GNS3 on Azure 03: Configure GNS3 Internet Connectivity

Share This Post

High-Level Steps

Create a TAP interface on the GNS3 server
Configure IP forwarding and NAT
Configure your lab environment to use the TAP interface

ai. Create TAP interface on the GNS3 server

A TAP interface is a virtual network interface
- Documentation → Release Notes → v2.0
On GNS3 Server
- Create and configure tap interface (non persistent)

[code language=”bash”]
apt-get install uml-utilities
tunctl -t tap1
ifconfig tap1 192.168.1.254 netmask 255.255.255.0 up
[/code]

- To make persistent after a reboot
- Add the following to crontab

[code language=”bash”]
crontab -e
[/code]

Add the following to crontab

[code language=”bash”]
@reboot /usr/sbin/tunctl -t tap1 /sbin/ifconfig tap1 192.168.1.254 netmask 255.255.255.0 up
[/code]

aii. Configure IP forwarding and NAT

[code language=”bash”]
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
[/code]

to create IPTables firewall rules to perform NAT and forward the packets through the interface specified after “-o” (eth0 – using its public IP address).
The rule uses the NAT packet matching table (-t nat) and specifies the built-in POSTROUTING chain for NAT (-A POSTROUTING) on the firewall’s external networking device (-o eth0).
- Keep in mind that the order of your rules matter. All of these iptables commands use the -A option to append the new rule to the end of a chain. If you want to put it somewhere else in the chain, you can use the -I option which allows you to specify the position of the new rule (or simply place it at the beginning of the chain by not specifying a rule number).
POSTROUTING allows packets to be altered as they are leaving the firewall’s external device.
The -j MASQUERADE target is specified to mask the private IP address of a node with the external IP address of the firewall/gateway.
To be more specific, we can use the following command

[code language=”bash”]
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
iptables -A FORWARD -i tap1 -j ACCEPT
[/code]

To allow FORWARDING or ROUTING on this interface
The FORWARD policy allows an administrator to control where packets can be routed within a LAN
This specifies that packets can be routed to the “tap1” interface

[code language=”bash”]
iptables -A INPUT -i tap1 -j ACCEPT
[/code]

To accept all traffic on your TAP interface

[code language=”bash”]
iptables -A FORWARD -i eth0 -j ACCEPT
[/code]

To allow FORWARDING or ROUTING on this interface

[code language=”bash”]
iptables -A INPUT -i eth0 -j ACCEPT
[/code]

To accept all traffic on your eth0 interface

- Save the firewall rules
  - On Ubuntu, the easiest way to save iptables rules, so they will survive a reboot, is to use the iptables-persistent package. Install it with apt-get like below. During the installation, you will asked if you want to save your current firewall rules.

[code language=”bash”]
sudo apt-get install iptables-persistent
[/code]

If you update your firewall rules and want to save the changes, run this command:

[code language=”bash”]
sudo netfilter-persistent save
[/code]

** IP Tables explanation

sudo iptables -S
sudo iptables -L
Excellent documentations on IPTABLES
Enter the following commands to create IPTables firewall rules to perform NAT and forward the packets from the interface specified after “-i” through the interface specified after “-o”.
Replace wlan0 with the interface on the physical computer which connects to the internet it could be ppp0 or br0 or something else. Ensure the IPTables rules persist, if you want to ensure the tap0 interface persists a reboot create a cron job to add it when Linux starts up.

aiii. Enable IP forwarding

By default, the IPv4 policy in many Linux kernels disables support for IP forwarding, which prevents boxes running Linux from functioning as dedicated edge routers. Because of our use case, we’ll need to enable this by running the following command:

[code language=”bash”]
sysctl -w net.ipv4.ip_forward=1
[/code]

If the above command is run via shell prompt, then the setting is not remembered after a reboot. You can permanently set forwarding by editing the /etc/sysctl.conf file
- - To make persistent

[code language=”bash”]
vim /etc/sysctl.conf
Uncomment net.ipv4.ip_forward=1
sysctl -p /etc/sysctl.conf
[/code]

IPv4 forwarding has to be enabled at kernel level so use the following command.

[code language=”bash”]
echo 1 > /proc/sys/net/ipv4/ip_forward
[/code]

aiv. In GNS3 client

Add a cloud object and connect to switch
Configure the default gateway of your clients to be TAP interface IP

Subscribe To Our Newsletter

Get updates and learn from the best

More To Explore

Uncategorized

New Azure Container Instance Vulnerability — What to do?

Just yesterday, Microsoft disclosed a new (and yet to be clarified) Azure Container Instance vulnerability — https://msrc-blog.microsoft.com/2021/09/08/coordinated-disclosure-of-vulnerability-in-azure-container-instances-service/. From the information shared in the disclosure, it seems

David Okeyode September 9, 2021

Protecting against #ChaosDB

Cloud security researchers @sagitz and @nirohfeld who both work at Wiz recently discovered what I think is a major vulnerability that exploits the recent CosmosDB Jupyter notebook feature to

David Okeyode August 27, 2021