{OCI ネットワーキング} VTAPでパケットをミラーリングし、パケットキャプチャをする

https://oracle-japan.github.io/ocitutorials/intermediates/vtap/

前提:
VCN、コンピュートインスタンス → Terraformで作成
NLB、VTAP → CLIで作成

subnet01: パブリック・サブネット 10.0.1.0/24 インターネット・ゲートウェイ
subnet02: プライベート・サブネット 10.0.2.0/24 NATゲートウェイサービス・ゲートウェイ

vm01: クライアント・インスタンス subnet01
vm02: サーバ・インスタンス subnet02 10.0.2.2
vm03: ターゲット・インスタンス subnet02 10.0.2.3

sl01: SSH許可、VCNからの全通信許可
sl02: VCNからの全通信許可

インスタンス:
OL9
プリエンプティブルインスタンス
OSのファイヤーウォール停止、SELINUX無効化
パッケージ
nmap-ncat
telnet
telnet-server
wireshark
ソース/宛先チェックのスキップ(vm03のみ)

-- 1. VCN、コンピュートインスタンス作成

cat <<-'EOF' > variables.tf

locals {
tenancy_ocid = "ocid1.tenancy.oc1..000000000000000000000000000000000000000000000000000000000000"
# MYIP
myip = "192.0.2.1/32"

}

variable "compartment_name" {
description = "compartment_name"
type = string
default = "cmp01"
}

variable "shape" {
description = "shape"
type = string
default = "VM.Standard.E2.1"
}

EOF

cat <<-'EOF' > main.tf

terraform {
required_version = ">= 1.0.0, < 2.0.0"
required_providers {
oci = {
source = "hashicorp/oci"
version = "= 5.23.0"
}
}
}

provider "oci" {
tenancy_ocid = local.tenancy_ocid
user_ocid = "ocid1.user.oc1..000000000000000000000000000000000000000000000000000000000000"
private_key_path = "~/.oci/oci_api_key.pem"
fingerprint = "45:ed:22:e6:cc:fd:63:97:12:9d:62:7a:90:12:65:7a"
region = "us-ashburn-1"
}

resource "oci_identity_compartment" "cmp01" {
# Required
compartment_id = local.tenancy_ocid
description = var.compartment_name
name = var.compartment_name

enable_delete = true
}

resource "oci_core_vcn" "vcn01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id

#Optional
cidr_block = "10.0.0.0/16"
display_name = "vcn01"
dns_label = "vcn01"

}

resource "oci_core_internet_gateway" "igw01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id

#Optional
enabled = true
display_name = "igw01"
}

resource "oci_core_route_table" "rt01" {
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id

display_name = "rt01"
route_rules {
network_entity_id = oci_core_internet_gateway.igw01.id
destination = "0.0.0.0/0"
}
}

resource "oci_core_route_table" "rt02" {
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id

display_name = "rt02"
route_rules {
network_entity_id = oci_core_nat_gateway.ngw01.id
destination = "0.0.0.0/0"
}
route_rules {
network_entity_id = oci_core_service_gateway.sgw01.id
destination = "all-iad-services-in-oracle-services-network"
destination_type = "SERVICE_CIDR_BLOCK"

}
}

resource "oci_core_security_list" "sl01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id

#Optional
display_name = "sl01"

egress_security_rules {
destination = "0.0.0.0/0"
protocol = "all"
stateless = false
}

ingress_security_rules {
source = local.myip
protocol = "6"
stateless = false
tcp_options {
max = 22
min = 22
}
}
ingress_security_rules {
source = "10.0.0.0/16"
protocol = "all"
stateless = false
}
}

resource "oci_core_security_list" "sl02" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id

#Optional
display_name = "sl02"

egress_security_rules {
destination = "0.0.0.0/0"
protocol = "all"
stateless = false
}

ingress_security_rules {
source = "10.0.0.0/16"
protocol = "all"
stateless = false
}
}

resource "oci_core_subnet" "subnet01" {
#Required
cidr_block = "10.0.1.0/24"
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id

#Optional

display_name = "subnet01"
dns_label = "subnet01"
route_table_id = oci_core_route_table.rt01.id
security_list_ids = [oci_core_security_list.sl01.id]
}

resource "oci_core_subnet" "subnet02" {
#Required
cidr_block = "10.0.2.0/24"
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id

#Optional

display_name = "subnet02"
dns_label = "subnet02"
route_table_id = oci_core_route_table.rt02.id
security_list_ids = [oci_core_security_list.sl02.id]

prohibit_public_ip_on_vnic = true
}

resource "oci_core_nat_gateway" "ngw01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
vcn_id = oci_core_vcn.vcn01.id

#Optional
block_traffic = false
display_name = "ngw01"
}

data "oci_core_services" "svc01" {
filter {
name = "name"
values = ["All .* Services In Oracle Services Network"]
regex = true
}
}

resource "oci_core_service_gateway" "sgw01" {
#Required
compartment_id = oci_identity_compartment.cmp01.id
services {
#Required
service_id = data.oci_core_services.svc01.services.0.id
}
vcn_id = oci_core_vcn.vcn01.id

#Optional
display_name = "sgw01"
}

EOF

cat <<-'EOF' > outputs.tf

output "cmp01_id" {
value = oci_identity_compartment.cmp01.id
description = "cmp01.id"
}

output "vcn01_id" {
value = oci_core_vcn.vcn01.id
description = "vcn01.id"
}

output "igw01_id" {
value = oci_core_internet_gateway.igw01.id
description = "igw01.id"
}
output "rt01_id" {
value = oci_core_route_table.rt01.id
description = "rt01.id"
}
output "rt02_id" {
value = oci_core_route_table.rt02.id
description = "rt02.id"
}

output "sl01_id" {
value = oci_core_security_list.sl01.id
description = "sl01.id"
}
output "sl02_id" {
value = oci_core_security_list.sl02.id
description = "sl02.id"
}
output "subnet01_id" {
value = oci_core_subnet.subnet01.id
description = "subnet01.id"
}
output "subnet02_id" {
value = oci_core_subnet.subnet02.id
description = "subnet02.id"
}

output "ngw01_id" {
value = oci_core_nat_gateway.ngw01.id
description = "ngw01.id"
}

output "svc01_id" {
value = data.oci_core_services.svc01.services.0.id
description = "svc01.id"
}

output "sgw01_id" {
value = oci_core_service_gateway.sgw01.id
description = "sgw01.id"
}

output "vm01_public_ip" {
value = oci_core_instance.vm01.public_ip
description = "vm01.public_ip"
}

EOF

cat <<-'EOF' > a.yaml
#cloud-config
timezone: Asia/Tokyo
locale: ja_JP.utf8
package_update: true
packages:
- nmap-ncat
- telnet
- telnet-server
- wireshark
runcmd:
- setenforce 0
- sed -i -e 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
- systemctl stop firewalld
- systemctl disable firewalld

EOF

cat <<-'EOF' > instances.tf

data "oci_core_images" "ol9_latest" {
#Required
compartment_id = oci_identity_compartment.cmp01.id

#Optional
operating_system = "Oracle Linux"
operating_system_version = "9"
shape = var.shape
sort_by = "TIMECREATED"
sort_order = "DESC"

filter {
name = "display_name"
values = ["Oracle-Linux-9.2-2023.*"]
regex = true
}

}

resource "oci_core_instance" "vm01" {
#Required
availability_domain = "OEIw:US-ASHBURN-AD-1"
compartment_id = oci_identity_compartment.cmp01.id
shape = var.shape

agent_config {
plugins_config {
desired_state = "ENABLED"
name = "OS Management Service Agent"
}
plugins_config {
desired_state = "ENABLED"
name = "Compute Instance Run Command"
}
plugins_config {
desired_state = "ENABLED"
name = "Compute Instance Monitoring"
}

}

create_vnic_details {
#Optional
assign_public_ip = true
subnet_id = oci_core_subnet.subnet01.id
skip_source_dest_check = false
}

display_name = "vm01"
fault_domain = "FAULT-DOMAIN-1"

metadata = {
ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
user_data = "${base64encode(file("./a.yaml"))}"
}

source_details {
#Required
source_id = data.oci_core_images.ol9_latest.images[0].id
source_type = "image"

#Optional
boot_volume_size_in_gbs = 50
}
preserve_boot_volume = false

preemptible_instance_config {
preemption_action {
type = "TERMINATE"
preserve_boot_volume = false
}
}
}

resource "oci_core_instance" "vm02" {
#Required
availability_domain = "OEIw:US-ASHBURN-AD-1"
compartment_id = oci_identity_compartment.cmp01.id
shape = var.shape

}

create_vnic_details {
#Optional
assign_public_ip = false
subnet_id = oci_core_subnet.subnet02.id
skip_source_dest_check = false
private_ip = "10.0.2.2"
}

display_name = "vm02"
fault_domain = "FAULT-DOMAIN-1"

metadata = {
ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
user_data = "${base64encode(file("./a.yaml"))}"
}

source_details {
#Required
source_id = data.oci_core_images.ol9_latest.images[0].id
source_type = "image"

#Optional
boot_volume_size_in_gbs = 50
}
preserve_boot_volume = false

preemptible_instance_config {
preemption_action {
type = "TERMINATE"
preserve_boot_volume = false
}
}
}

resource "oci_core_instance" "vm03" {
#Required
availability_domain = "OEIw:US-ASHBURN-AD-1"
compartment_id = oci_identity_compartment.cmp01.id
shape = var.shape

}

create_vnic_details {
#Optional
assign_public_ip = false
subnet_id = oci_core_subnet.subnet02.id
skip_source_dest_check = true
private_ip = "10.0.2.3"
}

display_name = "vm03"
fault_domain = "FAULT-DOMAIN-1"

metadata = {
ssh_authorized_keys = file("~/.ssh/id_rsa.pub")
user_data = "${base64encode(file("./a.yaml"))}"
}

source_details {
#Required
source_id = data.oci_core_images.ol9_latest.images[0].id
source_type = "image"

#Optional
boot_volume_size_in_gbs = 50
}
preserve_boot_volume = false

preemptible_instance_config {
preemption_action {
type = "TERMINATE"
preserve_boot_volume = false
}
}
}
EOF

terraform init
terraform fmt
terraform -version

export TF_VAR_compartment_name=cmp01

terraform plan

terraform apply -auto-approve

terraform destroy -auto-approve

-- 2. 各インスタンス接続確認

ssh -i $HOME/.ssh/id_rsa opc@192.0.2.2

ping -c 5 -s 300 10.0.2.2

ssh -i $HOME/.ssh/id_rsa -o ProxyCommand="ssh -i $HOME/.ssh/id_rsa opc@192.0.2.2 -W %h:%p" opc@10.0.2.2

ssh -i $HOME/.ssh/id_rsa -o ProxyCommand="ssh -i $HOME/.ssh/id_rsa opc@192.0.2.2 -W %h:%p" opc@10.0.2.3

nc -v

# 次のコマンドでUDPサーバを建て、NLBのヘルスチェックのリクエストを待機します

while true; do (echo "response") | nc -lu 49152 -i 1; done > /dev/null 2>&1 &

-- 3. NLBの作成

-- 3.1 ネットワーク・ロード・バランサ作成

oci nlb network-load-balancer list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--all

oci nlb network-load-balancer create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--display-name nlb01 \
--subnet-id ocid1.subnet.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--is-preserve-source-destination true \
--is-private true \
--nlb-ip-version IPV4

oci nlb network-load-balancer list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--all \
--query 'data.items.{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}' \
--output table

oci nlb network-load-balancer delete \
--network-load-balancer-id ocid1.networkloadbalancer.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force

-- 3.2 バックエンドセット作成

oci nlb backend-set list \
--network-load-balancer-id ocid1.networkloadbalancer.oc1.iad.000000000000000000000000000000000000000000000000000000000000

privateipのOCID取得
oci network private-ip list \
--subnet-id ocid1.subnet.oc1.iad.000000000000000000000000000000000000000000000000000000000000

echo -n "request" | base64
echo -n "response" | base64

oci nlb backend-set create \
--network-load-balancer-id ocid1.networkloadbalancer.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--name bs01 \
--health-checker '{
"interval-in-millis": 10000,
"port": 0,
"protocol": "UDP",
"request-data": "cmVxdWVzdA==",
"response-body-regex": "",
"response-data": "cmVzcG9uc2U=",
"retries": 3,
"timeout-in-millis": 3000
}' \
--backends '[
{
"ip-address": "10.0.2.3",
"target-id": "ocid1.privateip.oc1.iad.000000000000000000000000000000000000000000000000000000000000",
"name": "ocid1.privateip.oc1.iad.000000000000000000000000000000000000000000000000000000000000:49152",
"is-backup": false,
"is-drain": false,
"is-offline": false,
"port": 49152,
"weight": 1
}
]' \
--ip-version IPV4 \
--policy FIVE_TUPLE \
--is-preserve-source true

oci nlb backend-set delete \
--network-load-balancer-id ocid1.networkloadbalancer.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--backend-set-name bs01 \
--force

-- 3.3 リスナー作成

oci nlb listener list \
--network-load-balancer-id ocid1.networkloadbalancer.oc1.iad.000000000000000000000000000000000000000000000000000000000000

oci nlb listener create \
--network-load-balancer-id ocid1.networkloadbalancer.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--default-backend-set-name bs01 \
--name lis01 \
--port 4789 \
--protocol UDP \
--ip-version IPV4

oci nlb listener delete \
--network-load-balancer-id ocid1.networkloadbalancer.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--listener-name lis01 \
--force

-- 4. VTAPの作成

-- 4.1 取得フィルタ作成
oci network capture-filter list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000

oci network capture-filter create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--filter-type VTAP \
--display-name cf01 \
--vtap-capture-filter-rules '[
{
"destination-cidr": "10.0.2.0/24",
"icmp-options": null,
"protocol": "1",
"rule-action": "INCLUDE",
"source-cidr": "10.0.1.0/24",
"tcp-options": null,
"traffic-direction": "INGRESS",
"udp-options": null
},
{
"destination-cidr": "10.0.2.0/24",
"icmp-options": null,
"protocol": "6",
"rule-action": "INCLUDE",
"source-cidr": "10.0.1.0/24",
"tcp-options": {
"source-port-range": null,
"destination-range": {
"max": 23,
"min": 23
}
},
"traffic-direction": "INGRESS",
"udp-options": null
}
]'

oci network capture-filter list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--query 'data.{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}' \
--output table

oci network capture-filter delete \
--capture-filter-id ocid1.capturefilter.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force

-- 4.2 VTAPの作成

oci network vtap list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000

vnicのOCID取得

oci compute instance list-vnics \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000

oci network vtap create \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--vcn-id ocid1.vcn.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--capture-filter-id ocid1.capturefilter.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--display-name vt01 \
--encapsulation-protocol VXLAN \
--is-vtap-enabled false \
--max-packet-size 9000 \
--source-type VNIC \
--source-id "ocid1.vnic.oc1.iad.000000000000000000000000000000000000000000000000000000000000" \
--target-type NETWORK_LOAD_BALANCER \
--target-id ocid1.networkloadbalancer.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--traffic-mode DEFAULT \
--vxlan-network-identifier 263105

oci network vtap list \
--compartment-id ocid1.compartment.oc1..000000000000000000000000000000000000000000000000000000000000 \
--query 'data[].{"display-name":"display-name","id":"id","lifecycle-state":"lifecycle-state"}' \
--output table

oci network vtap update \
--vtap-id ocid1.vtap.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--is-vtap-enabled true

oci network vtap delete \
--vtap-id ocid1.vtap.oc1.iad.000000000000000000000000000000000000000000000000000000000000 \
--force

-- 5. ICMPパケットのキャプチャとWiresharkを用いたTELNETパケットのキャプチャ

ssh -i $HOME/.ssh/id_rsa opc@192.0.2.2

ping -c 5 -s 300 10.0.2.2

--
telnet 10.0.2.2

----

ssh -i $HOME/.ssh/id_rsa -o ProxyCommand="ssh -i $HOME/.ssh/id_rsa opc@192.0.2.2 -W %h:%p" opc@10.0.2.2

sudo systemctl start telnet.socket
sudo systemctl status telnet.socket

echo 'W3lcome123##' | sudo passwd opc --stdin

----
ssh -i $HOME/.ssh/id_rsa -o ProxyCommand="ssh -i $HOME/.ssh/id_rsa opc@192.0.2.2 -W %h:%p" opc@10.0.2.3

sudo tcpdump src host 10.0.2.2 -vv -i ens3

sudo tshark -D

sudo tshark -Y 'ip.src==10.0.2.2 and udp.dstport==4789' -T fields -e ip.src -e ip.dst -e telnet.data -d udp.port==4789,vxlan -i 1