The experimental setup consists of three VMs or containers, one each for a server (receiver), a client (traffic generator) and a firewall. Experiments are performed on both VMs and Docker containers, and metrics such as throughput and delay for the traffic, and CPU and memory utilization for the firewall container, are gathered. The following benchmarks are used:
- iperf3
- netperf
- nuttcp
- MySQL
- Redis
- FIO (using NFS)
- Stream
Docker is a powerful platform that enables developers to automate the deployment of applications inside lightweight, portable containers. These containers encapsulate all the necessary dependencies and libraries, ensuring that the application runs consistently across different environments.
This guide will help to set up the experimental topology for firewall evaluation using Docker.
Dockerfiles are used to create container images. The Dockerfile lists all the libraries required for the experiments, so they are installed when the image is built.
- Build the container image from its Dockerfile:

  ```
  docker build -t <Build name> -f dockerfile.<Build name> .
  ```
- Create the two Docker networks, one for the client side and one for the server side:

  ```
  docker network create --subnet 192.168.1.0/24 client-net
  docker network create --subnet 192.168.2.0/24 server-net
  ```
- Run a container from the image with a fixed IP address and resource limits:

  ```
  docker run -d --name <container name> --net client-net --ip <IP address> --cpus="2" --memory="1g" <Build name>
  ```
Note:
- Client: 192.168.1.3
- Server: 192.168.2.3
- Firewall: 192.168.1.2 / 192.168.2.2
The firewall container also needs privileged mode, so its docker run command is given the --privileged flag. The client also needs privileged access because it has to change its default gateway.
- Connect the firewall to the server-side network, then enable forwarding and add the firewall rules inside it:

  ```
  docker network connect server-net firewall --ip 192.168.2.2
  docker exec -it firewall bash
  echo 1 > /proc/sys/net/ipv4/ip_forward
  iptables -A FORWARD -i eth0 -o eth0 -s 192.168.2.3 -d 192.168.1.3 -j ACCEPT
  iptables -A FORWARD -i eth0 -o eth0 -s 192.168.1.3 -d 192.168.2.3 -j ACCEPT
  iptables -t nat -A POSTROUTING -s 192.168.1.3 -d 192.168.2.3 -j MASQUERADE
  ```
- On the client, route traffic for the server via the firewall:

  ```
  docker exec -it client bash
  ip route add 192.168.2.3 via 192.168.1.2
  ```
The resulting Docker topology:
- 3 containers, i.e. client, server and firewall
- client and firewall are in one subnet
- firewall and server are in one subnet
- packets from the client go first to the firewall and then to the server
- packets from the server to the client do not go through the firewall
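As an added example, not part of the original guide, the script below brings up the same three-container topology non-interactively and starts the firewall and client with only CAP_NET_ADMIN instead of --privileged: iptables and `ip route add` need that capability and nothing more, and Docker's --sysctl option sets net.ipv4.ip_forward inside the firewall's network namespace without a writable /proc/sys. MODE=privileged reproduces the guide's flags for comparison. The image names (fw-image, server-image, client-image) and the APPLY switch are assumptions; the addresses and network names are the guide's. The FORWARD rules omit the guide's -i eth0 -o eth0 matches because, after `docker network connect`, the firewall's server-side interface is eth1, so a rule requiring eth0 on both sides would not match this traffic.

```shell
#!/bin/sh
# Added example, not from the guide. Brings up the guide's three-container
# topology with the firewall and client given only CAP_NET_ADMIN instead of
# --privileged. Image names (fw-image, server-image, client-image) and the
# APPLY switch are assumptions; addresses and network names are the guide's.
CLIENT_IP=192.168.1.3
SERVER_IP=192.168.2.3
FW_CLIENT_IP=192.168.1.2
FW_SERVER_IP=192.168.2.2

# Print the extra docker run options for a role. MODE=privileged gives the
# guide's --privileged flag; the default grants only what the role needs.
run_opts() {
    role=$1; mode=${2:-least}
    case "$role" in
        firewall)
            if [ "$mode" = privileged ]; then
                echo "--privileged"
            else
                # iptables and forwarding only need CAP_NET_ADMIN; --sysctl
                # writes net.ipv4.ip_forward in the container's own netns.
                echo "--cap-add NET_ADMIN --sysctl net.ipv4.ip_forward=1"
            fi ;;
        client)
            # 'ip route add' needs CAP_NET_ADMIN, nothing else.
            if [ "$mode" = privileged ]; then echo "--privileged"
            else echo "--cap-add NET_ADMIN"; fi ;;
        server) echo "" ;;
        *) return 1 ;;
    esac
}

# Execute a command only when APPLY=1 and docker is installed; otherwise
# print it so the whole sequence can be reviewed first.
do_run() {
    if [ "${APPLY:-0}" = 1 ] && command -v docker >/dev/null 2>&1; then "$@"
    else echo "$*"; fi
}

bring_up() {
    mode=${1:-least}
    do_run docker network create --subnet 192.168.1.0/24 client-net
    do_run docker network create --subnet 192.168.2.0/24 server-net
    # Word-splitting of run_opts output into separate options is intended.
    do_run docker run -d --name firewall --net client-net --ip "$FW_CLIENT_IP" \
        --cpus=2 --memory=1g $(run_opts firewall "$mode") fw-image
    do_run docker network connect server-net firewall --ip "$FW_SERVER_IP"
    do_run docker run -d --name server --net server-net --ip "$SERVER_IP" \
        --cpus=2 --memory=1g server-image
    do_run docker run -d --name client --net client-net --ip "$CLIENT_IP" \
        --cpus=2 --memory=1g $(run_opts client "$mode") client-image
    # In privileged mode ip_forward is written the way the guide does it.
    [ "$mode" = privileged ] && \
        do_run docker exec firewall sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    # The guide's firewall rules, applied without an interactive shell.
    do_run docker exec firewall iptables -A FORWARD -s "$SERVER_IP" -d "$CLIENT_IP" -j ACCEPT
    do_run docker exec firewall iptables -A FORWARD -s "$CLIENT_IP" -d "$SERVER_IP" -j ACCEPT
    do_run docker exec firewall iptables -t nat -A POSTROUTING -s "$CLIENT_IP" -d "$SERVER_IP" -j MASQUERADE
    # Client route to the server via the firewall's client-side address.
    do_run docker exec client ip route add "$SERVER_IP" via "$FW_CLIENT_IP"
}

bring_up "${MODE:-least}"
```

Without APPLY=1 the script only prints the docker commands it would run, so the sequence can be checked before it touches the host; APPLY=1 MODE=least executes the least-privilege variant.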
- Copy files from the host to a container:

  ```
  docker cp <file location on host> <Container name>:<destination location in container>
  ```
- Copy files from a container to the host:

  ```
  docker cp <Container name>:<file location in container> <destination location on host>
  ```
QEMU (Quick Emulator) is an open-source machine emulator and virtualizer that enables users to run virtual machines with different architectures. It provides a powerful environment for testing, development and experimentation, allowing users to emulate a wide variety of hardware platforms and guest operating systems.
This guide will help to set up the experimental topology for firewall evaluation using QEMU.
Creating a virtual machine requires an ISO (optical disc image) of the operating system to be installed in the VM. The ISO image contains everything needed for the disk layout, the operating system and other important settings. VMs are created from these ISO images together with the configuration for the resources allocated to the VM.
- Create a bridge on the host and give it an address:

  ```
  sudo brctl addbr br0
  sudo ip addr add 192.168.10.1/24 dev br0
  sudo ip link set dev br0 up
  ```
Note: there are two options for connecting the VMs to the internet via the bridge.
- Bridged physical interface: add the host's Ethernet interface to the bridge with DHCP enabled. This exposes the VMs directly to the external network without any intervention from the host operating system. Implementing this option can get tricky: if it is not done correctly, the host may lose its internet connection, because its physical interface becomes part of the bridge. This method is usually used when VMs on different host machines need to communicate with each other, and it is heavily used in cloud environments. Avoid it by using NAT forwarding on the host when VMs on different hosts do not need to communicate.
- NAT forwarding: the VMs are connected to the bridge and all traffic to and from the outside internet goes through it. To reach the internet, the bridge uses NAT, which requires host intervention: packets from the VMs are first processed by the host before going out. During this processing the host rewrites header fields, changing the source IP address from the VM's to the host's and replacing the port number in the transport-layer header with a free port on the host machine. The host keeps track of this translation so that packets arriving at the host with these header values are forwarded back to the right VM. This gives the VMs internet connectivity without needing public IP addresses; the VMs are given private addresses. With this method, VMs on the same host machine can also communicate with each other, but not with VMs on a different host, since private IP addresses are not routable on the public internet.
- Enable NAT forwarding on the host (enp3s0 is the host's uplink interface):

  ```
  sudo sysctl -w net.ipv4.ip_forward=1
  sudo iptables -t nat -A POSTROUTING -o enp3s0 -j MASQUERADE
  sudo iptables -A FORWARD -i br0 -o br0 -j ACCEPT
  ```
- Allow QEMU's bridge helper to attach VMs to br0:

  ```
  sudo mkdir -p /etc/qemu/
  sudo nano /etc/qemu/bridge.conf
  ```
  Add the following line to the file:
  ```
  allow br0
  ```
- Ensure that qemu-bridge-helper has the correct permissions (the setuid bit):

  ```
  sudo chmod u+s /usr/lib/qemu/qemu-bridge-helper
  ```
- Create a disk image for each VM:

  ```
  qemu-img create -f qcow2 client.qcow2 10G
  ```
Important Note Regarding QEMU: When creating VMs with QEMU, be aware that by default QEMU assigns the same virtual MAC address to every VM. This makes it impossible for them to communicate with other VMs, as they all have the same MAC address. Therefore, when creating a new VM, give each one a custom unique MAC address (it need not be globally unique, since the VMs are not connected to the internet directly).
- Make the VM launch script executable and run it:

  ```
  chmod +x ./vm-client.sh
  ./vm-client.sh
  ```
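The guide's vm-client.sh is not shown, so the following is an added example, not the original script: it launches a VM on the guide's br0 bridge and derives a distinct, stable MAC address from the VM name, which addresses the duplicate-MAC problem described in the note above. The disk and ISO paths, memory and CPU counts, and the RUN and ISO switches are assumptions; the bridge name and qemu-bridge-helper setup are the guide's.

```shell
#!/bin/sh
# Added example, not the guide's vm-client.sh. Launches a VM on br0 with a
# MAC address derived from the VM name, so every VM on the bridge gets a
# distinct, stable address instead of QEMU's default. Disk/ISO paths, memory
# and CPU counts are assumptions.
BRIDGE=${BRIDGE:-br0}

# 52:54:00 is the prefix QEMU uses for its own addresses; the low 24 bits
# come from a CRC of the VM name, so "client" always maps to the same MAC
# and "server" to a different one. Uniqueness is only needed on this bridge.
vm_mac() {
    crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    hex=$(printf '%06x' $((crc % 16777216)))
    printf '52:54:00:%s:%s:%s\n' \
        "$(printf '%s' "$hex" | cut -c1-2)" \
        "$(printf '%s' "$hex" | cut -c3-4)" \
        "$(printf '%s' "$hex" | cut -c5-6)"
}

# Compose the qemu-system-x86_64 command line for one VM.
#   $1 VM name, $2 qcow2 disk, $3 memory in MiB, $4 vCPUs, $5 optional install ISO
# "-netdev bridge" goes through qemu-bridge-helper and /etc/qemu/bridge.conf
# from the guide, and creates the TAP interface itself.
vm_cmdline() {
    name=$1; disk=$2; mem=${3:-1024}; cpus=${4:-2}; iso=$5
    cmd="qemu-system-x86_64 -enable-kvm -name $name -m $mem -smp $cpus"
    cmd="$cmd -drive file=$disk,format=qcow2,if=virtio"
    cmd="$cmd -netdev bridge,id=net0,br=$BRIDGE"
    cmd="$cmd -device virtio-net-pci,netdev=net0,mac=$(vm_mac "$name")"
    # Boot from the ISO only for the first (installation) run.
    [ -n "$iso" ] && cmd="$cmd -cdrom $iso -boot d"
    printf '%s\n' "$cmd"
}

# Print (or with RUN=1 execute in the background) the launch command for
# each VM of the bench; ISO=<path> adds the installer for the first boot.
for vm in client server firewall; do
    line=$(vm_cmdline "$vm" "$vm.qcow2" 1024 2 "${ISO:-}")
    if [ "${RUN:-0}" = 1 ]; then eval "$line &"; else echo "$line"; fi
done
```

Run it once per VM with RUN=1 and ISO set to install the guest, then without ISO for normal boots; the MAC stays the same across boots because it depends only on the VM name.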
Note:
- Client: 192.168.10.4
- Server: 192.168.10.5
- Firewall: 192.168.10.3
Note related to bridge configuration: Another method to connect the VMs to the internet is to use TAP interfaces together with the bridge. This requires creating a TAP interface for each VM and attaching it to the appropriate bridge; the TAP interface is then handed to the VM when it is created. When VMs are created in bridge network mode, however, the TAP interfaces are created automatically. It is therefore easier to create the VMs using the bridge mode than to use TAP and take on the burden of managing the TAP interfaces.
After creating the VMs, they need to be given a network configuration so they can communicate over the network. Use the following commands to do so:
- Find the interface name:

  ```
  ip addr show
  ```
  The output shows the available interfaces (e.g. ens3) and the associated bridge.
- Edit the netplan configuration:

  ```
  sudo nano /etc/netplan/01-netcfg.yaml
  ```
- Give the interface a static address, a default route and a nameserver:

  ```
  network:
    version: 2
    ethernets:
      ens3:
        addresses:
          - 192.168.10.x/24
        routes:
          - to: default
            via: 192.168.10.x
        nameservers:
          addresses:
            - 8.8.8.8
  ```
- Apply the configuration:

  ```
  sudo netplan apply
  ```
Perform the same operations on all VMs. This configuration can also be applied during VM creation.
The testing environment requires traffic from the client to the server to go through the firewall. Since all the VMs are on the same subnet and a direct route exists between client and server, adding a route for the server IP address will not help: the network between these VMs behaves as a switched network that forwards frames based on MAC addresses. Therefore, traffic from the client must first reach the firewall by being addressed to the firewall's MAC address.
- On the client VM, add a static ARP entry mapping the server's IP address to the firewall's MAC address:

  ```
  sudo arp -s <IP address of server VM> <MAC address of firewall VM>
  ```
  This points the server IP address at the firewall's MAC, so the client's traffic is delivered to the firewall first.
- On the firewall VM, enable forwarding and allow client-to-server traffic:

  ```
  sudo sysctl -w net.ipv4.ip_forward=1
  sudo iptables -A FORWARD -s <IP of client> -d <IP of server> -j ACCEPT
  ```
The resulting QEMU topology:
- 3 VMs, i.e. client, server and firewall
- packets from the client go first to the firewall and then to the server
- packets from the server to the client do not go through the firewall
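Because the client-to-firewall hop rests on a single static ARP entry (or, in the Docker setup, on one host route), it is worth verifying that benchmark traffic actually crosses the firewall rather than taking the direct switched path. The following added example, not part of the guide, does that by reading the packet counter of the firewall's FORWARD ACCEPT rule before and after a known probe from the client: if the counter does not grow by at least the number of probe packets, the firewall is being bypassed and the measured throughput and CPU figures would be meaningless. It applies to both the QEMU firewall VM and the Docker firewall container. The CLIENT, SERVER, IPT, PROBE and PROBE_PKTS variables and the sample `iptables -vnL FORWARD` output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the guide. Checks that client->server traffic crosses
# the firewall by comparing the pkts counter of the FORWARD ACCEPT rule before
# and after a probe sent from the client. Variables and the sample counter
# output below are constructed assumptions.
CLIENT=${CLIENT:-192.168.10.4}
SERVER=${SERVER:-192.168.10.5}
IPT=${IPT:-iptables}                 # Docker: IPT="docker exec firewall iptables"
PROBE=${PROBE:-"ssh $CLIENT ping -c 5 -W 1 $SERVER"}   # must run ON the client
PROBE_PKTS=${PROBE_PKTS:-5}

# Extract the pkts counter of the ACCEPT rule matching src -> dst from
# "iptables -vnL FORWARD" output read on stdin. Column layout is:
# pkts bytes target prot opt in out source destination
forward_accept_pkts() {
    awk -v s="$1" -v d="$2" '$3 == "ACCEPT" && $8 == s && $9 == d { print $1; exit }'
}

# Compare two counter readings against the number of probe packets sent.
# Exit 0: via firewall, 1: bypassing firewall, 2: no matching rule at all.
verdict() {
    before=$1; after=$2; sent=$3
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo "no ACCEPT rule for this flow"; return 2
    fi
    if [ $((after - before)) -ge "$sent" ]; then
        echo "via firewall"; return 0
    fi
    echo "bypassing firewall"; return 1
}

# Live check: snapshot on the firewall, probe from the client, snapshot again.
live_check() {
    b=$($IPT -vnL FORWARD | forward_accept_pkts "$CLIENT" "$SERVER")
    $PROBE >/dev/null 2>&1
    a=$($IPT -vnL FORWARD | forward_accept_pkts "$CLIENT" "$SERVER")
    verdict "$b" "$a" "$PROBE_PKTS"
}

# Constructed sample output of "iptables -vnL FORWARD" before and after a
# 5-packet probe, in the layout iptables prints.
SAMPLE_BEFORE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  8400 ACCEPT     all  --  *      *       192.168.10.4         192.168.10.5'
SAMPLE_AFTER='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  125  8750 ACCEPT     all  --  *      *       192.168.10.4         192.168.10.5'

# Offline demonstration on the sample output; LIVE=1 runs the real check.
demo() {
    b=$(printf '%s\n' "$SAMPLE_BEFORE" | forward_accept_pkts 192.168.10.4 192.168.10.5)
    a=$(printf '%s\n' "$SAMPLE_AFTER" | forward_accept_pkts 192.168.10.4 192.168.10.5)
    verdict "$b" "$a" 5
}

if [ "${LIVE:-0}" = 1 ]; then live_check; else demo; fi
```

Run it on the firewall VM with LIVE=1 (and PROBE pointing at a command that executes on the client), or on the Docker host with IPT and PROBE set to the corresponding `docker exec` commands; the return path is expected not to raise the counter, matching the topology notes above.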
- On the client VM, run the following command to install all the required benchmarks:

  ```
  sudo apt-get install iperf3 netperf nuttcp redis-tools sysbench mysql-client fio traceroute
  ```
- On the server VM, run the following command to install all the required benchmarks:

  ```
  sudo apt-get install iperf3 netperf nuttcp redis-server mysql-server fio
  ```
Configure the MySQL user and database for the experiments:
```
sudo service mysql start
# Bench credentials: a trivial password is tolerable only because the server
# is reachable solely from the isolated experiment network.
sudo mysql -e "ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';"
sudo mysql -e "CREATE USER 'root'@'%' IDENTIFIED BY 'password';"
# WITH GRANT OPTION additionally lets root@'%' grant privileges to other users.
sudo mysql -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION;"
sudo mysql -e "FLUSH PRIVILEGES;"
# Listen on all interfaces so the client VM can connect over the bench network.
sudo sed -i "s/bind-address.*/bind-address = 0.0.0.0/" /etc/mysql/mysql.conf.d/mysqld.cnf
sudo service mysql restart
sudo mysql -u root -p'password' -e "CREATE DATABASE benchmark;"
```
Configure Redis to allow remote connections
```
sudo sed -i "s/^bind.*/bind 0.0.0.0/" /etc/redis/redis.conf
sudo service redis-server restart
```
- Install an SSH server on the VM:

  ```
  sudo apt-get install openssh-server
  ```
- Copy files from the host to a VM:

  ```
  scp <file location on host> <VM username>@<VM IP>:<destination location on VM>
  ```
- Copy files from a VM to the host:

  ```
  scp <VM username>@<VM IP>:<file location on VM> <destination location on host>
  ```
- Use the '-r' flag to copy directories.