Created Tue May, 28 2019 at 12:59PM
While doing some research that used a Linux bridge to test blocking via iptables, I created Vagrant configs for both Ubuntu and CentOS. These do most of the heavy lifting to get a CentOS 7 box up and running with a basic bridge, br0, configured. Note that you will want to create a second VM with a leg in the VirtualBox internal network bridge_test to test against; the bridge is only interesting once something on that segment sends traffic through it.
The important bits are that every interface that is to be bridged (including those on the other VMs) must be set to promiscuous mode in VirtualBox (`--nicpromiscN allow-all`); otherwise the bridge port never sees frames addressed to other MACs. Be aware that this also means the VM captures all traffic on that internal network, so keep bridge_test an internal network rather than bridging it to your real LAN. You will also want to load the br_netfilter module if you plan on filtering via iptables/ipset rules, since without it bridged frames are forwarded at layer 2 and do not traverse the iptables chains. Neither config below loads it, so add `modprobe br_netfilter` yourself when you get to the filtering part.
Copy the following into `Vagrantfile` and run `vagrant up`.
# -*- mode: ruby -*-
# vi: set ft=ruby :
# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
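Vagrant.configure("2") do |config|
  # Lab VM for testing iptables/ipset filtering on a Linux bridge: the NAT
  # uplink (eth0) and the VirtualBox internal network "bridge_test" (eth1)
  # are enslaved to br0 by the shell provisioner below.  A second VM with a
  # leg in "bridge_test" is needed as the peer that sends traffic through it.
  config.vm.box = "centos/7"

  # Box update checks are left enabled (the default).  Disabling them means
  # boxes are only checked when you run `vagrant box outdated`.
  # config.vm.box_check_update = false

  # No forwarded ports are needed for this lab.  If you add one, bind it to
  # 127.0.0.1 so it is not reachable from other hosts on your network:
  # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"

  # Second NIC (nic2 in VirtualBox, eth1 in the guest) on the isolated internal
  # network shared with the peer VM.  No IP is assigned here because the
  # interface is enslaved to br0 and addressing happens on the bridge.
  # config.vm.network "private_network", ip: "192.168.33.11"
  config.vm.network "private_network", virtualbox__intnet: "bridge_test"

  # A host-bridged "public_network" adapter is deliberately not used: it would
  # put the test bridge, and every promiscuous capture on it, onto the real LAN.
  # config.vm.network "public_network"

  # Optional synced folders (host path, guest path, options):
  # config.vm.synced_folder "../data", "/vagrant_data"
  # config.vm.synced_folder "~/src/localrepo", "/home/vagrant/src/devices", type: "sshfs", sshfs_opts_append: '-o uid=1000 -o gid=1000'

  config.vm.provider "virtualbox" do |vb|
    # A bridge port must receive frames that are not addressed to its own MAC,
    # so nic2 (the "bridge_test" leg) is put in promiscuous mode.  The peer VM
    # needs the same setting on its "bridge_test" adapter.  nic1 is the NAT
    # adapter, for which VirtualBox offers no promiscuous setting.
    vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
    vb.customize ["modifyvm", :id, "--audio", "none"]
    # vb.gui = true        # VirtualBox console; useful if br0 never gets a lease
    # vb.memory = "1024"
  end

  # Provisioning runs as root over the Vagrant SSH session, which arrives via
  # the NAT port-forward on eth0.  The network restart at the end moves eth0
  # under br0; if br0 does not obtain a DHCP lease the SSH path is gone and
  # you will need the VirtualBox console to recover.
  config.vm.provision "shell", inline: <<-SHELL
    # yum asks for confirmation; without -y a non-interactive run answers "N"
    # and the update is silently skipped.
    yum -y update
    yum -y install rpm-build tcpdump zsh mtr nmap traceroute git bridge-utils
    # Optional oh-my-zsh installer, only staged for a manual run.  It fetches
    # and executes an unpinned script from GitHub, so review it (or pin it to
    # a commit) before running; it is not needed for the bridge test.
    echo 'sh -c "$(curl -fsSL https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"' > /tmp/install_oh-my-zsh
    # Bridged frames do not traverse iptables unless br_netfilter is loaded.
    # Uncomment when you start filtering with iptables/ipset (persist it via
    # /etc/modules-load.d/ if it has to survive a reboot).
    # modprobe br_netfilter
    # br0 gets the (NAT) DHCP address; eth0 and eth1 become bare bridge ports.
    echo 'DEVICE="br0"
BOOTPROTO="dhcp"
ONBOOT="yes"
TYPE="Bridge"
PERSISTENT_DHCLIENT="no"' > /etc/sysconfig/network-scripts/ifcfg-br0
    echo 'DEVICE="eth0"
BOOTPROTO="none"
ONBOOT="yes"
TYPE="Ethernet"
BRIDGE=br0' > /etc/sysconfig/network-scripts/ifcfg-eth0
    echo 'DEVICE="eth1"
BOOTPROTO="none"
ONBOOT="yes"
TYPE="Ethernet"
BRIDGE=br0' > /etc/sysconfig/network-scripts/ifcfg-eth1
    systemctl restart network
    # Drop any dhclient still holding eth0's old lease so only br0 requests one.
    pkill dhclient
    dhclient br0
  SHELL
end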
Ubuntu Vagrantfile:
# -*- mode: ruby -*-
# vi: set ft=ruby :
# All Vagrant configuration is done below. The "2" in Vagrant.configure
# configures the configuration version (we support older styles for
# backwards compatibility). Please don't change it unless you know what
# you're doing.
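Vagrant.configure("2") do |config|
  # Ubuntu 16.04 flavour of the bridge lab.  Unlike the CentOS file, the
  # bridge is not created by the provisioner: it only installs tools and drops
  # /home/vagrant/bridge_up.sh, which you run yourself once the box is up.
  config.vm.box = "ubuntu/xenial64"

  # Box update checks are left enabled (the default).  Disabling them means
  # boxes are only checked when you run `vagrant box outdated`.
  # config.vm.box_check_update = false

  # No forwarded ports are needed for this lab.  If you add one, bind it to
  # 127.0.0.1 so it is not reachable from other hosts on your network:
  # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"

  # Second NIC (nic2 in VirtualBox, enp0s8 in the guest) on the isolated
  # internal network shared with the peer VM.  The static address is only a
  # placeholder: bridge_up.sh flushes it and moves addressing onto br0.
  # config.vm.network "private_network", ip: "192.168.33.11"
  config.vm.network "private_network", ip: "192.168.33.12", virtualbox__intnet: "bridge_test"

  # A host-bridged "public_network" adapter is deliberately not used: it would
  # put the test bridge, and every promiscuous capture on it, onto the real LAN.
  # config.vm.network "public_network"

  # Optional synced folders (host path, guest path, options):
  # config.vm.synced_folder "../data", "/vagrant_data"
  # config.vm.synced_folder "~/src/local-repo", "/home/vagrant/src/devices", type: "sshfs", sshfs_opts_append: '-o uid=1000 -o gid=1000'

  config.vm.provider "virtualbox" do |vb|
    # A bridge port must receive frames that are not addressed to its own MAC,
    # so nic2 (the "bridge_test" leg) is put in promiscuous mode.  The peer VM
    # needs the same setting on its "bridge_test" adapter.  nic1 is the NAT
    # adapter, for which VirtualBox offers no promiscuous setting.
    vb.customize ["modifyvm", :id, "--nicpromisc2", "allow-all"]
    vb.customize ["modifyvm", :id, "--audio", "none"]
    # vb.gui = true        # VirtualBox console; useful once enp0s3 is flushed
    # vb.memory = "1024"
  end

  # Provisioning runs as root over the Vagrant SSH session (NAT port-forward on
  # enp0s3).  Nothing here touches the network, so the session survives; the
  # bridge is only built when bridge_up.sh is run afterwards.
  config.vm.provision "shell", inline: <<-SHELL
    # Keep apt from stopping on interactive prompts during an unattended run.
    export DEBIAN_FRONTEND=noninteractive
    apt-get update
    apt-get install -y gdebi zsh mtr nmap traceroute tcpdump bridge-utils git
    # SUPPLY-CHAIN NOTE: the next line downloads and executes an unpinned script
    # from GitHub ("master" via the raw.github.com redirect) at provision time;
    # the command substitution runs in this root shell before su drops to
    # vagrant.  It is a shell convenience, not part of the bridge test: remove
    # it, or pin it to a reviewed commit, before reusing this config anywhere
    # that matters.  A copy of the command is also staged in /tmp for manual use.
    sudo su - vagrant sh -c "$(curl -fsSL https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"
    echo 'sh -c "$(curl -fsSL https://raw.github.com/robbyrussell/oh-my-zsh/master/tools/install.sh)"' > /tmp/install_oh-my-zsh
    # Helper to run by hand: enslaves the NAT uplink (enp0s3) and the
    # "bridge_test" leg (enp0s8) to br0 and moves addressing onto the bridge.
    # Flushing enp0s3 drops the Vagrant SSH session until br0 has a lease, so
    # run it from the VirtualBox console or be ready to reconnect.  dhclient is
    # killed here, right before br0 asks for a lease, rather than during
    # provisioning, so enp0s3 keeps renewing until the bridge actually comes up.
    echo '#!/bin/sh
sudo pkill dhclient
sudo ip addr flush dev enp0s3
sudo ip addr flush dev enp0s8
sudo brctl addbr br0
sudo brctl addif br0 enp0s8 enp0s3
# sudo brctl addif br0 enp0s8 enp0s9
sudo ip link set dev br0 up
# uncomment so bridged frames traverse iptables/ipset rules
# sudo modprobe br_netfilter
sudo dhclient br0
# sudo ip addr add 192.168.33.10/24 dev br0
ip addr' > /home/vagrant/bridge_up.sh
    chmod +x /home/vagrant/bridge_up.sh
    # The provisioner runs as root; hand the script to the user who will run it.
    chown vagrant:vagrant /home/vagrant/bridge_up.sh
  SHELL
end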
With the Ubuntu Vagrant config you will, of course, have to run the bridge_up.sh script yourself to set up the bridge. Be warned that it flushes the address on enp0s3, the NAT interface your `vagrant ssh` session comes in on, so the session drops until br0 obtains a DHCP lease; run it from the VirtualBox console or be prepared to reconnect.