Skip to content


Folders and files

Last commit message
Last commit date

Latest commit


Repository files navigation

MI-LXC : Mini-Internet using LXC            


MI-LXC uses LXC to simulate an internet-like environment. I use this environment for (infosec) practical work (intrusion, firewall, IDS, etc.). The small memory footprint of LXC combined with differential images allows to run it on modest hardware.

It is based on the infrastructure-as-code principle: these scripts programmatically generate the target environment.

Since version 2.0, MI-LXC uses SNSTER under the hood. Compared to previous monolithic versions, the framework (python code, templates, masters) has been splitted to SNSTER and configuration format has changed (YAML instead of JSON and different organization). This MI-LXC repository now only contains a topology configuration (topology/ subfolder) simulating a mini-internet on top of SNSTER. The vagrant subdirectory creates a ready-to-use VM with both SNSTER and MI-LXC. The releases link to such VMs.

Example practical work using this environment (in french) (note that commands and internals have changed between v1.4.x and v2.x) :

There is also a walkthrough tutorial and a video (the video is related to v1).


Features and composition

Features :

  • Containers run up-to-date Debian Bullseye or Alpine Linux
  • The infrastructure-as-code principle allows for easy management, deployment and evolution along time
  • The infrastructure is built by final users on their own PC
  • Every container also have access to the real internet (for software installation)
  • Containers provide shell access as well as X11 interface

The example network is composed of :

  • some transit/ISP routed through BGP to simulate a core network
  • an alternative DNS root, allowing to resolve real TLDs + a custom ".milxc" TLD (the .milxc registry is maintained inside MI-LXC)
  • some residential ISP clients (hacker and a random PC), using mail adresses @isp-a.milxc
  • a target organization, owning its own AS number, running classical services (HTTP, mail, DNS, filer, NIS, clients, etc.) for target.milxc domain
  • a certification authority (MICA) ready for ACME (Let's Encrypt-style)

A few things you can do and observe :

  • You can http from isp-a-hacker. Packets will go through the core BGP network, where you should be able to observe them or alter the routes
  • You can query the DNS entry from isp-a-hacker. isp-a-hacker will ask the resolver at isp-a-infra, which will recursively resolve from the DNS root ns-root-o, then from reg-milxc and finally from target-dmz
  • You can send an email from hacker@isp-a.milxc (or another forged address...), using claws-mail on isp-a-hacker, to sales@target.milxc, which can be read using claws-mail on target-sales (with X11 sessions in both containers)

The "IANA-type" numbering (AS numbers, IP space, TLDs) is described in doc/MI-IANA.txt. There is currently no cryptography deployed anywhere (no HTTPS, no IMAPS, no DNSSEC, etc.). This will probably be added at some point but in the meantime, deploying this is part of the expected work from students.

More precise details on what is installed and configured on hosts is in doc/

How to use


You can either:


The snster script generates and uses containers (as root, since it manipulates bridges and lxc commands, more on this here). It is used as snster <command>, with the following commands:

Command Description
create [name] Creates the [name] container, defaults to create all containers
renet Renets all the containers
destroy [name] Destroys the [name] container, defaults to destroy all containers
destroymaster Destroys all the master containers
updatemaster Updates all the master containers
start Starts the created infrastructure
stop Stops the created infrastructure
attach [user@]<name> [command] Attaches a term on <name> as [user](defaults to root) and executes [command](defaults to interactive shell)
display [user@]<name> Displays a graphical desktop on <name> as [user](defaults to debian)
print Graphically displays the defined architecture
(<arguments> are mandatory and [arguments] are optional)

There is also a walkthrough tutorial.

How to extend

The address space is explained in MI-IANA.txt and the global topology is defined in topology/. It describes:

  • the global configuration in topology/main.yml
  • groups of hosts, typically AS interconnected with BGP, in the subfolders of topology/

Each group of hosts is described through a group.yml file in its subfolder.

Finally, hosts are described and provisonned through:

  • host templates in SNSTER, which typically provide templates for BGP routers, mail servers, mail clients, ...
  • specific scripts for a given host in topology/<groupname>/<hostname>/

To extend it, you can either extend an existing AS (typically, Target) or create a new AS. In this second case, you can duplicate Target and then connect it to some transit operator under a new AS number.

This process is described in the walkthrough tutorial.


This software is licensed under AGPLv3 : you can freely reuse it as long as you write you use it and you redistribute your modifications. Special licenses with (even) more liberties for public teaching activities can be discussed.