
Set up a NAT Gateway

Introduction

In order for PVS (Passive Vulnerability Scanner) to monitor virtual machine instances in a Google Compute Engine network, PVS must run on a virtual machine instance that functions as a network address translation (NAT) gateway. A NAT gateway instance routes traffic from internal-only virtual machine instances to the Internet. A PVS installed on the NAT gateway sees the hostnames and private IP addresses of the internal virtual machine instances, because it observes their packets before the gateway rewrites the source IP address and forwards them to the Internet.

This guide shows how to set up a NAT gateway in a Google Compute Engine legacy network. Adjust the network ranges if you are using a subnetwork.

Before You Begin

Follow the instructions on setting up a Google Cloud Platform project.

Steps

  1. Create a Compute Engine network to host your virtual machine instances. In this example, the legacy network range used is 10.240.0.0/16 with a gateway of 10.240.0.1. You can select your own IPv4 range and gateway addresses as needed. You can also create a subnetwork instead.

    If you want to use the default network, you can skip this step and replace gce-network in the examples below with default.

    $ gcloud compute networks create gce-network --range 10.240.0.0/16 --mode=legacy

     

    Created [https://www.googleapis.com/compute/v1/projects/pvs-example-project/global/networks/gce-network].

    NAME        MODE   IPV4_RANGE    GATEWAY_IPV4

    gce-network legacy 10.240.0.0/16 10.240.0.1

    Instances on this network will not be reachable until firewall rules are created. As an example, you can allow all internal traffic between instances as well as SSH, RDP, and ICMP by running:

    $ gcloud compute firewall-rules create <FIREWALL_NAME> --network gce-network --allow tcp,udp,icmp --source-ranges <IP_RANGE>

    $ gcloud compute firewall-rules create <FIREWALL_NAME> --network gce-network --allow tcp:22,tcp:3389,icmp

  2. Create firewall rules to allow SSH connections in the new network you just created.

    $ gcloud compute firewall-rules create gce-network-allow-ssh --allow tcp:22 --network gce-network

     

    Created [https://www.googleapis.com/compute/v1/projects/pvs-example-project/global/firewalls/gce-network-allow-ssh].

    NAME                  NETWORK     SRC_RANGES RULES   SRC_TAGS TARGET_TAGS

    gce-network-allow-ssh gce-network 0.0.0.0/0  tcp:22

  3. Create firewall rules to allow TCP, UDP, and ICMP traffic within the new network you just created.

    $ gcloud compute firewall-rules create gce-network-allow-internal --allow tcp:1-65535,udp:1-65535,icmp --source-ranges 10.240.0.0/16 --network gce-network

     

    Created [https://www.googleapis.com/compute/v1/projects/pvs-example-project/global/firewalls/gce-network-allow-internal].

    NAME                       NETWORK     SRC_RANGES    RULES                        SRC_TAGS TARGET_TAGS

    gce-network-allow-internal gce-network 10.240.0.0/16 tcp:1-65535,udp:1-65535,icmp

  4. Create a virtual machine instance to act as a NAT gateway on the gce-network or the default network. In this example, a CentOS 6 virtual machine is created.

    Note: If you choose a different image to install on your NAT gateway virtual machine, make sure that it's a platform that PVS supports.

    For the following examples, use the zone name that was chosen when setting up the Google Cloud Platform project.

    $ gcloud compute instances create nat-gateway --network gce-network --can-ip-forward --zone us-east1-b --image centos-6 --tags nat

     

    Created [https://www.googleapis.com/compute/v1/projects/pvs-example-project/zones/us-east1-b/instances/nat-gateway].

    NAME        ZONE       MACHINE_TYPE  PREEMPTIBLE INTERNAL_IP    EXTERNAL_IP     STATUS

    nat-gateway us-east1-b n1-standard-1             10.240.0.2     104.xxx.xxx.xxx RUNNING

  5. Tag any virtual machine instances without an external IP address that will use the gateway instance with the tag no-ip, or create a new virtual machine without an external IP address and tag the instance with the no-ip tag.

    # Add tags to an existing instance ...

    $ gcloud compute instances add-tags existing-instance --tags no-ip

     

    Updated [https://www.googleapis.com/compute/v1/projects/pvs-example-project/zones/us-east1-b/instances/existing-instance].

    # Or create a new virtual machine without an external IP address

    $ gcloud compute instances create example-instance --network gce-network --no-address --zone us-east1-b --image centos-6 --tags no-ip

     

    Created [https://www.googleapis.com/compute/v1/projects/pvs-example-project/zones/us-east1-b/instances/example-instance].

    NAME             ZONE       MACHINE_TYPE  PREEMPTIBLE INTERNAL_IP EXTERNAL_IP STATUS

    example-instance us-east1-b n1-standard-1             10.240.0.3              RUNNING

  6. Create a route to send traffic destined to the Internet through your gateway instance.

    $ gcloud compute routes create no-ip-internet-route --network gce-network --destination-range 0.0.0.0/0 --next-hop-instance nat-gateway --next-hop-instance-zone us-east1-b --tags no-ip --priority 800

     

    Created [https://www.googleapis.com/compute/v1/projects/pvs-example-project/global/routes/no-ip-internet-route].

    NAME                 NETWORK     DEST_RANGE NEXT_HOP                         PRIORITY

    no-ip-internet-route gce-network 0.0.0.0/0  us-east1-b/instances/nat-gateway 800

    Setting the priority of this route ensures that it takes precedence over any other conflicting routes. 1000 is the default priority, and a value lower than 1000 takes precedence.

  7. Log in to your NAT gateway instance.

    $ gcloud compute ssh nat-gateway --zone us-east1-b

  8. Once logged into your NAT gateway instance, configure iptables.

    user@nat-gateway:~$ sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"

    user@nat-gateway:~$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    The first sudo command tells the kernel to allow IP forwarding. The second sudo command masquerades packets received from internal instances as if they originated from the NAT gateway instance.

    Tip: Consider saving these commands in a startup script, because these settings will not persist if the instance is rebooted.
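    The startup script the Tip above recommends, written here as an added example rather than code from the Tenable page: it re-applies the step 8 settings on every boot, checks whether the rule already exists before adding it (so repeated boots never stack duplicate rules), and limits masquerading to the step 1 internal range. The DRY_RUN switch, the capability probe, and the gcloud add-metadata line in the header comment are assumptions of this example, not part of the original procedure.

```shell
#!/bin/sh
# nat-startup.sh: persist the step 8 NAT configuration across reboots.
# Attach it to the gateway instance (assumed command, using this page's names):
#   gcloud compute instances add-metadata nat-gateway --zone us-east1-b \
#       --metadata-from-file startup-script=nat-startup.sh
set -eu

INTERNAL_RANGE="${INTERNAL_RANGE:-10.240.0.0/16}"   # legacy range from step 1
OUT_IFACE="${OUT_IFACE:-eth0}"                      # Internet-facing interface
DRY_RUN="${DRY_RUN:-0}"                             # 1 = print commands only

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# True if the MASQUERADE rule is already in the nat POSTROUTING chain.
# Uses -S plus grep instead of -C because older iptables (CentOS 6) lacks -C.
rule_present() {
    iptables -t nat -S POSTROUTING 2>/dev/null |
        grep -qF -- "-s $INTERNAL_RANGE -o $OUT_IFACE -j MASQUERADE"
}

# Enable forwarding and add the MASQUERADE rule only if it is missing.
# The rule is narrowed to the internal range so only instances behind the
# gateway are masqueraded (the page's rule matches all traffic leaving eth0).
configure_nat() {
    run sysctl -w net.ipv4.ip_forward=1
    if [ "$DRY_RUN" = 1 ] || ! rule_present; then
        run iptables -t nat -A POSTROUTING -s "$INTERNAL_RANGE" \
            -o "$OUT_IFACE" -j MASQUERADE
    fi
}

# Only touch kernel state when running as root with a writable /proc/sys
# and a reachable nat table (NET_ADMIN); otherwise just show the plan.
can_apply() {
    [ "$(id -u)" -eq 0 ] || return 1
    [ -w /proc/sys/net/ipv4/ip_forward ] || return 1
    iptables -t nat -L POSTROUTING -n >/dev/null 2>&1
}

if can_apply; then
    configure_nat
else
    echo "cannot modify NAT state here; planned commands:" >&2
    DRY_RUN=1 configure_nat
fi
```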

Copyright © 2017. Tenable Network Security, Inc. All rights reserved. Tenable Network Security, Nessus, SecurityCenter Continuous View, Passive Vulnerability Scanner, and Log Correlation Engine are registered trademarks of Tenable Network Security, Inc. All other products or services are trademarks of their respective owners.