This is a tutorial that covers the basics of the CORE network emulator. The session configuration used in this tutorial is also available for download in the sources folder.
-
Install and run CORE Network:
- 1.1 Download the packages or the VMware image from the CORE Network official download page.
- 1.2 Install the daemon and GUI packages. Hint: on Ubuntu 16.04 and Ubuntu 18.04 we got the trusty packages to work.
- 1.3 Run the CORE daemon:
/etc/init.d/core-daemon start
-
Add a router, rename it firewall_router, then add a physical interface (RJ45 node) to bridge a real interface of your workstation into the session:
- 2.1 Configure (double click) the physical interface and select an Ethernet interface of your workstation;
- 2.2 Remove IPv6 from firewall_router if you don't need it;
- 2.3 Using the link tool, link firewall_router to the physical interface;
- Hint: do not use a wireless interface for bridging.
Problem: every time you stop and start your CORE session, the bridge ifname on your workstation changes. Use a command to keep it handy (the name has the form b.<number>.<id>, as in the tcpdump output below; this variant reads it from ip rather than ifconfig, so it works whether or not ifconfig prints a trailing colon after the name):
BRIFNAME=$(ip -o link show | awk -F': ' '$2 ~ /^b\.[0-9]+\.[a-z0-9]+$/ {print $2; exit}')
Once you add switches (section 7) there will be several b.* bridges and this picks the first one; use brctl show to see which bridge holds your physical interface. To make this persistent in a CORE session, like other preferences, go to Session -> Hooks and configure the hook (a shell script that CORE runs on the workstation when the session enters the chosen state) as shown in the picture:
-
Run this first test.
- 3.1 In the CORE Network window, start the emulation session by clicking the green arrow in the left toolbar.
- 3.2 Open a terminal on your workstation and check the available interfaces (ifconfig or ip addr show). You will see at least two brand new interfaces, veth* and b.*.
- 3.3 On your workstation run
brctl show
to check which interface is a bridge (probably b.*). You will also see that the veth interface is attached to this bridge.
- 3.4 On your workstation run
tcpdump -i $BRIFNAME
You will see traffic from firewall_router, such as DHCP/BOOTP requests and maybe some ARP requests too. Double click on firewall_router to open a terminal inside it, list its network interfaces and check the HWaddr of the interface linked to the physical node: it is the same source MAC you see in the tcpdump output.
# on your workstation
tcpdump -i $BRIFNAME
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on b.42777.a7, link-type EN10MB (Ethernet), capture size 262144 bytes
16:53:35.441144 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:00:aa:00:00 (oui Ethernet), length 300
16:53:44.446805 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP, Request from 00:00:00:aa:00:00 (oui Ethernet), length 300
-
Configure the LAN 10.0.0.0/24 to link your workstation to firewall_router. Remember that $BRIFNAME is only a variable name; be sure it holds the right value in your setup! CORE assigns 10.0.0.1/24 to the first interface of firewall_router by default; check it in the node's interface configuration.
- 4.1 On your workstation configure the IP with
ifconfig $BRIFNAME 10.0.0.254/24
or
ip addr add 10.0.0.254/24 dev $BRIFNAME
- 4.2 On your workstation
ping 10.0.0.1
(firewall_router). Good news: a working layer 2 path now exists from your workstation into your CORE Network session.
- 4.3 In the firewall_router configuration, disable the routing services that are not needed in this tutorial (the OSPF daemons, for instance); only IP forwarding is required.
-
Enable forwarding and NAT on the workstation so that firewall_router can reach the Internet. All these tasks must be executed on your workstation unless stated otherwise.
- 5.1 Enable ip_forward:
echo 1 > /proc/sys/net/ipv4/ip_forward
- 5.2 NAT all the traffic from the bridge to the Internet using iptables. Which ifname is linked to the Internet? That is the output interface:
iptables -t nat -A POSTROUTING -s 10.0.0.1 -o wlp2s0 -j MASQUERADE
- 10.0.0.1 is the IP of firewall_router;
- wlp2s0 is the wireless interface that I'm using on my workstation to reach the Internet.
- 5.3 In the firewall_router shell, configure the workstation as the default gateway with
route add default gw 10.0.0.254
- 5.4 In the firewall_router shell, test a foreign destination with
ping 8.8.8.8
or
tracepath -n 8.8.8.8
You must see it work. Make it persistent: ip_forward and the NAT rule do not survive a reboot of the workstation, and the default route inside firewall_router is lost every time the session stops.
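Sections 2, 4 and 5 can be folded into one host-side hook script (Session -> Hooks, runtime state). The script below is an added example, not a file from the tutorial sources or from the CORE project. It assumes two hypothetical interface names that you must replace: PHYS_IF is the wired NIC you handed to the RJ45 node and WAN_IF is the uplink used for masquerading. Instead of taking the first b.* bridge, it picks the bridge that actually contains PHYS_IF, which still works after the switches of section 7 have added more bridges.

```shell
#!/bin/sh
# Host-side CORE session hook (added example, not CORE's own code).
# Run from Session -> Hooks at the runtime state, or by hand:
#   sh core-host-hook.sh apply
# Assumed names, replace them for your workstation:
PHYS_IF="${PHYS_IF:-enp0s25}"   # NIC given to the RJ45 node (hypothetical)
WAN_IF="${WAN_IF:-wlp2s0}"      # uplink towards the Internet (hypothetical)
HOST_ADDR="10.0.0.254/24"       # workstation address on the bridge (section 4)
ROUTER_IP="10.0.0.1"            # firewall_router address masqueraded in 5.2

# CORE names its bridges b.<number>.<id>. The `ip -o link show` text is passed
# in as $1 so the parser can be exercised on captured output without root.
core_bridges() {
    printf '%s\n' "$1" | awk -F': ' '$2 ~ /^b\.[0-9]+\.[a-z0-9]+$/ { print $2 }'
}

# Every switch is another b.* bridge, so choose the one holding PHYS_IF:
# CORE moves the physical NIC into the bridge of the RJ45 link.
find_phys_bridge() {
    for br in $(core_bridges "$(ip -o link show)"); do
        if ip -o link show master "$br" | grep -q "^[0-9]*: $PHYS_IF:"; then
            echo "$br"
            return 0
        fi
    done
    echo "no CORE bridge contains $PHYS_IF" >&2
    return 1
}

# Idempotent on purpose: hooks run on every session start, and a bare
# `iptables -A` would stack one more MASQUERADE rule each time.
setup_host() {
    br=$(find_phys_bridge) || return 1
    ip addr replace "$HOST_ADDR" dev "$br"
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    iptables -t nat -C POSTROUTING -s "$ROUTER_IP" -o "$WAN_IF" -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -s "$ROUTER_IP" -o "$WAN_IF" -j MASQUERADE
    echo "bridge $br configured with $HOST_ADDR, NAT for $ROUTER_IP via $WAN_IF"
}

# Constructed sample of `ip -o link show` output (not a real capture), used to
# try the parser offline: only line 3 is a CORE bridge, line 4 is its veth.
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT group default qlen 1000\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: b.42777.a7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
4: veth0.0.a7@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master b.42777.a7 state UP mode DEFAULT group default qlen 1000\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'

if [ "${1:-}" = "apply" ]; then
    setup_host
else
    echo "CORE bridges in the sample output: $(core_bridges "$SAMPLE_IP_LINK")"
fi
```

Without the `apply` argument the script only runs the parser on the constructed sample and touches nothing, so it is safe to source or test; `ip addr replace` and `iptables -C` are what make the apply path safe to rerun on every session start.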
-
Make the firewall_router configuration persistent with CORE Network services (for example the UserDefined service, whose startup commands run each time the node boots in a session): the default route from 5.3 and the firewall rules from section 8 belong there, otherwise they are lost when the session stops.
-
Create the switched LANs (broadcast domains) in your CORE Network project.
- 7.1 Add network switches to simulate the real world. Remember that every switch creates a bridge interface on your workstation with all the linked interfaces attached to it. This means that you can always sniff the traffic directly on the emulated network switch. Rename the switches Aswitch and Bswitch and link both to firewall_router.
- 7.2 Create two nodes, A1 in the A LAN (10.0.1.0/24) and B1 in the B LAN (10.0.2.0/24).
- 7.3 In the A1 and B1 configuration, edit services.DefaultRoute so that the default gateway is the firewall_router IP on their own LAN.
- 7.4 Run tracepath from A1 to B1 and vice versa; this checks that the two networks can now reach each other through firewall_router.
-
Add some firewall rules to the firewall_router configuration:
- 8.1 Network A must reach the Internet but not B.
- 8.1.1 Enable services.Firewall in firewall_router.
- 8.1.2 Reject traffic from A to B in the FORWARD chain:
# IMPORTANT: accept returning packets from B to A first, otherwise replies to
# connections opened from B are never forwarded back. With this rule in place,
# B can reach A because the connection is already established when A answers.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# REJECT new traffic from A to B: ip_forward stays on, this rule rejects the packets
iptables -A FORWARD -s 10.0.1.0/24 -d 10.0.2.0/24 -j REJECT
- 8.1.3 Add a masquerade rule to NAT all the traffic from A to the Internet (eth0 is the firewall_router interface towards the workstation bridge; check the name in the node's configuration):
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
- 8.2 Network B must reach the Internet and also A.
- 8.2.1 Add a masquerade rule to NAT all the traffic from B to the Internet:
iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -o eth0 -j MASQUERADE
After this SNAT the packets leave firewall_router with source 10.0.0.1, so the workstation rule from 5.2 (-s 10.0.0.1) covers both LANs without changes.
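The rules of section 8 as one script for the Firewall service's firewall.sh. This is an added example, not the tutorial's own file nor CORE's default one; it assumes eth0 is the firewall_router interface towards the workstation bridge and keeps the 10.0.1.0/24 and 10.0.2.0/24 LANs. It goes one step beyond the text: FORWARD defaults to DROP and only the flows the tutorial wants are accepted, and the script refuses to install a rule list in which the REJECT precedes the RELATED,ESTABLISHED accept, which is the ordering mistake that silently breaks B to A.

```shell
#!/bin/sh
# firewall_router rule set (added example; not CORE's own Firewall service file).
# Assumed: eth0 faces the workstation bridge, LAN A 10.0.1.0/24, LAN B 10.0.2.0/24.
WAN_IF="${WAN_IF:-eth0}"
LAN_A="10.0.1.0/24"
LAN_B="10.0.2.0/24"

# Emit the rules in install order. Order is the point: the RELATED,ESTABLISHED
# accept must precede the A->B REJECT, because A's replies to a connection
# opened from B are A->B packets and would otherwise hit the REJECT.
fw_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F POSTROUTING
iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s $LAN_A -d $LAN_B -j REJECT
iptables -A FORWARD -s $LAN_A -o $WAN_IF -j ACCEPT
iptables -A FORWARD -s $LAN_B -j ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_A -o $WAN_IF -j MASQUERADE
iptables -t nat -A POSTROUTING -s $LAN_B -o $WAN_IF -j MASQUERADE
EOF
}

# Check a rule list ($1, one command per line) for the ordering trap:
# returns 0 only if the ESTABLISHED accept appears before the first REJECT.
fw_check_order() {
    printf '%s\n' "$1" | awk '
        /RELATED,ESTABLISHED/ && !est { est = NR }
        /-j REJECT/ && !rej { rej = NR }
        END { exit !(est && rej && est < rej) }'
}

# Install the rules inside firewall_router, then print what landed so it can
# be compared with the intended list.
fw_apply() {
    fw_check_order "$(fw_rules)" || { echo "refusing to install: REJECT before ESTABLISHED" >&2; return 1; }
    fw_rules | sh -e
    iptables -S FORWARD
}

if [ "${1:-}" = "apply" ]; then
    fw_apply
else
    fw_rules
fi
```

Run without arguments it only prints the rule list, so it can be reviewed before being pasted into the service; `-m conntrack --ctstate` is the current spelling of the tutorial's `-m state --state` and matches the same connection states. The explicit `-P FORWARD DROP` is what turns a single REJECT on an otherwise open router into a default-deny policy: anything not listed (for instance traffic from the workstation side into A or B) is dropped rather than forwarded.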
Remember: in ~/.core/configs you will also find more complex examples.
- Exercise: do the tasks described in section 8 without iptables, using Linux advanced routing (ip rule / ip route) and blackhole routes.
- Please contribute: suggest other basic use cases by opening an Issue or Pull Request.