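# OpenRange docker-compose -- generated from SnapshotSpec
# Snapshot: {{ snapshot_id | default('unknown') }}
#
# Jinja template rendered to a Compose file for a self-contained training
# range: one attacker host, one routing firewall, and six target services
# spread over four bridge networks.
#
# Reviewer notes:
#   * Credential defaults in this template are range-only values. They end up
#     in the rendered file and in container metadata, so override them per
#     snapshot and do not reuse them outside the lab.
#   * Rendered values are placed into unquoted YAML scalars. A value holding
#     a dollar sign is subject to Compose interpolation, and a value holding
#     " #" or ": " changes how YAML parses the entry; validate or escape
#     snapshot values before rendering.
#   * Images tagged "latest" float. Pin each one by digest
#     (image@sha256:<digest-placeholder>) for reproducible, reviewable builds.

networks:
  # Attacker-facing segment.
  external:
    driver: bridge
    ipam:
      config:
        - subnet: 10.0.0.0/24
  # Exposed services (web, mail).
  dmz:
    driver: bridge
    ipam:
      config:
        - subnet: 10.0.1.0/24
  # Data services (db, files).
  internal:
    driver: bridge
    ipam:
      config:
        - subnet: 10.0.2.0/24
  # Directory and logging (ldap, siem).
  management:
    driver: bridge
    ipam:
      config:
        - subnet: 10.0.3.0/24

volumes:
  # One volume mounted read-write into web, mail, db, files, ldap and siem,
  # each under a different path. Every one of those services can therefore
  # read and modify the others' log files; treat log integrity accordingly.
  shared_logs:
    driver: local
  db_data:
    driver: local

services:
  # Attached to the external network only; reaches the other subnets through
  # the firewall at 10.0.0.2 using the static routes added at start-up.
  attacker:
    image: kalilinux/kali-rolling:latest
    # NET_ADMIN is required for the "ip route add" calls below.
    cap_add:
      - NET_ADMIN
    # Package installation output is discarded; the healthcheck below is what
    # detects a failed install (nmap missing) or a missing route.
    command:
      - bash
      - -c
      - |
        apt-get update -qq && apt-get install -y -qq \
          libblas3 nmap sqlmap hydra nikto smbclient curl wget netcat-openbsd \
          ssh dnsutils tcpdump python3 python3-pip iproute2 sshpass \
          default-mysql-client ldap-utils \
          > /dev/null 2>&1
        ip route add 10.0.1.0/24 via 10.0.0.2 2>/dev/null || true
        ip route add 10.0.2.0/24 via 10.0.0.2 2>/dev/null || true
        ip route add 10.0.3.0/24 via 10.0.0.2 2>/dev/null || true
        tail -f /dev/null
    extra_hosts:
      - "firewall:10.0.0.2"
      - "web:10.0.1.10"
      - "mail:10.0.1.11"
      - "db:10.0.2.20"
      - "files:10.0.2.21"
      - "ldap:10.0.3.20"
      - "siem:10.0.3.21"
    networks:
      external:
        ipv4_address: 10.0.0.10
    healthcheck:
      test:
        - "CMD-SHELL"
        - "nmap --version >/dev/null 2>&1 && ip route | grep -q '10.0.1.0/24 via 10.0.0.2' && getent hosts web db files ldap siem >/dev/null 2>&1"
      interval: 10s
      timeout: 5s
      retries: 12
    restart: unless-stopped

  # Router between all four networks. FORWARD policy as written:
  #   external -> dmz, dmz -> internal, dmz -> management,
  #   internal -> management, plus RELATED/ESTABLISHED; everything else DROP.
  # Each permitted hop is also source-NATed (MASQUERADE).
  firewall:
    image: ubuntu:22.04
    cap_add:
      - NET_ADMIN
    # /proc/sys is normally mounted read-only in non-privileged containers, so
    # the "echo 1 > .../ip_forward" in the script may fail. Setting the
    # namespaced sysctl here enables forwarding at container creation.
    sysctls:
      - net.ipv4.ip_forward=1
    command:
      - bash
      - -c
      - |
        apt-get update -qq && apt-get install -y -qq iptables iproute2 > /dev/null 2>&1
        echo 1 > /proc/sys/net/ipv4/ip_forward
        iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 10.0.1.0/24 -j MASQUERADE
        iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -d 10.0.2.0/24 -j MASQUERADE
        iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -d 10.0.3.0/24 -j MASQUERADE
        iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -d 10.0.3.0/24 -j MASQUERADE
        iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
        iptables -A FORWARD -s 10.0.0.0/24 -d 10.0.1.0/24 -j ACCEPT
        iptables -A FORWARD -s 10.0.1.0/24 -d 10.0.2.0/24 -j ACCEPT
        iptables -A FORWARD -s 10.0.1.0/24 -d 10.0.3.0/24 -j ACCEPT
        iptables -A FORWARD -s 10.0.2.0/24 -d 10.0.3.0/24 -j ACCEPT
        iptables -A FORWARD -j DROP
        tail -f /dev/null
    networks:
      external:
        ipv4_address: 10.0.0.2
      dmz:
        ipv4_address: 10.0.1.2
      internal:
        ipv4_address: 10.0.2.2
      management:
        ipv4_address: 10.0.3.2
    # Healthy only when forwarding is on and the first ACCEPT and MASQUERADE
    # rules are present; the remaining rules are not checked.
    healthcheck:
      test:
        - "CMD-SHELL"
        - "grep -qx '1' /proc/sys/net/ipv4/ip_forward && iptables -C FORWARD -s 10.0.0.0/24 -d 10.0.1.0/24 -j ACCEPT >/dev/null 2>&1 && iptables -t nat -C POSTROUTING -s 10.0.0.0/24 -d 10.0.1.0/24 -j MASQUERADE >/dev/null 2>&1"
      interval: 10s
      timeout: 5s
      retries: 12
    restart: unless-stopped

  # Multi-homed on dmz, internal and management: traffic from this container
  # to those subnets leaves on a directly attached interface, so the firewall
  # rules above do not see it.
  web:
    build:
      context: .
      dockerfile: Dockerfile.web
    # Published on every host interface. On a range host reachable from other
    # networks, bind to loopback instead, e.g. "127.0.0.1:80:80".
    ports:
      - "80:80"
    volumes:
      - shared_logs:/var/log/app
    depends_on:
      - db
    networks:
      dmz:
        ipv4_address: 10.0.1.10
      internal:
        ipv4_address: 10.0.2.10
      management:
        ipv4_address: 10.0.3.10
    # Any 2xx, 3xx or 4xx response counts as healthy. Every literal dollar
    # sign is doubled so Compose hands it to the shell rather than treating it
    # as variable interpolation; older Compose releases reject an unescaped
    # command substitution as an invalid interpolation format.
    healthcheck:
      test:
        - "CMD-SHELL"
        - "status=$$(curl -s -o /dev/null -w '%{http_code}' http://localhost/ || true); case \"$$status\" in 2*|3*|4*) exit 0;; *) exit 1;; esac"
      interval: 10s
      timeout: 5s
      retries: 3
    restart: unless-stopped

  mail:
    image: namshi/smtp:latest
    environment:
      - MAILNAME={{ domain | default('corp.local') }}
    volumes:
      - shared_logs:/var/log/mail
    networks:
      dmz:
        ipv4_address: 10.0.1.11
    restart: unless-stopped

  db:
    build:
      context: .
      dockerfile: Dockerfile.db
    command: --default-authentication-plugin=mysql_native_password
    # Range-only default credentials; override per snapshot.
    environment:
      - MYSQL_ROOT_PASSWORD={{ mysql_root_password | default('r00tP@ss!') }}
      - MYSQL_DATABASE={{ db_name | default('referral_db') }}
      - MYSQL_USER={{ db_user | default('svc_db') }}
      - MYSQL_PASSWORD={{ db_password | default('SvcDb!401') }}
    volumes:
      - db_data:/var/lib/mysql
      - shared_logs:/var/log/mysql
    networks:
      internal:
        ipv4_address: 10.0.2.20
    healthcheck:
      test: ["CMD", "mysqladmin", "ping", "-h", "localhost"]
      interval: 10s
      timeout: 5s
      retries: 5
    restart: unless-stopped

  files:
    image: dperson/samba:latest
    # One USER entry, then one SHARE entry per share name (SHARE, SHARE2, ...).
    # Every share is rendered with the same trailing flags (yes;no;no) and is
    # limited to the single SMB user. Range-only default credentials.
    environment:
      - USER={{ smb_user | default('smbuser') }};{{ smb_password | default('smbP@ss!') }}
      {%- for share in smb_shares | default(['general', 'hr', 'compliance', 'contracts']) %}
      - SHARE{{ loop.index if loop.index > 1 else '' }}={{ share }};/srv/shares/{{ share }};yes;no;no;{{ smb_user | default('smbuser') }}
      {%- endfor %}
    volumes:
      - shared_logs:/var/log/samba
    networks:
      internal:
        ipv4_address: 10.0.2.21
    restart: unless-stopped

  ldap:
    image: osixia/openldap:latest
    # Range-only default admin password; override per snapshot.
    environment:
      - LDAP_ORGANISATION={{ org_name | default('Corp') }}
      - LDAP_DOMAIN={{ domain | default('corp.local') }}
      - LDAP_ADMIN_PASSWORD={{ ldap_admin_pass | default('LdapAdm1n!') }}
    volumes:
      - shared_logs:/var/log/ldap
    networks:
      management:
        ipv4_address: 10.0.3.20
    restart: unless-stopped

  # Log analysis host. The shared log volume is mounted at /var/log/siem, so
  # the consolidated directory created below lives inside that same volume
  # and is visible to every other service that mounts it.
  siem:
    image: ubuntu:22.04
    command:
      - bash
      - -c
      - |
        apt-get update -qq && apt-get install -y -qq rsyslog jq curl grep gawk > /dev/null 2>&1
        mkdir -p /var/log/siem/consolidated
        touch /var/log/siem/consolidated/all.log
        tail -f /dev/null
    volumes:
      - shared_logs:/var/log/siem
    networks:
      management:
        ipv4_address: 10.0.3.21
    restart: unless-stopped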