Mike Gore, 20 Nov 2003
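#!/bin/bash
#
# Host-side setup for User-Mode Linux (UML): installs the UML kernel binary
# and its config, adjusts permissions on the network helper and the TUN
# device, then unpacks the Debian root filesystem image and grows it to
# 512 MB. Run as root from the directory that holds linux, dot-config and
# Debian-3.0r0.ext2.bz2.

image=Debian-3.0r0.ext2

# Print a message to stderr and stop. Each step below depends on the one
# before it, so carrying on after a failure only hides the real error.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Force a full check of the image file given as $1.
# e2fsck rejects -p together with -y (they are mutually exclusive), so only
# -p ("preen": apply safe fixes, stop on anything serious) is passed.
# The exit status is a bit mask: 0 = clean, 1 = errors corrected; anything
# higher means the image still needs attention.
check_image() {
  local status=0
  e2fsck -f -p "$1" || status=$?
  (( status <= 1 )) || die "e2fsck reported problems on $1 (exit status ${status})"
}

chmod +x linux || die "cannot make ./linux executable"
cp -f linux /usr/bin || die "cannot install linux into /usr/bin"
cp -f dot-config /usr/lib/uml/config || die "cannot install /usr/lib/uml/config"

# SECURITY: this sets the setuid bit on the UML network helper, so it runs
# with its owner's privileges (presumably root - confirm) for any user who
# can execute it. Keep the binary owned by root and not writable by others.
chmod u+s /usr/bin/uml_net || die "cannot set setuid bit on /usr/bin/uml_net"

# SECURITY: this makes the TUN/TAP control device readable and writable by
# every local account. On a multi-user host, prefer a dedicated group that
# owns the device and drop the o+rw part.
chmod g+rw,o+rw /dev/net/tun || die "cannot change permissions on /dev/net/tun"

# bunzip2 removes the .bz2 on success, so skip it when the image is already
# unpacked (for example when re-running after a later step failed).
if [[ ! -f "${image}" ]]; then
  bunzip2 "${image}.bz2" || die "cannot unpack ${image}.bz2"
fi

echo "... this fs is almost full, to expand fs to 512mb is..."

# count=0 writes no data; seek=512M just sets the file length to 512 MB
# (sparse). Note that this would also cut down an image larger than 512 MB.
dd if=/dev/zero of="${image}" bs=1 count=0 seek=512M \
  || die "cannot extend ${image}"

# resize2fs wants a freshly checked filesystem; check again afterwards to
# confirm the grown filesystem is consistent.
check_image "${image}"
resize2fs -p "${image}" || die "resize2fs failed on ${image}"
check_image "${image}"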
#!/bin/bash
#
# Print a short explanation of the virtual network and then boot the UML
# guest. The guest's eth0 uses the tuntap transport, with 192.168.0.254 as
# the host-side address; the guest's own address is set inside the image.

# Quoted heredoc: the text is emitted literally, one line per original echo.
cat <<'EOF'
Please read http://project.honeynet.org/papers/uml/
Note: 192.168.0.254 is and added host system address as seen by the UML
- and so this is not the real internet address of our host system
but just a virtual internal address and network
- This is also the new gateway for the UML to talk to us
- We must also set the UML address itself in the same 192.168.0.x range,
but that has to be done under the running image
Ok Here goes...
EOF

# ubd0 takes "<cow file>,<backing image>", so guest writes land in the
# .diff file rather than in the base image.
uml_args=(
  ubd0=Debian-3.0r0.ext2.diff,Debian-3.0r0.ext2
  eth0=tuntap,,,192.168.0.254
)
linux "${uml_args[@]}"
# Network interface configuration for the UML guest.
# Restart using /etc/init.d/networking restart
auto lo eth0
iface lo inet loopback

# Static address for the guest on the virtual 192.168.0.0/24 network.
# The gateway is the host-side address of the tuntap link (192.168.0.254),
# not a real internet address.
iface eth0 inet static
    address 192.168.0.144
    network 192.168.0.0
    gateway 192.168.0.254
    broadcast 192.168.0.255
    netmask 255.255.255.0
# "gateway" is the host system as seen from the guest; change the
# addresses to suit your own setup.
127.0.0.1 localhost
192.168.0.144 debian
192.168.0.254 gateway
192.168.0.144 debian
ALL: 192.168.0.
nameserver 192.168.1.1 nameserver 129.97.128.100 nameserver 129.97.128.10
# Restart using /etc/init.d/hostname.sh debian
ALL: ALL
# Allow incoming network traffic by adding ALL:ALL to /etc/hosts.allow
# WARNING - tie this down much more tightly once you have tested the
# network! ALL: ALL means every service that consults this file accepts
# connections from every host (a bad idea in the long run).
# A narrower entry such as the subnet prefix "ALL: 192.168.0." only
# restricts access when /etc/hosts.deny also denies everything else,
# because a client matched by neither file is allowed.
# UML
# Fragment to paste into an existing iptables firewall script. It relies on
# that script having set IPTABLES, UNIVERSE and EXTIF.
# Note: EXTIF is your wide area network device, like eth0.
# Expansions of those variables are left unquoted, as in the original rules.
UMLNET=192.168.0.0/24

# Accept everything arriving on, or leaving through, the three UML tap
# devices. Rules are appended in the order INPUT, OUTPUT for each tap.
for uml_tap in tap0 tap1 tap2; do
  $IPTABLES -A INPUT -i "$uml_tap" -d $UNIVERSE -j ACCEPT
  $IPTABLES -A OUTPUT -o "$uml_tap" -d $UNIVERSE -j ACCEPT
done

# Allow FULL access to and from the UML - you likely want to lock this
# down after testing. The second rule accepts packets from any source that
# are addressed to the UML subnet, so nothing filters who can reach the guest.
$IPTABLES -A INPUT -s $UMLNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -s $UNIVERSE -d $UMLNET -j ACCEPT

# Forward to/from the UML.
# Inbound (EXTIF -> tap) is limited to replies on established or related
# connections. Outbound (tap -> EXTIF) is accepted without any restriction,
# so the guest can open arbitrary connections to the outside; tighten this
# if the guest is not trusted.
for uml_tap in tap0 tap1 tap2; do
  $IPTABLES -A FORWARD -i $EXTIF -o "$uml_tap" -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -i "$uml_tap" -o $EXTIF -j ACCEPT
done
unset uml_tap

# Source-NAT traffic leaving through EXTIF. The rule has no source match,
# so it applies to everything going out of EXTIF, not only UML traffic.
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# ===============================================================
# ***** Note ****
# Move the "catch all" rules from the end of your existing INPUT and OUTPUT
# sections down here, below the UML rules. Keep in mind that anything not
# explicitly allowed before them is denied.

# Catch all rule, all other incoming is denied and logged.
# $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

# Catch all rule, all other outgoing is denied and logged.
# $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it