Deploy Outbound NAT Gateway on Ubuntu

By | October 29, 2016

Introduction

A common network infrastructure may consist of an private network on an isolated subnet. While there may be no need for incoming connections to access the private network from the outside, there are occasions when you may need servers within the private subnet to make connections to services outside of the subnet or to the public Internet. An example may include downloading a software package, sending backup data to an external location, or applying system updates to servers on the private subnet.

A Linux gateway server with two network interfaces, or NICs, can be used to bridge two networks together. One NIC will connect to an external, or public, network while the other NIC will connect to the private subnet. IP forwarding and a NAT rule are then used to route traffic from the private subnet out to the external network.

The traffic from the internal servers will appear to be originating from the gateway IP address. Externally generated traffic will reach the gateway and have no visibility of the private subnet.

While beyond the scope of this tutorial, the gateway server firewall can be modified to restrict outbound traffic from the subnet.

Requirements

  • Ubuntu 14.10
  • One gateway server with two network interfaces
    • Public NIC: 203.0.113.110
    • Private NIC: 10.0.0.1
  • One or more nodes with one network interface
    • Private NIC: 10.0.0.2

Deploy Infrastructure

The example infrastructure will consist of a single gateway server bridging the public Internet and private subnet.

The primary network interface, eth0, of the gateway will be assigned a public IP address of 203.0.113.110 with a connection to the public Internet through LAN 1. The secondary network interface, eth1, will be assigned an IP address of 10.0.0.1 with a connection to the private network over LAN 2.

A second, internal server, named node1 will reside on the private network on LAN 2 with an IP address of 10.0.0.2. Further internal servers will follow a similar configuration as this server. Here is a diagram from the ProfitBricks Data Center Designer (DCD) of the example infrastructure.

Configure Gateway Primary NIC

By default, the ProfitBricks DCD will dynamically assign the gateway server a public IP address. This is suitable for the tutorial, however, a static public IP address can also be used.

Edit the /etc/network/interfaces file. No changes to eth0 should be necessary unless a static IP address is required. Here are the default settings.

allow-hotplug eth0 iface eth0 inet dhcp

Configure Gateway Secondary NIC

The secondary network interface will need to be assigned a private static IP address. Within the same interfaces file, modify the section for eth1 or create a new section if not present.

allow-hotplug eth1 iface eth1 inet static address 10.0.0.1 netmask 255.255.255.0

The interface will need to be taken offline and brought online for the changes to take affect.

ifdown eth1 && ifup eth1

Configure Internal Server NIC

The internal node1 server will need to be assigned a private static IP address and a gateway IP that matches the private IP address of the outbound gateway. Update eth0 in the /etc/network/interfaces file to include the static IP address, netmask, and gateway.

allow-hotplug eth0 iface eth0 inet static address 10.0.0.2 netmask 255.255.255.0 gateway 10.0.0.1

The network settings will need to be applied (or the server rebooted).

ifdown eth0 && ifup eth0

Enable IP Forwarding

The next step is to enable IPv4 packet forwarding. Edit the /etc/ufw/sysctl.conf file and uncomment the IPv4 ip_forward line.

net/ipv4/ip_forward=1

The same can be done if forwarding is necessary for IPv6 traffic.

net/ipv6/conf/default/forwarding=1

Enable NAT

Enable the firewall forward policy by changing the DEFAULT_FOWARD_POLICY value in /etc/default/ufw.

DEFAULT_FORWARD_POLICY="ACCEPT"

IP masquerading must now be enabled. Edit /etc/ufw/before.rules and add the following NAT rules at the beginning of the file. These lines should be placed before any other rules in the file and after any initial comments.

*nat :POSTROUTING ACCEPT [0:0] -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE COMMIT

If the firewall has not yet been enabled, then add a rule for incoming SSH access and start the firewall.

ufw allow 22/tcp
ufw enable

If the firewall is already enabled, reload the firewall.

ufw disable && ufw enable

The internal node should now be able to access the public Internet through the gateway server. This can tested by pinging an external server from node1.

ping 8.8.8.8
Сomments аrchive