From c7d6d1453d919bdb9363841b488147fce58e4163 Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Mon, 12 Aug 2024 10:15:00 +0200 Subject: [PATCH 01/15] add default variables for admin and user cidr --- .gitignore | 1 + terragrunt/videoserver/module/variables.tf | 13 +++++++++++++ 2 files changed, 14 insertions(+) diff --git a/.gitignore b/.gitignore index 2adb39c..20608e2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ roles/ venv/ +.venv/ .env .terragrunt-cache/ .terraform.lock.hcl diff --git a/terragrunt/videoserver/module/variables.tf b/terragrunt/videoserver/module/variables.tf index bda0f3b..ae00a6b 100644 --- a/terragrunt/videoserver/module/variables.tf +++ b/terragrunt/videoserver/module/variables.tf @@ -8,3 +8,16 @@ variable "dmz_cidr" { description = "CIDR of the dmz subnet" default = "172.17.100.0/24" } + + +variable "admin_cidr" { + type = string + description = "CIDR of the admin subnet" + default = "10.12.0.0/24 " +} + +variable "user_cidr" { + type = string + description = "CIDR of the user subnet" + default = "10.11.0.0/16" +} \ No newline at end of file From 1010dc37d5262f6b2b97362d9023df42409a23f0 Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Mon, 12 Aug 2024 10:18:22 +0200 Subject: [PATCH 02/15] add default variables for admin and user cidr to bootstrap --- terragrunt/bootstrap/module/variables.tf | 12 ++++++++++++ terragrunt/videoserver/module/variables.tf | 13 ------------- 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/terragrunt/bootstrap/module/variables.tf b/terragrunt/bootstrap/module/variables.tf index f175447..f736b26 100644 --- a/terragrunt/bootstrap/module/variables.tf +++ b/terragrunt/bootstrap/module/variables.tf 
@@ -87,3 +87,15 @@ variable "dmz_cidr" { description = "CIDR of the dmz subnet" default = "172.17.100.0/24" } + +variable "admin_cidr" { + type = string + description = "CIDR of the admin subnet" + default = "10.12.0.0/24 " +} + +variable "user_cidr" { + type = string + description = "CIDR of the user subnet" + default = "10.11.0.0/16" +} diff --git a/terragrunt/videoserver/module/variables.tf b/terragrunt/videoserver/module/variables.tf index ae00a6b..bda0f3b 100644 --- a/terragrunt/videoserver/module/variables.tf +++ b/terragrunt/videoserver/module/variables.tf @@ -8,16 +8,3 @@ variable "dmz_cidr" { description = "CIDR of the dmz subnet" default = "172.17.100.0/24" } - - -variable "admin_cidr" { - type = string - description = "CIDR of the admin subnet" - default = "10.12.0.0/24 " -} - -variable "user_cidr" { - type = string - description = "CIDR of the user subnet" - default = "10.11.0.0/16" -} \ No newline at end of file From a1da4a820aac5a11fcf693753bfe6552402efc35 Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Mon, 12 Aug 2024 10:23:03 +0200 Subject: [PATCH 03/15] create network admin --- terragrunt/bootstrap/module/main.tf | 42 ++++++++++++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/terragrunt/bootstrap/module/main.tf b/terragrunt/bootstrap/module/main.tf index b2df524..eadaefc 100644 --- a/terragrunt/bootstrap/module/main.tf +++ b/terragrunt/bootstrap/module/main.tf 
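Review bot: The default `"10.12.0.0/24 "` for `admin_cidr` carries a trailing space, so every `cidrhost(var.admin_cidr, …)` call in main.tf fails at plan time with an invalid-CIDR error; patch 09 of this series strips the space, but nothing prevents it from coming back. Add a `validation` block to both new variables so a malformed CIDR is rejected with a clear message instead of deep inside a `cidrhost()` call (needs Terraform ≥ 0.13). `user_cidr` also defaults to a /16 while every other subnet is a /24 — if that is intentional, say so in the description.
```hcl
variable "admin_cidr" {
  type        = string
  description = "CIDR of the admin subnet (IPv4, no surrounding whitespace)"
  default     = "10.12.0.0/24"

  validation {
    condition     = can(cidrnetmask(var.admin_cidr))
    error_message = "admin_cidr must be a valid IPv4 CIDR such as 10.12.0.0/24."
  }
}
# … same validation block for user_cidr …
```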
@@ -130,6 +130,33 @@ resource "openstack_networking_subnet_v2" "dmz_subnet" { } } +################################################################### +# +# CREATE NETWORK "ADMIN" +# +resource "openstack_networking_network_v2" "admin" { + name = "admin" + port_security_enabled = "false" + admin_state_up = "true" +} + +resource "openstack_networking_subnet_v2" "admin_subnet" { + name = "admin_subnet" + network_id = "${openstack_networking_network_v2.admin.id}" + cidr = var.admin_cidr + ip_version = 4 + gateway_ip = cidrhost(var.admin_cidr,254) + dns_nameservers = [cidrhost(var.admin_cidr,254)] + + + # make the allocation_pool smaller for gateway_ip + allocation_pool { + start = cidrhost(var.admin_cidr,20) + end = cidrhost(var.admin_cidr,200) + } +} + + #################################################################### # # CREATE INSTANCE for "Internet-Firewall" @@ -180,11 +207,17 @@ resource "openstack_compute_instance_v2" "inet-fw" { fixed_ip_v4 = cidrhost(var.dmz_cidr,254) } + network { + name = "admin" + fixed_ip_v4 = cidrhost(var.admin_cidr,254) + } + depends_on = [ openstack_compute_instance_v2.inet-dns, openstack_networking_network_v2.dmz, openstack_networking_network_v2.internet, - openstack_networking_network_v2.lan + openstack_networking_network_v2.lan, + openstack_networking_network_v2.admin ] } @@ -218,6 +251,7 @@ locals { mgmt_internet_ip = cidrhost(var.inet_cidr, 201) # Static IP for mgmt host in internet network mgmt_lan_ip = cidrhost(var.lan_cidr, 201) # Static IP for mgmt host in lan network mgmt_dmz_ip = cidrhost(var.dmz_cidr, 201) # Static IP for mgmt host in dmz network + mgmt_admin_ip = cidrhost(var.dmz_cidr, 201) # Static IP for mgmt host in admin network } resource "openstack_compute_instance_v2" "mgmt" { 
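Review bot: `port_security_enabled = "false"` on the new admin network switches off Neutron security groups and MAC/IP anti-spoofing for every port on the segment that will carry the admin PCs and the mgmt host, so any VM there can impersonate the gateway at `.254`. The block looks copied from the lan/dmz definitions, so this is presumably deliberate for the testbed, but whether the scenarios actually need it on this segment is not visible here; a one-line comment such as `# port security off on purpose: <reason>; security groups are NOT enforced on this network` would keep a later cleanup from flipping it either way. Minor: `"false"`/`"true"` are strings that the provider coerces — plain `false`/`true` is the idiomatic form.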
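Review bot: `mgmt_admin_ip = cidrhost(var.dmz_cidr, 201)` is a copy-paste slip: it evaluates to the same address as `mgmt_dmz_ip` (172.17.100.201 with the defaults), so the mgmt instance's new `admin` port requests a fixed IP that is not inside the admin subnet and the create fails. It should read `mgmt_admin_ip = cidrhost(var.admin_cidr, 201) # Static IP for mgmt host in admin network`. Patch 04 corrects it, but squashing the fix into this commit keeps the series bisectable.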
@@ -242,10 +276,16 @@ resource "openstack_compute_instance_v2" "mgmt" { fixed_ip_v4 = local.mgmt_dmz_ip } + network { + name = "admin" + fixed_ip_v4 = local.mgmt_admin_ip + } + depends_on = [ openstack_networking_network_v2.dmz, openstack_networking_network_v2.internet, openstack_networking_network_v2.lan + openstack_networking_network_v2.admin ] } From caff5f057aafb137b5c2a7164c5c183457f1b8e1 Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Tue, 13 Aug 2024 10:32:04 +0200 Subject: [PATCH 04/15] add user network --- terragrunt/bootstrap/module/main.tf | 48 ++++++++++++++++++++++++++--- 1 file changed, 44 insertions(+), 4 deletions(-) diff --git a/terragrunt/bootstrap/module/main.tf b/terragrunt/bootstrap/module/main.tf index eadaefc..22a7f0a 100644 --- a/terragrunt/bootstrap/module/main.tf +++ b/terragrunt/bootstrap/module/main.tf @@ -157,6 +157,33 @@ resource "openstack_networking_subnet_v2" "admin_subnet" { } +################################################################### +# +# CREATE NETWORK "USER" +# +resource "openstack_networking_network_v2" "user" { + name = "user" + port_security_enabled = "false" + admin_state_up = "true" +} + +resource "openstack_networking_subnet_v2" "user_subnet" { + name = "user_subnet" + network_id = "${openstack_networking_network_v2.user.id}" + cidr = var.user_cidr + ip_version = 4 + gateway_ip = cidrhost(var.user_cidr,254) + dns_nameservers = [cidrhost(var.user_cidr,254)] + + + # make the allocation_pool smaller for gateway_ip + allocation_pool { + start = cidrhost(var.user_cidr,20) + end = cidrhost(var.user_cidr,200) + } +} + + #################################################################### # # CREATE INSTANCE for "Internet-Firewall" 
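Review bot: The `depends_on` list of the mgmt instance lacks the comma after `openstack_networking_network_v2.lan`, so the appended `openstack_networking_network_v2.admin` makes the tuple unparsable (HCL requires commas between elements) and `terraform validate` fails on this commit. It should be `openstack_networking_network_v2.lan,` followed by `openstack_networking_network_v2.admin`. Patch 04 adds the comma, but a non-validating commit breaks bisection and any pipeline that plans per commit.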
@@ -212,12 +239,18 @@ resource "openstack_compute_instance_v2" "inet-fw" { fixed_ip_v4 = cidrhost(var.admin_cidr,254) } + network { + name = "user" + fixed_ip_v4 = cidrhost(var.user_cidr,254) + } + depends_on = [ openstack_compute_instance_v2.inet-dns, openstack_networking_network_v2.dmz, openstack_networking_network_v2.internet, openstack_networking_network_v2.lan, - openstack_networking_network_v2.admin + openstack_networking_network_v2.admin, + openstack_networking_network_v2.user, ] } @@ -251,7 +284,8 @@ locals { mgmt_internet_ip = cidrhost(var.inet_cidr, 201) # Static IP for mgmt host in internet network mgmt_lan_ip = cidrhost(var.lan_cidr, 201) # Static IP for mgmt host in lan network mgmt_dmz_ip = cidrhost(var.dmz_cidr, 201) # Static IP for mgmt host in dmz network - mgmt_admin_ip = cidrhost(var.dmz_cidr, 201) # Static IP for mgmt host in admin network + mgmt_admin_ip = cidrhost(var.admin_cidr, 201) # Static IP for mgmt host in admin network + mgmt_user_ip = cidrhost(var.user_cidr, 201) # Static IP for mgmt host in user network } resource "openstack_compute_instance_v2" "mgmt" { @@ -281,11 +315,17 @@ resource "openstack_compute_instance_v2" "mgmt" { fixed_ip_v4 = local.mgmt_admin_ip } + network { + name = "user" + fixed_ip_v4 = local.mgmt_user_ip + } + depends_on = [ openstack_networking_network_v2.dmz, openstack_networking_network_v2.internet, - openstack_networking_network_v2.lan - openstack_networking_network_v2.admin + openstack_networking_network_v2.lan, + openstack_networking_network_v2.admin, + openstack_networking_network_v2.user ] } From 50ee5df8b2a6e05389d57716eb1aab5c2a8a525e Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Tue, 13 Aug 2024 11:14:26 +0200 Subject: [PATCH 05/15] add firewallrules for admin network --- ansible/deploy/firewall/firewall.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ansible/deploy/firewall/firewall.yml b/ansible/deploy/firewall/firewall.yml index ad7ecf7..10bb085 100644 
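Review bot: inet-fw now gets a fifth NIC on the `user` network, but neither firewall playbook in this series defines a zone or a `USERIF` parameter for it (patches 05 and 10 only add `ADMINIF`), so Shorewall has no zone for that interface and hosts on 10.11.0.0/16 get neither routing nor DNS through `.254`, which the subnet declares as both gateway and nameserver. Either add the `user` zone, interface and policy alongside the admin ones, or leave the NIC off until the firewall config knows about it. The user subnet is also a /16 with port security disabled and an allocation pool of only `10.11.0.20`–`10.11.0.200`; if the /16 is intentional, a comment saying why would help.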
--- a/ansible/deploy/firewall/firewall.yml +++ b/ansible/deploy/firewall/firewall.yml @@ -29,10 +29,16 @@ type: ipv4, interface: { name: $DMZIF, broadcast: detect, options: "routeback,bridge,nosmurfs" } } + - { + name: admin, + type: ipv4, + interface: { name: $ADMINIF, broadcast: detect, options: "routeback,bridge,nosmurfs" } + } policy: - { source: fw, dest: all, policy: ACCEPT } - { source: lan, dest: inet, policy: ACCEPT } - { source: dmz, dest: inet, policy: ACCEPT } + - { source: admin, dest: all, policy: ACCEPT } - THIS POLICY HAS TO BE THE LAST - { source: all, dest: all, policy: REJECT, log: info } rules: @@ -40,6 +46,7 @@ - Permit access to SSH - { action: SSH/ACCEPT, source: lan, dest: fw } - { action: SSH/ACCEPT, source: dmz, dest: fw } + - { action: SSH/ACCEPT, source: admin, dest: fw } # - { action: ACCEPT, source: inet, dest: fw, proto: tcp, dest_port: "443,8006" } - PING Rules - { action: Ping/ACCEPT, source: all, dest: all } @@ -51,5 +58,6 @@ - { name: INETIF, value: ens3 } - { name: LANIF, value: ens4 } - { name: DMZIF, value: ens5 } + - { name: ADMINIF, value: ens6 } - role: auditd From 3c2571904590d0e7393675851cf08783392696dc Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Tue, 13 Aug 2024 13:17:38 +0200 Subject: [PATCH 06/15] put videoserver admin pc in admin network --- terragrunt/videoserver/module/adminpc.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terragrunt/videoserver/module/adminpc.tf b/terragrunt/videoserver/module/adminpc.tf index a879f2f..e3d2832 100644 --- a/terragrunt/videoserver/module/adminpc.tf +++ b/terragrunt/videoserver/module/adminpc.tf @@ -35,8 +35,8 @@ resource "openstack_compute_instance_v2" "adminpc" { user_data = local.ext_adminpc_userdata_file == null ? null : data.template_cloudinit_config.cloudinitadminpc[0].rendered network { - name = "lan" - fixed_ip_v4 = cidrhost(var.lan_cidr,222) + name = "admin" + fixed_ip_v4 = cidrhost(var.admin_cidr,222) } } 
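Review bot: `- { source: admin, dest: all, policy: ACCEPT }` grants the admin zone unrestricted access to inet, lan, dmz and the firewall itself, which is broader than any existing zone (lan and dmz only get `→ inet` here), and it also makes the new `SSH/ACCEPT admin→fw` rule a no-op because the policy already accepts that traffic. If the admin net is meant to be a fully trusted management segment, say so in a comment on the policy line; otherwise prefer zone-pair policies plus explicit rules, e.g. `- { source: admin, dest: inet, policy: ACCEPT }` and `- { source: admin, dest: dmz, policy: ACCEPT }`, and let `all→all REJECT` catch the rest. `ADMINIF: ens6` is only correct while `admin` remains the fourth `network` block of the inet-fw instance in the bootstrap module, since the NIC name follows attach order — that coupling deserves a comment on the param.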
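Review bot: This moves the videoserver adminpc to `var.admin_cidr`, but the videoserver module no longer declares that variable (patch 02 moved it to the bootstrap module), so `terraform validate` fails on this commit until patch 07 renames `lan_cidr` to `admin_cidr` in adminpc_variables.tf. Fold that variable change into this commit so the series stays bisectable. The pinned host `.222` lies outside the admin subnet's `.20`–`.200` allocation pool, which is what a static address needs, but that fact is only documented by the "make the allocation_pool smaller" comment in main.tf; a short `# outside the DHCP pool (.20-.200) defined in bootstrap` next to `fixed_ip_v4` would make it local.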
From 7995a8f954d36579777ea4711e2c0e4b2d557216 Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Tue, 13 Aug 2024 13:26:47 +0200 Subject: [PATCH 07/15] all admin pcs in admin network --- terragrunt/repository/module/adminpc.tf | 4 ++-- terragrunt/videoserver/module/adminpc_variables.tf | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/terragrunt/repository/module/adminpc.tf b/terragrunt/repository/module/adminpc.tf index a2236f0..25d8d13 100644 --- a/terragrunt/repository/module/adminpc.tf +++ b/terragrunt/repository/module/adminpc.tf @@ -38,8 +38,8 @@ resource "openstack_compute_instance_v2" "adminpc2" { user_data = local.ext_adminpc_userdata_file == null ? null : data.template_cloudinit_config.cloudinitadminpc[0].rendered network { - name = "lan" - fixed_ip_v4 = cidrhost(var.lan_cidr,223) + name = "admin" + fixed_ip_v4 = cidrhost(var.admin_cidr,223) } } diff --git a/terragrunt/videoserver/module/adminpc_variables.tf b/terragrunt/videoserver/module/adminpc_variables.tf index f0c926c..0f74207 100644 --- a/terragrunt/videoserver/module/adminpc_variables.tf +++ b/terragrunt/videoserver/module/adminpc_variables.tf @@ -15,8 +15,8 @@ variable "adminpc_userdata" { default = null } -variable "lan_cidr" { +variable "admin_cidr" { type = string - description = "CIDR of the dmz subnet" - default = "192.168.100.0/24" + description = "CIDR of the admin subnet" + default = "10.12.0.0/24" } From 6dd725cfc77ceee045deaa8e7beca9cc4f0d43b1 Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Tue, 13 Aug 2024 13:34:20 +0200 Subject: [PATCH 08/15] add admin cidr to admin variables --- terragrunt/repository/module/adminpc_variables.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/terragrunt/repository/module/adminpc_variables.tf b/terragrunt/repository/module/adminpc_variables.tf index f2db740..c4a4be6 100644 --- a/terragrunt/repository/module/adminpc_variables.tf +++ b/terragrunt/repository/module/adminpc_variables.tf 
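Review bot: Renaming the videoserver module's `lan_cidr` variable to `admin_cidr` removes a variable that other files in that module may still reference (worth grepping for `var.lan_cidr` before merging), and the repository module's `adminpc2` now uses `var.admin_cidr`, which that module does not declare until patch 08. Beyond the ordering, the admin CIDR is now defaulted independently in three modules (bootstrap, videoserver, repository), which invites drift — patch 15 later changes the bootstrap value to `10.12.100.0/24`, and whether the module defaults follow is not visible in this chunk. Pass the CIDR in from the bootstrap outputs via terragrunt inputs, or at least declare the module variable without a default so a mismatch surfaces at plan time rather than as an out-of-subnet fixed IP.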
@@ -15,3 +15,8 @@ variable "adminpc_userdata" { default = null } +variable "admin_cidr" { + type = string + description = "CIDR of the admin subnet" + default = "10.12.0.0/24" +} \ No newline at end of file From 04ea2e13507156da6f21b3007ec42c985d057d21 Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Tue, 13 Aug 2024 13:40:22 +0200 Subject: [PATCH 09/15] remove trailing space --- terragrunt/bootstrap/module/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terragrunt/bootstrap/module/variables.tf b/terragrunt/bootstrap/module/variables.tf index f736b26..f41d755 100644 --- a/terragrunt/bootstrap/module/variables.tf +++ b/terragrunt/bootstrap/module/variables.tf @@ -91,7 +91,7 @@ variable "dmz_cidr" { variable "admin_cidr" { type = string description = "CIDR of the admin subnet" - default = "10.12.0.0/24 " + default = "10.12.0.0/24" } variable "user_cidr" { From 0298d40b12dfce2a9cf5bc6192f32efc56a32953 Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Tue, 13 Aug 2024 15:04:09 +0200 Subject: [PATCH 10/15] add admin network to shorewall config --- packer/firewall/playbook/main.yaml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/packer/firewall/playbook/main.yaml b/packer/firewall/playbook/main.yaml index 3f59cc3..05fbce1 100644 --- a/packer/firewall/playbook/main.yaml +++ b/packer/firewall/playbook/main.yaml 
@@ -11,13 +11,6 @@ # pass: aecid aeciduser_pass: "$6$9AqxTPJqYsFXwgPN$xAC4y1Vndk00EaBCuFcJC37BYDYYVAgt9SHymg15KSdKddZnwG.SsQaJvHarH4DYQj3tuboeLa4G5EfL7itcC0" - role: suricata - - role: dnsmasq - vars: - dnsmasq_config: - - { name: "logging", content: "log-queries" } - - { name: "puppetserver", content: "address=/puppet.{{ internal_domain }}/172.17.100.122" } - - { name: "linuxshare", content: "address=/linuxshare.{{ internal_domain }}/192.168.100.23" } - - { name: "kafka", content: "address=/kafka.{{ internal_domain }}/192.168.100.10" } dnsmasq_systemd_resolved_disable: true - role: shorewall vars: @@ -40,8 +33,14 @@ type: ipv4, interface: { name: $DMZIF, broadcast: detect, options: "routeback,bridge,nosmurfs" } } + - { + name: admin, + type: ipv4, + interface: { name: $ADMINIF, broadcast: detect, options: "routeback,bridge,nosmurfs" } + } policy: - { source: fw, dest: all, policy: ACCEPT } + - { source: admin, dest: all, policy: ACCEPT } - { source: lan, dest: inet, policy: ACCEPT } - { source: lan, dest: dmz, policy: ACCEPT } - { source: dmz, dest: inet, policy: ACCEPT } @@ -64,9 +63,11 @@ - Permit access to SSH - { action: SSH/ACCEPT, source: lan, dest: fw } - { action: SSH/ACCEPT, source: dmz, dest: fw } + - { action: SSH/ACCEPT, source: admin, dest: fw } - Permit access to DNS - { action: DNS/ACCEPT, source: lan, dest: fw } - { action: DNS/ACCEPT, source: dmz, dest: fw } + - { action: DNS/ACCEPT, source: admin, dest: fw } # - { action: ACCEPT, source: inet, dest: fw, proto: tcp, dest_port: "443,8006" } - PING Rules - { action: Ping/ACCEPT, source: all, dest: all } @@ -78,6 +79,7 @@ - { name: INETIF, value: ens3 } - { name: LANIF, value: ens4 } - { name: DMZIF, value: ens5 } + - { name: ADMINIF, value: ens6 } - { name: REPOSERVER, value: 172.17.100.122} - { name: LINUXSHARE, value: 192.168.100.23} - { name: VIDEOSERVER, value: 172.17.100.121} From bc0d4035945fd92b0448e8503dd87b8dd324babd Mon Sep 17 00:00:00 2001 
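Review bot: The first hunk deletes the whole `dnsmasq` role (with its puppet/linuxshare/kafka `address=` entries) from the firewall image, which is unrelated to "add admin network to shorewall config" and leaves `dnsmasq_systemd_resolved_disable: true` dangling under the `suricata` role where it has no effect. Without dnsmasq the firewall no longer answers the queries the new admin subnet sends to it (its `dns_nameservers` is the firewall at `.254`), even though a later hunk adds `DNS/ACCEPT admin→fw`. Patch 13 restores the role, so this looks like an accidental deletion; drop the hunk from this commit rather than relying on the later fix.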
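Review bot: `ADMINIF: ens6` hard-codes the fourth NIC name, which only holds while `admin` stays the fourth `network` block of the `inet-fw` instance in `terragrunt/bootstrap/module/main.tf`, because interface numbering follows attach order. Add `# NIC order must match the network{} block order of inet-fw in bootstrap main.tf` above the params list, or select the interface by address rather than by `ensN`, so a reordered Terraform block does not silently put the admin zone on the wrong wire. The hard-coded `REPOSERVER`/`LINUXSHARE`/`VIDEOSERVER` addresses in the same list are the same kind of coupling and could be passed in from the Terraform values.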
From: thorinaboenke Date: Tue, 13 Aug 2024 15:08:54 +0200 Subject: [PATCH 11/15] use new admin ip in scenario 1 --- ansible/run/scenario1/templates/scenario_1_c_a.j2 | 3 ++- ansible/run/scenario1/templates/scenario_1_c_b.j2 | 2 +- ansible/run/scenario1/templates/scenario_1_c_c.j2 | 2 +- ansible/run/scenario1/templates/scenario_1_d_a.j2 | 3 ++- ansible/run/scenario1/templates/scenario_1_d_b.j2 | 3 ++- ansible/run/scenario1/templates/scenario_1_d_c.j2 | 2 +- 6 files changed, 9 insertions(+), 6 deletions(-) diff --git a/ansible/run/scenario1/templates/scenario_1_c_a.j2 b/ansible/run/scenario1/templates/scenario_1_c_a.j2 index 3eb9e1f..1efa0cd 100644 --- a/ansible/run/scenario1/templates/scenario_1_c_a.j2 +++ b/ansible/run/scenario1/templates/scenario_1_c_a.j2 @@ -7,6 +7,7 @@ vars: $SERVER_ADDRESS: 192.42.0.254 $ATTACKER_ADDRESS: 192.42.1.174 $DNS_SERVER: 192.42.0.233 + $ADMIN_SERVER: 10.12.0.222 $DOMAIN: aecid-testbed.com $USER: aecid $DNS_LIST: /usr/local/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt @@ -131,7 +132,7 @@ commands: - type: ssh cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no root@172.17.100.121 reboot" | at now + 2 minute - hostname: 192.168.100.222 + hostname: $ADMIN_SERVER username: aecid password: aecid jmp_hostname: 192.42.2.42 diff --git a/ansible/run/scenario1/templates/scenario_1_c_b.j2 b/ansible/run/scenario1/templates/scenario_1_c_b.j2 index 2aa689a..9daba80 100644 --- a/ansible/run/scenario1/templates/scenario_1_c_b.j2 +++ b/ansible/run/scenario1/templates/scenario_1_c_b.j2 @@ -131,7 +131,7 @@ commands: - type: ssh cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no root@172.17.100.121 reboot" | at now + 2 minute - hostname: 192.168.100.222 + hostname: $ADMIN_SERVER username: aecid password: aecid jmp_hostname: "192.42.2.42" diff --git a/ansible/run/scenario1/templates/scenario_1_c_c.j2 b/ansible/run/scenario1/templates/scenario_1_c_c.j2 index e27799c..12591ff 100644 
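Review bot: `scenario_1_c_b.j2` (and likewise `scenario_1_c_c.j2` and `scenario_1_d_c.j2`) now uses `$ADMIN_SERVER` as the ssh `hostname`, but the diffstat shows one insertion and one deletion for each of those files, so the variable is never added to their `vars:` block — only `_c_a`, `_d_a` and `_d_b` receive the `$ADMIN_SERVER: 10.12.0.222` line. Unless the vars are merged from a shared template, the rendered scenario will try to ssh to the literal string `$ADMIN_SERVER`. Add the same vars entry to the three remaining files, or render the address from the Terraform/inventory value so `10.12.0.222` is not hard-coded six times.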
--- a/ansible/run/scenario1/templates/scenario_1_c_c.j2 +++ b/ansible/run/scenario1/templates/scenario_1_c_c.j2 @@ -131,7 +131,7 @@ commands: - type: ssh cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no root@172.17.100.121 reboot" | at now + 2 minute - hostname: 192.168.100.222 + hostname: $ADMIN_SERVER username: aecid password: aecid jmp_hostname: "192.42.2.42" diff --git a/ansible/run/scenario1/templates/scenario_1_d_a.j2 b/ansible/run/scenario1/templates/scenario_1_d_a.j2 index a700b50..bede630 100644 --- a/ansible/run/scenario1/templates/scenario_1_d_a.j2 +++ b/ansible/run/scenario1/templates/scenario_1_d_a.j2 @@ -7,6 +7,7 @@ vars: $SERVER_ADDRESS: 192.42.0.254 $ATTACKER_ADDRESS: 192.42.1.174 $DNS_SERVER: 192.42.0.233 + $ADMIN_SERVER: 10.12.0.222 $DOMAIN: aecid-testbed.com $USER: aecid $DNS_LIST: /usr/local/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt @@ -132,7 +133,7 @@ commands: - type: ssh cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no root@172.17.100.121 '. /etc/bash_completion'" | at now + 10 minute - hostname: 192.168.100.222 + hostname: $ADMIN_SERVER username: aecid password: aecid jmp_hostname: 192.42.2.42 diff --git a/ansible/run/scenario1/templates/scenario_1_d_b.j2 b/ansible/run/scenario1/templates/scenario_1_d_b.j2 index f544349..ae4d3c2 100644 --- a/ansible/run/scenario1/templates/scenario_1_d_b.j2 +++ b/ansible/run/scenario1/templates/scenario_1_d_b.j2 @@ -7,6 +7,7 @@ vars: $SERVER_ADDRESS: 192.42.0.254 $ATTACKER_ADDRESS: 192.42.1.174 $DNS_SERVER: 192.42.0.233 + $ADMIN_SERVER: 10.12.0.222 $DOMAIN: aecid-testbed.com $USER: aecid $DNS_LIST: /usr/local/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt @@ -132,7 +133,7 @@ commands: - type: ssh cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no root@172.17.100.121 '. /etc/bash_completion'" | at now + 10 minute - hostname: 192.168.100.222 + hostname: $ADMIN_SERVER username: aecid password: aecid jmp_hostname: 192.42.2.42 
diff --git a/ansible/run/scenario1/templates/scenario_1_d_c.j2 b/ansible/run/scenario1/templates/scenario_1_d_c.j2 index 1899e1c..4b1848e 100644 --- a/ansible/run/scenario1/templates/scenario_1_d_c.j2 +++ b/ansible/run/scenario1/templates/scenario_1_d_c.j2 @@ -132,7 +132,7 @@ commands: - type: ssh cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no root@172.17.100.121 '. /etc/bash_completion'" | at now + 10 minute - hostname: 192.168.100.222 + hostname: $ADMIN_SERVER username: aecid password: aecid jmp_hostname: 192.42.1.232 From 6258b3295b639b0dc7f45fef407e0cff781bc102 Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Tue, 13 Aug 2024 15:09:56 +0200 Subject: [PATCH 12/15] use new admin ip in scenario 3 --- ansible/run/scenario3/templates/scenario_3_c.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ansible/run/scenario3/templates/scenario_3_c.j2 b/ansible/run/scenario3/templates/scenario_3_c.j2 index db5751b..2ce93b7 100644 --- a/ansible/run/scenario3/templates/scenario_3_c.j2 +++ b/ansible/run/scenario3/templates/scenario_3_c.j2 @@ -7,6 +7,7 @@ vars: $SERVER_ADDRESS: 192.42.0.254 $ATTACKER_ADDRESS: 192.42.1.174 $DNS_SERVER: 192.42.0.233 + $ADMIN_SERVER: 10.12.0.222 commands: - type: shell @@ -202,7 +203,7 @@ commands: - type: ssh cmd: echo "ssh -i .ssh/rootkey -o StrictHostKeyChecking=no root@192.168.100.23 \"apt update && apt install -y healthcheckd\"" | at now + 2 minute - hostname: 192.168.100.223 + hostname: $ADMIN_SERVER username: aecid password: aecid jmp_hostname: 192.42.2.42 From 63c2700e1101e3203355550331527f70f4f275a9 Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Tue, 13 Aug 2024 18:12:07 +0200 Subject: [PATCH 13/15] dmasq --- packer/firewall/playbook/main.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/packer/firewall/playbook/main.yaml b/packer/firewall/playbook/main.yaml index 05fbce1..8ff1b07 100644 --- a/packer/firewall/playbook/main.yaml +++ b/packer/firewall/playbook/main.yaml 
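Review bot: `scenario_3_c.j2` previously targeted `192.168.100.223`, i.e. the repository module's `adminpc2` (pinned at `cidrhost(var.admin_cidr, 223)` in patch 07), but `$ADMIN_SERVER` is defined as `10.12.0.222`, which is the videoserver adminpc. The step that installs `healthcheckd` on 192.168.100.23 therefore runs from a different admin PC than before, and whether that host has the same `.ssh/rootkey` is not visible here. If the switch is not intended, use `$ADMIN_SERVER: 10.12.0.223` in this file (or a distinctly named `$ADMIN_SERVER2`) so the two admin hosts are not conflated; if it is, say so in the commit message. The `scenario_1_d_c.j2` hunk above has the same problem as its siblings: nothing in that file defines `$ADMIN_SERVER`.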
@@ -11,6 +11,13 @@ # pass: aecid aeciduser_pass: "$6$9AqxTPJqYsFXwgPN$xAC4y1Vndk00EaBCuFcJC37BYDYYVAgt9SHymg15KSdKddZnwG.SsQaJvHarH4DYQj3tuboeLa4G5EfL7itcC0" - role: suricata + - role: dnsmasq + vars: + dnsmasq_config: + - { name: "logging", content: "log-queries" } + - { name: "puppetserver", content: "address=/puppet.{{ internal_domain }}/172.17.100.122" } + - { name: "linuxshare", content: "address=/linuxshare.{{ internal_domain }}/192.168.100.23" } + - { name: "kafka", content: "address=/kafka.{{ internal_domain }}/192.168.100.10" } dnsmasq_systemd_resolved_disable: true - role: shorewall vars: From 19df3d2ddbc66d00131c6d2e3b538f88aa76c185 Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Tue, 13 Aug 2024 19:56:13 +0200 Subject: [PATCH 14/15] remove admin and user net --- terragrunt/bootstrap/module/main.tf | 89 ++----------------- terragrunt/bootstrap/module/variables.tf | 11 --- terragrunt/repository/module/adminpc.tf | 4 +- .../repository/module/adminpc_variables.tf | 5 -- terragrunt/videoserver/module/adminpc.tf | 4 +- .../videoserver/module/adminpc_variables.tf | 6 -- 6 files changed, 12 insertions(+), 107 deletions(-) diff --git a/terragrunt/bootstrap/module/main.tf b/terragrunt/bootstrap/module/main.tf index 22a7f0a..92ada15 100644 --- a/terragrunt/bootstrap/module/main.tf +++ b/terragrunt/bootstrap/module/main.tf 
@@ -130,60 +130,6 @@ resource "openstack_networking_subnet_v2" "dmz_subnet" { } } -################################################################### -# -# CREATE NETWORK "ADMIN" -# -resource "openstack_networking_network_v2" "admin" { - name = "admin" - port_security_enabled = "false" - admin_state_up = "true" -} - -resource "openstack_networking_subnet_v2" "admin_subnet" { - name = "admin_subnet" - network_id = "${openstack_networking_network_v2.admin.id}" - cidr = var.admin_cidr - ip_version = 4 - gateway_ip = cidrhost(var.admin_cidr,254) - dns_nameservers = [cidrhost(var.admin_cidr,254)] - - - # make the allocation_pool smaller for gateway_ip - allocation_pool { - start = cidrhost(var.admin_cidr,20) - end = cidrhost(var.admin_cidr,200) - } -} - - -################################################################### -# -# CREATE NETWORK "USER" -# -resource "openstack_networking_network_v2" "user" { - name = "user" - port_security_enabled = "false" - admin_state_up = "true" -} - -resource "openstack_networking_subnet_v2" "user_subnet" { - name = "user_subnet" - network_id = "${openstack_networking_network_v2.user.id}" - cidr = var.user_cidr - ip_version = 4 - gateway_ip = cidrhost(var.user_cidr,254) - dns_nameservers = [cidrhost(var.user_cidr,254)] - - - # make the allocation_pool smaller for gateway_ip - allocation_pool { - start = cidrhost(var.user_cidr,20) - end = cidrhost(var.user_cidr,200) - } -} - - #################################################################### # # CREATE INSTANCE for "Internet-Firewall" 
@@ -234,23 +180,11 @@ resource "openstack_compute_instance_v2" "inet-fw" { fixed_ip_v4 = cidrhost(var.dmz_cidr,254) } - network { - name = "admin" - fixed_ip_v4 = cidrhost(var.admin_cidr,254) - } - - network { - name = "user" - fixed_ip_v4 = cidrhost(var.user_cidr,254) - } - depends_on = [ openstack_compute_instance_v2.inet-dns, openstack_networking_network_v2.dmz, openstack_networking_network_v2.internet, openstack_networking_network_v2.lan, - openstack_networking_network_v2.admin, - openstack_networking_network_v2.user, ] } @@ -282,12 +216,17 @@ data "openstack_images_image_v2" "mgmt-image" { locals { mgmt_internet_ip = cidrhost(var.inet_cidr, 201) # Static IP for mgmt host in internet network +} + +locals { mgmt_lan_ip = cidrhost(var.lan_cidr, 201) # Static IP for mgmt host in lan network +} + +locals { mgmt_dmz_ip = cidrhost(var.dmz_cidr, 201) # Static IP for mgmt host in dmz network - mgmt_admin_ip = cidrhost(var.admin_cidr, 201) # Static IP for mgmt host in admin network - mgmt_user_ip = cidrhost(var.user_cidr, 201) # Static IP for mgmt host in user network } + resource "openstack_compute_instance_v2" "mgmt" { name = "mgmt" flavor_name = var.mgmt_flavor @@ -310,24 +249,12 @@ resource "openstack_compute_instance_v2" "mgmt" { fixed_ip_v4 = local.mgmt_dmz_ip } - network { - name = "admin" - fixed_ip_v4 = local.mgmt_admin_ip - } - - network { - name = "user" - fixed_ip_v4 = local.mgmt_user_ip - } - depends_on = [ openstack_networking_network_v2.dmz, openstack_networking_network_v2.internet, openstack_networking_network_v2.lan, - openstack_networking_network_v2.admin, - openstack_networking_network_v2.user - ] + ] } data "openstack_networking_port_v2" "mgmt"{ diff --git a/terragrunt/bootstrap/module/variables.tf b/terragrunt/bootstrap/module/variables.tf index f41d755..41f9277 100644 --- a/terragrunt/bootstrap/module/variables.tf +++ b/terragrunt/bootstrap/module/variables.tf 
@@ -88,14 +88,3 @@ variable "dmz_cidr" { default = "172.17.100.0/24" } -variable "admin_cidr" { - type = string - description = "CIDR of the admin subnet" - default = "10.12.0.0/24" -} - -variable "user_cidr" { - type = string - description = "CIDR of the user subnet" - default = "10.11.0.0/16" -} diff --git a/terragrunt/repository/module/adminpc.tf b/terragrunt/repository/module/adminpc.tf index 25d8d13..a2236f0 100644 --- a/terragrunt/repository/module/adminpc.tf +++ b/terragrunt/repository/module/adminpc.tf @@ -38,8 +38,8 @@ resource "openstack_compute_instance_v2" "adminpc2" { user_data = local.ext_adminpc_userdata_file == null ? null : data.template_cloudinit_config.cloudinitadminpc[0].rendered network { - name = "admin" - fixed_ip_v4 = cidrhost(var.admin_cidr,223) + name = "lan" + fixed_ip_v4 = cidrhost(var.lan_cidr,223) } } diff --git a/terragrunt/repository/module/adminpc_variables.tf b/terragrunt/repository/module/adminpc_variables.tf index c4a4be6..f2db740 100644 --- a/terragrunt/repository/module/adminpc_variables.tf +++ b/terragrunt/repository/module/adminpc_variables.tf @@ -15,8 +15,3 @@ variable "adminpc_userdata" { default = null } -variable "admin_cidr" { - type = string - description = "CIDR of the admin subnet" - default = "10.12.0.0/24" -} \ No newline at end of file diff --git a/terragrunt/videoserver/module/adminpc.tf b/terragrunt/videoserver/module/adminpc.tf index e3d2832..a879f2f 100644 --- a/terragrunt/videoserver/module/adminpc.tf +++ b/terragrunt/videoserver/module/adminpc.tf @@ -35,8 +35,8 @@ resource "openstack_compute_instance_v2" "adminpc" { user_data = local.ext_adminpc_userdata_file == null ? null : data.template_cloudinit_config.cloudinitadminpc[0].rendered network { - name = "admin" - fixed_ip_v4 = cidrhost(var.admin_cidr,222) + name = "lan" + fixed_ip_v4 = cidrhost(var.lan_cidr,222) } } 
diff --git a/terragrunt/videoserver/module/adminpc_variables.tf b/terragrunt/videoserver/module/adminpc_variables.tf index 0f74207..d7a10bc 100644 --- a/terragrunt/videoserver/module/adminpc_variables.tf +++ b/terragrunt/videoserver/module/adminpc_variables.tf @@ -14,9 +14,3 @@ variable "adminpc_userdata" { description = "Userdata for the adminpc virtual machine" default = null } - -variable "admin_cidr" { - type = string - description = "CIDR of the admin subnet" - default = "10.12.0.0/24" -} From 16baa42a711750b1f6c5ca3a412fc6a3d1a2d91e Mon Sep 17 00:00:00 2001 From: thorinaboenke Date: Wed, 5 Feb 2025 17:53:26 +0100 Subject: [PATCH 15/15] add admin network --- terragrunt/bootstrap/module/main.tf | 93 +++++++++++++------ terragrunt/bootstrap/module/variables.tf | 26 ++---- terragrunt/repository/module/adminpc.tf | 4 +- .../repository/module/adminpc_variables.tf | 5 + .../repository/module/scripts/default.yml | 1 + terragrunt/videoserver/module/adminpc.tf | 4 +- .../videoserver/module/adminpc_variables.tf | 6 ++ 7 files changed, 89 insertions(+), 50 deletions(-) diff --git a/terragrunt/bootstrap/module/main.tf b/terragrunt/bootstrap/module/main.tf index 92ada15..3c8b81d 100644 --- a/terragrunt/bootstrap/module/main.tf +++ b/terragrunt/bootstrap/module/main.tf @@ -26,7 +26,7 @@ resource "openstack_networking_network_v2" "internet" { resource "openstack_networking_subnet_v2" "internet_subnet" { name = "internet_subnet" network_id = "${openstack_networking_network_v2.internet.id}" - cidr = var.inet_cidr + cidr = var.subnet_cidrs["inet"] dns_nameservers = var.inet_dns ip_version = 4 } @@ -70,7 +70,7 @@ resource "openstack_compute_instance_v2" "inet-dns" { network { name = "internet" - fixed_ip_v4 = cidrhost(var.inet_cidr,514) + fixed_ip_v4 = cidrhost(var.subnet_cidrs["inet"],514) } depends_on = [ 
@@ -92,15 +92,15 @@ resource "openstack_networking_network_v2" "lan" { resource "openstack_networking_subnet_v2" "lan_subnet" { name = "lan_subnet" network_id = "${openstack_networking_network_v2.lan.id}" - cidr = var.lan_cidr + cidr = var.subnet_cidrs["lan"] ip_version = 4 - gateway_ip = cidrhost(var.lan_cidr,254) - dns_nameservers = [cidrhost(var.lan_cidr,254)] + gateway_ip = cidrhost(var.subnet_cidrs["lan"],254) + dns_nameservers = [cidrhost(var.subnet_cidrs["lan"],254)] # make the allocation_pool smaller for gateway_ip allocation_pool { - start = cidrhost(var.lan_cidr,20) - end = cidrhost(var.lan_cidr,200) + start = cidrhost(var.subnet_cidrs["lan"],20) + end = cidrhost(var.subnet_cidrs["lan"],200) } } 
@@ -117,19 +117,46 @@ resource "openstack_networking_network_v2" "dmz" { resource "openstack_networking_subnet_v2" "dmz_subnet" { name = "dmz_subnet" network_id = "${openstack_networking_network_v2.dmz.id}" - cidr = var.dmz_cidr + cidr = var.subnet_cidrs["dmz"] ip_version = 4 - gateway_ip = cidrhost(var.dmz_cidr,254) - dns_nameservers = [cidrhost(var.dmz_cidr,254)] + gateway_ip = cidrhost(var.subnet_cidrs["dmz"],254) + dns_nameservers = [cidrhost(var.subnet_cidrs["dmz"],254)] # make the allocation_pool smaller for gateway_ip allocation_pool { - start = cidrhost(var.dmz_cidr,20) - end = cidrhost(var.dmz_cidr,200) + start = cidrhost(var.subnet_cidrs["dmz"],20) + end = cidrhost(var.subnet_cidrs["dmz"],200) } } +################################################################### +# +# CREATE NETWORK "ADMIN" +# +resource "openstack_networking_network_v2" "admin" { + name = "admin" + port_security_enabled = "false" + admin_state_up = "true" +} + +resource "openstack_networking_subnet_v2" "admin_subnet" { + name = "admin_subnet" + network_id = "${openstack_networking_network_v2.admin.id}" + cidr = var.subnet_cidrs["admin"] + ip_version = 4 + gateway_ip = cidrhost(var.subnet_cidrs["admin"],254) + dns_nameservers = [cidrhost(var.subnet_cidrs["admin"],254)] + + + # make the allocation_pool smaller for gateway_ip + allocation_pool { + start = cidrhost(var.subnet_cidrs["admin"],20) + end = cidrhost(var.subnet_cidrs["admin"],200) + } +} + + #################################################################### # # CREATE INSTANCE for "Internet-Firewall" 
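Review bot: The re-added `admin` network again sets `port_security_enabled = "false"`, disabling Neutron security groups and anti-spoofing on the segment that hosts the admin PCs and the mgmt host — the segment the scenarios pivot through — without a comment saying whether that is required; add `# port security off on purpose: <reason>; security groups are not enforced on this network` so a later cleanup neither re-enables it by mistake nor leaves it off by accident. `gateway_ip` and `dns_nameservers` both point at `.254`, the inet-fw interface attached further down, so this subnet only functions once the firewall image carries the Shorewall `admin` zone with its `DNS/ACCEPT admin→fw` rule; worth stating in the same comment. Minor: `"false"`/`"true"` are strings where plain HCL booleans are idiomatic.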
@@ -167,17 +194,22 @@ resource "openstack_compute_instance_v2" "inet-fw" { network { name = "internet" - fixed_ip_v4 = cidrhost(var.inet_cidr,254) + fixed_ip_v4 = cidrhost(var.subnet_cidrs["inet"],254) } network { name = "lan" - fixed_ip_v4 = cidrhost(var.lan_cidr,254) + fixed_ip_v4 = cidrhost(var.subnet_cidrs["lan"],254) } network { name = "dmz" - fixed_ip_v4 = cidrhost(var.dmz_cidr,254) + fixed_ip_v4 = cidrhost(var.subnet_cidrs["dmz"],254) + } + + network { + name = "admin" + fixed_ip_v4 = cidrhost(var.subnet_cidrs["admin"],254) } depends_on = [ @@ -185,6 +217,7 @@ resource "openstack_compute_instance_v2" "inet-fw" { openstack_networking_network_v2.dmz, openstack_networking_network_v2.internet, openstack_networking_network_v2.lan, + openstack_networking_network_v2.admin ] } @@ -215,18 +248,14 @@ data "openstack_images_image_v2" "mgmt-image" { } locals { - mgmt_internet_ip = cidrhost(var.inet_cidr, 201) # Static IP for mgmt host in internet network -} - -locals { - mgmt_lan_ip = cidrhost(var.lan_cidr, 201) # Static IP for mgmt host in lan network -} - -locals { - mgmt_dmz_ip = cidrhost(var.dmz_cidr, 201) # Static IP for mgmt host in dmz network + mgmt_ips = { + internet = cidrhost(var.subnet_cidrs["inet"], 201) + lan = cidrhost(var.subnet_cidrs["lan"], 201) + dmz = cidrhost(var.subnet_cidrs["dmz"], 201) + admin = cidrhost(var.subnet_cidrs["admin"], 201) + } } - resource "openstack_compute_instance_v2" "mgmt" { name = "mgmt" flavor_name = var.mgmt_flavor 
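Review bot: The `mgmt_ips` local now gives the mgmt host a static address on the admin segment as well as internet, lan and dmz (`admin = cidrhost(var.subnet_cidrs["admin"], 201)`), so that host straddles every segment including the new privileged one and reaches admin without passing the inet-fw. If that is intended for the management role it should be stated next to the local, e.g. `# mgmt is deliberately multi-homed on every segment (incl. admin) and bypasses inet-fw; treat it as a high-value host`. The mgmt instance resource that consumes these addresses starts at the end of this hunk and continues in the next one.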
@@ -236,29 +265,35 @@ resource "openstack_compute_instance_v2" "mgmt" { network { name = "internet" - fixed_ip_v4 = local.mgmt_internet_ip + fixed_ip_v4 = local.mgmt_ips.internet } network { name = "lan" - fixed_ip_v4 = local.mgmt_lan_ip + fixed_ip_v4 = local.mgmt_ips.lan } network { name = "dmz" - fixed_ip_v4 = local.mgmt_dmz_ip + fixed_ip_v4 = local.mgmt_ips.dmz + } + + network { + name = "admin" + fixed_ip_v4 = local.mgmt_ips.admin } depends_on = [ openstack_networking_network_v2.dmz, openstack_networking_network_v2.internet, openstack_networking_network_v2.lan, + openstack_networking_network_v2.admin, ] } data "openstack_networking_port_v2" "mgmt"{ - fixed_ip = local.mgmt_internet_ip + fixed_ip = local.mgmt_ips.internet depends_on = [ openstack_compute_instance_v2.mgmt ] diff --git a/terragrunt/bootstrap/module/variables.tf b/terragrunt/bootstrap/module/variables.tf index 41f9277..76b53fe 100644 --- a/terragrunt/bootstrap/module/variables.tf +++ b/terragrunt/bootstrap/module/variables.tf @@ -26,12 +26,6 @@ variable "ext_router" { description = "name of the external router" } -variable "inet_cidr" { - type = string - description = "CIDR of the internet subnet" - default = "192.42.0.0/16" -} - variable "inetdns_flavor" { type = string description = "flavor of the internet dns server" @@ -76,15 +70,13 @@ variable "inet_dns" { default = ["1.1.1.1","8.8.8.8"] } -variable "lan_cidr" { - type = string - description = "CIDR of the lan subnet" - default = "192.168.100.0/24" -} - -variable "dmz_cidr" { - type = string - description = "CIDR of the dmz subnet" - default = "172.17.100.0/24" +variable "subnet_cidrs" { + type = map(string) + description = "CIDRs for various subnets" + default = { + inet = "192.42.0.0/16" + lan = "192.168.100.0/24" + dmz = "172.17.100.0/24" + admin = "10.12.100.0/24" + } } - diff --git a/terragrunt/repository/module/adminpc.tf b/terragrunt/repository/module/adminpc.tf index a2236f0..25d8d13 100644 --- a/terragrunt/repository/module/adminpc.tf 
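Review bot: `subnet_cidrs` replaces four independently-defaulted variables with one map but adds no validation, so a missing or misspelled key (every consumer indexes it as `var.subnet_cidrs["lan"]`, `["admin"]`, etc.) or a non-CIDR value only surfaces as a cryptic `cidrhost` error deep inside main.tf; a `validation` block on the variable rejects that at plan time with a readable message. Note also that the `admin` default here (`10.12.100.0/24`) differs from the `admin_cidr` default `10.12.0.0/24` that the repository and videoserver modules introduce later in this diff, so unless terragrunt inputs set both, the adminpc fixed IPs will fall outside the subnet created here.
```hcl
variable "subnet_cidrs" {
  # … unchanged: type, description, default …

  validation {
    condition = alltrue([
      for k in ["inet", "lan", "dmz", "admin"] :
      can(cidrhost(lookup(var.subnet_cidrs, k, ""), 254))
    ])
    error_message = "subnet_cidrs must contain valid IPv4 CIDRs for the keys inet, lan, dmz and admin."
  }
}
```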
+++ b/terragrunt/repository/module/adminpc.tf @@ -38,8 +38,8 @@ resource "openstack_compute_instance_v2" "adminpc2" { user_data = local.ext_adminpc_userdata_file == null ? null : data.template_cloudinit_config.cloudinitadminpc[0].rendered network { - name = "lan" - fixed_ip_v4 = cidrhost(var.lan_cidr,223) + name = "admin" + fixed_ip_v4 = cidrhost(var.admin_cidr,223) } } diff --git a/terragrunt/repository/module/adminpc_variables.tf b/terragrunt/repository/module/adminpc_variables.tf index f2db740..c4a4be6 100644 --- a/terragrunt/repository/module/adminpc_variables.tf +++ b/terragrunt/repository/module/adminpc_variables.tf @@ -15,3 +15,8 @@ variable "adminpc_userdata" { default = null } +variable "admin_cidr" { + type = string + description = "CIDR of the admin subnet" + default = "10.12.0.0/24" +} \ No newline at end of file diff --git a/terragrunt/repository/module/scripts/default.yml b/terragrunt/repository/module/scripts/default.yml index 31e0af9..27d633a 100644 --- a/terragrunt/repository/module/scripts/default.yml +++ b/terragrunt/repository/module/scripts/default.yml @@ -7,5 +7,6 @@ system_info: bootcmd: - echo "nameserver ${dns_server_address}" > /etc/resolv.conf runcmd: + - [echo, "nameserver ${dns_server_address}", >, /etc/resolv.conf] - [apt-get, update] - [apt-get, install, -y, python3] diff --git a/terragrunt/videoserver/module/adminpc.tf b/terragrunt/videoserver/module/adminpc.tf index a879f2f..e3d2832 100644 --- a/terragrunt/videoserver/module/adminpc.tf +++ b/terragrunt/videoserver/module/adminpc.tf @@ -35,8 +35,8 @@ resource "openstack_compute_instance_v2" "adminpc" { user_data = local.ext_adminpc_userdata_file == null ? null : data.template_cloudinit_config.cloudinitadminpc[0].rendered network { - name = "lan" - fixed_ip_v4 = cidrhost(var.lan_cidr,222) + name = "admin" + fixed_ip_v4 = cidrhost(var.admin_cidr,222) } } 
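Review bot: The new `admin_cidr` default `10.12.0.0/24` in adminpc_variables.tf does not match the admin subnet the bootstrap module creates from its `subnet_cidrs` default (`10.12.100.0/24`, earlier in this diff), so with defaults on both sides `cidrhost(var.admin_cidr,223)` in adminpc.tf resolves to 10.12.0.223, an address outside the admin subnet, and Neutron will most likely refuse to create the port. Unless terragrunt already passes the same value to both modules, align the default, `default = "10.12.100.0/24"`, or better drop the default so the value must be supplied from the bootstrap outputs. The videoserver module's copy of this variable later in the diff has the same mismatch.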
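Review bot: The added `runcmd` entry is in list (argv) form, and cloud-init executes list items directly without a shell, so `>` and `/etc/resolv.conf` are passed to `echo` as literal arguments: the command prints `nameserver … > /etc/resolv.conf` to the cloud-init log and never rewrites the file. Use the string form that `bootcmd` already uses two lines above, which is run through `sh -c`: `- echo "nameserver ${dns_server_address}" > /etc/resolv.conf`. If the goal is to re-apply the resolver after the network stack has rewritten resolv.conf, cloud-init's `write_files` is the declarative alternative and avoids the shell-quoting question entirely.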
diff --git a/terragrunt/videoserver/module/adminpc_variables.tf b/terragrunt/videoserver/module/adminpc_variables.tf index d7a10bc..0f74207 100644 --- a/terragrunt/videoserver/module/adminpc_variables.tf +++ b/terragrunt/videoserver/module/adminpc_variables.tf @@ -14,3 +14,9 @@ variable "adminpc_userdata" { description = "Userdata for the adminpc virtual machine" default = null } + +variable "admin_cidr" { + type = string + description = "CIDR of the admin subnet" + default = "10.12.0.0/24" +}
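Review bot: The `admin_cidr` default `10.12.0.0/24` added here disagrees with the bootstrap module's `subnet_cidrs.admin` default `10.12.100.0/24` earlier in this diff, so unless both modules receive the same value from terragrunt the videoserver adminpc's fixed IP `cidrhost(var.admin_cidr,222)` lands outside the subnet its `admin` port is attached to and the instance will fail to get a port. Align the defaults, `default = "10.12.100.0/24"`, or remove the default so the value has to come from the bootstrap outputs; keeping one source of truth for the admin CIDR also avoids the two modules drifting apart again.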