Air-Ungap#
Create networks#
Create an air-gapped network (Docker's --internal flag gives it no route to the outside) and a regular one with internet access
docker network create --internal --subnet 10.10.10.0/24 internal
docker network create internet
Create the containers and connect them#
Create a fedora container and connect it to the internal network only
docker run -d --network internal --name fedora fedora tail -f /dev/null
Create the proxy container and connect it to the internal network. The -p flag also asks Docker to publish port 3128 on the host; nothing in this walkthrough needs that (the fedora container talks to the proxy over the internal network), so leave it out, or bind it to 127.0.0.1 if you want to test the proxy from the host.
docker run --name squid-proxy --network=internal -d --rm -p3128:3128 ubuntu/squid
But also give the proxy access to the internet
docker network connect internet squid-proxy
You can double-check which networks each container is attached to this way (squid-proxy should list both, fedora only internal)
docker inspect squid-proxy -f '{{json .NetworkSettings.Networks }}'|jq .
docker inspect fedora -f '{{json .NetworkSettings.Networks }}'|jq .
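Eyeballing the inspect output works for two containers; for anything larger you want the air-gap checked by script. The following is an added example, not part of the original page: the docker_* helpers wrap `docker inspect` Go templates, and the check_* functions are pure string logic (so they can be exercised without a Docker daemon). Container and network names follow the page (fedora, squid-proxy, internal, internet); the template field names are taken from the JSON that `docker inspect` emits.

```shell
#!/bin/sh
# Added example: verify the air-gap at the Docker level instead of trusting the
# topology we think we built.
set -eu

# Space-separated names of the networks a container is attached to.
docker_container_networks() {
  docker inspect -f '{{range $name, $net := .NetworkSettings.Networks}}{{$name}} {{end}}' "$1"
}

# Prints "true" when the network was created with --internal.
docker_network_is_internal() {
  docker network inspect -f '{{.Internal}}' "$1"
}

# "HostIp:HostPort" for every published port of a container, space separated.
# HostIp is empty when the port was published without an address, i.e. on all
# host interfaces (what "-p 3128:3128" does).
docker_port_bindings() {
  docker inspect -f '{{range $port, $bindings := .HostConfig.PortBindings}}{{range $bindings}}{{.HostIp}}:{{.HostPort}} {{end}}{{end}}' "$1"
}

# Returns 0 only if NETS is non-empty and every network in it is internal,
# according to LOOKUP (a command that prints true/false for a network name).
# A container attached to even one non-internal network has a way out.
check_all_internal() {
  nets=$1; lookup=$2
  [ -n "$nets" ] || return 1
  for n in $nets; do
    [ "$("$lookup" "$n")" = "true" ] || return 1
  done
  return 0
}

# Returns 0 only if every published port is bound to loopback (or nothing is
# published at all). ":3128" or "0.0.0.0:3128" means the proxy is reachable
# from whatever can reach the host.
check_loopback_bindings() {
  for b in $1; do
    case $b in
      127.0.0.1:*|::1:*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Live usage against the running lab (not executed here):
#   check_all_internal "$(docker_container_networks fedora)" docker_network_is_internal \
#     && echo "fedora is air-gapped" || echo "fedora can reach outside"
#   check_loopback_bindings "$(docker_port_bindings squid-proxy)" \
#     && echo "proxy not exposed on the host" || echo "proxy published on a non-loopback address"
```

With the commands as typed on this page, the first check passes for fedora and fails for squid-proxy (it is on internet as well, by design), and the second fails for squid-proxy because of the unbound -p.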
Try to connect to internal and external resources#
From the fedora container, we should be able to access only internal resources
docker exec -it fedora /bin/bash
We expect requests to external resources to fail. There is no route out, so curl simply hangs until you interrupt it (give curl a timeout with its --max-time option if you would rather get a non-zero exit code than press ^C)
curl http://example.com
^C
But we should be able to reach resources on the internal network, i.e. the proxy in this case. It got 10.10.10.3 here because it was the second container attached to the subnet; confirm the address in the inspect output above, or use the name squid-proxy, which Docker's embedded DNS resolves on user-defined networks.
curl -sI http://10.10.10.3:3128|grep Serv
Server: squid/5.7
Reach out to the internet through the proxy#
Even though we cannot reach out directly, as demonstrated before
curl https://example.com
^C
We can reach out through the proxy (-x tells curl to send the request via the proxy)
curl -sI -x http://10.10.10.3:3128 http://example.com|grep Serv
Server: ECS (nyb/1D04)
Tail the proxy access log#
From the proxy container, tail the access logs, so you can observe traffic going through the proxy
docker exec -it squid-proxy /bin/bash
tail -f /var/log/squid/access.log
Use the proxy to reach the dnf repos#
dnf repolist
Since this system is air-gapped it cannot reach the dnf repos to upgrade itself
dnf update
(the above command fails: the mirror metadata download never gets out)
But we can funnel the traffic for the dnf repos through the proxy. All we have to do is set a proxy for every entry in the repo files.
cd /etc/yum.repos.d/
ls -la
total 36
drwxr-xr-x 2 root root 4096 Sep 14 06:49 .
drwxr-xr-x 1 root root 4096 Sep 17 10:34 ..
-rw-r--r-- 1 root root 728 Apr 6 00:00 fedora-cisco-openh264.repo
-rw-r--r-- 1 root root 1302 Apr 6 00:00 fedora-modular.repo
-rw-r--r-- 1 root root 1349 Apr 6 00:00 fedora-updates-modular.repo
-rw-r--r-- 1 root root 1391 Apr 6 00:00 fedora-updates-testing-modular.repo
-rw-r--r-- 1 root root 1344 Apr 6 00:00 fedora-updates-testing.repo
-rw-r--r-- 1 root root 1286 Apr 6 00:00 fedora-updates.repo
-rw-r--r-- 1 root root 1239 Apr 6 00:00 fedora.repo
Add an empty line at the end of every repo file, so that every section (each file holds several, separated by blank lines) is followed by one
for f in *.repo; do printf '\n' >> "$f"; done
Then replace every empty line with a proxy= directive plus a newline, which lands the directive in every section of every file
sed -i 's|^$|proxy=http://10.10.10.3:3128\n|' ./*.repo
So every repo now goes through our proxy, which means we can upgrade the system even though it is (was) air-gapped. Note what this makes the proxy: it is the only path out, so its access rules (which clients, which destinations) are now the whole security boundary of the "air-gap". As set up here it lets any container on the internal network reach any destination through it.
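The blank-line-then-sed trick works on stock Fedora repo files but depends on their layout. Below is an added example, not from the original page, of doing the same job in a way you can re-run safely: set_main_proxy puts a single proxy= line in the [main] section of dnf.conf (dnf applies it to every repo that does not set its own), and add_repo_proxy puts one proxy= line under every [section] of a repo file, which is what the page's sed achieves. Both replace any proxy= line already present, so running them twice does not duplicate it. The sample files are constructed here to exercise the functions in a temp dir; on the fedora container the real paths are /etc/dnf/dnf.conf and /etc/yum.repos.d/*.repo, and the proxy URL is the one from the page.

```shell
#!/bin/sh
# Added example: point dnf at the proxy idempotently, without relying on the
# blank-line layout of the repo files.
set -eu

# Assumed proxy address, matching the page's setup.
PROXY_URL=${PROXY_URL:-http://10.10.10.3:3128}

# Rewrite FILE so that the [main] section carries exactly one proxy=URL line,
# placed right after the [main] header. Existing proxy= lines inside [main]
# are dropped; other sections are left untouched; a file without [main] gets
# one appended.
set_main_proxy() {
  file=$1; url=$2
  awk -v url="$url" '
    /^\[/ { in_main = ($0 == "[main]") }
    in_main && /^proxy[[:space:]]*=/ { next }
    { print }
    in_main && /^\[main\]$/ && !done { print "proxy=" url; done = 1 }
    END { if (!done) { print "[main]"; print "proxy=" url } }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Rewrite a repo FILE so that every [section] header is followed by
# proxy=URL, dropping any proxy= lines that were already there.
add_repo_proxy() {
  file=$1; url=$2
  awk -v url="$url" '
    /^proxy[[:space:]]*=/ { next }
    { print }
    /^\[[^]]+\]/ { print "proxy=" url }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Number of proxy= lines in a file (0 when there are none).
count_proxy_lines() {
  grep -c '^proxy[[:space:]]*=' "$1" || true
}

# Constructed samples (not copied from a live system): a dnf.conf that already
# has a stale proxy, and a repo file with three sections like Fedora's.
make_samples() {
  dir=$(mktemp -d)
  cat > "$dir/dnf.conf" <<'EOF'
[main]
gpgcheck=True
installonly_limit=3
proxy=http://old-proxy:8080
EOF
  cat > "$dir/fedora.repo" <<'EOF'
[fedora]
name=Fedora $releasever - $basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1

[fedora-debuginfo]
name=Fedora $releasever - $basearch - Debug
enabled=0

[fedora-source]
name=Fedora $releasever - Source
enabled=0
EOF
  echo "$dir"
}

# Demo on the constructed samples: apply both, then show the results.
demo_dir=$(make_samples)
set_main_proxy "$demo_dir/dnf.conf" "$PROXY_URL"
add_repo_proxy "$demo_dir/fedora.repo" "$PROXY_URL"
cat "$demo_dir/dnf.conf" "$demo_dir/fedora.repo"
rm -r "$demo_dir"
```

For a one-off run, dnf also accepts the setting on the command line (`dnf --setopt=proxy=http://10.10.10.3:3128 update`), which is handy for checking that the proxy works before touching any config file.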
dnf update
Fedora 38 - aarch64 17 MB/s | 79 MB 00:04
Fedora 38 openh264 (From Cisco) - aarch64 1.8 kB/s | 2.5 kB 00:01
Fedora Modular 38 - aarch64 2.0 MB/s | 2.7 MB 00:01
Fedora 38 - aarch64 - Updates 17 MB/s | 31 MB 00:01
Fedora Modular 38 - aarch64 - Updates 1.3 MB/s | 2.1 MB 00:01
Dependencies resolved.
======================================================================================================
Package Architecture Version Repository Size
======================================================================================================
Upgrading:
curl aarch64 8.0.1-4.fc38 updates 345 k
libcurl aarch64 8.0.1-4.fc38 updates 305 k
Transaction Summary
======================================================================================================
Upgrade 2 Packages
Total download size: 650 k
Is this ok [y/N]:
And direct access to the internet, without going through the proxy, still fails.
curl http://example.com
^C