VMware ESXi: Setting up NAT with a linux virtual machine

Hi,

other than the Workstation, VMware ESXi does not has the functionality to “NATting” virtual machines network traffic into a public network.

My approach to implement NAT is a virtual machine with a slimmed-down (Debian) Linux.

These virtual machine has two network interfaces. The first interface is connected to a vSwitch called “Public LAN” with access to the public LAN, the second interface is connected to a vSwitch which has no physical adapter attached to and is called “NAT Network”. On the NAT interface a DHCP server is assigning IP Addresses.

Before we can start we have something to define, in braces are the values for my configuration example:

  • IP Parameters for the Public LAN Interface (IP Address: 172.16.10.10, Subnet Mask: 255.255.255.0, Default Gateway: 172.16.10.1)
  • An IP  Address Range for the NAT Clients (Range: 192.168.254.10-192.168.254.100, Subnetmask: 255.255.255.0)
  • IP Address, from the Range of “NAT Clients”, for the NAT Interface (IP Address: 192.168.254.1, Subnet Mask: 255.255.255.0)
  • Locate DNS Servers in your network (DNS 1: 172.31.1.24, DNS 2: 172.31.1.27)
  • If you want to deliver a “primary DNS suffix” to the NAT Clients, identify or define one (Primary DNS suffix: natclients.local)

Create a new virtual machine with 1 CPU and 1GB RAM. This should be enough. Add tw0 e1000 network interfaces. Connect NIC 1 to the “Public LAN” and NIC 2 to the “NAT Network” and install debian with a minimum set of packages (“Standard system utilities” and “ssh-server”)

Minimum Debian package installation
Minimum Debian package installation

Login as User root. Disable respectively remove some system daemon which are not required:

root@debdev:/# update-rc.d -f exim4 remove
root@debdev:/# update-rc.d –f rpcbind  remove
root@debdev:/# update-rc.d -f nfs-common remove

Install the ISC DHCP Server

root@debdev:/# apt-get update
root@debdev:/# apt-get install isc-dhcp-server

Bind the dhcp server only to the interface which is connected to the “NAT Network”, is this example eth1. Edit the file /etc/default/isc-dhcp-server and alter the INTERFACES parameter to

INTERFACES="eth1"

Create a config file /etc/dhcp/dhcpd.conf for the dhcp server.


option domain-name "natclients.local";
option domain-name-servers 172.31.1.24,172.31.1.27;
option ntp-servers 172.31.1.24;
max-lease-time 7200; # 2 hours
default-lease-time 1800;
ddns-update-style none;
subnet 192.168.254.0 netmask 255.255.255.0 {
    option routers 192.168.254.1;
    option broadcast-address 192.168.254.255;
    range 192.168.254.10 192.168.254.100;
    authoritative;
}

Enable NAT by the following command

root@debdev:/# iptables -t nat -A POSTROUTING -m iprange --src-range 192.168.254.10-192.168.254.100 -o eth0 -j MASQUERADE

In order to use NAT you have to enable IP forwarding. Therefore some addional firewall rules are necessary to prevent that someone in the “Public LAN” Subnet can send IP packets directly to the NAT Clients. Only outgoing connections from the NAT Clients are allowed.

root@debdev:/# iptables -A FORWARD -i eth1 -o eth0 -s 192.168.254.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
root@debdev:/# iptables -A FORWARD -i eth0 -o eth1 -d 192.168.254.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
root@debdev:/# iptables -P FORWARD DROP

Also drop all dhcp request at the “Public LAN” interface.

root@debdev:/# iptables -A INPUT -i eth0 -p udp --dport 67 -j DROP

Save all the rules to a file

root@debdev:/# iptables-save > /etc/firewall.conf

To load all rules at system startup create a file /etc/network/if-up.d/iptables


#!/bin/sh
iptables-restore 

and make it executable

root@debdev:/# chmod +x /etc/network/if-up.d/iptables

Finally enable ip forwarding. Edit /etc/sysctl.conf. Locate net.ipv4.ip_forward, remove the comment hash and set the option to "1".

net.ipv4.ip_forward=1

Reboot your virtual machine.

Michael

Leave a Reply Cancel reply