
Set up a NAT Gateway


In order for Nessus Network Monitor (NNM) to monitor virtual machine instances in a Google Compute Engine network, NNM must run on a virtual machine instance that functions as a network address translation (NAT) gateway. A NAT gateway instance routes traffic from internal-only virtual machine instances to the Internet. An NNM installed on a NAT gateway has visibility into the hostnames and private IP addresses of the internal virtual machine instances before the NAT gateway masquerades the source IP address of incoming packets to forward them to the Internet.

This guide shows how to set up a NAT gateway in a Google Compute Engine legacy network. Network ranges must be adjusted if you're using a subnetwork.

Before You Begin

Follow the instructions on setting up a Google Cloud Platform project.


  1. Create a Compute Engine network to host your virtual machine instances. In this example, the legacy network range used is with a gateway of You can select your own IPv4 range and gateway addresses as needed. You can also create a subnetwork instead.

    If you want to use the default network, you can skip this step and replace gce-network in the examples below with default.

    $ gcloud compute networks create gce-network --range --mode=legacy


    Created [].


    gce-network legacy

    Instances on this network will not be reachable until firewall rules are created. As an example, you can allow all internal traffic between instances as well as SSH, RDP, and ICMP by running:

    $ gcloud compute firewall-rules create <FIREWALL_NAME> --network gce-network --allow tcp,udp,icmp --source-ranges <IP_RANGE>

    $ gcloud compute firewall-rules create <FIREWALL_NAME> --network gce-network --allow tcp:22,tcp:3389,icmp

  2. Create firewall rules to allow SSH connections in the new network you just created.

    $ gcloud compute firewall-rules create gce-network-allow-ssh --allow tcp:22 --network gce-network


    Created [].


    gce-network-allow-ssh gce-network  tcp:22

  3. Create firewall rules to allow TCP, UDP, and ICMP traffic within the new network you just created.

    $ gcloud compute firewall-rules create gce-network-allow-internal --allow tcp:1-65535,udp:1-65535,icmp --source-ranges --network gce-network


    Created [].

    NAME                       NETWORK     SRC_RANGES    RULES                        SRC_TAGS TARGET_TAGS

    gce-network-allow-internal gce-network tcp:1-65535,udp:1-65535,icmp

  4. Create a virtual machine instance to act as a NAT gateway on the gce-network or the default network. In this example, a CentOS 6 virtual machine is created.

    Note: If you choose a different image to install on your NAT gateway virtual machine, make sure that it's a platform that NNM supports.

    For the following examples, use the zone name that was chosen when setting up the Google Cloud Platform project.

    $ gcloud compute instances create nat-gateway --network gce-network --can-ip-forward --zone us-east1-b --image centos-6 --tags nat


    Created [].


    nat-gateway us-east1-b n1-standard-1    RUNNING

  5. Tag any virtual machine instances without an external IP address that will use the gateway instance with the tag no-ip, or create a new virtual machine without an external IP address and tag the instance with the no-ip tag.

    # Add tags to an existing instance ...

    $ gcloud compute instances add-tags existing-instance --tags no-ip


    Updated [].

    # Or create a new virtual machine without an external IP address

    $ gcloud compute instances create example-instance --network gce-network --no-address --zone us-east1-b --image centos-6 --tags no-ip


    Created [].


    example-instance us-east1-b n1-standard-1                 RUNNING

  6. Create a route to send traffic destined to the Internet through your gateway instance.

    $ gcloud compute routes create no-ip-internet-route --network gce-network --destination-range --next-hop-instance nat-gateway --next-hop-instance-zone us-east1-b --tags no-ip --priority 800


    Created [].

    NAME                 NETWORK     DEST_RANGE NEXT_HOP                         PRIORITY

    no-ip-internet-route gce-network  us-east1-b/instances/nat-gateway 800

    Setting the priority of this route ensures that it takes precedence over any other conflicting routes. 1000 is the default priority, and a value lower than 1000 takes precedence.

  7. Log in to your NAT gateway instance.

    $ gcloud compute ssh nat-gateway --zone us-east1-b

  8. Once logged into your NAT gateway instance, configure iptables.

    user@nat-gateway:~$ sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

    user@nat-gateway:~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    The first sudo command tells the kernel to allow IP forwarding. The second sudo command masquerades packets received from internal instances as if they originated from the NAT gateway instance.

    Tip: Consider saving these commands in a startup script, because these settings will not persist if the instance is rebooted.
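    The following startup script is an added example (not Tenable's or Google's code) that makes the step 8 settings persistent across reboots, narrows the MASQUERADE rule to the internal network range, and only forwards traffic that originates from that range or is a reply to it. It assumes the egress interface is eth0 and uses a placeholder range in NAT_SRC_RANGE that must be replaced with the gce-network range chosen in step 1.

```shell
#!/bin/sh
# Added example: persist the NAT gateway configuration from step 8 as a startup script.
# Assumptions: egress interface is eth0; NAT_SRC_RANGE is a constructed placeholder
# that must be replaced with the internal IPv4 range of gce-network.
NAT_IFACE="${NAT_IFACE:-eth0}"
NAT_SRC_RANGE="${NAT_SRC_RANGE:-10.240.0.0/16}"   # placeholder, not a value from the guide

# Rule specs (without the -A/-C verb) so each one can be checked and then added.
nat_rule() {
  printf 'POSTROUTING -s %s -o %s -j MASQUERADE\n' "$NAT_SRC_RANGE" "$NAT_IFACE"
}
forward_out_rule() {
  printf 'FORWARD -s %s -o %s -j ACCEPT\n' "$NAT_SRC_RANGE" "$NAT_IFACE"
}
forward_reply_rule() {
  printf 'FORWARD -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$NAT_IFACE"
}

# Append a rule only if it is not already present, so reruns do not duplicate it.
ensure_rule() {   # $1 = table, remaining args = rule spec
  table="$1"; shift
  iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

apply_nat() {
  sysctl -w net.ipv4.ip_forward=1            # same effect as the echo in step 8
  ensure_rule nat $(nat_rule)                # masquerade only the internal range
  ensure_rule filter $(forward_out_rule)     # internal -> Internet
  ensure_rule filter $(forward_reply_rule)   # replies back to internal instances
  iptables -P FORWARD DROP                   # anything else is dropped, not NATed
}

show_plan() {
  echo "net.ipv4.ip_forward=1"
  echo "nat:    $(nat_rule)"
  echo "filter: $(forward_out_rule)"
  echo "filter: $(forward_reply_rule)"
  echo "filter: FORWARD policy DROP"
}

# Without the "apply" argument the script only prints what it would install;
# when used as the instance startup script, call apply_nat unconditionally.
if [ "${1:-}" = "apply" ]; then apply_nat; else show_plan; fi
```

    Run it once without arguments to review the rules it would install, then as root with `apply` (or from the startup script) on the nat-gateway instance.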

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc. Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.