diff options
| -rw-r--r-- | core/conf/rc.d/iptables | 111 | ||||
| -rw-r--r-- | tools/conf/etc/iptables/vlan.v4 | 170 | ||||
| -rwxr-xr-x | tools/conf/etc/rc.d/blan | 93 | ||||
| -rw-r--r-- | tools/network.html | 19 | ||||
| -rw-r--r-- | tools/qemu.html | 127 |
5 files changed, 356 insertions, 164 deletions
diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables index 3f29928..bb5cf91 100644 --- a/core/conf/rc.d/iptables +++ b/core/conf/rc.d/iptables @@ -3,80 +3,79 @@ # /etc/rc.d/iptables: load/unload iptable rules # -case $1 in -start) - echo "Starting IPv4 firewall filter table..." - /usr/sbin/iptables-restore < /etc/iptables/rules.v4 - ;; -stop) - echo "Stopping firewall and deny everyone..." - iptables -F - iptables -X - iptables -t nat -F - iptables -t nat -X - iptables -t mangle -F - iptables -t mangle -X - iptables -t raw -F - iptables -t raw -X - iptables -t security -F - iptables -t security -X +rules=rules.v4 +#rules=vlan.v4 + +iptables_clear () { + echo "clear all iptables tables" + iptables -F + iptables -X + iptables -t nat -F + iptables -t nat -X + iptables -t mangle -F + iptables -t mangle -X + iptables -t raw -F + iptables -t raw -X + iptables -t security -F + iptables -t security -X +} +case $1 in + start) + iptables_clear + echo "starting IPv4 firewall filter table..." + /usr/sbin/iptables-restore < /etc/iptables/${rules} + ;; + stop) + iptables_clear + echo "stopping firewall and deny everyone..." /usr/sbin/iptables -P INPUT DROP /usr/sbin/iptables -P FORWARD DROP /usr/sbin/iptables -P OUTPUT DROP - # Unlimited on local - /usr/sbin/iptables -A INPUT -i lo -j ACCEPT - /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT + # Unlimited on local + /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT - # log everything else and drop - /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " - /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " - /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + # log everything else and drop + /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " - ;; -open) - echo "Outgoing Open firewall and deny everyone..." - iptables -F - iptables -X - iptables -t nat -F - iptables -t nat -X - iptables -t mangle -F - iptables -t mangle -X - iptables -t raw -F - iptables -t raw -X - iptables -t security -F - iptables -t security -X + ;; + open) + iptables_clear + echo "outgoing Open firewall and deny everyone..." /usr/sbin/iptables -P INPUT DROP /usr/sbin/iptables -P FORWARD DROP /usr/sbin/iptables -P OUTPUT ACCEPT - # Unlimited on local - /usr/sbin/iptables -A INPUT -i lo -j ACCEPT - /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT - - # Accept passive - /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + /usr/sbin/iptables -A OUTPUT -j ACCEPT - /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + # Unlimited on local + /usr/sbin/iptables -A INPUT -i lo -j ACCEPT + /usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT + # Accept passive + /usr/sbin/iptables -A INPUT -p tcp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT + /usr/sbin/iptables -A INPUT -p udp --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT - # log everything else and drop - /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " - #/usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " - /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " + # log everything else and drop + /usr/sbin/iptables -A INPUT -j LOG --log-level 7 --log-prefix "iptables: INPUT: " + /usr/sbin/iptables -A OUTPUT -j LOG --log-level 7 --log-prefix "iptables: OUTPUT: " + /usr/sbin/iptables -A FORWARD -j LOG --log-level 7 --log-prefix "iptables: FORWARD: " - ;; + ;; -restart) - $0 stop - $0 start - ;; -*) + restart) + $0 stop + $0 start + ;; + *) - echo "usage: $0 [start|stop|restart]" - ;; + echo "usage: $0 [start|stop|restart]" + ;; esac # End of file diff --git a/tools/conf/etc/iptables/vlan.v4 b/tools/conf/etc/iptables/vlan.v4 new file mode 100644 index 0000000..8c87389 --- /dev/null +++ b/tools/conf/etc/iptables/vlan.v4 @@ -0,0 +1,170 @@ +# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +*security +:INPUT ACCEPT [6:2056] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [6:2056] +COMMIT +# Completed on Sat Oct 15 17:20:41 2016 +# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +*raw +:PREROUTING ACCEPT [7:2092] +:OUTPUT ACCEPT [6:2056] +COMMIT +# Completed on Sat Oct 15 17:20:41 2016 +# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +*mangle +:PREROUTING ACCEPT [7:2092] +:INPUT ACCEPT [6:2056] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [6:2056] +:POSTROUTING ACCEPT [6:2056] +COMMIT +# Completed on Sat Oct 15 17:20:41 2016 +# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +*filter +:INPUT DROP [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT DROP [0:0] +-A INPUT -i lo -j ACCEPT +-A INPUT -i br0 -j ACCEPT +-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 +-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP +-A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " +-A INPUT -f -j DROP +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP +-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" +-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP +-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " +-A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP +-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP +################################################################################# +# INPUT +# Established connections and passive +# + +# Allow established from dns server +#-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +# INPUT accept passive +-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT + + +# Allow irc +-A INPUT -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +# Allow xmmp +-A INPUT -p tcp -m tcp --sport 5222 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT +# Allow established from https server +-A INPUT -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT +-A INPUT -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +# Allow established from http server +-A INPUT -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +# Allow established from rsync server +-A INPUT -p tcp -m tcp --sport 873 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +# Allow established from pop3s server +-A INPUT -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +# Allow established from smtps server +-A INPUT -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +# Allow established from ntp server +-A INPUT -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +# Allow established from whois server +-A INPUT -p tcp -m tcp --sport 43 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +# Allow established from ftp server +-A INPUT -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +################################################################################## +# INPUT +# New and established connections to local servers +# + +# allow ping +-A INPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +-A INPUT -p icmp --icmp-type 0 -m state --state ESTABLISHED,RELATED -j ACCEPT + +# INPUT accept from wlp7s0 to dns server +#-A INPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT + +# INPUT accept from wlp7s0 to https server +-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +# INPUT accept from wlp7s0 to ssh server +-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT +-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW -m limit --limit 6/min --limit-burst 3 -j ACCEPT + +-A FORWARD -i br0 -j ACCEPT + +-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 +-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 + +################################################################################## +# Output +# Connections to remote servers +# +-A OUTPUT -o lo -j ACCEPT +-A OUTPUT -o br0 -j ACCEPT + +# Allow ping +-A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +# Allow to ssh clients +-A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +# Allow to dns +#-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow from dns server +#-A OUTPUT -p udp -m udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +# Allow irc +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow xmmp +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT + + +# Allow to rsync server +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to pop3s server +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to smtps server +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to ntp server +-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to ftp server +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to https server +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to http server +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT + +################################################################################## +# Output +# Connections from local servers +# + + +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state NEW -j ACCEPT + + +-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 +COMMIT +# Completed on Sat Oct 15 17:20:41 2016 +# Generated by iptables-save v1.6.0 on Sat Oct 15 17:20:41 2016 +*nat +:PREROUTING ACCEPT [1:36] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] + +-A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -j ACCEPT +-A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE +#-A POSTROUTING -o wlp7s0 -j MASQUERADE + +COMMIT +# Completed on Sat Oct 15 17:20:41 2016 diff --git a/tools/conf/etc/rc.d/blan b/tools/conf/etc/rc.d/blan index f75d272..f3ea322 100755 --- a/tools/conf/etc/rc.d/blan +++ b/tools/conf/etc/rc.d/blan @@ -4,60 +4,55 @@ # DEV="br0" -PHY="enp8s0" -ADDR=10.0.0.1 +ADDR=10.0.0.254 NET=10.0.0.0 +GW=192.168.1.254 MASK=24 -GTW=10.0.0.1 -NTAPS=$((`/usr/bin/nproc`-1)) + +# one tap for each cpu core +NTAPS=$((`/usr/bin/nproc`)) case $1 in - start) - /sbin/ip link add name ${DEV} type bridge - /sbin/ip link set dev ${DEV} up - - /bin/sleep 0.2s - /sbin/ip route flush dev ${PHY} - /sbin/ip addr flush dev ${PHY} - /sbin/ip link set dev ${PHY} master ${DEV} - - /sbin/ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast + - - for i in `/usr/bin/seq $NTAPS` - do - TAP="tap$i" - echo $TAP - /sbin/ip tuntap add ${TAP} mode tap group kvm - /sbin/ip link set ${TAP} up - /bin/sleep 0.2s - #brctl addif $switch $1 - /sbin/ip link set ${TAP} master ${DEV} - done - - exit 0 - ;; - stop) - - for i in `/usr/bin/seq $NTAPS` - do - TAP="tap$i" - /sbin/ip link del ${TAP} - echo $TAP - done - - /sbin/ip link set dev ${DEV} down - /sbin/ip route flush dev ${DEV} - /sbin/ip link del ${DEV} - exit 0 - ;; - restart) - $0 stop - $0 start - ;; - *) - echo "Usage: $0 [start|stop|restart]" - ;; + start) + /sbin/ip link add name ${DEV} type bridge + /sbin/ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast + + /sbin/ip link set dev ${DEV} up + /bin/sleep 0.2s + + for i in `/usr/bin/seq $NTAPS` + do + TAP="tap$i" + echo "Setting up ${TAP} tap interface." + /sbin/ip tuntap add ${TAP} mode tap group kvm + /sbin/ip link set ${TAP} up + /bin/sleep 0.2s + /sbin/ip link set ${TAP} master ${DEV} + done + + exit 0 + ;; + stop) + + for i in `/usr/bin/seq $NTAPS` + do + TAP="tap$i" + echo "Deleting ${TAP} tap interface." + /sbin/ip link del ${TAP} + done + + /sbin/ip link set dev ${DEV} down + /sbin/ip route flush dev ${DEV} + /sbin/ip link del ${DEV} + exit 0 + ;; + restart) + $0 stop + $0 start + ;; + *) + echo "Usage: $0 [start|stop|restart]" + ;; esac # End of file diff --git a/tools/network.html b/tools/network.html index 43e4616..bb4c0be 100644 --- a/tools/network.html +++ b/tools/network.html @@ -20,24 +20,7 @@ how to create interfaces at startup or as source to do it in automatic way;</p> - <pre> - DEV="br0" - PHY="enp8s0" - </pre> - - <pre> - # ip link add name ${DEV} type bridge - # ip link set dev ${DEV} up - </pre> - <pre> - # ip route flush dev ${PHY} - # ip addr flush dev ${PHY} - # ip link set dev ${PHY} master ${DEV} - </pre> - - <pre> - # ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast + - </pre> + <p>For more information about bridges <a href="http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html#section7">Bridges with iptables</a></p> <a href="index.html">Tools Index</a> <p>This is part of the c9 Manual. diff --git a/tools/qemu.html b/tools/qemu.html index 0079dfc..86fb7aa 100644 --- a/tools/qemu.html +++ b/tools/qemu.html @@ -12,7 +12,9 @@ <h2 id="kern">1. Host System</h2> - <p>Load modules, in this case kvm of intel cpu;</p> + <p>Prepare host system for virtual machines, this includes create new user, + loading necessary modules and configure network. Load kvm module, in this example + intel module is loaded but depends on host cpu;</p> <pre> # modprobe -a kvm-intel tun virtio @@ -27,6 +29,7 @@ <h2 id="disk">2. Disk images</h2> + <p>Qemu supports multiple disk images types.</p> <dl> <dt>img</dt> <dd>Raw disk image, allows dd to a physical device.</dd> @@ -115,67 +118,109 @@ KERNEL=="tun", GROUP="kvm", MODE="0660", OPTIONS+="static_node=net/tun" </pre> + <h3>2.1. Routing</h3> - <h3>2.1. Public Bridge</h3> - - <p>Create <a href="network.html#bridge">bridge</a>, create new - tap and add it to bridge;</p> - - <pre> - # DEV="br0" - # TAP="tap1" - </pre> - - <pre> - # ip tuntap add ${TAP} mode tap group kvm - # ip link set ${TAP} up - </pre> + <p>Create interface with correct permissions set for kvm group.</p> <pre> - # ip link set ${TAP} master ${DEV} + # sysctl -w net.ipv4.ip_forward=1 + # iptables -A INPUT -i br0 -j ACCEPT + # iptables -A FORWARD -i br0 -j ACCEPT + # iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -j ACCEPT + # iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE </pre> - <h3>2.2. Routing</h3> + <h3>2.2. Public Bridge</h3> - <p>Create interface with correct permissions set for kvm group.</p> + <p>Create <a href="network.html#bridge">bridge</a>, create new + tap and add it to bridge;</p> <pre> - # sysctl -w net.ipv4.ip_forward=1 - # iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE + DEV="br0" + + ADDR=10.0.0.254 + NET=10.0.0.0 + GW=192.168.1.254 + MASK=24 + + # one tap for each cpu core + NTAPS=$((`/usr/bin/nproc`)) + + case $1 in + start) + /sbin/ip link add name ${DEV} type bridge + /sbin/ip addr add ${ADDR}/${MASK} dev ${DEV} broadcast + + /sbin/ip link set dev ${DEV} up + /bin/sleep 0.2s + + for i in `/usr/bin/seq $NTAPS` + do + TAP="tap$i" + echo "Setting up ${TAP} tap interface." + /sbin/ip tuntap add ${TAP} mode tap group kvm + /sbin/ip link set ${TAP} up + /bin/sleep 0.2s + /sbin/ip link set ${TAP} master ${DEV} + done + + exit 0 + ;; + stop) + + for i in `/usr/bin/seq $NTAPS` + do + TAP="tap$i" + echo "Deleting ${TAP} tap interface." + /sbin/ip link del ${TAP} + done + + /sbin/ip link set dev ${DEV} down + /sbin/ip route flush dev ${DEV} + /sbin/ip link del ${DEV} + exit 0 + ;; + restart) + $0 stop + $0 start + ;; + *) + echo "Usage: $0 [start|stop|restart]" + ;; + esac + + # End of file </pre> <h2 id="guest">Guest System</h2> - <p>Start qemu with 512 of ram, mydisk.img as disk and boot from iso</p> - <p>See <a href="scripts/system-qemu.sh">scripts/system-qemu.sh</a>, as template. Run virtual machine that uses above tap device;</p> <pre> - $ ISO=~/crux-3.2.iso - $ IMG=~/crux-img.qcow2 - $ TAP="tap1" + #!/bin/bash - $ qemu-system-x86_64 \ - -enable-kvm \ - -m 1024 \ - -boot d \ - -cdrom ${ISO} \ - -hda ${IMG} \ - -net nic,model=virtio -net tap,ifname=${TAP},script=no,downscript=no - </pre> + function rmac_addr (){ + printf '54:60:BE:EF:%02X:%02X\n' $((RANDOM%256)) $((RANDOM%256)) + } - <pre> - $ ISO=~/crux-3.2.iso - $ IMG=~/crux-img.qcow2 + #boot=d + boot=$1 + #iso=crux-3.2.iso + iso=$2 + #image=crux-img.qcow2 + image=$3 + #tap="tap1" + tap=$4 + mac=$(rmac_addr) - $ qemu-system-x86_64 \ + qemu-system-x86_64 \ -enable-kvm \ -m 1024 \ - -boot d \ - -cdrom ${ISO} \ - -hda ${IMG} \ - -net nic,model=virtio -net tap,ifname=${TAP},script=no,downscript=no + -boot ${boot} \ + -cdrom ${iso} \ + -hda ${image} \ + -device e1000,netdev=t0,mac=${mac} \ + -netdev tap,id=t0,ifname=${tap},script=no,downscript=no </pre> <a href="index.html">Tools Index</a> |