Last updated: 4 Nov 2013
Originally written by Arsenio Ferreria (see ticket 4696).
See also: Using VCL Virtual Networks.
openssl-devel is for cryptcab, while libpcap-devel is for pcap/pdump support.
yum -y install gcc-c++ openssl-devel libpcap-devel
cd /opt && tar -zxvf ~/vde2-2.3.2.tar.gz
cd /opt/vde2-2.3.2/src/slirpvde
vi bootp.h
# Change:
#define NB_BOOTP_CLIENTS 16
# to:
#define NB_BOOTP_CLIENTS 64
--enable-experimental allows the addition of plugins and other special features.
cd /opt/vde2-2.3.2
./configure --enable-experimental
make
make install
One-time setup: VirtualBox's VDE network driver loads libvdeplug.so by that name at run time, so link the installed library where it will be found:
ln -sf /usr/local/lib/libvdeplug.so.3.0.1 /lib/libvdeplug.so
ln -sf /usr/local/lib/libvdeplug.so.3.0.1 /lib64/libvdeplug.so
As the unprivileged user (i.e., NOT as root) who owns the VM, start the switch (-s) as a daemon (-d) with a management interface (-M):
vde_switch -d -s /tmp/my_switch1 -M /tmp/switch_mgmt
Both sockets are created in /tmp. Anyone who can open the control socket can plug into the virtual network, and anyone who can open the management socket can reconfigure the switch, so on a shared host restrict them: vde_switch takes -m/--mod (octal mode) and -g/--group for the control socket, and --mgmtmode and --mgmtgroup for the management socket.
Attach the VM's NIC to the switch through VirtualBox's generic VDE driver. For example, for a VM named "myvm":
VBoxManage modifyvm myvm --nic1 generic --nicgenericdrv1 VDE
VBoxManage modifyvm myvm --nicproperty1 network=/tmp/my_switch1
Make sure the emulated NIC (--nictype1) has a driver in the guest OS. A Windows 7 guest, for example, should use --nictype1 82540EM rather than the older Am79C970A or Am79C973 NICs, for which Windows 7 ships no driver.
To pin the VM to a specific switch port, append the port number in brackets (0 means any free port; numbered ports start at 1, as port/allprint shows), e.g., port 3:
VBoxManage modifyvm myvm --nicproperty1 network=/tmp/my_switch1[3]
One-time preparations:
ssh-keygen -o -t rsa -f ~/.ssh/id_rsa -N ''
ssh-copy-id -i ~/.ssh/id_rsa.pub user@128.208.250.2
vi /etc/sysconfig/iptables
# For ssh, port 22 must be open:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# For cryptcab, the chosen UDP port must be open; e.g., 54000:
-A INPUT -m state --state NEW -m udp -p udp --dport 54000 -j ACCEPT
# Save the file, then:
service iptables restart
Restrict the cryptcab rule to the peer host's address (iptables -s) rather than leaving the UDP port open to the world; only the other end of the tunnel should ever send datagrams to it.
To distribute the network across hosts, connect the switches to each other, running the following as the unprivileged user. The simplest link is dpipe, which joins a local vde_plug to a remote one over ssh (here from host1 to host2 at 128.208.250.2), so the traffic between the switches is carried inside the ssh session:
dpipe vde_plug /tmp/my_switch1 = ssh user@128.208.250.2 vde_plug /tmp/my_switch2
vde_cryptcab is the alternative for bulk traffic. It still requires public-key ssh between the hosts, but uses it only to deliver the session key to the server (via scp); the frames themselves then travel in its own encrypted UDP protocol. Since cryptcab is not a system service like sshd, the server side has to be started explicitly and left waiting for UDP traffic from the client. On the server host (here 128.208.250.2), listening on UDP port 54000:
vde_cryptcab -vv -s /tmp/my_switch1 -p 54000
On the client host:
vde_cryptcab -vv -s /tmp/my_switch1 -c user@128.208.250.2:54000
To connect more than two hosts, repeat this pairwise, one dpipe or cryptcab link per pair of switches; the switches forward frames between links. Do not connect the switches in a loop unless FSTP is enabled on them (vde_switch -F), or broadcast frames will circulate indefinitely.
To inspect or reconfigure a running switch interactively, attach a terminal to its management socket:
vdeterm /tmp/switch_mgmt
The Vyatta network appliance is the preferred way to provide network services (DHCP, NAT, firewalling) and IP routing for the VDE network. A full walkthrough is beyond this page; some details are in the tickets.
However, the general scheme is to define a VM for Vyatta (512MB RAM, 1GB hard disk, two NICs, one floppy for backup) and install Vyatta from the Live CD onto the virtual hard drive. The first NIC is configured to be bridged to the host's NIC. The second NIC is attached to the VDE network.
Once the VDE network is up, the Vyatta VM is started.
Vyatta is then configured. First, define the ethernet interfaces to match the VM's NICs (hw-id is the MAC address VirtualBox assigned). The first NIC gets a public IP address; this is the public side. The second NIC is the private side and is configured with a private subnet.
Next, define firewall rules that allow DHCP traffic to the Vyatta VM only from the private subnet; any requests from the outside are blocked. DHCP is UDP (bootps, port 67, and bootpc, port 68), so these rules must match protocol udp. Other firewall rules, such as which ports may pass through the firewall, are also set. Anything else is dropped.
The DHCP service can then be defined for the internal private subnet. DNS server(s), router IP address, lease time, and range of IP addresses to lease are specified.
For NAT, a single source rule is defined: destination anywhere (0.0.0.0/0), outbound interface set to the public one, source set to the private subnet, and the translation type (masquerade).
A default route to the upstream gateway is defined.
Zone policies allow new connections only from the interior ("student") zone to the exterior ("public") zone, filtered by the firewall rule sets defined above; traffic from public to student is limited to established and related connections.
Here is an example Vyatta config file (reformatted from the dump). The DHCP rules below match protocol udp: bootps and bootpc are UDP ports 67 and 68, so rules that name those ports with protocol tcp never match DHCP traffic. Two settings in this dump deserve a second look before reuse: service ssh allow-root permits root login to the router over ssh, and firewall source-validation disable turns off reverse-path checks on the router.
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name FWDHCP {
        default-action drop
        rule 1 {
            action reject
            destination {
                port bootpc
            }
            protocol udp
            source {
                address 0.0.0.0/0
            }
        }
        rule 10 {
            action reject
            destination {
                port bootps
            }
            protocol udp
            source {
                address 0.0.0.0/0
            }
        }
        rule 20 {
            action accept
            destination {
                address 0.0.0.0/0
            }
            protocol all
            source {
                address 0.0.0.0/0
            }
        }
    }
    name allow-established {
        default-action drop
        description "Allow established and related connections, except DHCP"
        rule 1 {
            action reject
            destination {
                port bootpc
            }
            log enable
            protocol udp
            source {
                address 0.0.0.0/0
            }
        }
        rule 2 {
            action reject
            destination {
                port bootps
            }
            log enable
            protocol udp
            source {
                address 0.0.0.0/0
            }
        }
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 9999 {
            action reject
            log enable
        }
    }
    name dns-only {
        default-action drop
        description "Allow DNS connections"
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 10 {
            action accept
            destination {
                address 128.95.120.1
                port 53
            }
            protocol udp
        }
        rule 15 {
            action accept
            destination {
                address 128.95.112.1
                port 53
            }
            protocol udp
        }
        rule 9999 {
            action reject
            log enable
        }
    }
    name to-public {
        default-action drop
        description "Allow authorized traffic to public zone"
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 10 {
            action accept
            destination {
                port 22,80,443
            }
            protocol tcp
        }
        rule 20 {
            action accept
            destination {
                address 128.95.120.1
                port 53
            }
            protocol udp
        }
        rule 30 {
            action accept
            destination {
                address 128.95.112.1
                port 53
            }
            protocol udp
        }
        rule 9999 {
            action reject
            log enable
        }
    }
    name to-student {
        default-action drop
        description "Allow established and related to student zone, except DHCP from outside"
        rule 10 {
            action accept
            destination {
                port bootpc
            }
            protocol udp
            source {
                address 10.50.4.0/24
            }
        }
        rule 20 {
            action reject
            destination {
                port bootpc
            }
            log enable
            protocol udp
            source {
                address 0.0.0.0/0
            }
        }
        rule 30 {
            action accept
            destination {
                port bootps
            }
            protocol udp
            source {
                address 10.50.4.0/24
            }
        }
        rule 40 {
            action reject
            destination {
                port bootps
            }
            log enable
            protocol udp
            source {
                address 0.0.0.0/0
            }
        }
        rule 50 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 9999 {
            action reject
            log enable
        }
    }
    name to-target {
        default-action drop
        description "Allow all traffic to target zone"
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth4 {
        address 10.50.4.1/24
        duplex auto
        hw-id 08:00:27:f8:46:b0
        smp_affinity auto
        speed auto
    }
    ethernet eth5 {
        address 128.208.250.74/24
        duplex auto
        hw-id 08:00:27:32:89:8c
        smp_affinity auto
        speed auto
    }
}
nat {
    source {
        rule 10 {
            destination {
                address 0.0.0.0/0
            }
            outbound-interface eth5
            protocol all
            source {
                address 10.50.4.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 128.208.250.100
        }
    }
}
service {
    dhcp-server {
        disabled false
        shared-network-name tinfo504 {
            authoritative disable
            subnet 10.50.4.0/24 {
                default-router 10.50.4.1
                dns-server 128.95.120.1
                lease 86400
                start 10.50.4.101 {
                    stop 10.50.4.254
                }
            }
        }
    }
    ssh {
        allow-root {
        }
        port 22
    }
}
system {
    config-management {
        commit-revisions 20
    }
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    console {
    }
    host-name vrb
    login {
        user vyatta {
            authentication {
                encrypted-password xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
            }
            level admin
        }
    }
    ntp {
        server 0.vyatta.pool.ntp.org
        server 1.vyatta.pool.ntp.org
        server 2.vyatta.pool.ntp.org
    }
    package {
        auto-sync 1
        repository community {
            components main
            distribution stable
            password ""
            url http://packages.vyatta.com/vyatta
            username ""
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone US/Pacific
}
zone-policy {
    zone public {
        default-action drop
        description "Private zone (target systems)"
        from student {
            firewall {
                name to-public
            }
        }
        interface eth5
    }
    zone student {
        default-action drop
        description "Private zone (student systems)"
        from public {
            firewall {
                name to-student
            }
        }
        interface eth4
    }
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "quagga@2:conntrack-sync@1:vrrp@1:dhcp-relay@1:wanloadbalance@3:webgui@1:system@6:qos@1:config-management@1:webproxy@1:ipsec@4:dhcp-server@4:nat@4:conntrack@1:zone-policy@1:firewall@5:cluster@1" === */
/* Release version: VC6.5R1 */
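Two things are easy to get wrong in a rule set this long. The first is the protocol on the DHCP rules: bootps and bootpc are UDP ports 67 and 68, so a rule that names them with protocol tcp never matches a DHCP packet and the "block DHCP from outside" intent fails silently. The second is that a firewall name only filters anything once it is attached somewhere; in the dump above FWDHCP and to-target are defined but no zone-policy references them. The following Python linter is an added example, not tooling from this page or from Vyatta: it parses the brace-style config and reports both problems. It assumes the normal rendered layout (one statement per line) and only looks at zone-policy attachments, which is all this dump uses; SAMPLE_CONFIG is a constructed fragment of the same shape, not a device dump.

```python
"""Lint a Vyatta-style brace config. Added example, not the page's or
Vyatta's tooling. Assumes the normal rendered layout: one statement per
line, blocks in braces, /* */ comments. SAMPLE_CONFIG is constructed."""
import re
from typing import Optional

# Tokens: /* comments */ (dropped), "quoted strings", braces, newlines, words.
_TOKEN_RE = re.compile(r'/\*.*?\*/|"[^"]*"|\{|\}|\n|[^\s{}"]+', re.S)

# A node is (words, children); children is None for a leaf statement.
Node = tuple[tuple[str, ...], Optional[list]]

def parse_config(text: str) -> list[Node]:
    tokens = (t for t in _TOKEN_RE.findall(text) if not t.startswith("/*"))
    return _parse_block(tokens)

def _parse_block(tokens) -> list[Node]:
    nodes, words = [], []
    for tok in tokens:                      # the generator is shared with the
        if tok == "\n":                     # recursive calls, so each level
            if words:                       # resumes where the inner one stopped
                nodes.append((tuple(words), None))
                words = []
        elif tok == "{":                    # 'key [value] {' opens a block
            nodes.append((tuple(words), _parse_block(tokens)))
            words = []
        elif tok == "}":
            if words:
                nodes.append((tuple(words), None))
            return nodes
        else:
            words.append(tok.strip('"'))
    if words:
        nodes.append((tuple(words), None))
    return nodes

def blocks(nodes: list[Node], key: str) -> list[Node]:
    """Child blocks whose first word is key, e.g. every 'rule N { ... }'."""
    return [(w, c) for w, c in nodes if w and w[0] == key and c is not None]

def leaf(nodes: list[Node], key: str) -> Optional[tuple[str, ...]]:
    """Value words of the leaf 'key value ...' in nodes, or None if absent."""
    for w, c in nodes:
        if c is None and w and w[0] == key:
            return w[1:]
    return None

DHCP_PORTS = {"bootps", "bootpc", "67", "68"}

def dhcp_rules_on_tcp(tree: list[Node]) -> list[tuple[str, str]]:
    """(rule set, rule number) for rules that name a DHCP port but match
    protocol tcp; DHCP is UDP 67/68, so such a rule never sees a packet."""
    hits = []
    for _w, fw in blocks(tree, "firewall"):
        for (_k, name), rules in blocks(fw, "name"):
            for (_r, num), body in blocks(rules, "rule"):
                ports = set()
                for _e, end in blocks(body, "destination") + blocks(body, "source"):
                    p = leaf(end, "port")
                    if p:
                        ports.update(p[0].split(","))
                if ports & DHCP_PORTS and leaf(body, "protocol") == ("tcp",):
                    hits.append((name, num))
    return hits

def unreferenced_rule_sets(tree: list[Node]) -> set[str]:
    """Rule sets under 'firewall name' that no zone-policy attaches. (Per-
    interface 'firewall in/out/local' attachments are not considered.)"""
    defined = {name for _w, fw in blocks(tree, "firewall")
               for (_k, name), _c in blocks(fw, "name")}
    used = set()
    for _z, zp in blocks(tree, "zone-policy"):
        for _n, zone in blocks(zp, "zone"):
            for _f, frm in blocks(zone, "from"):
                for _b, fwb in blocks(frm, "firewall"):
                    n = leaf(fwb, "name")
                    if n:
                        used.add(n[0])
    return defined - used

# Constructed sample in the shape of the dump above, not a real device dump.
SAMPLE_CONFIG = """\
firewall {
    name to-student {
        default-action drop
        rule 10 {
            action accept
            destination {
                port bootpc
            }
            protocol tcp
            source {
                address 10.50.4.0/24
            }
        }
    }
    name to-target {
        default-action drop
    }
}
zone-policy {
    zone student {
        from public {
            firewall {
                name to-student
            }
        }
        interface eth4
    }
}
/* === vyatta-config-version: "zone-policy@1:firewall@5" === */
"""

if __name__ == "__main__":
    tree = parse_config(SAMPLE_CONFIG)
    for name, num in dhcp_rules_on_tcp(tree):
        print(f"firewall name {name} rule {num}: DHCP port with protocol tcp, use udp")
    for name in sorted(unreferenced_rule_sets(tree)):
        print(f"firewall name {name}: defined but attached to no zone")
```

Run it against a real dump with `parse_config(open(path).read())`; on the sample it reports rule 10 of to-student and the unattached to-target. The parser keeps a node's words as a tuple and its children as a list, so the same two helpers (blocks and leaf) are enough to walk any other part of the tree, for instance to check that `service ssh allow-root` is absent.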
Neither slirpvde nor slirpvde6 is very robust; both have memory leaks and other problems.
slirpvde can provide both a DHCP server and NAT to the outside world for the VMs on the switch.
The --dhcp option gives the first IP address handed out to DHCP clients. The --port number is an unused port on the switch to which the slirpvde device attaches:
slirpvde -d -s /tmp/my_switch1 --dhcp=10.1.1.44 --port 10
Verify that slirpvde is connected by using the management terminal:
vdeterm /tmp/switch_mgmt
and ensure that slirpvde is at its own port, e.g., port[10]:
port/allprint
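The same check can be scripted instead of typed into vdeterm. The following Python helper is an added example, not part of this page or of vde2; it talks to the switch's -M socket directly and is written on the assumption that the switch greets each connection with a banner ending in a "vde$ " prompt, follows each command's output with a status line such as "1000 Success" (an error is "1NNN <reason>"), and that port/allprint prints one "Port NNNN ..." header per port followed by "-- endpoint ID ... : description" lines for whatever is plugged in. SAMPLE_ALLPRINT is a constructed reply in that shape used only to exercise the parser offline; the endpoint descriptions in it are assumptions, not captured from a real switch.

```python
"""Script the vde_switch management socket (the -M path) instead of typing
into vdeterm. Added example, not part of vde2; the protocol details are
assumptions (see comments) and SAMPLE_ALLPRINT is constructed, not captured."""
import re
import socket

PROMPT = b"vde$ "                                   # assumed prompt string
STATUS_RE = re.compile(r"^(1\d{3}) ", re.M)         # '1000 Success' / '1NNN error'
PORT_RE = re.compile(r"^Port (\d+)\b")               # 'Port 0010 untagged_vlan=...'
ENDPOINT_RE = re.compile(r"endpoint ID \d+ module \S+.*?: (.*)$")

def _read_until_prompt(sock: socket.socket) -> str:
    """Collect output until the switch shows its prompt again (or hangs up)."""
    buf = b""
    while not buf.endswith(PROMPT):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode(errors="replace")

def status_code(text: str) -> int:
    """The 1NNN status the switch appends to a reply, or -1 if absent."""
    m = STATUS_RE.search(text)
    return int(m.group(1)) if m else -1

def mgmt_command(mgmt_path: str, cmd: str, timeout: float = 5.0) -> str:
    """Send one command over the management socket and return its reply
    (status line included, banner and prompts stripped). Raises unless the
    switch reports 1000."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(mgmt_path)
        _read_until_prompt(s)               # swallow banner and first prompt
        s.sendall(cmd.encode() + b"\n")
        out = _read_until_prompt(s)
    out = out[: -len(PROMPT)] if out.endswith(PROMPT.decode()) else out
    if status_code(out) != 1000:
        raise RuntimeError(f"{cmd!r} failed: {out.strip()!r}")
    return out

def parse_allprint(text: str) -> dict[int, list[str]]:
    """port number -> descriptions of the endpoints plugged into that port."""
    ports: dict[int, list[str]] = {}
    current = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = int(m.group(1))
            ports[current] = []
            continue
        m = ENDPOINT_RE.search(line)
        if m and current is not None:
            ports[current].append(m.group(1).strip())
    return ports

def ports_with(ports: dict[int, list[str]], needle: str) -> list[int]:
    """Ports whose endpoint description mentions needle, e.g. 'slirpvde'."""
    return sorted(p for p, descrs in ports.items() if any(needle in d for d in descrs))

# Constructed sample of a port/allprint reply (shape assumed, not a capture).
SAMPLE_ALLPRINT = """\
Port 0001 untagged_vlan=0000 ACTIVE - Unnamed Allocatable
 Current User: NONE Access Control: (User: NONE - Group: NONE)
 IN:  pkts      120          bytes      14880
 OUT: pkts       98          bytes      11760
  -- endpoint ID 0005 module unix prog   : VirtualBox: myvm
Port 0010 untagged_vlan=0000 ACTIVE - Unnamed Allocatable
 Current User: NONE Access Control: (User: NONE - Group: NONE)
 IN:  pkts       40          bytes       4800
 OUT: pkts       52          bytes       6240
  -- endpoint ID 0007 module unix prog   : slirpvde: user=student PID=2142
1000 Success
"""

if __name__ == "__main__":
    import sys
    mgmt = sys.argv[1] if len(sys.argv) > 1 else "/tmp/switch_mgmt"
    reply = mgmt_command(mgmt, "port/allprint")
    print("slirpvde on port(s):", ports_with(parse_allprint(reply), "slirpvde"))
```

Run as `python3 vde_mgmt.py /tmp/switch_mgmt`; if the reply format on your build differs from the assumed one, adjust PORT_RE and ENDPOINT_RE against what vdeterm actually prints for port/allprint. Because a connect to the management socket is all it takes to issue commands, the same script also demonstrates why that socket's permissions (vde_switch --mgmtmode) matter.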
slirpvde6 is still considered experimental; the latest source code is in:
wget http://sourceforge.net/code-snapshots/svn/v/vi/view-os/code/view-os-code-1120-branches-rd235.zip
yum -y install autoconf automake libtool subversion patch
autoreconf --install
./configure
make
make install
Change NB_BOOTP_CLIENTS in slirpvde6/bootp.h to 64, and vdhcp_naddr in slirpvde6/slirpvde6.c to 64 (not necessary if you use --dhcp x.x.x.x/nn, since nn then sets vdhcp_naddr at run time), then rebuild:
autoreconf --install
./configure
make
make install
export LD_LIBRARY_PATH=/usr/local/lib
cd /usr/local/bin
./slirpvde6 -s /tmp/tinfo250a_1.vdesw_slirp -dhcp=10.250.1.101 -host 10.250.1.1/24
vdecmd issues a single management command "cmd" non-interactively to a switch or a wirefilter, e.g.:
vdecmd -s /tmp/switch_mgmt port/print
dpipe vde_plug /tmp/switch1 = wirefilter -M /tmp/wfm = vde_plug /tmp/switch2 &
Control noise/bandwidth/loss characteristics of the virtual wire connecting the two switches by sending commands to /tmp/wfm via vdeterm or vdecmd.
vde_l3 attaches a software router to one or more switches. The -v argument is the switch's control socket (the -s path given to vde_switch, not its management socket) followed by the address the router takes on that network:
vde_l3 -v /tmp/my_switch1:192.168.0.1/24 -M /tmp/my_switch.vde_l3m
Issue layer 3 routing commands using "vdeterm /tmp/my_switch.vde_l3m" or vdecmd.
Frames carried inside an ssh or cryptcab tunnel pick up encapsulation overhead, so a full 1500-byte frame no longer fits in one packet on the physical network and gets fragmented. For better performance, lower the MTU of the tap devices (and guest NICs) attached to the switch on each side. For example:
ifconfig tap0 mtu 1450