GNS3 on Azure 03: Configure GNS3 Internet Connectivity

July 29, 2018
Posted by admin
Category: Implementation

High-Level Steps
  • Create a TAP interface on the GNS3 server
  • Configure IP forwarding and NAT
  • Configure your lab environment to use the TAP interface
ai. Create TAP interface on the GNS3 server
  • A TAP interface is a virtual network interface
    • Documentation → Release Notes → v2.0
  • On GNS3 Server
    • Create and configure tap interface (non persistent)
apt-get install uml-utilities
tunctl -t tap1
ifconfig tap1 192.168.1.254 netmask 255.255.255.0 up
    • To make persistent after a reboot
    • Add the following to crontab
crontab -e
@reboot /usr/sbin/tunctl -t tap1 && /sbin/ifconfig tap1 192.168.1.254 netmask 255.255.255.0 up
aii. Configure IP forwarding and NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
  • This creates iptables firewall rules that perform NAT and forward the packets through the interface specified after “-o” (eth0, using its public IP address).
  • The rule uses the NAT packet matching table (-t nat) and specifies the built-in POSTROUTING chain for NAT (-A POSTROUTING) on the firewall’s external networking device (-o eth0).
    • Keep in mind that the order of your rules matters. All of these iptables commands use the -A option to append the new rule to the end of a chain. If you want to put it somewhere else in the chain, you can use the -I option, which allows you to specify the position of the new rule (or simply place it at the beginning of the chain by not specifying a rule number).
  • POSTROUTING allows packets to be altered as they are leaving the firewall’s external device. 
  • The -j MASQUERADE target is specified to mask the private IP address of a node with the external IP address of the firewall/gateway.
  • To be more specific, we can use the following command
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
iptables -A FORWARD -i tap1 -j ACCEPT
  • To allow FORWARDING or ROUTING on this interface
  • The FORWARD policy allows an administrator to control where packets can be routed within a LAN
  • This specifies that packets can be routed to the “tap1” interface
iptables -A INPUT -i tap1 -j ACCEPT
  • To accept all traffic on your TAP interface
iptables -A FORWARD -i eth0 -j ACCEPT
  • To allow FORWARDING or ROUTING on this interface
iptables -A INPUT -i eth0 -j ACCEPT
  • To accept all traffic on your eth0 interface
    • Save the firewall rules
      • On Ubuntu, the easiest way to save iptables rules, so they will survive a reboot, is to use the iptables-persistent package. Install it with apt-get as shown below. During the installation, you will be asked if you want to save your current firewall rules.
sudo apt-get install iptables-persistent
  • If you update your firewall rules and want to save the changes, run this command:
sudo netfilter-persistent save
** IP Tables explanation
  • sudo iptables -S
  • sudo iptables -L
  • Excellent documentation on iptables
    • https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/4/html/Security_Guide/s1-firewall-ipt-fwd.html
    • https://www.digitalocean.com/community/tutorials/iptables-essentials-common-firewall-rules-and-commands
    • https://www.howtogeek.com/177621/the-beginners-guide-to-iptables-the-linux-firewall/
    • https://help.ubuntu.com/community/IptablesHowTo
  • Enter the following commands to create iptables firewall rules to perform NAT and forward the packets from the interface specified after “-i” through the interface specified after “-o”.
  • Replace wlan0 with the interface on the physical computer which connects to the internet; it could be ppp0 or br0 or something else. Ensure the iptables rules persist. If you want the tap0 interface to persist across a reboot, create a cron job to add it when Linux starts up.
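A tighter alternative to the blanket eth0 ACCEPT rules in this section, as an added example that is not part of the original post: find_blanket_accepts flags such rules in `iptables -S` output, and gen_lab_rules prints a default-deny FORWARD ruleset in iptables-restore format. tap1, eth0 and 192.168.1.0/24 are the post's values; both function names are hypothetical.

```shell
#!/bin/sh
# Added example, not the post's own commands. tap1, eth0 and 192.168.1.0/24
# are the post's values; both function names are hypothetical.

# Read `iptables -S` output on stdin and print rules whose only match is
# "arrived on the external interface", such as the post's eth0 ACCEPT rules.
find_blanket_accepts() {
    awk -v wan="$1" '
        NF == 6 && $1 == "-A" && ($2 == "INPUT" || $2 == "FORWARD") &&
        $3 == "-i" && $4 == wan && $5 == "-j" && $6 == "ACCEPT"'
}

# Print an iptables-restore ruleset: lab_if -> wan_if is allowed and NATed,
# wan_if -> lab_if only for replies, every other forwarded packet is dropped.
gen_lab_rules() {
    lan_if=$1 wan_if=$2 lan_net=$3
    # Accept only plain interface names and something shaped like an IPv4
    # CIDR, so the generated file can never carry injected options or rules.
    for ifname in "$lan_if" "$wan_if"; do
        case $ifname in
            ''|-*|*[!A-Za-z0-9_.-]*) echo "bad interface: $ifname" >&2; return 1 ;;
        esac
    done
    printf '%s\n' "$lan_net" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' \
        || { echo "bad CIDR: $lan_net" >&2; return 1; }
    cat <<EOF
*nat
:POSTROUTING ACCEPT [0:0]
# Translate only lab traffic that leaves through the external interface.
-A POSTROUTING -s $lan_net -o $wan_if -j MASQUERADE
COMMIT
*filter
# INPUT and OUTPUT stay at ACCEPT as in the post; only forwarding is tightened.
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Lab -> internet: connections opened from the lab subnet.
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
# Internet -> lab: replies only, instead of a blanket ACCEPT on $wan_if.
-A FORWARD -i $wan_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

gen_lab_rules tap1 eth0 192.168.1.0/24
```

Check the output with `iptables-restore --test` before loading it; without `--noflush`, loading it replaces the current contents of the nat and filter tables.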
aiii. Enable IP forwarding
  • By default, the IPv4 policy in many Linux kernels disables support for IP forwarding, which prevents boxes running Linux from functioning as dedicated edge routers. Because of our use case, we’ll need to enable this by running the following command:
sysctl -w net.ipv4.ip_forward=1
  • If the above command is run via shell prompt, then the setting is not remembered after a reboot. You can permanently set forwarding by editing the /etc/sysctl.conf file
      • To make persistent
vim /etc/sysctl.conf
Uncomment net.ipv4.ip_forward=1
sysctl -p /etc/sysctl.conf
  • IPv4 forwarding has to be enabled at kernel level so use the following command.
echo 1 > /proc/sys/net/ipv4/ip_forward
aiv. In GNS3 client
  • Add a cloud object and connect to switch
  • Configure the default gateway of your clients to be TAP interface IP

1 Comment


  • Tim says:
    May 15, 2019 at 7:49 pm

    Pretty cool, IP fails kernel level so did not work for me but in theory it should. I just better directions with Linux as I am not as familiar. Permission denied is the last error of the last line, sudo or not.

