{"id":97,"date":"2020-01-27T06:09:49","date_gmt":"2020-01-27T06:09:49","guid":{"rendered":"https:\/\/www.vandervecken.com\/faucet\/?p=97"},"modified":"2020-01-27T06:11:28","modified_gmt":"2020-01-27T06:11:28","slug":"faking-services-on-an-entire-ip-subnet-part-ii-l3-nat-and-fake-services-in-docker","status":"publish","type":"post","link":"https:\/\/faucet.vandervecken.com\/index.php\/2020\/01\/27\/faking-services-on-an-entire-ip-subnet-part-ii-l3-nat-and-fake-services-in-docker\/","title":{"rendered":"faking services on an entire IP subnet &#8211; part II (L3 NAT and fake services in docker)"},"content":{"rendered":"\n<p>In our last <a href=\"https:\/\/www.vandervecken.com\/faucet\/index.php\/2020\/01\/24\/faking-services-on-an-entire-ip-subnet\/\">post<\/a>, we used a new L2 OVS proxy to fake TCP services on an entire IP subnet. We used network namespaces for isolation. However, using namespaces can make running fake services under docker somewhat inconvenient. So this time around, we&#8217;re going to have pipette do L3 NAT for us as well, so we can just attach services as we please. We&#8217;re going to fake a webserver on port 80 (as docker based webservers are easy to come by).<\/p>\n\n\n\n<p>We are using the same physical setup as last time. However, we are now using a slightly different FAUCET ACL. We are going to work with TCP port 80 only, and only on 192.168.2.0\/24. Note that we are also instructing FAUCET to always add a VLAN VID tag when it dispatches the intercepted traffic to the coprocessor (not strictly necessary but does make things more consistent).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>acls:  \n  coprocessssh:\n  - rule:\n      dl_type: 0x800\n      ip_proto: 6\n      ipv4_src: 192.168.2.0\/24\n      ipv4_dst: 192.168.2.0\/24\n      tcp_dst: 80\n      actions:\n        output:\n          vlan_vid: 2\n          ports: [18]\n  - rule:\n      actions:\n        allow: 1\n<\/code><\/pre>\n\n\n\n<p>We&#8217;ll also need a new version of <a href=\"https:\/\/github.com\/anarkiwi\/pipette\/blob\/fb10ad7e6d3c677004082e5308f0b9526cdf45bd\/pipette.py\">pipette<\/a> &#8211; this one is a bit smarter &#8211; it can do L3 NAT. Specifically, it will NAT 192.168.2.0\/24 to 192.168.101.0\/24 on the coprocessor. That way we can just run services that listen on 192.168.101.1\/24, and they&#8217;ll appear in the real 192.168.2.0\/24 network, magically with the right MAC addresses.<\/p>\n\n\n\n<p>We&#8217;ll start pipette like this:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>#!\/bin\/bash\n\n# interface connected to FAUCET coprocessor port.\nCOPROINT=enx0023565c8859\n# interface that will be created for fake services to run on.\nFAKEINT=fake0\n# Reserved MAC addresses for fake services to use to talk to clients.\nFAKEHW=0e:00:00:00:00:66\nFAKECLIENTHW=0e:00:00:00:00:67\n# address fake services will be run on (will be proxied from real IPs)\nFAKEIP=192.168.101.1\/24\n# OVS bridge name\nBR=copro0\n# pipette OF port\nOF=6699\n\n# Configure pipette's OVS switch.\n# Remove all IP addresses, disable IPv6.\nip link add dev $FAKEINT type veth peer name ovs$FAKEINT\nfor i in $COPROINT $FAKEINT ovs$FAKEINT ovs-system ; do\n  echo 1 > \/proc\/sys\/net\/ipv6\/conf\/$i\/disable_ipv6\n  ifconfig $i 0.0.0.0\ndone\nifconfig $COPROINT up\nifconfig ovs$FAKEINT up\nifconfig $FAKEINT hw ether $FAKEHW $FAKEIP up\novs-vsctl del-br $BR \novs-vsctl add-br $BR\novs-ofctl del-flows $BR\nfor i in $COPROINT ovs$FAKEINT ; do\n  ovs-vsctl add-port $BR $i\ndone\novs-vsctl set-controller $BR tcp:127.0.0.1:$OF\n\n# Run pipette.\nryu-manager pipette.py --ofp-tcp-listen-port $OF  --verbose\n<\/code><\/pre>\n\n\n\n<p>Now, we can start a webserver on 192.168.101.1:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pi@coprocessor:~ $ docker run -d -p 192.168.101.1:80:80 hypriot\/rpi-busybox-httpd\n89425b1198b3eb30267f05fa10bc3691efc7b36710297e4695030705ee09c9bb\npi@coprocessor:~ $ docker ps\nCONTAINER ID        IMAGE                       COMMAND                  CREATED             STATUS              PORTS                      NAMES\n89425b1198b3        hypriot\/rpi-busybox-httpd   \"\/bin\/busybox httpd \u2026\"   11 seconds ago      Up 9 seconds        192.168.101.1:80->80\/tcp   keen_goldberg\n<\/code><\/pre>\n\n\n\n<p>Now all it remains for us to do, is from outside the coprocessor, try to access the webserver &#8220;allegedly&#8221; running on 192.168.2.1:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>pi@pi8021x:~ $ wget -q -O- 192.168.2.1 80\n&lt;html>\n&lt;head>&lt;title>Pi armed with Docker by Hypriot&lt;\/title>\n  &lt;body style=\"width: 100%; background-color: black;\">\n    &lt;div id=\"main\" style=\"margin: 100px auto 0 auto; width: 800px;\">\n      &lt;img src=\"pi_armed_with_docker.jpg\" alt=\"pi armed with docker\" style=\"width: 800px\">\n    &lt;\/div>\n  &lt;\/body>\n&lt;\/html>\n<\/code><\/pre>\n\n\n\n<p>With pipette now doing L3 NAT, we can start pretty much whatever services we like listening on fake0, and provided we use the right FAUCET ACL to intercept the traffic, those services will appear in the dataplane. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>In our last post, we used a new L2 OVS proxy to fake TCP services on an entire IP subnet. We used network namespaces for isolation. However, using namespaces can make running fake services under docker somewhat inconvenient. So this time around, we&#8217;re going to have pipette do L3 NAT for us as well, so &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/faucet.vandervecken.com\/index.php\/2020\/01\/27\/faking-services-on-an-entire-ip-subnet-part-ii-l3-nat-and-fake-services-in-docker\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;faking services on an entire IP subnet &#8211; part II (L3 NAT and fake services in docker)&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-97","post","type-post","status-publish","format-standard","hentry","category-uncategorised","entry"],"_links":{"self":[{"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/posts\/97","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/comments?post=97"}],"version-history":[{"count":2,"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/posts\/97\/revisions"}],"predecessor-version":[{"id":99,"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/posts\/97\/revisions\/99"}],"wp:attachment":[{"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/media?parent=97"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/categories?post=97"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/faucet.vandervecken.com\/index.php\/wp-json\/wp\/v2\/tags?post=97"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}