# Topology

![](https://hackmd.io/_uploads/Sk3HLiGt3.png)

SDN: change the routing path (the OpenFlow rules on s1 decide where each packet goes).
NFV: network function virtualization, e.g. a firewall, IDS, content inspector... running as an ordinary host (here H3) instead of a dedicated appliance.

## Node Configuration

```
h1 = net.addHost('h1', ip="10.0.0.1/24", mac="00:00:00:00:00:01")
h2 = net.addHost('h2', ip="10.0.0.2/24", mac="00:00:00:00:00:02")
h3 = net.addHost('h3', ip="10.0.0.3/24", mac="00:00:00:00:00:03")
s1 = net.addSwitch('s1')
c0 = net.addController('c0', controller=RemoteController)
```

## H3 Firewall setting

```
echo 1 > /proc/sys/net/ipv4/ip_forward
```

Enable forwarding mode: H3 routes packets whose destination IP is not its own instead of discarding them, so they pass through the `FORWARD` chain of iptables.

```
iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT
iptables -A FORWARD -p tcp --destination-port 80 -j DROP
```

Accept TCP connections to port 443 -> forwarded.
Drop TCP connections to port 80.

Note that the built-in default policy of the `FORWARD` chain is `ACCEPT`, so the first rule changes nothing on its own: every destination port other than 80 is forwarded anyway. Dropping the SYN is enough to block port 80, because the handshake never completes. To allow only 443, the chain would need `iptables -P FORWARD DROP` plus an `ESTABLISHED,RELATED` accept rule, otherwise H2's replies (whose destination port is H1's ephemeral port) would be dropped too.

## S1 Flow Configuration

### Default Routing Forwarding

```
ovs-ofctl add-flow s1 priority=1,in_port=1,actions=output:2
ovs-ofctl add-flow s1 priority=1,in_port=2,actions=output:1
```

Low-priority fallback: anything not caught by the higher-priority rules below (in practice ARP, since those rules match only `ip`) goes straight between H1 and H2.

### Forwarding to H3 (NFV: FireWall)

```
ovs-ofctl add-flow s1 priority=10,ip,in_port=1,actions=mod_dl_dst=00:00:00:00:00:03,output:3
ovs-ofctl add-flow s1 priority=10,ip,in_port=2,actions=mod_dl_dst=00:00:00:00:00:03,output:3
```

These flows rewrite only the destination MAC. A host interface accepts a frame based on its MAC, so without the rewrite H3 would discard frames addressed to H2. The IP header is kept unchanged, so H3 sees a packet that is not for itself and forwards it back towards the original host.

### H3 Forward H1,H2

```
ovs-ofctl add-flow s1 priority=10,ip,in_port=3,nw_dst=10.0.0.1,actions=mod_dl_dst=00:00:00:00:00:01,output:1
ovs-ofctl add-flow s1 priority=10,ip,in_port=3,nw_dst=10.0.0.2,actions=mod_dl_dst=00:00:00:00:00:02,output:2
```

Packets coming back from H3 are steered by destination IP to the right port. The `mod_dl_dst` here is a safety net: with the static ARP entries below, H3 already writes the correct destination MAC itself.

## Script

```python
from mininet.cli import CLI
from mininet.net import Mininet
from mininet.link import Link, TCLink, Intf
from mininet.node import Controller, RemoteController

net = Mininet(link=TCLink)

# Three hosts on one subnet; H3 is the NFV firewall box.
h1 = net.addHost('h1', ip="10.0.0.1/24", mac="00:00:00:00:00:01")
h2 = net.addHost('h2', ip="10.0.0.2/24", mac="00:00:00:00:00:02")
h3 = net.addHost('h3', ip="10.0.0.3/24", mac="00:00:00:00:00:03")
s1 = net.addSwitch('s1')
c0 = net.addController('c0', controller=RemoteController)

# Link order determines OpenFlow port numbers: h1 -> port 1, h2 -> port 2, h3 -> port 3.
net.addLink(h1, s1)
net.addLink(h2, s1)
net.addLink(h3, s1)

net.build()
c0.start()
s1.start([c0])

# ARP (static setting): the flows below only match IP, so ARP from H3 would
# hit no rule. Pre-populating the tables avoids relying on ARP at all.
h1.cmd("arp -s 10.0.0.2 00:00:00:00:00:02")
h1.cmd("arp -s 10.0.0.3 00:00:00:00:00:03")
h2.cmd("arp -s 10.0.0.1 00:00:00:00:00:01")
h2.cmd("arp -s 10.0.0.3 00:00:00:00:00:03")
h3.cmd("arp -s 10.0.0.1 00:00:00:00:00:01")
h3.cmd("arp -s 10.0.0.2 00:00:00:00:00:02")

# H3 firewall: route packets that are not for H3, allow 443, drop 80
# (443 here matches the firewall section and the test below).
h3.cmd("echo 1 > /proc/sys/net/ipv4/ip_forward")
h3.cmd("iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT")
h3.cmd("iptables -A FORWARD -p tcp --destination-port 80 -j DROP")

# S1 flows: default path, redirect of IP traffic to H3, and return path from H3.
s1.cmd("ovs-ofctl add-flow s1 priority=1,in_port=1,actions=output:2")
s1.cmd("ovs-ofctl add-flow s1 priority=1,in_port=2,actions=output:1")
s1.cmd("ovs-ofctl add-flow s1 priority=10,ip,in_port=1,actions=mod_dl_dst=00:00:00:00:00:03,output:3")
s1.cmd("ovs-ofctl add-flow s1 priority=10,ip,in_port=2,actions=mod_dl_dst=00:00:00:00:00:03,output:3")
s1.cmd("ovs-ofctl add-flow s1 priority=10,ip,in_port=3,nw_dst=10.0.0.2,actions=mod_dl_dst=00:00:00:00:00:02,output:2")
s1.cmd("ovs-ofctl add-flow s1 priority=10,ip,in_port=3,nw_dst=10.0.0.1,actions=mod_dl_dst=00:00:00:00:00:01,output:1")

CLI(net)
net.stop()
```

# Test

Run an HTTP server on H2 for testing, one per port (binding 443 needs root, which Mininet hosts run as):

```
python3 -m http.server 80
python3 -m http.server 443
```

![](https://hackmd.io/_uploads/r1mky3MK3.png)

H1 curls H2 on port 80 and 443:

![](https://hackmd.io/_uploads/ry1sY3MY3.png)

443: success!!
80: connection fails (H3 drops the SYN, so curl gets no reply and eventually times out)
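Added example (my code, not from this note or from Open vSwitch): a small model of the s1 flow table from the S1 Flow Configuration section. It parses the exact `ovs-ofctl add-flow` strings used above, applies OpenFlow's highest-priority-match rule, and traces an H1 -> H2 IP packet through both switch hops of the redirect. It also shows what the `ip` keyword implies for non-IP frames: ARP from H1 takes the priority-1 path and never reaches H3, while ARP from H3 matches nothing at all, which is why the script installs static ARP entries. `Packet`, `Flow`, `parse_flow`, `apply` and the trace functions are names I made up for the model; only the match keywords and actions that appear on this page are supported.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

H1, H2, H3 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"

# The flow specs exactly as passed to `ovs-ofctl add-flow s1 ...` in this note.
FLOWS = [
    "priority=1,in_port=1,actions=output:2",
    "priority=1,in_port=2,actions=output:1",
    "priority=10,ip,in_port=1,actions=mod_dl_dst=00:00:00:00:00:03,output:3",
    "priority=10,ip,in_port=2,actions=mod_dl_dst=00:00:00:00:00:03,output:3",
    "priority=10,ip,in_port=3,nw_dst=10.0.0.1,actions=mod_dl_dst=00:00:00:00:00:01,output:1",
    "priority=10,ip,in_port=3,nw_dst=10.0.0.2,actions=mod_dl_dst=00:00:00:00:00:02,output:2",
]


@dataclass
class Packet:                      # hypothetical: only the fields these flows inspect
    in_port: int
    dl_dst: str
    nw_dst: Optional[str] = None   # None models a non-IP frame such as ARP


@dataclass
class Flow:
    priority: int
    match: Dict[str, Any]
    actions: List[Tuple[str, Any]]


def parse_flow(spec: str) -> Flow:
    """Parse the subset of ovs-ofctl add-flow syntax used on this page:
    priority=N, ip, in_port=N, nw_dst=A.B.C.D, actions=mod_dl_dst=MAC,output:N."""
    match_part, actions_part = spec.split(",actions=")
    priority, match = 32768, {}          # 32768 is the OpenFlow default priority
    for token in match_part.split(","):
        if token == "ip":
            match["ip"] = True           # matches IPv4 frames only
        elif token.startswith("priority="):
            priority = int(token.split("=", 1)[1])
        elif token.startswith("in_port="):
            match["in_port"] = int(token.split("=", 1)[1])
        elif token.startswith("nw_dst="):
            match["nw_dst"] = token.split("=", 1)[1]
        else:
            raise ValueError(f"unsupported match: {token}")
    actions: List[Tuple[str, Any]] = []
    for act in actions_part.split(","):
        if act.startswith("output:"):
            actions.append(("output", int(act.split(":", 1)[1])))
        elif act.startswith("mod_dl_dst="):
            actions.append(("mod_dl_dst", act.split("=", 1)[1]))
        else:
            raise ValueError(f"unsupported action: {act}")
    return Flow(priority, match, actions)


def matches(flow: Flow, pkt: Packet) -> bool:
    m = flow.match
    if m.get("ip") and pkt.nw_dst is None:
        return False
    if "in_port" in m and m["in_port"] != pkt.in_port:
        return False
    if "nw_dst" in m and m["nw_dst"] != pkt.nw_dst:
        return False
    return True


def apply(flows: List[Flow], pkt: Packet) -> Tuple[Optional[int], str]:
    """Return (output port, destination MAC after rewrite). A table miss
    returns port None: the frame goes to the controller or is dropped, and
    is never forwarded by these flows."""
    hits = [f for f in flows if matches(f, pkt)]
    if not hits:
        return None, pkt.dl_dst
    best = max(hits, key=lambda f: f.priority)   # highest priority wins
    out, dl_dst = None, pkt.dl_dst
    for kind, arg in best.actions:               # actions run in list order
        if kind == "mod_dl_dst":
            dl_dst = arg
        elif kind == "output":
            out = arg
    return out, dl_dst


TABLE = [parse_flow(s) for s in FLOWS]


def trace_h1_to_h2() -> List[Tuple[Optional[int], str]]:
    """Both switch hops of one IP packet from H1 to H2."""
    hop1 = apply(TABLE, Packet(in_port=1, dl_dst=H2, nw_dst="10.0.0.2"))
    # H3 routes the packet (dst IP is not its own) and, from its static ARP
    # entry, sends it back out with H2's MAC; the switch sees it on port 3.
    hop2 = apply(TABLE, Packet(in_port=3, dl_dst=H2, nw_dst="10.0.0.2"))
    return [hop1, hop2]


def trace_arp() -> List[Tuple[Optional[int], str]]:
    """Non-IP frames: H1's ARP bypasses H3; H3's own ARP is a table miss."""
    return [
        apply(TABLE, Packet(in_port=1, dl_dst="ff:ff:ff:ff:ff:ff")),
        apply(TABLE, Packet(in_port=3, dl_dst="ff:ff:ff:ff:ff:ff")),
    ]


if __name__ == "__main__":
    for hop in trace_h1_to_h2():
        print("h1->h2 hop:", hop)
    for hop in trace_arp():
        print("arp:", hop)
```

Run it before installing the flows on a real switch: if a rule is mistyped (a missing `ip`, or `nw_dst` on the wrong port) the trace shows the packet looping to H3 or missing the table instead of reaching port 2. The same trace explains a blind spot of the design: anything that is not IPv4 (ARP, and IPv6 if it were enabled) is never inspected by the firewall.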
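Added example (my code, not from this note or from iptables): a first-match model of the `FORWARD` chain on H3, with the two rules from the H3 Firewall setting section beside a default-deny variant I wrote for comparison. It makes the policy point concrete: under the kernel's default `ACCEPT` policy the 443 rule is a no-op and only port 80 is blocked, so 8080, UDP and everything else sail through; the hardened chain allows only 443 and needs an `ESTABLISHED,RELATED` rule, otherwise H2's replies to H1 (destination port = H1's ephemeral port) would be dropped on the way back. `build_chain`, `verdict` and `compare` are my names; the parser understands only the flags used here, and the sample traffic at the bottom is constructed.

```python
from typing import Any, Dict, List, Tuple

Rule = Dict[str, Any]
Chain = Tuple[str, List[Rule]]


def build_chain(commands: List[str]) -> Chain:
    """Turn `iptables -P FORWARD ...` / `iptables -A FORWARD ...` lines into
    (policy, rules). Understood flags: -p PROTO, --dport/--destination-port N,
    -m conntrack --ctstate A,B, -j TARGET. Anything else raises."""
    policy = "ACCEPT"                # the kernel's built-in default for FORWARD
    rules: List[Rule] = []
    for cmd in commands:
        argv = cmd.split()
        if argv[:3] == ["iptables", "-P", "FORWARD"]:
            policy = argv[3]
        elif argv[:3] == ["iptables", "-A", "FORWARD"]:
            rule: Rule = {"target": argv[argv.index("-j") + 1]}
            if "-p" in argv:
                rule["proto"] = argv[argv.index("-p") + 1]
            for flag in ("--dport", "--destination-port"):
                if flag in argv:
                    rule["dport"] = int(argv[argv.index(flag) + 1])
            if "--ctstate" in argv:
                rule["ctstate"] = set(argv[argv.index("--ctstate") + 1].split(","))
            rules.append(rule)
        else:
            raise ValueError(f"unsupported command: {cmd}")
    return policy, rules


def verdict(chain: Chain, proto: str, dport: int, ctstate: str = "NEW") -> str:
    """First matching rule decides; if nothing matches, the chain policy does."""
    policy, rules = chain
    for r in rules:
        if "proto" in r and r["proto"] != proto:
            continue
        if "dport" in r and r["dport"] != dport:
            continue
        if "ctstate" in r and ctstate not in r["ctstate"]:
            continue
        return str(r["target"])
    return policy


# The two rules exactly as typed on H3 in this note.
NOTE_CHAIN = build_chain([
    "iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT",
    "iptables -A FORWARD -p tcp --destination-port 80 -j DROP",
])

# Default-deny variant (my suggestion, not from the note): only 443 is allowed
# in the client->server direction; reply packets pass through conntrack state.
HARDENED_CHAIN = build_chain([
    "iptables -P FORWARD DROP",
    "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    "iptables -A FORWARD -p tcp --dport 443 -j ACCEPT",
])


def compare(proto: str, dport: int, ctstate: str = "NEW") -> Tuple[str, str]:
    """(verdict under the note's rules, verdict under the hardened chain)."""
    return (verdict(NOTE_CHAIN, proto, dport, ctstate),
            verdict(HARDENED_CHAIN, proto, dport, ctstate))


if __name__ == "__main__":
    # Constructed sample traffic: H1 -> H2 SYNs to four ports, plus one
    # H2 -> H1 reply segment (destination port is H1's ephemeral port).
    for proto, dport, state in [("tcp", 443, "NEW"), ("tcp", 80, "NEW"),
                                ("tcp", 8080, "NEW"), ("udp", 53, "NEW"),
                                ("tcp", 51234, "ESTABLISHED")]:
        note, hard = compare(proto, dport, state)
        print(f"{proto}/{dport:<5} {state:<11} note={note:<6} hardened={hard}")
```

The `udp/53` and `tcp/8080` rows are the ones to look at: the note's chain forwards both, the hardened one drops both. If you adopt the default-deny chain on H3, keep the conntrack rule first, since without it the `curl` to 443 in the test section would hang exactly like the one to 80.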