn
---- ----
.create-user.sh
[source,bash] [source,bash]
.add to $USERNAME.ovpn file
---- ----
#!/bin/bash client
nobind
. ./config dev tun
comp-lzo
sudo mkdir -p $vpn_data resolv-retry infinite
sudo mkdir -p $vpn_data_user_config keepalive 15 60
sudo mkdir -p $MANAGERkeys
remote-cert-tls server
docker=registry.vlabs.uniwa.gr:5080/myownvpn remote 192.168.1.5 1194 udp
echo $vpnip
echo $#
docker=registry.vlabs.uniwa.gr:5080/myownvpn
echo $vpnip
echo $#
if [ $# -eq 1 ]; then
CLIENTNAME=$1
U=$CLIENTNAME
mkdir users
docker run -v $vpn_data:/etc/openvpn --rm -it $docker easyrsa build-client-full $CLIENTNAME nopass
sleep 3
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm $docker ovpn_getclient $CLIENTNAME > users/$CLIENTNAME.ovpn
file="users/$CLIENTNAME.ovpn"
ps='remote '
pi="remote $IP $P udp"
grep -q "^$ps" $file && sed -i "s/^$ps.*/$pi/" $file || sed -i "5a $pi" $file
ps='comp-lzo'
pi='comp-lzo no'
grep -q "^$ps" $file && sed -i "s/^$ps.*/$pi/" $file || sed -i "6a $pi" $file
ps='resolv-retry'
pi='resolv-retry infinite'
grep -q "^$ps" $file && sed -i "s/^$ps.*/$pi/" $file || sed -i "7a $pi" $file
ps='persist-key'
pi='persist-key'
grep -q "^$ps" $file && sed -i "s/^$ps.*/$pi/" $file || sed -i "8a $pi" $file
ps='persist-tun'
pi='persist-tun'
grep -q "^$ps" $file && sed -i "s/^$ps.*/$pi/" $file || sed -i "9a $pi" $file
ps='keepalive'
pi='keepalive 15 60'
grep -q "^$ps" $file && sed -i "s/^$ps.*/$pi/" $file || sed -i "10a $pi" $file
else
echo "no clientname"
fi
---- ----
== rm vpn user == rm vpn user
.rm-user.sh .rm-user.sh
[source,bash] [source,bash]
---- ----
#!/bin/bash #!/bin/bash
. ./config
CLIENTNAME=$1 CLIENTNAME=test1
U=$CLIENTNAME U=$CLIENTNAME
if [ $# -eq 1 ]; then vpn_data=$PWD/openvpn-services/
sudo rm -f $vpn_data/pki/reqs/$CLIENTNAME.req docker=registry.vlabs.uniwa.gr:5080/myownvpn
sudo rm -f $vpn_data/pki/private/$CLIENTNAME.key
sudo rm -f $vpn_data/pki/issued/$CLIENTNAME.crt rm -f $vpn_data/pki/reqs/$CLIENTNAME.req
sudo rm -f $vpn_data/server/ccd/$CLIENTNAME rm -f $vpn_data/pki/private/$CLIENTNAME.key
sudo rm -f $vpn_data/ccd/$CLIENTNAME rm -f $vpn_data/pki/issued/$CLIENTNAME.crt
pem=$(sudo grep "CN=$U$" $vpn_data/pki/index.txt | cut -f4) rm -f $vpn_data/server/ccd/$CLIENTNAME
#/var/lab/gswarm/vpn-data/pki/certs_by_serial/BACA61827E65D0E5F695245519410952.pem rm -f $vpn_data/ccd/$CLIENTNAME
sudo rm -f $vpn_data/pki/certs_by_serial/$pem.pem pem=$(sudo grep "CN=$U$" $vpn_data/pki/index.txt | cut -f4)
sudo sed -i "/CN=$U$/d" $vpn_data/pki/index.txt
echo $pem rm -f $vpn_data/pki/certs_by_serial/$pem.pem
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm -it $docker ovpn_revokeclient $CLIENTNAME remove sed -i "/CN=$U$/d" $vpn_data/pki/index.txt
echo $pem
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm -it $docker ovpn_revokeclient $CLIENTNAME remove
sudo rm -f $vpn_data_user_config/$CLIENTNAME.ovpn
sudo rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn
else
echo "no client"
fi
rm -f $vpn_data_user_config/$CLIENTNAME.ovpn
rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn
---- ----
== show all vpn users == show all vpn users
@ -236,8 +167,7 @@ fi
.show-user.sh .show-user.sh
[source,bash] [source,bash]
---- ----
. ./config NAME=swarmlab-vpn-services # name of docker service
docker exec -it $NAME ovpn_listclients docker exec -it $NAME ovpn_listclients
---- ----
@ -246,8 +176,7 @@ docker exec -it $NAME ovpn_listclients
.show-conn-user.sh .show-conn-user.sh
[source,bash] [source,bash]
---- ----
. ./config NAME=swarmlab-vpn-services # name of docker service
docker exec -it $NAME cat /tmp/openvpn-status.log docker exec -it $NAME cat /tmp/openvpn-status.log
---- ----
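Review bot: In the new rm-user.sh (hunk `@ -113,122 +108,58 @@`), the final `rm -f $vpn_data_user_config/$CLIENTNAME.ovpn` and `rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn` reference variables the new listing never assigns — the `. ./config` line that used to supply them was removed — so with `CLIENTNAME=test1` both expand to `rm -f /test1.ovpn` and target the filesystem root instead of the user-config directory. Either define `vpn_data_user_config` next to `vpn_data=$PWD/openvpn-services/` or drop the two lines, and make the expansion fail closed: `rm -f -- "${vpn_data_user_config:?}/$CLIENTNAME.ovpn"`. The same listing also replaces the `if [ $# -eq 1 ]` guard with a hard-coded `CLIENTNAME=test1`, so every run revokes and deletes the same client; if that is intentional for the lab, a comment saying so would help, otherwise `CLIENTNAME=${1:?client name required}` keeps the old behaviour. Note too that `pem=$(sudo grep "CN=$U$" ...)` still uses sudo while the neighbouring `rm -f`/`sed -i` on the same PKI files no longer do, which presumably fails if those files are root-owned — worth confirming on the lab host. The .adoc.html section mirrors these listings, so the same points apply there.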

174
labs/sec/ex-5_iptables.adoc.html

@ -531,53 +531,48 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
<div class="title">create-vpn.sh</div> <div class="title">create-vpn.sh</div>
<div class="content"> <div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">#!/bin/bash <pre class="highlight"><code class="language-bash" data-lang="bash">#!/bin/bash
IP=192.168.89.5 # Server IP IP=127.0.0.1 # Server IP
P=1194 # Server Port P=1194 # Server Port
OVPN_SERVER='10.80.0.0/16' # VPN Network OVPN_SERVER='10.80.0.0/16' # VPN Network
vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/ # Dir to save data ** this must exist **
#vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/ # Dir to save data ** this must exist **
vpn_data=$PWD/openvpn-services/
if [ ! -d $vpn_data ]; then
mkdir -p $vpn_data
fi
NAME=swarmlab-vpn-services # name of docker service NAME=swarmlab-vpn-services # name of docker service
DOCKERnetwork=swarmlab-vpn-services-network # docker network DOCKERnetwork=swarmlab-vpn-services-network # docker network
docker=registry.vlabs.uniwa.gr:5080/myownvpn # docker image docker=registry.vlabs.uniwa.gr:5080/myownvpn # docker image
docker stop $NAME #stop container docker stop $NAME #stop container
sleep 3 sleep 1
docker container rm $NAME #rm container docker container rm $NAME #rm container
# rm config files # rm config files
sudo rm -f $vpn_data/openvpn.conf.*.bak rm -f $vpn_data/openvpn.conf.*.bak
sudo rm -f $vpn_data/openvpn.conf rm -f $vpn_data/openvpn.conf
sudo rm -f $vpn_data/ovpn_env.sh.*.bak rm -f $vpn_data/ovpn_env.sh.*.bak
sudo rm -f $vpn_data/ovpn_env.sh rm -f $vpn_data/ovpn_env.sh
# create network # create network
sleep 2 sleep 1
docker network create --attachable=true --driver=bridge --subnet=172.50.0.0/16 --gateway=172.50.0.1 $DOCKERnetwork docker network create --attachable=true --driver=bridge --subnet=172.50.0.0/16 --gateway=172.50.0.1 $DOCKERnetwork
read -d '' MULTILINE_EXTRA_SERVER_CONF &lt;&lt; EOF #run container see ovpn_genconfig
duplicate-cn docker run --net=none -it -v $vpn_data:/etc/openvpn -p 1194:1194 --rm $docker ovpn_genconfig -u udp://$IP:1194 \
max-clients 35000
topology subnet
EOF
#run container
sleep 3
docker run --net=none -it -v $vpn_data:/etc/openvpn --rm $docker ovpn_genconfig -u udp://$IP:1194 \
-N -d -c -p "route 172.50.20.0 255.255.255.0" -e "topology subnet" -s $OVPN_SERVER -N -d -c -p "route 172.50.20.0 255.255.255.0" -e "topology subnet" -s $OVPN_SERVER
# create pki see ovpn_initpki
# create pki
sleep 3
echo "new pki is disabled"
docker run --net=none -v $vpn_data:/etc/openvpn --rm -it $docker ovpn_initpki docker run --net=none -v $vpn_data:/etc/openvpn --rm -it $docker ovpn_initpki
#sleep 3 # see ovpn_copy_server_files
#docker run --net=none -v $vpn_data:/etc/openvpn --rm $docker ovpn_copy_server_files #docker run --net=none -v $vpn_data:/etc/openvpn --rm $docker ovpn_copy_server_files
#create vpn #create vpn see --cap-add=NET_ADMIN
sleep 3 sleep 1
docker run --detach --name $NAME -v $vpn_data:/etc/openvpn --net=$DOCKERnetwork --ip=172.50.0.2 -p $P:1194/udp --cap-add=NET_ADMIN $docker docker run --detach --name $NAME -v $vpn_data:/etc/openvpn --net=$DOCKERnetwork --ip=172.50.0.2 -p $P:1194/udp --cap-add=NET_ADMIN $docker
sleep 5
sudo sysctl -w net.ipv4.ip_forward=1 sudo sysctl -w net.ipv4.ip_forward=1
#show created #show created
@ -590,84 +585,28 @@ docker ps</code></pre>
<h2 id="_create_user">4. Create user</h2> <h2 id="_create_user">4. Create user</h2>
<div class="sectionbody"> <div class="sectionbody">
<div class="listingblock"> <div class="listingblock">
<div class="title">config</div> <div class="title">create-user.sh</div>
<div class="content"> <div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">#!/bin/bash <pre class="highlight"><code class="language-bash" data-lang="bash">USERNAME=test1
IP=83.212.114.14 vpn_data=$PWD/openvpn-services/
P=5194
vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/
NAME=swarmlab-vpn-services
DOCKERnetwork=swarmlab-vpn-services-network
docker=registry.vlabs.uniwa.gr:5080/myownvpn docker=registry.vlabs.uniwa.gr:5080/myownvpn
PATHNAME=/var/lib/swarmlab/openvpn/etc/vpn-data_user_config
vpn_data_user_config=$PATHNAME
vpn_data=/var/lib/swarmlab/openvpn/openvpn-services/
vpn_data_user_config=/var/lib/swarmlab/openvpn/etc/vpn-data_user_config
NAME=swarmlab-vpn-services
MANAGER=/var/lib/swarmlab/openvpn/etc/managers docker run -v $vpn_data:/etc/openvpn --rm -it $docker easyrsa build-client-full $USERNAME nopass
WORKER=/var/lib/swarmlab/openvpn/etc/workers docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm $docker ovpn_getclient $USERNAME &gt; $USERNAME.ovpn</code></pre>
MANAGERkeys=/var/lib/swarmlab/openvpn/etc/managers_keys</code></pre>
</div> </div>
</div> </div>
<div class="listingblock"> <div class="listingblock">
<div class="title">create-user.sh</div> <div class="title">add to $USERNAME.ovpn file</div>
<div class="content"> <div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">#!/bin/bash <pre class="highlight"><code class="language-bash" data-lang="bash">client
nobind
. ./config dev tun
comp-lzo
sudo mkdir -p $vpn_data resolv-retry infinite
sudo mkdir -p $vpn_data_user_config keepalive 15 60
sudo mkdir -p $MANAGERkeys
docker=registry.vlabs.uniwa.gr:5080/myownvpn
echo $vpnip
echo $#
docker=registry.vlabs.uniwa.gr:5080/myownvpn
echo $vpnip
echo $#
if [ $# -eq 1 ]; then
CLIENTNAME=$1
U=$CLIENTNAME
mkdir users
docker run -v $vpn_data:/etc/openvpn --rm -it $docker easyrsa build-client-full $CLIENTNAME nopass
sleep 3
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm $docker ovpn_getclient $CLIENTNAME &gt; users/$CLIENTNAME.ovpn
file="users/$CLIENTNAME.ovpn"
ps='remote '
pi="remote $IP $P udp"
grep -q "^$ps" $file &amp;&amp; sed -i "s/^$ps.*/$pi/" $file || sed -i "5a $pi" $file
ps='comp-lzo'
pi='comp-lzo no'
grep -q "^$ps" $file &amp;&amp; sed -i "s/^$ps.*/$pi/" $file || sed -i "6a $pi" $file
ps='resolv-retry'
pi='resolv-retry infinite'
grep -q "^$ps" $file &amp;&amp; sed -i "s/^$ps.*/$pi/" $file || sed -i "7a $pi" $file
ps='persist-key'
pi='persist-key'
grep -q "^$ps" $file &amp;&amp; sed -i "s/^$ps.*/$pi/" $file || sed -i "8a $pi" $file
ps='persist-tun'
pi='persist-tun'
grep -q "^$ps" $file &amp;&amp; sed -i "s/^$ps.*/$pi/" $file || sed -i "9a $pi" $file
ps='keepalive' remote-cert-tls server
pi='keepalive 15 60' remote 192.168.1.5 1194 udp</code></pre>
grep -q "^$ps" $file &amp;&amp; sed -i "s/^$ps.*/$pi/" $file || sed -i "10a $pi" $file
else
echo "no clientname"
fi</code></pre>
</div> </div>
</div> </div>
</div> </div>
@ -679,30 +618,27 @@ fi</code></pre>
<div class="title">rm-user.sh</div> <div class="title">rm-user.sh</div>
<div class="content"> <div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">#!/bin/bash <pre class="highlight"><code class="language-bash" data-lang="bash">#!/bin/bash
. ./config
CLIENTNAME=$1 CLIENTNAME=test1
U=$CLIENTNAME U=$CLIENTNAME
if [ $# -eq 1 ]; then vpn_data=$PWD/openvpn-services/
sudo rm -f $vpn_data/pki/reqs/$CLIENTNAME.req docker=registry.vlabs.uniwa.gr:5080/myownvpn
sudo rm -f $vpn_data/pki/private/$CLIENTNAME.key
sudo rm -f $vpn_data/pki/issued/$CLIENTNAME.crt
sudo rm -f $vpn_data/server/ccd/$CLIENTNAME
sudo rm -f $vpn_data/ccd/$CLIENTNAME
pem=$(sudo grep "CN=$U$" $vpn_data/pki/index.txt | cut -f4)
#/var/lab/gswarm/vpn-data/pki/certs_by_serial/BACA61827E65D0E5F695245519410952.pem
sudo rm -f $vpn_data/pki/certs_by_serial/$pem.pem
sudo sed -i "/CN=$U$/d" $vpn_data/pki/index.txt
echo $pem
docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm -it $docker ovpn_revokeclient $CLIENTNAME remove
rm -f $vpn_data/pki/reqs/$CLIENTNAME.req
rm -f $vpn_data/pki/private/$CLIENTNAME.key
rm -f $vpn_data/pki/issued/$CLIENTNAME.crt
rm -f $vpn_data/server/ccd/$CLIENTNAME
rm -f $vpn_data/ccd/$CLIENTNAME
pem=$(sudo grep "CN=$U$" $vpn_data/pki/index.txt | cut -f4)
sudo rm -f $vpn_data_user_config/$CLIENTNAME.ovpn rm -f $vpn_data/pki/certs_by_serial/$pem.pem
sudo rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn sed -i "/CN=$U$/d" $vpn_data/pki/index.txt
else echo $pem
echo "no client" docker run -v $vpn_data:/etc/openvpn --log-driver=none --rm -it $docker ovpn_revokeclient $CLIENTNAME remove
fi</code></pre>
rm -f $vpn_data_user_config/$CLIENTNAME.ovpn
rm -f $vpn_data_user_config1/$CLIENTNAME.ovpn</code></pre>
</div> </div>
</div> </div>
</div> </div>
@ -713,8 +649,7 @@ fi</code></pre>
<div class="listingblock"> <div class="listingblock">
<div class="title">show-user.sh</div> <div class="title">show-user.sh</div>
<div class="content"> <div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">. ./config <pre class="highlight"><code class="language-bash" data-lang="bash">NAME=swarmlab-vpn-services # name of docker service
docker exec -it $NAME ovpn_listclients</code></pre> docker exec -it $NAME ovpn_listclients</code></pre>
</div> </div>
</div> </div>
@ -726,8 +661,7 @@ docker exec -it $NAME ovpn_listclients</code></pre>
<div class="listingblock"> <div class="listingblock">
<div class="title">show-conn-user.sh</div> <div class="title">show-conn-user.sh</div>
<div class="content"> <div class="content">
<pre class="highlight"><code class="language-bash" data-lang="bash">. ./config <pre class="highlight"><code class="language-bash" data-lang="bash">NAME=swarmlab-vpn-services # name of docker service
docker exec -it $NAME cat /tmp/openvpn-status.log</code></pre> docker exec -it $NAME cat /tmp/openvpn-status.log</code></pre>
</div> </div>
</div> </div>
@ -765,7 +699,7 @@ the path is made by walking.</p>
</div> </div>
<div id="footer"> <div id="footer">
<div id="footer-text"> <div id="footer-text">
Last updated 2020-10-21 10:03:40 UTC Last updated 2020-12-08 20:34:28 UTC
</div> </div>
</div> </div>
</body> </body>

1894
labs/sec/ex-5_iptables.adoc.pdf

File diff suppressed because it is too large