I got up early to get some work done before driving down to KY to work with a customer on their VDI pilot. As I was preparing for the meeting, I thought to myself, “wow with my studies for the VCDX admin exam, and the recently launch of vSphere, I haven’t done a whole lot of VDI recently.” And then BAM! It hit me like a ton of bricks. I haven’t completed the E.T.D.F series I started almost 6 months ago! If this blog has done anything for me, it has made me painfully aware of my numerous character flaws. <sniffle><tear><sniffle>
Anyway, not that anyone is following along anymore, and purely in the interest of self improvement, I’m determined to finish what I’ve started (both for this series and my VCDX study notes series). So without further delay, here is the second part of the networking section (here is part one). And for your convenience, here again is the Visio diagram of my lab.
Router / Firewall (cincylab-rtr1)
In my environment, the vast majority of all relevant network configurations are on cincylab-rtr1, which is really an old Gateway PC that I had lying around with a single 2.2GHz processor and 1Gig of RAM and a single 100Mbps NIC. I installed Ubuntu server 8.04.1 (kernel 2.6.24-19-server) on it and made it the gateway between my lab and the DMZ (aka, my home network).
The first thing I needed to do was get the basic networking on the server set up. I have three networks in my house …
- An external DMZ, VLAN 192 (aka, my home network)
- An internal “production” network, VLAN 10. I put the word production in bunny ears because nothing is *really* production … it’s all just a lab. But I try to protect this network a little more than the next.
- An internal “lab” network. This is where I can really have fun!
Configuring the Interface(s)
The server only has one NIC and I was too lazy (and cheap) to go buy a new one. But it’s a 1GigE card, which is plenty for my environment. And it’s a snap to configure …
root@cincylab-rtr1:/etc/network# more interfaces
iface lo inet loopback
iface vlan192 inet static
iface vlan10 inet static
iface vlan10:1 inet static
Turn on Routing
Now that the interfaces are configured, we need to turn on routing. In Linux, this can be accomplished a couple different ways. The easies, IMHO, is to simply edit the /etc/sysctl.conf file and set net.ipv4.ip_forward=1. You could also add echo 1 > /proc/sys/net/ipv4/ip_forward to your /etc/rc.local file. Either way should turn on IPv4 routing on your server.
Configure NAT and PAT (Port Address Translation)
Once routing is turned on, we need to set up Network Address translation and Port Address Translation. This needs to be done for two reasons.
- My lab networks need outside access to the Internet and they have private IP addresses.
- My server has a single IP address in the DMZ, which needs to serve as the gateway IP for multiple internal IP’s and TCP/UDP ports. As an example, I want all traffic arriving on 192.168.9.25, TCP port 8080 to be forwarded to the internal IP 10.10.8.51 port 80. And more specifically, here’s what I want available to the outside world …
- 192.168.9.25:8080 –> 10.10.7.51:80
- 192.168.9.25:8181 –> 10.10.7.51:443
- 192.168.9.25:8282 –> 10.10.7.50:80
- 192.168.9.25:8383 –> 10.10.7.50:443
OK, so how do we do this? We need configure iptables. An iptables tutorial is out of scope for this post, but if you’d like to learn more about Linux IP tables, I personally like this one: http://www.yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html.
To set up iptables, I’ve created a file called fw_rules in /usr/local/bin and made it executable (chmod +x /usr/local/bin/fw_rules). Here is what the file looks like.
root@cincylab-rtr1:/usr/local/bin# cat fw_rules
iptables -t nat -F
iptables -t filter -F
iptables -t nat -A PREROUTING -p tcp -i vlan192 -d 192.168.9.25 –dport 8080 -j DNAT –to 10.10.7.51:80
iptables -t nat -A PREROUTING -p tcp -i vlan192 -d 192.168.9.25 –dport 8181 -j DNAT –to 10.10.7.51:443
iptables -t nat -A PREROUTING -p tcp -i vlan192 -d 192.168.9.25 –dport 8282 -j DNAT –to 10.10.7.50:80
iptables -t nat -A PREROUTING -p tcp -i vlan192 -d 192.168.9.25 –dport 8383 -j DNAT –to 10.10.7.50:443
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD ACCEPT
To make these changes persistent across reboots, you’ll need to add /usr/local/bin/fw_rules to your /etc/rc.local file.
Now, for all you linux experts out there looking at this file, you’re probably saying “uh, that’s a pretty insecure firewall you got there!.” And you’d be right Remember, this is merely an internal firewall/router which is protected by a much more secure, Internet facing, Cisco ASA (thanks again to the local Cisco team!!). It’s also this Cisco that forwards outside connections on specific ports (not 8080, 8181, and 8282, for additional security) to IP 192.168.9.25. And because of this, my goal for this server isn’t to protect, but to separate my lab networks from my home network, and proxy the connections between them.
We’ve configured our networks, turned on routing and configured NAT / PAT on our server. What next? Three things:
- Because my external IP is dynamic, we need to set up a script that will periodically check to see if our external IP has changed and, if so, update our dynamic DNS service.
- Configure DHCP and DNS.
- Set up external VPN access.
Step three is actually optional because when we’re done, we’ll be able to tunnel via SSL to our desktop. And from our desktop, we’ll have full access to the local LAN. But sometimes full remote access via VPN is nice without being forced to first “hop” to another desktop. So, I’ll include my VPN configuration as well.
But for now, it looks like I’m going to need have a part three of this “setting up the network and dedicated remote access” section, because I need to get on the road down to KY. But if you’re interested, look for part three later today. I’m almost done with it and will try to finish it during my lunch break.