OpenWRT Container (ID: 100): ```bash pct create 100 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype unmanaged --hostname openwrt-0 --tag network --storage local-lvm --cores 2 --memory 128 --swap 0 --rootfs local-lvm:1,size=1G --net0 name=eth0,bridge=vmbr0,firewall=1 --net1 name=eth1,bridge=vmbr1,firewall=1 ``` Kali Linux Container (ID: 200): ```bash pct create 200 /var/lib/vz/template/cache/kali-default-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype debian --hostname kali-0 --tag tools --storage local-lvm --cores 2 --memory 2048 --swap 512 --rootfs local-lvm:1,size=16G --net0 name=eth0,bridge=vmbr0,firewall=1 --net1 name=eth1,bridge=vmbr1,firewall=1 ``` Alpine Container (ID: 300): ```bash pct create 300 /var/lib/vz/template/cache/alpine-default-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype alpine --hostname alpine-0 --tag docker --storage local-lvm --cores 2 --memory 1024 --swap 256 --rootfs local-lvm:1,size=8G --net0 name=eth0,bridge=vmbr0,firewall=1 --net1 name=eth1,bridge=vmbr1,firewall=1 ``` ```bash pct start 100 ``` ```bash pct stop 100 ``` ```bash pct destroy 100 ``` --- Here's the updated response with the additional information on installing packages via the CLI on OpenWrt: ### Proxmox Container Creation ```bash opkg install qemu-ga ``` ### OpenWRT Firewall Configuration The network interface and firewall configuration remains the same as before: #### **Define Network Interfaces**: Update `/etc/config/network` to reflect `eth1` as the WAN interface: ```bash config interface 'wan' option ifname 'eth1' option proto 'dhcp' ``` #### **Update Firewall Settings**: Append rules to `/etc/config/firewall` to allow SSH and HTTPS access: ```bash config zone option name 'wan' list network 'wan' option input 'REJECT' option output 'ACCEPT' option forward 'REJECT' option masq '1' option mtu_fix '1' config rule option name 'Allow-SSH' option src 'wan' option proto 'tcp' option dest_port '22' option target 'ACCEPT' config rule option name 'Allow-HTTPS' option src 'wan' option proto 'tcp' option dest_port '443' option target 'ACCEPT' ``` ### Installing Packages via CLI To install packages via the CLI on OpenWrt, you can use the `opkg` package management tool. Here's how to go about it: 1. **Update the Package List**: Before installing any new packages, it's a good practice to update the list of packages to ensure you are installing the latest versions available. You can do this by running: ``` opkg update ``` 2. **Install a Package**: Once the package list is updated, you can install a package by using the `opkg install` command followed by the package name. For example, if you want to install the QEMU Guest Agent, you would use: ``` opkg install qemu-ga ``` 3. **Check Dependencies**: `opkg` automatically handles dependencies for the packages you install. If additional packages are required to fulfill dependencies, `opkg` will download and install them as well. 4. **Configure Packages**: Some packages may require configuration after installation. OpenWrt might save configuration files in `/etc/config/`, and you might need to edit these files manually or through a web interface (if you have LuCI installed). 5. **Managing Packages**: Besides installing, you can also remove packages with `opkg remove` and list installed packages with `opkg list-installed`. 6. **Find Available Packages**: To see if a specific package is available in the OpenWrt repository, you can search for it using: ``` opkg list | grep ``` These steps should help you manage packages on your OpenWrt device from the command line. For more detailed information or troubleshooting, you can refer to the OpenWrt documentation or community forums. ### Applying the Configuration After updating the configuration files: - **Restart Network Services**: ```bash /etc/init.d/network restart ``` - **Reload Firewall Settings**: ```bash /etc/init.d/firewall restart ``` This setup reduces the memory and storage footprint of the OpenWRT container while maintaining the necessary network and firewall configurations for SSH and HTTPS access. It also provides guidance on installing and managing packages using the `opkg` tool in OpenWrt. Remember to test connectivity, functionality, and package installations thoroughly after applying these changes to ensure the reduced resource allocation meets your requirements and the necessary packages are installed correctly. --- The container creation command you provided is close, but let's make a few adjustments to optimize it for a small footprint Alpine container. Here's the updated command: ```bash pct create 200 /var/lib/vz/template/cache/alpine-3.17-default_20230502_amd64.tar.xz --unprivileged 1 --arch amd64 --ostype alpine --hostname alpine-0 --storage local-lvm --memory 128 --swap 0 --rootfs local-lvm:2,size=1G --net0 name=eth0,bridge=vmbr0,firewall=1 --net1 name=eth1,bridge=vmbr1,firewall=1 ``` Changes made: - Updated the template file name to `alpine-3.17-default_20230502_amd64.tar.xz` to use a specific Alpine version. Replace this with the actual template file name you have downloaded. - Changed `--ostype` to `alpine` instead of `unmanaged`. This allows Proxmox to apply Alpine-specific configurations. - Reduced the memory to 128MB (`--memory 128`) to minimize the footprint. Adjust this value based on your requirements. - Removed the extra `\\` characters, as they are not needed in this command. After creating the container, you can configure the network interfaces and firewall rules similar to the OpenWRT example: 1. Update `/etc/network/interfaces` to configure `eth1` as the WAN interface: ``` auto eth1 iface eth1 inet dhcp ``` 2. Configure the firewall rules in `/etc/iptables.rules` to allow SSH and HTTPS access: ``` *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT -A INPUT -i eth1 -j REJECT --reject-with icmp-port-unreachable COMMIT ``` 3. Apply the network configuration and firewall rules: ```bash service networking restart iptables-restore < /etc/iptables.rules ``` 4. Install and configure any additional packages you need using Alpine's package manager, `apk`. For example, to install the QEMU Guest Agent: ```bash apk update apk add qemu-guest-agent ``` Remember to thoroughly test the container's functionality and security after applying these configurations to ensure it meets your requirements. --- To create a right-sized Kali Linux container for typical use, you can use the following command: ```bash pct create 300 /var/lib/vz/template/cache/kali-default-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype debian --hostname kali-0 --storage local-lvm --memory 1024 --swap 512 --rootfs local-lvm:2,size=8G --net0 name=eth0,bridge=vmbr0,firewall=1 --net1 name=eth1,bridge=vmbr1,firewall=1 ``` Explanation of the command: - `pct create 300`: Creates a new container with ID 300. - `/var/lib/vz/template/cache/kali-default-rootfs.tar.xz`: Specifies the path to the Kali Linux template file. - `--unprivileged 1`: Runs the container as an unprivileged user. - `--arch amd64`: Sets the container architecture to 64-bit. - `--ostype debian`: Sets the OS type to Debian, as Kali Linux is based on Debian. - `--hostname kali-0`: Sets the container's hostname to "kali-0". - `--storage local-lvm`: Uses the local LVM storage for the container. - `--memory 1024`: Allocates 1GB of memory to the container. - `--swap 512`: Allocates 512MB of swap space to the container. - `--rootfs local-lvm:2,size=8G`: Creates an 8GB root filesystem for the container on the local LVM storage. - `--net0 name=eth0,bridge=vmbr0,firewall=1`: Configures the first network interface (eth0) to use the vmbr0 bridge and enables the firewall. - `--net1 name=eth1,bridge=vmbr1,firewall=1`: Configures the second network interface (eth1) to use the vmbr1 bridge and enables the firewall. After creating the container, you can configure the network interfaces and firewall rules as needed. For example, you can update `/etc/network/interfaces` to configure `eth1` as the WAN interface: ``` auto eth1 iface eth1 inet dhcp ``` You can also configure firewall rules using `iptables` or by modifying the `/etc/pve/firewall/300.fw` file to allow incoming traffic on specific ports or services. Remember to update and upgrade the Kali Linux packages inside the container and install any additional tools you require for your typical use case. Note: The resource allocation (memory, swap, and disk size) provided in this example is a general recommendation. You may need to adjust these values based on your specific requirements and the tasks you intend to perform with the Kali Linux container. --- Here are the adjusted container creation commands with scaled-down resources: OpenWRT Container (ID: 100): ```bash pct create 100 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype unmanaged --hostname openwrt-0 --tag network --storage local-lvm --memory 128 --swap 0 --rootfs local-lvm:1,size=1G --net0 name=eth0,bridge=vmbr0,firewall=1 --net1 name=eth1,bridge=vmbr1,firewall=1 ``` Kali Linux Container (ID: 200): ```bash pct create 200 /var/lib/vz/template/cache/kali-default-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype debian --hostname kali-0 --tag tools --storage local-lvm --memory 2048 --swap 512 --rootfs local-lvm:1,size=16G --net0 name=eth0,bridge=vmbr0,firewall=1 --net1 name=eth1,bridge=vmbr1,firewall=1 ``` Alpine Container (ID: 300): ```bash pct create 300 /var/lib/vz/template/cache/alpine-default-rootfs.tar.xz --unprivileged 1 --arch amd64 --ostype alpine --hostname alpine-0 --tag docker --storage local-lvm --memory 1024 --swap 256 --rootfs local-lvm:1,size=8G --net0 bridge=vmbr1,name=eth0,ip=dhcp,ip6=dhcp,type=veth,firewall=1 ``` ```bash pct stop 300 ``` ```bash pct destroy 300 ``` Changes: - Reduced memory to 512MB - Reduced swap to 256MB - Reduced rootfs size to 4GB Changes: - Reduced memory to 64MB - Reduced rootfs size to 512MB Please note that these resource adjustments are based on general recommendations for minimal resource usage. Depending on your specific use case and the applications you plan to run inside the containers, you might need to fine-tune these values further. Remember to monitor the performance and resource utilization of your containers after creating them with these scaled-down resources. If you encounter any issues or need more resources, you can always adjust the values accordingly using the `pct resize` command. --- # Proxmox Container Lab Guide ## Overview This guide covers creating and configuring three types of LXC containers in Proxmox VE: - **OpenWRT Container** (ID: 100) - Network router/firewall - **Kali Linux Container** (ID: 200) - Security testing tools - **Alpine Linux Container** (ID: 300) - Lightweight container host ## Container Creation Commands ### OpenWRT Container (ID: 100) ```bash pct create 100 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz \ --unprivileged 1 \ --arch amd64 \ --ostype unmanaged \ --hostname openwrt-0 \ --tag network \ --storage local-lvm \ --cores 2 \ --memory 128 \ --swap 0 \ --rootfs local-lvm:1,size=1G \ --net0 name=eth0,bridge=vmbr0,firewall=1 \ --net1 name=eth1,bridge=vmbr1,firewall=1 ``` ### Kali Linux Container (ID: 200) ```bash pct create 200 /var/lib/vz/template/cache/kali-default-rootfs.tar.xz \ --unprivileged 1 \ --arch amd64 \ --ostype debian \ --hostname kali-0 \ --tag tools \ --storage local-lvm \ --cores 2 \ --memory 2048 \ --swap 512 \ --rootfs local-lvm:1,size=16G \ --net0 name=eth0,bridge=vmbr0,firewall=1 \ --net1 name=eth1,bridge=vmbr1,firewall=1 ``` ### Alpine Linux Container (ID: 300) ```bash pct create 300 /var/lib/vz/template/cache/alpine-default-rootfs.tar.xz \ --unprivileged 1 \ --arch amd64 \ --ostype alpine \ --hostname alpine-0 \ --tag docker \ --storage local-lvm \ --cores 2 \ --memory 1024 \ --swap 256 \ --rootfs local-lvm:1,size=8G \ --net0 name=eth0,bridge=vmbr0,firewall=1 \ --net1 name=eth1,bridge=vmbr1,firewall=1 ``` ## Container Management Commands ### Basic Operations ```bash # Start container pct start # Stop container pct stop # Destroy container pct destroy # Enter container console pct enter # Check container status pct status ``` ### Resource Management ```bash # Resize container storage pct resize rootfs # Modify container configuration pct set --memory --cores ``` ## OpenWRT Configuration ### Package Management ```bash # Update package list opkg update # Install packages opkg install qemu-ga # List installed packages opkg list-installed # Search for packages opkg list | grep # Remove packages opkg remove ``` ### Network Configuration Edit `/etc/config/network` to configure WAN interface: ``` config interface 'wan' option ifname 'eth1' option proto 'dhcp' ``` ### Firewall Configuration Append to `/etc/config/firewall`: ``` config zone option name 'wan' list network 'wan' option input 'REJECT' option output 'ACCEPT' option forward 'REJECT' option masq '1' option mtu_fix '1' config rule option name 'Allow-SSH' option src 'wan' option proto 'tcp' option dest_port '22' option target 'ACCEPT' config rule option name 'Allow-HTTPS' option src 'wan' option proto 'tcp' option dest_port '443' option target 'ACCEPT' ``` ### Apply OpenWRT Configuration ```bash # Restart network services /etc/init.d/network restart # Reload firewall settings /etc/init.d/firewall restart ``` ## Alpine Linux Configuration ### Package Management ```bash # Update package index apk update # Install packages apk add qemu-guest-agent # Upgrade all packages apk upgrade # Search for packages apk search # Remove packages apk del ``` ### Network Configuration Edit `/etc/network/interfaces`: ``` auto eth1 iface eth1 inet dhcp ``` ### Firewall Configuration Create `/etc/iptables.rules`: ``` *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT -A INPUT -i eth1 -j REJECT --reject-with icmp-port-unreachable COMMIT ``` Apply firewall rules: ```bash iptables-restore < /etc/iptables.rules ``` ## Kali Linux Configuration ### Package Management ```bash # Update package lists apt update # Upgrade packages apt upgrade # Install packages apt install # Search for packages apt search # Remove packages apt remove ``` ### Network Configuration Edit `/etc/network/interfaces`: ``` auto eth1 iface eth1 inet dhcp ``` ## Resource Optimization ### Minimal Resource Configurations #### Ultra-Minimal OpenWRT ```bash pct create 100 /var/lib/vz/template/cache/openwrt-rootfs.tar.xz \ --unprivileged 1 \ --arch amd64 \ --ostype unmanaged \ --hostname openwrt-0 \ --tag network \ --storage local-lvm \ --memory 64 \ --swap 0 \ --rootfs local-lvm:1,size=512M \ --net0 name=eth0,bridge=vmbr0,firewall=1 \ --net1 name=eth1,bridge=vmbr1,firewall=1 ``` #### Minimal Alpine ```bash pct create 300 /var/lib/vz/template/cache/alpine-default-rootfs.tar.xz \ --unprivileged 1 \ --arch amd64 \ --ostype alpine \ --hostname alpine-0 \ --tag docker \ --storage local-lvm \ --memory 512 \ --swap 256 \ --rootfs local-lvm:1,size=4G \ --net0 bridge=vmbr1,name=eth0,ip=dhcp,ip6=dhcp,type=veth,firewall=1 ``` ## Troubleshooting Tips 1. **Container won't start**: Check resource allocation and ensure templates are properly downloaded 2. **Network issues**: Verify bridge configuration and firewall rules 3. **Performance issues**: Monitor resource usage with `pct exec -- top` or increase allocated resources 4. **Package installation fails**: Ensure network connectivity and update package lists first ## Best Practices - Always test connectivity after configuration changes - Monitor resource usage to optimize allocations - Keep container templates updated - Use unprivileged containers for security - Tag containers for better organization - Document custom configurations for reproducibility --- # Proxmox Container Lab Project Ideas ## Network Security & Penetration Testing Lab ### Project: Complete Security Testing Environment **Containers Used:** All three (OpenWRT + Kali + Alpine) **Setup:** - **OpenWRT (Router/Firewall):** Acts as network segmentation device and target - **Kali Linux:** Primary attack platform with full toolset - **Alpine:** Hosts vulnerable applications and services for testing **What You'll Learn:** - Network penetration testing methodologies - Firewall configuration and bypass techniques - Container security assessment - Network segmentation and VLAN configuration **Exercises:** 1. Configure OpenWRT with multiple VLANs for network isolation 2. Deploy vulnerable web apps on Alpine (DVWA, WebGoat) 3. Use Kali to perform reconnaissance and attacks 4. Practice lateral movement between network segments --- ## DevSecOps Pipeline Laboratory ### Project: Secure CI/CD with Container Security Scanning **Containers Used:** Kali + Alpine **Setup:** - **Alpine:** Hosts GitLab/Jenkins, Docker registry, and deployment targets - **Kali:** Security scanning and vulnerability assessment tools **What You'll Learn:** - Container security scanning integration - SAST/DAST implementation in pipelines - Infrastructure as Code security - Compliance automation **Tools to Deploy:** - GitLab CE or Jenkins on Alpine - Docker-in-Docker for container builds - Trivy, Clair, or Anchore for container scanning - OWASP ZAP integration from Kali --- ## Network Forensics & Incident Response Lab ### Project: Complete DFIR Environment **Containers Used:** All three **Setup:** - **OpenWRT:** Network monitoring and packet capture point - **Kali:** Forensics tools and malware analysis - **Alpine:** Log aggregation (ELK stack) and evidence storage **What You'll Learn:** - Network forensics techniques - Malware analysis in isolated environments - Log analysis and correlation - Incident response procedures **Components:** - Suricata IDS on OpenWRT - Volatility, Autopsy on Kali - Elasticsearch/Logstash/Kibana on Alpine - TheHive for case management --- ## Cloud Security Testing Platform ### Project: Multi-Cloud Security Assessment Lab **Containers Used:** Kali + Alpine **Setup:** - **Alpine:** Terraform/Ansible deployment platform, cloud CLIs - **Kali:** Cloud security testing tools and scripts **What You'll Learn:** - Cloud misconfigurations identification - Container orchestration security - Infrastructure scanning and assessment - Multi-cloud security management **Tools:** - ScoutSuite, Prowler for AWS/Azure/GCP scanning - Kubernetes security tools (kube-bench, kube-hunter) - Cloud security posture management --- ## Honeypot & Deception Technology Lab ### Project: Advanced Threat Detection Network **Containers Used:** All three **Setup:** - **OpenWRT:** Network traffic analysis and redirection - **Alpine:** Multiple honeypot services and logging - **Kali:** Attack simulation and validation **What You'll Learn:** - Honeypot deployment and management - Threat intelligence collection - Behavioral analysis of attackers - Deception technology implementation **Honeypots to Deploy:** - Cowrie (SSH honeypot) - Dionaea (multi-protocol honeypot) - Conpot (ICS/SCADA honeypot) - T-Pot (all-in-one platform) --- ## Software Defined Network (SDN) Security Lab ### Project: OpenFlow Network Security Testing **Containers Used:** All three **Setup:** - **OpenWRT:** Modified with OpenFlow support - **Alpine:** SDN controller (OpenDaylight/ONOS) - **Kali:** SDN-specific security testing tools **What You'll Learn:** - SDN architecture and protocols - OpenFlow security implications - Controller security assessment - Network programmability concepts --- ## Container Escape & Runtime Security Lab ### Project: Container Security Hardening Workshop **Containers Used:** Kali + Alpine **Setup:** - **Alpine:** Multiple Docker containers with various security configs - **Kali:** Container security assessment tools **What You'll Learn:** - Container escape techniques - Runtime security monitoring - Container hardening best practices - Kubernetes security posture **Scenarios:** - Privileged container escapes - Kernel exploit demonstrations - Seccomp/AppArmor bypass techniques - Runtime security tool evaluation --- ## Network Automation & Orchestration Lab ### Project: Infrastructure as Code Security Testing **Containers Used:** All three **Setup:** - **OpenWRT:** Network device automation target - **Alpine:** Ansible/Terraform control node - **Kali:** Infrastructure security validation **What You'll Learn:** - Network automation security implications - Infrastructure code vulnerability scanning - Automated security testing integration - Configuration drift detection --- ## Industrial Control Systems (ICS) Security Lab ### Project: SCADA/PLC Security Assessment Environment **Containers Used:** All three **Setup:** - **OpenWRT:** Network segmentation for OT/IT networks - **Alpine:** SCADA HMI simulation and protocol gateways - **Kali:** ICS-specific security tools **What You'll Learn:** - Industrial protocol security (Modbus, DNP3, etc.) - Air-gap bypass techniques - SCADA system vulnerabilities - Critical infrastructure protection **Tools:** - OpenPLC for PLC simulation - ScadaBR for HMI interface - Metasploit industrial modules - Nmap industrial scripts --- ## Wireless Security Research Lab ### Project: Wi-Fi Security Assessment Platform **Containers Used:** Kali + Alpine (OpenWRT optional) **Setup:** - **Kali:** Wireless security tools and SDR capabilities - **Alpine:** Wireless monitoring and logging infrastructure - **OpenWRT:** Target wireless access point **What You'll Learn:** - Wi-Fi protocol vulnerabilities - Wireless penetration testing - SDR-based security research - Rogue access point detection --- ## Malware Analysis & Reverse Engineering Lab ### Project: Dynamic and Static Malware Analysis Platform **Containers Used:** Kali + Alpine **Setup:** - **Kali:** REMnux tools, disassemblers, debuggers - **Alpine:** Cuckoo Sandbox, YARA rules, malware feeds **What You'll Learn:** - Static malware analysis techniques - Dynamic behavior analysis - Automated malware processing - Threat intelligence generation --- ## Implementation Priority Recommendations ### Beginner Level (Start Here) 1. **Network Security Lab** - Fundamental skills building 2. **Container Security Lab** - Modern security concepts ### Intermediate Level 1. **DevSecOps Pipeline** - Industry-relevant skills 2. **Honeypot Network** - Threat detection experience ### Advanced Level 1. **SDN Security Lab** - Cutting-edge networking 2. **ICS Security Lab** - Specialized security domain ## Resource Requirements by Project | Project | Memory | Storage | Complexity | |---------|---------|---------|------------| | Network Security Lab | 4GB | 30GB | Medium | | DevSecOps Pipeline | 6GB | 40GB | Medium | | DFIR Lab | 8GB | 50GB | High | | Cloud Security | 4GB | 25GB | Medium | | Honeypot Network | 3GB | 20GB | Low | | SDN Lab | 6GB | 35GB | High | | Container Security | 4GB | 25GB | Medium | | Network Automation | 5GB | 30GB | Medium | | ICS Security | 6GB | 40GB | High | | Wireless Security | 4GB | 30GB | Medium | | Malware Analysis | 8GB | 60GB | High | ## Getting Started Checklist - [ ] Choose project based on learning objectives - [ ] Verify resource requirements against available hardware - [ ] Download necessary container templates - [ ] Plan network topology and IP addressing - [ ] Document configuration for reproducibility - [ ] Set up monitoring and logging - [ ] Create backup/snapshot strategy