rtmoran.org — Cybersecurity and Linux Resource

CentOS Router: Configuration in Vmware

In preparation for an upcoming hackathon, I began working with CentOS as a means to route traffic between two VMware machines: a ParrotOS machine, and a Metasploitable2 machine – both configured on different subnets.

For this tutorial I used the following:

  • VMware Workstation 15
  • ParrotOS
  • Metasploitable2
  • CentOS (Minimal Installation)

CentOS Router Configuration

First, let’s configure the CentOS router to forward traffic between the ParrotOS machine (residing on network 192.168.10.0) and the Metasploitable2 machine (residing on network 192.168.20.0).

It’s important to add the appropriate network adapters before you begin your installation of CentOS, otherwise you will have to manually populate the network adapter interface configuration files from scratch.  While possible, it makes for extra work, as you will need to generate and copy the appropriate device UUID information for each adapter.

We will add three network adapters to our CentOS VMware machine before installing.

  • 1 NAT Adapter (configured dynamically to provide internet access for the two machines)
  • 1 Bridge Adapter (for the 192.168.10.0 subnet)
  • 1 Bridge Adapter (for the 192.168.20.0 subnet)

Before we begin, use the command ‘ip addr’ to determine the names of your three adapters.  In this tutorial my adapters are named ‘ens33’, ‘ens34’, and ‘ens35’; however, yours will most likely differ.

*Be sure to substitute the correct adapter names for your machine wherever you encounter mine.

Step One – ens33 (NAT Adapter)

All network adapter configuration files for CentOS can be found within:

/etc/sysconfig/network-scripts/ifcfg-<adapter name>

We will now edit our NAT adapter, which on my system is named ‘ens33’.  A few items must be changed, and a few added.

vim /etc/sysconfig/network-scripts/ifcfg-ens33

Your configuration file should look like this:

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=2e4eb124-bfe2-45de-aca8-9ae3f5fa487b
DEVICE=ens33
ONBOOT=yes
ZONE=external
DNS1=8.8.8.8
DNS2=8.8.4.4

Step Two – ens34 (Bridge Adapter)

Following the same directions as above, we now need to statically configure the first of our two bridge network adapters.

vim /etc/sysconfig/network-scripts/ifcfg-ens34

Ensure that the configuration file matches with what is below.

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens34
UUID=b3804ef1-084f-45f3-b352-4bf83ed171ba
DEVICE=ens34
ONBOOT=yes
IPADDR=192.168.10.1
NETMASK=255.255.255.0
GATEWAY=<IP address of NAT adapter / ens33>
ZONE=internal

Note: The gateway points to the IP address of our dynamically assigned NAT adapter.  Because of this, you must determine the IP address of your own NAT adapter and insert it for ‘GATEWAY’.

Use ‘ip addr’ or ‘ifconfig’ to determine it.

Step Three – ens35 (Bridge Adapter 2)

vim /etc/sysconfig/network-scripts/ifcfg-ens35

TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens35
UUID=fb32b578-7afe-4156-a1f7-b10357512a76
DEVICE=ens35
ONBOOT=yes
IPADDR=192.168.20.1
NETMASK=255.255.255.0
GATEWAY=<IP address of NAT adapter / ens33>
ZONE=internal

Step Four – Restart Service

sudo systemctl restart network

Step Five – IPv4 Forwarding

Next, we must enable IPv4 forwarding on the CentOS machine.

echo "net.ipv4.ip_forward=1" | sudo tee /etc/sysctl.d/ip_forward.conf

(The file must be written as root.  ‘sudo echo ... >> file’ does not work, because the redirection is performed by your unprivileged shell, not by sudo, hence tee.)

To apply the setting now, enter the following:

sudo sysctl -p /etc/sysctl.d/ip_forward.conf

You should see ‘net.ipv4.ip_forward = 1’ echoed back.

Step Six – Firewalld Configuration

Next, we will enable some rules for the firewalld service to configure how traffic is forwarded among the different network adapters.

# Masquerade traffic from each internal subnet as it leaves the NAT adapter.
# (-s takes a network, e.g. 192.168.10.0/24, not the netmask 255.255.255.0.)
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o ens33 -j MASQUERADE -s 192.168.10.0/24
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o ens33 -j MASQUERADE -s 192.168.20.0/24
firewall-cmd --change-interface=ens33 --zone=external --permanent
firewall-cmd --set-default-zone=internal
# Allow forwarding in both directions between the two bridge adapters.
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -o ens35 -i ens34 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -o ens34 -i ens35 -j ACCEPT

Step Seven – Restart Services

Following the above configuration commands, it is now time to reload firewalld's configuration and restart both the firewalld and network services.

firewall-cmd --complete-reload
systemctl restart network && systemctl restart firewalld

Using the following commands, check the configuration of both your internal and external firewalld zones.

firewall-cmd --list-all
firewall-cmd --list-all --zone=external

Your internal configuration should look like this:

internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens34 ens35
  sources: 
  services: ssh mdns samba-client dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Note that both bridge adapters are listed and that masquerade is set to ‘no’.

Your external configuration should look like this:

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:
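As an added check, not part of the original article, the script below parses zone listings in the format shown above and verifies the router's state: forwarding on, ens33 alone in the external zone with masquerade on, both bridges in the internal zone with masquerade off. The adapter names and the RUN_LIVE switch are my assumptions, and the parser is exercised against a constructed sample so it runs without firewalld.

```bash
#!/bin/bash
# Added check script (not from the article). Parses `firewall-cmd --list-all`
# zone listings (format shown above) and verifies the router's state.
# Assumes the article's adapter names; change EXT_IF/INT_IFS to match yours.
EXT_IF=ens33                 # NAT adapter, zone external
INT_IFS="ens34 ens35"        # bridge adapters, zone internal

# Constructed sample of the expected internal-zone listing (for offline use).
SAMPLE_INTERNAL='internal (active)
  target: default
  interfaces: ens34 ens35
  sources: 
  masquerade: no'

# Print one field (e.g. interfaces, masquerade) of the zone listing in $1.
zone_field() {
    printf '%s\n' "$1" | awk -v key="$2" -F': ' \
        '{ k = $1; gsub(/^ +/, "", k); if (k == key) print $2 }'
}

# Succeed only if every interface named in $2 (space-separated) is in the zone.
zone_has_ifaces() {
    local have i
    have=$(zone_field "$1" interfaces)
    for i in $2; do
        case " $have " in *" $i "*) ;; *) return 1 ;; esac
    done
    return 0
}

# Succeed if the zone listing in $1 has masquerading enabled.
zone_masquerade() { [ "$(zone_field "$1" masquerade)" = yes ]; }

# Live, read-only checks; run as root on the router with RUN_LIVE=1.
check_router() {
    local ext int i rc=0
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || { echo "FAIL ip_forward is 0"; rc=1; }
    ext=$(firewall-cmd --list-all --zone=external)
    int=$(firewall-cmd --list-all --zone=internal)
    zone_has_ifaces "$ext" "$EXT_IF" && zone_masquerade "$ext" \
        || { echo "FAIL external: $EXT_IF unbound or masquerade off"; rc=1; }
    zone_has_ifaces "$int" "$INT_IFS" && ! zone_masquerade "$int" \
        || { echo "FAIL internal: adapter unbound or masquerade on"; rc=1; }
    for i in $INT_IFS; do   # an internal adapter also in external defeats the zone split
        zone_has_ifaces "$ext" "$i" && { echo "FAIL $i is also in external"; rc=1; }
    done
    return $rc
}
if [ "${RUN_LIVE:-0}" = 1 ]; then check_router; fi
```

Run it with RUN_LIVE=1 on the router after Step Seven; without that variable it only defines the functions, so it can be sourced from other scripts.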

Guest Machine Configurations

Now we have our CentOS router configured to provide internet access to all machines on the 192.168.10.0 network, as well as the 192.168.20.0 network.  In addition, I wanted my ParrotOS machine to have full access to the Metasploitable2 machine for the purpose of vulnerability testing, so full IPv4 traffic was enabled between the two machines.

If this changes in the future, I can always reconfigure to block/allow specific ports or services because both machines reside on different networks.

Lastly, all that is left is to statically configure the IP addresses of both the ParrotOS machine and the Metasploitable2 machine.

ParrotOS Configuration

Ensure that you have added a ‘Bridged’ network adapter for the ParrotOS machine within VMware.

Network configuration files for this Debian-based machine can be found within the directory:

/etc/network/interfaces.d/<name of adapter>

If a configuration file for your adapter has not already been created, you can create your own, ensuring it looks something like this:

sudo vim /etc/network/interfaces.d/eth0

auto eth0
iface eth0 inet static
	address 192.168.10.101
	netmask 255.255.255.0
	gateway 192.168.10.1
	dns-nameservers 8.8.8.8 8.8.4.4

Now, restart the networking service.

sudo systemctl restart networking

Metasploitable2 Configuration

Following the same instructions as above (although in Metasploitable, ethernet adapters do not have their own configuration file), we now need to configure our Metasploitable2 machine.

sudo vim /etc/network/interfaces

It should be edited to look something like this:

# The loopback network interface
auto lo
iface lo inet loopback

# eth0 interface
auto eth0
iface eth0 inet static
	address 192.168.20.101
	netmask 255.255.255.0
	gateway 192.168.20.1
	dns-nameservers 8.8.8.8 8.8.4.4

Restart service:

sudo /etc/init.d/networking restart

Final Thoughts

Your CentOS router, as well as your ParrotOS/Kali and Metasploitable machines should now be configured to not only be able to communicate with one another, but also with the internet if need be.

Be sure to test this configuration by not only pinging from each machine to one another, but by also pinging an external location, such as google.com.

With this basic setup, you have enabled unfettered access between the 192.168.10.0 and 192.168.20.0 networks.  In the future you might want to reconfigure firewalld to restrict traffic between those two subnets by ports or services, or even reassign each subnet to its own particular zone.
