-- MikeGore - 12 Oct 2005

Mike Gore, 20 Nov 2003

What

How to set up User Mode Linux images (UML) as well as UML networking to the real world.

References

Notes

Quick start

Revised summary

#!/bin/bash
#
# Install the UML kernel binary and the kernel config it was built with
chmod +x linux
cp -f linux /usr/bin
cp -f dot-config /usr/lib/uml/config
# uml_net must be setuid root to create the host-side tap device for the UML;
# opening /dev/net/tun to group and world lets any local user run an image,
# so tighten this to a dedicated group once things work
chmod u+s /usr/bin/uml_net
chmod g+rw,o+rw /dev/net/tun
bunzip2 Debian-3.0r0.ext2.bz2
echo "... this fs is almost full; to expand the fs to 512MB:"
# Grow the image file sparsely to 512MB (no data is written), then let
# resize2fs grow the filesystem to fill it
dd if=/dev/zero of=Debian-3.0r0.ext2 bs=1 count=0 seek=512M
e2fsck -f -y Debian-3.0r0.ext2    # -p and -y are mutually exclusive; -y answers yes to every repair
resize2fs -p Debian-3.0r0.ext2
e2fsck -f -y Debian-3.0r0.ext2
  • To run the UML image, run this script:
#!/bin/bash
#
echo Please read http://project.honeynet.org/papers/uml/
echo Note: 192.168.0.254 is an added host system address as seen by the UML
echo - and so this is not the real internet address of our host system
echo   but just a virtual internal address and network
echo - This is also the new gateway for the UML to talk to us
echo - We must also set the UML address itself in the same 192.168.0.x range,
echo   but that has to be done under the running image
echo Ok, here goes...
# ubd0=<copy-on-write file>,<backing image>: writes go to the .diff file and the
# pristine image stays untouched; eth0=tuntap,,,<host ip> makes uml_net create a
# tap device on the host with 192.168.0.254 as the host side
linux ubd0=Debian-3.0r0.ext2.diff,Debian-3.0r0.ext2 eth0=tuntap,,,192.168.0.254
  • Now we have a console to our Debian UML, so let's add the networking
(note 192.168.0.254 is our host system's address as seen by the UML)
  • We add an address, in this case 192.168.0.144, on the UML in the file
/etc/network/interfaces
# Restart using /etc/init.d/networking restart
auto lo eth0

iface lo inet loopback

iface eth0 inet static
        address 192.168.0.144
        network 192.168.0.0
        gateway 192.168.0.254
        broadcast 192.168.0.255
        netmask 255.255.255.0 
  • Add the following on the UML
/etc/hosts
# gateway is the host, change to suit
127.0.0.1 localhost
192.168.0.144 debian
192.168.0.254 gateway
  • Add the following on the HOST
/etc/hosts
192.168.0.144   debian
  • Add the following on the HOST
/etc/hosts.allow
ALL:   192.168.0.
  • We set up resolv.conf so the system can contact name servers - change to suit
nameserver 192.168.1.1
nameserver 129.97.128.100
nameserver 129.97.128.10
  • We set the UML's hostname by putting "debian" in the UML
/etc/hostname
# Restart using /etc/init.d/hostname.sh
debian
  • We add access via the UML /etc/hosts.allow by adding
ALL: ALL
# Allow incoming network traffic by adding ALL:ALL to /etc/hosts.allow
# WARNING - you want to tie this down way more after you have tested the 
# network! ALL: ALL means all services are open (bad idea in the long run)
  • If all is well, the host can ping the UML at 192.168.0.144 and "debian" (the UML) can ping the host at 192.168.0.254. To allow the UML to get to the real internet we have to use iptables. A really good start is the "Stronger Firewall" part of the Linux IP Masquerade HOWTO at http://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/stronger-firewall-examples.html
  • Place the code section below (see Firewall) near the end of your firewall rule set. Note tap[012] are created on the fly by the UML along with the routes. Below, $EXTIF is the device on the real internet (e.g. eth0) and $UNIVERSE is set to 0.0.0.0/0 by the stronger firewall script. You can tie this down to suit your security needs. The very last line needs to be uncommented if it is not already enabled in your stronger firewall script. It masquerades the tap[012] traffic out to the real world along with any other network cards on your system.
  • On my system I just had /etc/init.d/iptables call this firewall script after it resets all of the chains

DEBUGGING

  • Try pinging the host side IP 192.168.0.254 from the debian UML session, and ping the UML session at 192.168.0.144 from the host
  • IF THIS DOES NOT WORK shut down the firewall and repeat the test. If it then works, you have an input or output rule in the existing set of chains that is overriding these additions. If so, look for a catchall rule at the end of the input and output section of rules and try disabling the rule for testing...
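Before reaching for the ping test, the UML's interfaces stanza can be checked against the host-side tap address from the linux command line. This is an added example, not part of the original page: plain sh/awk, taking the host tap address as an argument and the interfaces text on stdin; the embedded stanza is this page's own configuration copied in as constructed sample input.

```sh
#!/bin/sh
# Added example: sanity-check a UML /etc/network/interfaces stanza against the
# host-side tap address given as eth0=tuntap,,,<host ip> on the linux command line.
# Usage: check_uml_net <host tap ip> < /etc/network/interfaces

# Dotted quad -> integer, e.g. 192.168.0.144 -> 3232235664
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# iface_get <interfaces text> <keyword>: the keyword's value in the eth0 stanza
iface_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^iface /            { in_eth0 = ($2 == "eth0") }
        in_eth0 && $1 == key { print $2; exit }'
}
# 0 when address, gateway and broadcast sit inside the netmask'd network, the
# gateway is the host tap address, and the UML address does not collide with it
check_uml_net() {
    local host cfg addr gw bcast mask m net rc
    host="$1"; cfg=$(cat); rc=0
    addr=$(iface_get "$cfg" address); gw=$(iface_get "$cfg" gateway)
    bcast=$(iface_get "$cfg" broadcast); mask=$(iface_get "$cfg" netmask)
    if [ -z "$addr" ] || [ -z "$gw" ] || [ -z "$mask" ]; then
        echo "eth0 stanza needs address, gateway and netmask" >&2; return 1
    fi
    m=$(ip2int "$mask"); net=$(( $(ip2int "$addr") & m ))
    [ $(( $(ip2int "$gw") & m )) -eq "$net" ] ||
        { echo "gateway $gw is outside the UML network" >&2; rc=1; }
    [ -z "$bcast" ] || [ $(( $(ip2int "$bcast") & m )) -eq "$net" ] ||
        { echo "broadcast $bcast is outside the UML network" >&2; rc=1; }
    [ "$gw" = "$host" ] ||
        { echo "gateway $gw is not the host tap address $host" >&2; rc=1; }
    [ "$addr" != "$host" ] ||
        { echo "UML address $addr collides with the host tap address" >&2; rc=1; }
    return $rc
}

# Constructed sample input: the eth0 stanza from this page
SAMPLE_INTERFACES='auto lo eth0
iface lo inet loopback
iface eth0 inet static
        address 192.168.0.144
        gateway 192.168.0.254
        broadcast 192.168.0.255
        netmask 255.255.255.0'
printf '%s\n' "$SAMPLE_INTERFACES" | check_uml_net 192.168.0.254 && echo "sample stanza OK"
```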

Firewall

# UML
UMLNET=192.168.0.0/24
# Note EXTIF is your Wide Area Network device like eth0, etc. $IPTABLES,
# $EXTIF and $UNIVERSE (0.0.0.0/0) are defined earlier by the Stronger
# Firewall script this section is appended to.

# Host <-> UML traffic on the tap devices the UML creates
$IPTABLES -A INPUT  -i tap0 -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o tap0 -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT  -i tap1 -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o tap1 -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT  -i tap2 -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o tap2 -d $UNIVERSE -j ACCEPT

# Allow FULL access to and from the UML - you likely want to lock this
# down after testing
$IPTABLES -A INPUT -s $UMLNET -d $UNIVERSE -j ACCEPT
$IPTABLES -A INPUT -s $UNIVERSE -d $UMLNET -j ACCEPT

# Forward to/from the UML: the UML may open connections out through $EXTIF,
# only replies to those connections are forwarded back in
$IPTABLES -A FORWARD -i $EXTIF -o tap0 -m state --state ESTABLISHED,RELATED \
 -j ACCEPT
$IPTABLES -A FORWARD -i tap0 -o $EXTIF -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -o tap1 -m state --state ESTABLISHED,RELATED \
 -j ACCEPT
$IPTABLES -A FORWARD -i tap1 -o $EXTIF -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -o tap2 -m state --state ESTABLISHED,RELATED \
 -j ACCEPT
$IPTABLES -A FORWARD -i tap2 -o $EXTIF -j ACCEPT

# Masquerade everything leaving on $EXTIF (tap traffic included) as the host's
# address; only needed once, so drop this line if the Stronger Firewall script
# already has it enabled
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# ===============================================================
# ***** Note ****
# Move your "Catch all rules" at the end of the existing Input and Output
# section down here. Keep in mind that things not explicitly allowed are
# denied so make

# Catch all rule, all other incoming is denied and logged.
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

# Catch all rule, all other outgoing is denied and logged.
#
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
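The tap0..tap2 block above written as a loop and tightened along the lines its own comments ask for: host-side access limited to the UML network and to ping plus ssh (an assumed service list), forwarding one way with only replies returning, and a logged drop for the rest. This is an added example, not the page's or the HOWTO's script; $IPTABLES, $EXTIF and the drop-and-log-it chain are assumed to come from the Stronger Firewall script, and IPTABLES defaults to `echo iptables` so the rule set can be previewed without root.

```sh
#!/bin/sh
# Added example, not the page's script: the tap0..tap2 rules as a loop, tightened
# so the host side only admits the UML network, and only ping and ssh (an assumed
# service list) to the host's own tap address. $IPTABLES, $EXTIF and the
# drop-and-log-it chain are assumed to come from the Stronger Firewall script;
# IPTABLES defaults to "echo iptables" so the rules can be reviewed without root.
IPTABLES=${IPTABLES:-echo iptables}
EXTIF=${EXTIF:-eth0}
UMLNET=${UMLNET:-192.168.0.0/24}
HOSTTAP=${HOSTTAP:-192.168.0.254}   # host-side address from eth0=tuntap,,,<ip>

uml_rules() {
    for tap in tap0 tap1 tap2; do
        # Host <- UML: ping for the connectivity test, ssh to the host, and
        # replies to connections the host itself opened towards the UML
        $IPTABLES -A INPUT -i "$tap" -s "$UMLNET" -d "$HOSTTAP" -p icmp -j ACCEPT
        $IPTABLES -A INPUT -i "$tap" -s "$UMLNET" -d "$HOSTTAP" -p tcp --dport 22 \
            -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPTABLES -A INPUT -i "$tap" -s "$UMLNET" \
            -m state --state ESTABLISHED,RELATED -j ACCEPT
        # Host -> UML: the host may reach its own guests freely
        $IPTABLES -A OUTPUT -o "$tap" -d "$UMLNET" -j ACCEPT
        # UML -> internet one way; only replies are forwarded back in
        $IPTABLES -A FORWARD -i "$tap" -o "$EXTIF" -s "$UMLNET" -j ACCEPT
        $IPTABLES -A FORWARD -i "$EXTIF" -o "$tap" -d "$UMLNET" \
            -m state --state ESTABLISHED,RELATED -j ACCEPT
        # Everything else arriving from the tap, non-UML source addresses included
        $IPTABLES -A INPUT   -i "$tap" -j drop-and-log-it
        $IPTABLES -A FORWARD -i "$tap" -j drop-and-log-it
    done
    # Packets claiming a UML source address but arriving on the real NIC
    $IPTABLES -A INPUT   -i "$EXTIF" -s "$UMLNET" -j drop-and-log-it
    $IPTABLES -A FORWARD -i "$EXTIF" -s "$UMLNET" -j drop-and-log-it
    # Hide the UML network behind the host's address on the way out
    $IPTABLES -t nat -A POSTROUTING -s "$UMLNET" -o "$EXTIF" -j MASQUERADE
}

uml_rules
```

Run it as-is to read the rules, or with IPTABLES=/sbin/iptables as root to apply them after the Stronger Firewall script has created its chains.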

SOFTWARE INSTALL

  • Update the APT package lists: apt-get update
  • Get SSH: apt-get install ssh
Topic revision: r3 - 2006-02-08 - IsaacMorland