Cyrange : firewall configuration

Jan 28, 2022 by Thibault Debatty | 1658 views

Cyrange Cyber Range

https://cylab.be/blog/199/cyrange-firewall-configuration

The cyrange Cyber Range is composed of multiple docker containers. After installation, here is how to configure your firewall to allow communication between the different components…

cyrange-architecture.png

First, let’s allow SSH, HTTP and HTTPS, and increase firewall logging verbosity:

sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw logging medium

Now that SSH is allowed, we can enable the firewall:

sudo ufw enable

First we must find the subnet used by our containers:

docker network inspect cyrange_default | grep Subnet

On my server, the subnet used by the cyrange containers is 172.21.0.0/16. You should adapt the examples below according to your subnet…

As we can see on the Figure above, we must allow communication from cyrange to vboxweb-srv:

sudo ufw allow from 172.21.0.0/16 to any port 18083 proto tcp

We must also allow communication from guacamole to RDP ports:

sudo ufw allow from 172.21.0.0/16 to any port 15000:15999 proto tcp

During the deployment of a VM, cyrange will connect to the VM using ssh (on a port in the range 22000-22999), to configure the guest OS. To allow connections from cyrange to the SSH port used for provisioning:

sudo ufw allow from 172.21.0.0/16 to any port 22000:22999 proto tcp

Now, your firewall configuration should look like this:

sudo ufw status verbose


Status: active
Logging: on (medium)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere                  
80/tcp                     ALLOW IN    Anywhere                  
443/tcp                    ALLOW IN    Anywhere                  
18083/tcp                  ALLOW IN    172.21.0.0/16             
22000:22999/tcp            ALLOW IN    172.21.0.0/16             
15000:15999/tcp            ALLOW IN    172.21.0.0/16             
22/tcp (v6)                ALLOW IN    Anywhere (v6)             
80/tcp (v6)                ALLOW IN    Anywhere (v6)             
443/tcp (v6)               ALLOW IN    Anywhere (v6)

Finally, if you have NOT configured Apache reverse proxy, you will need to open ports 8080 and 8081 to access the web interface:

sudo ufw allow 8080
sudo ufw allow 8081

This blog post is licensed under CC BY-SA 4.0

File upload, validation and storage with Laravel
Laravel is a powerful framework, that offers all functionalities required to implement file upload, validation and storage. Here is a complete and concrete example.
Jun 17, 2022 | 13369 views
A light NAT router and DHCP server with Alpine Linux
Alpine Linux is a very light Linux distribution, that can run with less than 100MB of harddisk space. Here is how to configure Alpine Linux to run as a NAT router and DHCP server.
Jun 8, 2022 | 12529 views
Cyrange : scenarios
Today we released version 1.1.0 of the cyrange Cyber Range platform. This version brings an important new feature : scenarios. A scenario allows to define a large scale exercise, involving multiple virtual machines, that can be interconnected using a complex network. Moreover, to run the exercise, the cyrange platform will deploy a copy of each defined VM for each trainee. Let’s see how…
May 6, 2022 | 1814 views
This website uses cookies. More information about the use of cookies is available in the cookies policy.
Accept