···
services.nebula.networks.smoke = {
outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
···
staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; };
lighthouses = [ "10.0.100.1" ];
59
+
relays = [ "10.0.100.1" ];
outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
···
staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; };
lighthouses = [ "10.0.100.1" ];
78
+
relays = [ "10.0.100.1" ];
outbound = [ { port = "any"; proto = "any"; host = "any"; } ];
inbound = [ { port = "any"; proto = "any"; host = "lighthouse"; } ];
···
staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; };
lighthouses = [ "10.0.100.1" ];
98
+
relays = [ "10.0.100.1" ];
outbound = [ { port = "any"; proto = "any"; host = "lighthouse"; } ];
inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
···
staticHostMap = { "10.0.100.1" = [ "192.168.1.1:4242" ]; };
lighthouses = [ "10.0.100.1" ];
118
+
relays = [ "10.0.100.1" ];
outbound = [ { port = "any"; proto = "any"; host = "lighthouse"; } ];
inbound = [ { port = "any"; proto = "any"; host = "any"; } ];
···
167
+
getPublicIp = node: ''
168
+
${node}.succeed("ip --brief addr show eth1 | awk '{print $3}' | tail -n1 | cut -d/ -f1").strip()
171
+
# Never do this for anything security critical! (Thankfully it's just a test.)
172
+
# Restart Nebula right after the mutual block and/or restore so the state is fresh.
173
+
blockTrafficBetween = nodeA: nodeB: ''
174
+
node_a = ${getPublicIp nodeA}
175
+
node_b = ${getPublicIp nodeB}
176
+
${nodeA}.succeed("iptables -I INPUT -s " + node_b + " -j DROP")
177
+
${nodeB}.succeed("iptables -I INPUT -s " + node_a + " -j DROP")
178
+
${nodeA}.systemctl("restart nebula@smoke.service")
179
+
${nodeB}.systemctl("restart nebula@smoke.service")
181
+
allowTrafficBetween = nodeA: nodeB: ''
182
+
node_a = ${getPublicIp nodeA}
183
+
node_b = ${getPublicIp nodeB}
184
+
${nodeA}.succeed("iptables -D INPUT -s " + node_b + " -j DROP")
185
+
${nodeB}.succeed("iptables -D INPUT -s " + node_a + " -j DROP")
186
+
${nodeA}.systemctl("restart nebula@smoke.service")
187
+
${nodeB}.systemctl("restart nebula@smoke.service")
# Create the certificate and sign the lighthouse's keys.
${setUpPrivateKey "lighthouse"}
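Review bot: Both `blockTrafficBetween` and `allowTrafficBetween` issue `systemctl restart nebula@smoke.service` on each node and return immediately, so the `ping` calls that follow in the test script race the service coming back up; as far as I recall the driver's `systemctl()` helper also does not assert on the exit status, so a failed restart would only surface later as an unexplained ping failure. I would add `${nodeA}.wait_for_unit("nebula@smoke.service")` and `${nodeB}.wait_for_unit("nebula@smoke.service")` after the two restart lines in each helper. The comment `# Never do this for anything security critical!` does not say what "this" is; I would state the concrete caveat instead, along the lines of `# Test-only partition: each side DROPs the peer's public IP in INPUT (packets still leave the host) and that IP is scraped from "ip --brief" output by column - do not mistake this for real isolation.` Since `ip --brief addr show eth1` prints one line per interface, the `tail -n1` in `getPublicIp` is redundant and `$3` silently takes whichever address is listed first, which deserves a short comment noting the IPv4 assumption.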
···
node3.succeed("ping -c3 10.0.100.1")
node3.succeed("ping -c3 10.0.100.2")
240
+
# block node3 <-> node2, and node3 -> node2 should still work.
241
+
${blockTrafficBetween "node3" "node2"}
242
+
node3.succeed("ping -c10 10.0.100.2")
243
+
${allowTrafficBetween "node3" "node2"}
244
+
node3.succeed("ping -c10 10.0.100.2")
# node4 can ping the lighthouse but not node2 or node3
node4.succeed("ping -c3 10.0.100.1")
node4.fail("ping -c3 10.0.100.2")
···
# node2 can ping node3 now that node3 pinged it first
node2.succeed("ping -c3 10.0.100.3")
254
+
# block node2 <-> node3, and node2 -> node3 should still work.
255
+
${blockTrafficBetween "node2" "node3"}
256
+
node3.succeed("ping -c10 10.0.100.2")
257
+
node2.succeed("ping -c10 10.0.100.3")
258
+
${allowTrafficBetween "node2" "node3"}
259
+
node3.succeed("ping -c10 10.0.100.2")
260
+
node2.succeed("ping -c10 10.0.100.3")
# node4 can ping node2 if node2 pings it first
263
+
node2.succeed("ping -c3 10.0.100.4")
264
+
node4.succeed("ping -c3 10.0.100.2")
266
+
# block node4 <-> node2, and node2 <-> node4 should still work.
267
+
${blockTrafficBetween "node2" "node4"}
268
+
node2.succeed("ping -c10 10.0.100.4")
269
+
node4.succeed("ping -c10 10.0.100.2")
270
+
${allowTrafficBetween "node2" "node4"}
271
+
node2.succeed("ping -c10 10.0.100.4")
272
+
node4.succeed("ping -c10 10.0.100.2")
274
+
# block lighthouse <-> node3 and node2 <-> node3; node3 won't get to node2
275
+
${blockTrafficBetween "node3" "lighthouse"}
276
+
${blockTrafficBetween "node3" "node2"}
277
+
node3.fail("ping -c3 10.0.100.2")
278
+
${allowTrafficBetween "node3" "lighthouse"}
279
+
${allowTrafficBetween "node3" "node2"}
280
+
node3.succeed("ping -c3 10.0.100.2")
282
+
# block lighthouse <-> node2, node2 <-> node3, and node2 <-> node4; it won't get to node3 or node4
283
+
${blockTrafficBetween "node2" "lighthouse"}
284
+
${blockTrafficBetween "node2" "node3"}
285
+
${blockTrafficBetween "node2" "node4"}
286
+
node3.fail("ping -c3 10.0.100.2")
287
+
node2.fail("ping -c3 10.0.100.3")
288
+
node2.fail("ping -c3 10.0.100.4")
289
+
${allowTrafficBetween "node2" "lighthouse"}
290
+
${allowTrafficBetween "node2" "node3"}
291
+
${allowTrafficBetween "node2" "node4"}
292
+
node3.succeed("ping -c3 10.0.100.2")
293
+
node2.succeed("ping -c3 10.0.100.3")
294
+
node2.succeed("ping -c3 10.0.100.4")
296
+
# block lighthouse <-> node4 and node4 <-> node2; it won't get to node2
297
+
${blockTrafficBetween "node4" "lighthouse"}
298
+
${blockTrafficBetween "node4" "node2"}
299
+
node2.fail("ping -c3 10.0.100.4")
300
+
node4.fail("ping -c3 10.0.100.2")
301
+
${allowTrafficBetween "node4" "lighthouse"}
302
+
${allowTrafficBetween "node4" "node2"}
node2.succeed("ping -c3 10.0.100.4")
node4.succeed("ping -c3 10.0.100.2")