Create a Private Cloud Network
Create an isolated cloud network. Here I am using the supernova client to communicate with the Rackspace OpenStack API.

    supernova uk network-create "Infrastructure" "192.168.3.0/24"
    +----------+--------------------------------------+
    | Property | Value                                |
    +----------+--------------------------------------+
    | cidr     | 192.168.3.0/24                       |
    | id       | 4d15b8ad-45c5-4169-a4fa-d36f1a776efd |
    | label    | Infrastructure                       |
    +----------+--------------------------------------+

Take note of the id – you’ll need it shortly!
Create a Proxy Server and Attach to the Private Network
    supernova uk boot proxy-bast --flavor 2 --image 189678ca-fe2c-4b7a-a986-30c3660edfa5 --nic net-id=4d15b8ad-45c5-4169-a4fa-d36f1a776efd

The above creates a server from the CentOS 6.6 image with an extra NIC on the private network created above (the --nic net-id is the id noted earlier); the server also gets the usual PublicNet and ServiceNet interfaces. Other images of interest are:

    +--------------------------------------+------------------------------------------+--------+
    | ID                                   | Name                                     | Status |
    +--------------------------------------+------------------------------------------+--------+
    | 189678ca-fe2c-4b7a-a986-30c3660edfa5 | CentOS 6 (PVHVM)                         | ACTIVE |
    | f8ae535e-67c0-41a5-bf55-b06d0ee40cc2 | CentOS 7 (PVHVM)                         | ACTIVE |
    | 6909f56c-bd77-411a-8c0e-c37876b68d1d | Ubuntu 14.04 LTS (Trusty Tahr) (PVHVM)   | ACTIVE |
    +--------------------------------------+------------------------------------------+--------+
Proxy Bastion Configuration
Later we create a cloud server with no public IP, which is protected by sitting behind our proxy bastion. For that server to reach the internet, the bastion has to forward its packets and perform Network Address Translation (NAT) on them, which means enabling IP forwarding in the kernel and adding firewall rules. Once forwarding is on, those firewall rules are the only thing deciding what the bastion will relay, so keep them scoped to the private network. The process differs depending on which distribution you use. Here I cover CentOS 6.6, CentOS 7 and Ubuntu 14.04.
CentOS 6.6
Under CentOS 6.6 and before, you configure iptables to do both the forwarding and the Network Address Translation (NAT). We will be forwarding traffic that arrives on the eth2 interface (the private network) out through the eth0 interface (PublicNet). We also use source NAT so that traffic coming from our protected infrastructure takes on the public IP address of our proxy bastion. iptables has two targets for this: SNAT, which rewrites the source to a fixed address you give it, and MASQUERADE, which uses whatever address the outgoing interface currently has. The bastion’s public address is static, so SNAT is used here. The interfaces on my bastion look like this:

    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether bc:76:4e:08:40:d8 brd ff:ff:ff:ff:ff:ff
        inet 95.138.163.75/24 brd 95.138.163.255 scope global eth0
        inet6 2a00:1a48:7805:113:be76:4eff:fe08:40d8/64 scope global
           valid_lft forever preferred_lft forever
        inet6 fe80::be76:4eff:fe08:40d8/64 scope link
           valid_lft forever preferred_lft forever
    4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether bc:76:4e:08:3d:31 brd ff:ff:ff:ff:ff:ff
        inet 192.168.3.1/24 brd 192.168.3.255 scope global eth2
        inet6 fe80::be76:4eff:fe08:3d31/64 scope link
           valid_lft forever preferred_lft forever
Enable IP Forwarding
To enable forwarding, you need to enable it in two places: once at runtime via /proc/sys/net/ipv4/ip_forward, and once in /etc/sysctl.conf so the setting survives a reboot.

    echo 1 > /proc/sys/net/ipv4/ip_forward

The below uses grep to check the value of net.ipv4.ip_forward in /etc/sysctl.conf.

    grep net.ipv4.ip_forward /etc/sysctl.conf
    net.ipv4.ip_forward = 0

If zero, enable it with a one as shown below (running sysctl -p afterwards applies the file without a reboot).

    net.ipv4.ip_forward = 1
Configure Static NAT and Forwarding Rules
    iptables --table nat --append POSTROUTING --out-interface eth0 -j SNAT --to 95.138.163.75
    iptables --append FORWARD --in-interface eth2 -j ACCEPT
    service iptables save

We also need to remove the default reject rule from the FORWARD chain. Because --append places our ACCEPT rule after it, the REJECT would otherwise match first and our rule would never be reached:

    iptables -D FORWARD 1

Here I delete rule number one from the FORWARD chain. Make sure you delete the correct line. To see the line numbers, use:

    [root@proxy-bast ~]# iptables -vnL --line-numbers
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1    44444   62M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    2        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    3        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    4        1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp dpt:22
    5        1    40 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    num   pkts bytes target     prot opt in     out     source               destination
    1        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT 8769 packets, 544K bytes)
    num   pkts bytes target     prot opt in     out     source               destination

Be aware of what the deletion does: with the REJECT rule gone, the FORWARD chain falls through to its ACCEPT policy, so anything the bastion is asked to forward, it forwards. That is workable for a single trusted private network, but the stricter approach is to insert the rules above the REJECT (iptables -I FORWARD ...) rather than delete it: one rule accepting --source 192.168.3.0/24 in on eth2 and out on eth0, and one accepting RELATED,ESTABLISHED for the replies.

Save again after deleting the rule (the earlier save ran before the deletion, so on its own the REJECT would come back at the next restart), then restart everything.

    service iptables save
    service iptables restart
    service network restart

Now configure the default gateway on the infrastructure server (see Configure Internet Gateway below).
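As an added example, not code from the original post, the script below produces the complete ruleset for this bastion in iptables-save format, which is the format service iptables save writes to /etc/sysconfig/iptables, with the FORWARD chain scoped to the private subnet instead of left on its ACCEPT policy. Interface names, subnet and public address are parameters whose defaults mirror the CentOS 6.6 host above; the apply function assumes the CentOS 6 paths (/etc/sysconfig/iptables, /etc/sysctl.conf) and iptables-restore. Function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Generate (and optionally apply) an iptables ruleset for a NAT proxy bastion.
# Assumes the CentOS 6 layout used above: /etc/sysconfig/iptables for persistence,
# /etc/sysctl.conf for ip_forward, and iptables-restore on the host.
set -eu

# gen_nat_ruleset PUBLIC_IF PRIVATE_IF PRIVATE_CIDR PUBLIC_IP
# Prints a complete ruleset in iptables-save format. Compared with the rules
# typed by hand above it:
#   - keeps the distro's INPUT rules (ssh only, everything else rejected);
#   - sets the FORWARD policy to DROP and accepts only PRIVATE_CIDR traffic
#     going private -> public plus the RELATED,ESTABLISHED replies, so
#     nothing else can be relayed through the bastion;
#   - scopes the SNAT rule to PRIVATE_CIDR so only that network is rewritten.
gen_nat_ruleset() {
    pub_if=$1 priv_if=$2 priv_cidr=$3 pub_ip=$4
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s ${priv_cidr} -o ${pub_if} -j SNAT --to-source ${pub_ip}
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ${priv_if} -o ${pub_if} -s ${priv_cidr} -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# enable_ip_forward: turn forwarding on now and make it persistent in
# /etc/sysctl.conf (replace an existing line, otherwise append one).
enable_ip_forward() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    if grep -q '^net.ipv4.ip_forward' /etc/sysctl.conf; then
        sed -i 's/^net.ipv4.ip_forward.*/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
    else
        echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
    fi
}

# apply_nat_ruleset ARGS...: load the ruleset live, and only if that succeeds
# move it into place, so `service iptables restart` reloads the same rules.
apply_nat_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_nat_ruleset: must run as root" >&2; return 1; }
    enable_ip_forward
    gen_nat_ruleset "$@" > /etc/sysconfig/iptables.new
    iptables-restore < /etc/sysconfig/iptables.new
    mv /etc/sysconfig/iptables.new /etc/sysconfig/iptables
}

# Usage: ./nat-bastion.sh apply [PUBLIC_IF PRIVATE_IF PRIVATE_CIDR PUBLIC_IP]
# With no arguments the ruleset is only printed for review (safe anywhere).
case "${1:-print}" in
    apply) shift; apply_nat_ruleset "${1:-eth0}" "${2:-eth2}" "${3:-192.168.3.0/24}" "${4:-95.138.163.75}" ;;
    print) gen_nat_ruleset eth0 eth2 192.168.3.0/24 95.138.163.75 ;;
esac
```

To confirm the NAT is doing what you expect, make an outbound connection from the protected host and watch the rule counters on the bastion with iptables -t nat -vnL POSTROUTING and iptables -vnL FORWARD; tcpdump -ni eth0 host <destination> on the bastion should show the packets leaving with the bastion’s public address as source.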
CentOS 7
With the introduction of firewalld, CentOS 7 does things a little differently.
Method 1
This method uses the predefined zones available to us and is by far the easiest to apply. The external zone has IP masquerading enabled by default, so there is little to do.
Define Your Zones
To view your zone setup:

    [root@proxy-bast ~]# firewall-cmd --get-default-zone
    public
    [root@proxy-bast ~]# firewall-cmd --get-active-zones
    public
      interfaces: eth0 eth1 eth2

To see the supported predefined zones, use the --get-zones option.

    [root@proxy-bast ~]# firewall-cmd --get-zones
    block dmz drop external home internal public trusted work

You can find out more about each zone with the below command.

    [root@proxy-bast ~]# firewall-cmd --zone=public --list-all
    public (default, active)
      interfaces: eth0 eth1 eth2
      sources:
      services: dhcpv6-client ssh
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:

Or you can list all zones with the --list-all-zones option.

    firewall-cmd --list-all-zones
The zones I will be using are external, work and internal.

    external
      interfaces:
      sources:
      services: ssh
      ports:
      masquerade: yes
      forward-ports:
      icmp-blocks:
      rich rules:

    work
      interfaces:
      sources:
      services: dhcpv6-client ipp-client ssh
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:

    internal
      interfaces:
      sources:
      services: dhcpv6-client ipp-client mdns samba-client ssh
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:

My setup looks like this (a different bastion build from the CentOS 6.6 one above, hence the different public address)…

    Port   Firewall Zone   Name                    IPv4
    ------------------------------------------------------------------------
    eth0   external        PublicNet (Internet)    162.13.87.197
    eth1   work            ServiceNet (Rackspace)  10.179.198.73
    eth2   internal        Infrastructure          192.168.3.1

…and can be achieved with the below commands. The --permanent changes only take effect after a reload (a restart of firewalld does the same), so don’t forget that step!

    firewall-cmd --permanent --zone=external --change-interface=eth0
    firewall-cmd --permanent --zone=work --change-interface=eth1
    firewall-cmd --permanent --zone=internal --change-interface=eth2
    firewall-cmd --reload
    systemctl restart firewalld
Method 2
With this method we use the --direct option so we can include traditional iptables rules. Direct rules bypass firewalld’s zone logic, so you are responsible for their scope just as you would be with plain iptables.
Enable IP Forwarding
This step is not needed if you are using the predefined external zone provided by firewalld, as masquerade is enabled there by default and firewalld turns forwarding on for a masquerading zone. Otherwise, make the setting persistent:

    echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf

To check it’s enabled, load the file with sysctl -p, which prints the values it applied.

    [root@proxy-bast ~]# sysctl -p
    net.ipv4.conf.eth0.arp_notify = 1
    vm.swappiness = 0
    net.ipv4.ip_forward = 1

Configure Static NAT and Forwarding Rules

    firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING --out-interface eth0 -j SNAT --to 162.13.87.197
    firewall-cmd --permanent --direct --passthrough ipv4 --append FORWARD --in-interface eth2 -j ACCEPT
    firewall-cmd --reload
    systemctl restart network
    systemctl restart firewalld
Method 3
Revert to the tried and tested iptables.
Revert to Using iptables

    systemctl stop firewalld
    systemctl disable firewalld
    yum install iptables-services
    touch /etc/sysconfig/iptables
    systemctl start iptables
    systemctl enable iptables
    touch /etc/sysconfig/ip6tables
    systemctl start ip6tables
    systemctl enable ip6tables

Now you can follow the instructions for CentOS 6.6. Check iptables -vnL first: if /etc/sysconfig/iptables was empty when the iptables service started, no INPUT rules are loaded and the host is open to everything until you add your ssh and REJECT rules.
Ubuntu 14.04 LTS
In Ubuntu we use the Uncomplicated Firewall (UFW), a front end that still generates iptables rules underneath.
Enable IP Forwarding
Use a text editor to open up the below file as root…

    nano /etc/default/ufw

…and enable the default forward policy – change DROP to ACCEPT.

    DEFAULT_FORWARD_POLICY="ACCEPT"

Note that this makes UFW forward everything it is asked to, not just the private network. A tighter alternative is to leave the policy on DROP and add explicit rules to the ufw-before-forward chain in /etc/ufw/before.rules (one accepting -i eth2 -o eth0 -s 192.168.3.0/24, one accepting -m conntrack --ctstate RELATED,ESTABLISHED).

We also need to edit the below…

    nano /etc/ufw/sysctl.conf

…and uncomment the following lines. UFW applies this file when it starts, so /etc/sysctl.conf does not need changing. The IPv4 line is the one this setup needs; the IPv6 line is only required if you also intend to route IPv6.

    net/ipv4/ip_forward=1
    net/ipv6/conf/default/forwarding=1

Configure Static NAT and Forwarding Rules
As root, open the below file.

    nano /etc/ufw/before.rules

From the top, my configuration file looks like the below. The nat table block is the part I inserted; it must sit before the *filter block that is already there. (The PREROUTING line is harmless but not needed for the SNAT to work.)

    #
    # rules.before
    #
    # Rules that should be run before the ufw command line added rules. Custom
    # rules should be added to one of these chains:
    #   ufw-before-input
    #   ufw-before-output
    #   ufw-before-forward
    #

    # nat Table rules
    *nat
    :POSTROUTING ACCEPT [0:0]
    :PREROUTING ACCEPT [0:0]
    -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j SNAT --to-source 162.13.87.197
    -A PREROUTING -i eth2 -j ACCEPT
    COMMIT

    # Don't delete these required lines, otherwise there will be errors
    *filter
    :ufw-before-input - [0:0]
    :ufw-before-output - [0:0]
    :ufw-before-forward - [0:0]
    :ufw-not-local - [0:0]
    # End required lines

    # allow all on loopback
    -A ufw-before-input -i lo -j ACCEPT
    ...

You will need to restart ufw for the changes to take effect.

    ufw disable && ufw enable

For some reason this wiped my SSH rule, so it has to go back in:

    ufw allow ssh
    ufw reload
    ufw status verbose
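Whichever of the three front ends you used, the result is a set of netfilter rules that iptables-save will print, so one check covers iptables, firewalld and UFW alike. The audit script below is an added example, not part of the original post or of any of those tools: it reads an iptables-save dump and flags a FORWARD chain with no terminating deny, and SNAT/MASQUERADE rules with no source restriction, which are exactly what the minimal rule sets above leave open. The two embedded dumps are constructed from the CentOS 6.6 rules above (before and after scoping); the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from iptables/firewalld/ufw.
# Audit an iptables-save dump for a NAT bastion's two common gaps:
#   1. a FORWARD chain that relays anything (policy ACCEPT and no final deny);
#   2. SNAT/MASQUERADE rules that rewrite any source, not just the private net.
set -eu

# audit_forward_chain DUMP_FILE -> exit 0 if FORWARD ends in a deny, 1 if open.
# A "deny" is a DROP policy, or a last rule jumping to DROP/REJECT that carries
# no match options (so it catches everything the earlier rules did not).
audit_forward_chain() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:FORWARD / { policy = $2 }
        table == "filter" && /^-A FORWARD / { last = $0 }
        END {
            if (policy == "DROP") exit 0
            if (last ~ /-j (DROP|REJECT)/ && last !~ / -(i|o|s|d|p|m) /) exit 0
            exit 1
        }' "$1"
}

# audit_snat_scope DUMP_FILE -> exit 0 if every SNAT/MASQUERADE rule in the nat
# table names a source (-s), 1 if there is none or one is unscoped.
audit_snat_scope() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A POSTROUTING / && /-j (SNAT|MASQUERADE)/ {
            nat++
            if ($0 !~ / -s /) unscoped++
        }
        END { if (nat > 0 && unscoped == 0) exit 0; exit 1 }' "$1"
}

# audit_rules DUMP_FILE: print findings, exit non-zero if there are any.
audit_rules() {
    rc=0
    audit_forward_chain "$1" || { echo "FORWARD chain has no terminating deny: anything is relayed"; rc=1; }
    audit_snat_scope "$1"    || { echo "SNAT/MASQUERADE missing or not limited to the private subnet (-s)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "no findings in $1"
    return "$rc"
}

# Constructed sample: the CentOS 6.6 bastion above after `iptables -D FORWARD 1`.
write_sample_open() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to-source 95.138.163.75
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -i eth2 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: the same host with FORWARD and SNAT scoped to 192.168.3.0/24.
write_sample_scoped() {
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.3.0/24 -o eth0 -j SNAT --to-source 95.138.163.75
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth2 -o eth0 -s 192.168.3.0/24 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Usage: ./audit-nat.sh live      (audit the running rules, needs root)
#        ./audit-nat.sh FILE      (audit a saved dump)
#        ./audit-nat.sh           (run the two constructed samples)
case "${1:-demo}" in
    live) live=$(mktemp); iptables-save > "$live"; audit_rules "$live"; rm -f "$live" ;;
    demo) t=$(mktemp)
          write_sample_open "$t";   audit_rules "$t" || true
          write_sample_scoped "$t"; audit_rules "$t"
          rm -f "$t" ;;
    *)    audit_rules "$1" ;;
esac
```

Run it with live on the bastion after each of the three procedures; on the CentOS 6.6 rules as typed above it reports both findings, and the scoped variant described there clears them.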
Create Infrastructure Server
Here we spin up a server connected to our isolated cloud network and with no public interface. All communications must go via the proxy-bast server, including your own administrative access: SSH to it from the bastion over its 192.168.3.x address.

    supernova uk boot protected --flavor 2 --image 189678ca-fe2c-4b7a-a986-30c3660edfa5 --nic net-id=4d15b8ad-45c5-4169-a4fa-d36f1a776efd --no-service-net --no-public
Configure Internet Gateway
Here we simply need to route the traffic through the proxy bastion. We do this by defining its private address, 192.168.3.1, as our default gateway; the isolated network hands out no default route of its own. We also need to set our DNS servers, as none are supplied either. The nameservers below are the Rackspace resolvers for the UK environment used in this post; substitute the ones for your region.
CentOS 6.6
Simplicity!

    echo "GATEWAY=192.168.3.1" >> /etc/sysconfig/network
    echo "nameserver 83.138.151.80" >> /etc/resolv.conf
    echo "nameserver 83.138.151.81" >> /etc/resolv.conf
    service network restart

CentOS 7
The default image provided by Rackspace comes with NetworkManager (and so nmcli) disabled. As such the process is similar to previous releases; the DNS1/DNS2 entries in ifcfg-eth0 make the network service keep the nameservers when it rewrites resolv.conf.

    echo "GATEWAY=192.168.3.1" >> /etc/sysconfig/network
    echo "nameserver 83.138.151.80" >> /etc/resolv.conf
    echo "nameserver 83.138.151.81" >> /etc/resolv.conf
    echo "DNS1=83.138.151.80" >> /etc/sysconfig/network-scripts/ifcfg-eth0
    echo "DNS2=83.138.151.81" >> /etc/sysconfig/network-scripts/ifcfg-eth0
    systemctl restart network
Ubuntu 14.04 LTS
To define the default gateway, you need to edit the /etc/network/interfaces file.

    nano /etc/network/interfaces

Mine looks like this. Make sure to add the gateway line.

    auto eth0
    iface eth0 inet static
        address 192.168.3.4
        netmask 255.255.255.0
        gateway 192.168.3.1

You will need to manually add Rackspace’s name servers to your resolv.conf. However, on Ubuntu this file is automatically generated. Instead we edit /etc/resolvconf/resolv.conf.d/base and regenerate the file using the resolvconf command.

    root@protected:~# cat /etc/resolv.conf
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    root@protected:~# echo "nameserver 83.138.151.80" >> /etc/resolvconf/resolv.conf.d/base
    root@protected:~# echo "nameserver 83.138.151.81" >> /etc/resolvconf/resolv.conf.d/base
    root@protected:~# resolvconf -u
    root@protected:~# cat /etc/resolv.conf
    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
    nameserver 83.138.151.80
    nameserver 83.138.151.81

I needed to reboot for the gateway change to take effect (ip route add default via 192.168.3.1 applies it immediately, but the interfaces file is what makes it persistent).

    reboot
Related Documents
Rackspace Developer Blog: Supernova: Managing OpenStack Environments Made Easy
Rackspace Knowledge Centre: Using OnMetal Cloud Servers through API
Oracle-Base: Linux Firewall (firewalld, firewall-cmd, firewall-config)
Kevin’s Cheat Sheet: Configure iptables to act as a NAT gateway
Rackspace Developer Blog: Getting Started: Using rackspace-novaclient to manage Cloud Servers
James Rossiter: Forward ports in Ubuntu Server 12.04 using ufw
Ubuntu Documentation: Firewall
Code Ghar: Ubuntu 12.04 IPv4 NAT Gateway and DHCP Server
Linux Gateway: A More Complex Firewall
netfilter.org: Saying How to Mangle the Packets
Ubuntu Documentation: IptablesHowTo
Major.io: Delete single iptables rules
stackexchange.com: How do I set my DNS on Ubuntu 14.04?
thesimplesynthesis.com: How to Set a Static IP and DNS in Ubuntu 14.04
Rackspace Knowledge Centre: Ubuntu – Setup
Rackspace Knowledge Centre: Introduction to iptables
Rackspace Knowledge Centre: Sample iptables ruleset
Ubuntu Geek: Howto add permanent static routes in Ubuntu
NixCraft: Debian / Ubuntu Linux Setting a Default Gateway
Ask Ubuntu: Set up permanent routing (Ubuntu 13.04)