In preparation for an upcoming hackathon, I began working with CentOS as a means to route traffic between two VMware machines: a ParrotOS machine, and a Metasploitable2 machine – both configured on different subnets.
For this tutorial I used the following:
- VMware Workstation 15
- CentOS (Minimal Installation)
CentOS Router Configuration
First, let’s configure the CentOS router to forward traffic between the ParrotOS machine (residing on network 192.168.10.0) and the Metasploitable2 machine (residing on network 192.168.20.0).
It’s important to add the appropriate network adapters before you begin your installation of CentOS, otherwise you will have to manually populate the network adapter interface configuration files from scratch. While possible, it makes for extra work, as you will need to generate and copy the appropriate device UUID information for each adapter.
We will add three network adapters to our CentOS VMware machine before installing.
- 1 NAT Adapter (configured dynamically to provide internet access for the two machines)
- 1 Bridge Adapter (for the 192.168.10.0 subnet)
- 1 Bridge Adapter (for the 192.168.20.0 subnet)
Before we begin, use the command ‘ip addr’ to determine the names of your three adapters. In this tutorial my adapters are named ‘ens33’, ‘ens34’, and ‘ens35’; however, yours will most likely be different.
*Be sure to substitute the correct adapter names for your machine as you encounter mine.
Step One – ens33 (NAT Adapter)
All network adapter configuration files for CentOS can be found within:
We will now edit our NAT adapter, which on my system is named ‘ens33’. A few items must be changed, and a few must be added.
Your configuration file should look like this:
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=2e4eb124-bfe2-45de-aca8-9ae3f5fa487b
DEVICE=ens33
ONBOOT=yes
ZONE=external
DNS1=188.8.131.52
DNS2=184.108.40.206
Step Two – ens34 (Bridge Adapter)
Following the same directions as above, now we need to statically configure the first of our two bridge network adapters.
Ensure that the configuration file matches with what is below.
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens34
UUID=b3804ef1-084f-45f3-b352-4bf83ed171ba
DEVICE=ens34
ONBOOT=yes
IPADDR=192.168.10.1
NETMASK=255.255.255.0
GATEWAY=<IP address of NAT adapter / ens33>
ZONE=internal
Note: The gateway is pointing to the IP address of our dynamically assigned NAT adapter. Because of this, you must determine the IP address of your own NAT adapter to insert for ‘GATEWAY.’
Use ‘ip addr’ or ‘ifconfig’ to determine it.
Step Three – ens35 (Bridge Adapter 2)
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens35
UUID=fb32b578-7afe-4156-a1f7-b10357512a76
DEVICE=ens35
ONBOOT=yes
IPADDR=192.168.20.1
NETMASK=255.255.255.0
GATEWAY=<IP address of NAT adapter / ens33>
ZONE=internal
Step Four – Restart Service
sudo systemctl restart network
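If an adapter is added after installation (the situation the note above warns about), the ifcfg file and its UUID have to be produced by hand. The following script is an added example, not part of the original post: it writes an ifcfg-<device> file in the same shape as the three shown above, generating the UUID itself. The helper names write_ifcfg and new_uuid are mine, the target directory is a parameter so the files can be reviewed in a scratch directory first, and two choices differ from the hand-written files on purpose: only the DHCP (NAT) adapter carries DEFROUTE=yes, because the bridge adapters are directly connected networks on a router and do not need a gateway, and IPv6 is left off (IPV6INIT=no) so that the IPv4-only forwarding rules in Step Six describe all the traffic the box will pass.

```shell
#!/bin/sh
# Added example (not from the original post): generate an ifcfg-<device> file
# in the same shape as the three hand-written ones above, including the UUID
# that must be produced by hand when an adapter is added after installation.
# write_ifcfg and new_uuid are my own helper names; the target directory is a
# parameter so the output can be reviewed before it is copied to
# /etc/sysconfig/network-scripts.

# Emit a random UUID: uuidgen where available, the kernel's generator
# otherwise, and a /dev/urandom fallback for minimal systems without either.
new_uuid() {
    if command -v uuidgen >/dev/null 2>&1; then
        uuidgen
    elif [ -r /proc/sys/kernel/random/uuid ]; then
        cat /proc/sys/kernel/random/uuid
    else
        hex=$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')
        printf '%s-%s-%s-%s-%s\n' \
            "$(printf '%s' "$hex" | cut -c1-8)" \
            "$(printf '%s' "$hex" | cut -c9-12)" \
            "$(printf '%s' "$hex" | cut -c13-16)" \
            "$(printf '%s' "$hex" | cut -c17-20)" \
            "$(printf '%s' "$hex" | cut -c21-32)"
    fi
}

# write_ifcfg DIR DEVICE ZONE dhcp
# write_ifcfg DIR DEVICE ZONE static IPADDR NETMASK
# Writes DIR/ifcfg-DEVICE and prints its path. Only the dhcp (NAT) adapter
# carries the default route; the static bridge adapters are directly connected
# networks, so they get neither DEFROUTE nor GATEWAY.
write_ifcfg() {
    dir=$1; dev=$2; zone=$3; mode=$4; ipaddr=$5; netmask=$6
    case "$mode" in
        dhcp) defroute=yes ;;
        static)
            defroute=no
            if [ -z "$ipaddr" ] || [ -z "$netmask" ]; then
                echo "write_ifcfg: static mode needs IPADDR and NETMASK" >&2
                return 1
            fi ;;
        *) echo "write_ifcfg: mode must be dhcp or static" >&2; return 1 ;;
    esac
    out="$dir/ifcfg-$dev"
    {
        printf 'TYPE=Ethernet\n'
        printf 'PROXY_METHOD=none\n'
        printf 'BROWSER_ONLY=no\n'
        printf 'BOOTPROTO=%s\n' "$mode"
        printf 'DEFROUTE=%s\n' "$defroute"
        printf 'IPV4_FAILURE_FATAL=no\n'
        printf 'IPV6INIT=no\n'
        printf 'NAME=%s\n' "$dev"
        printf 'UUID=%s\n' "$(new_uuid)"
        printf 'DEVICE=%s\n' "$dev"
        printf 'ONBOOT=yes\n'
        printf 'ZONE=%s\n' "$zone"
        if [ "$mode" = static ]; then
            printf 'IPADDR=%s\n' "$ipaddr"
            printf 'NETMASK=%s\n' "$netmask"
        fi
    } > "$out"
    echo "$out"
}

# Usage: sh make-ifcfg.sh /tmp/ifcfg-review
# Review the three files, copy them to /etc/sysconfig/network-scripts/,
# then restart networking as in Step Four.
if [ $# -ge 1 ]; then
    write_ifcfg "$1" ens33 external dhcp
    write_ifcfg "$1" ens34 internal static 192.168.10.1 255.255.255.0
    write_ifcfg "$1" ens35 internal static 192.168.20.1 255.255.255.0
fi
```

The script deliberately refuses a static adapter without an address and netmask, since a half-written ifcfg file is the usual cause of an adapter that silently comes up unconfigured after ‘systemctl restart network’.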
Step Five – IPv4 Forwarding
Next, we must enable IPv4 forwarding on the CentOS machine.
To enable it, append the setting to a sysctl drop-in file. Note that the redirection has to run as root: with ‘sudo echo "..." >> file’ the shell opens the file as your own user and the write fails, so pipe through ‘sudo tee’ instead:
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.d/ip_forward.conf
Then load the file:
sudo sysctl -p /etc/sysctl.d/ip_forward.conf
The command should echo back ‘net.ipv4.ip_forward=1’.
Step Six – Firewalld Configuration
Next, we will enable some rules for the firewalld service to configure how traffic is forwarded among the different network adapters.
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o ens33 -s 192.168.10.0/24 -j MASQUERADE
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o ens33 -s 192.168.20.0/24 -j MASQUERADE
firewall-cmd --change-interface=ens33 --zone=external --permanent
firewall-cmd --set-default-zone=internal
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -o ens35 -i ens34 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -o ens34 -i ens35 -j ACCEPT
Step Seven – Restart Services
Following the above configuration commands, it is time to reload firewalld’s configuration and restart both the firewalld and network services.
firewall-cmd --complete-reload
systemctl restart network && systemctl restart firewalld
Using the following command, check the configuration of both your internal and external firewalld zones.
firewall-cmd --list-all
firewall-cmd --list-all --zone=external
Your internal configuration should look like this:
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens34 ens35
  sources:
  services: ssh mdns samba-client dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Note that both bridge adapters should be listed, and that masquerade is set to ‘no’.
Your external configuration should look like this:
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
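Rather than eyeballing the two listings after every reload, the state can be checked mechanically. The script below is an added example, not part of the original post: check_zone (my own helper name) reads a ‘firewall-cmd --list-all --zone=<zone>’ listing on standard input and fails unless the zone name, the masquerade setting and the bound interfaces are what the router layout above requires; verify_router (also mine) runs the live commands on the CentOS box, so the adapter names in it are assumptions you substitute with your own.

```shell
#!/bin/sh
# Added example (not from the original post): verify the firewalld zone
# listings for the router layout above. check_zone and verify_router are my
# own helper names. check_zone reads the listing on stdin, so it works on
# saved output as well as on the live router.

# check_zone ZONE MASQUERADE IFACE...   (listing on stdin)
# Succeeds only when the listing belongs to ZONE, its "masquerade:" line
# matches MASQUERADE (yes/no), and every IFACE is on its "interfaces:" line.
check_zone() {
    zone=$1; want_masq=$2; shift 2
    listing=$(cat)
    # The first line is "<zone> (active)", or just "<zone>" when no interface is bound.
    first=$(printf '%s\n' "$listing" | head -n 1)
    case "$first" in
        "$zone"|"$zone (active)") ;;
        *) echo "check_zone: listing is for '$first', not '$zone'" >&2; return 1 ;;
    esac
    masq=$(printf '%s\n' "$listing" | sed -n 's/^ *masquerade: *//p')
    if [ "$masq" != "$want_masq" ]; then
        echo "check_zone: $zone masquerade is '$masq', expected '$want_masq'" >&2
        return 1
    fi
    ifaces=$(printf '%s\n' "$listing" | sed -n 's/^ *interfaces: *//p')
    for want in "$@"; do
        found=0
        for have in $ifaces; do
            if [ "$have" = "$want" ]; then found=1; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "check_zone: $want is not bound to zone $zone (bound: $ifaces)" >&2
            return 1
        fi
    done
    return 0
}

# Live check for this post's layout: run as root on the CentOS router after
# Step Seven. The adapter names are assumptions; substitute your own.
verify_router() {
    firewall-cmd --list-all --zone=internal | check_zone internal no ens34 ens35 &&
    firewall-cmd --list-all --zone=external | check_zone external yes ens33 &&
    [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ] &&
    echo "router configuration matches the expected layout"
}

# Usage on the router:  . ./check-zones.sh && verify_router
```

The IPv4 forwarding check is included in verify_router because a zone listing that looks right is of no use if the sysctl from Step Five was lost on reboot; the three conditions together are what "traffic is forwarded" actually depends on.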
Guest Machine Configurations
Now, we have our CentOS router configured to provide internet access to all machines on the 192.168.10.0 network, as well as the 192.168.20.0 network. In addition to that I wanted my ParrotOS machine to have full access to the Metasploitable2 machine for the purpose of vulnerability testing, so full IPv4 traffic was enabled between the two machines.
If this changes in the future, I can always reconfigure to block/allow specific ports or services because both machines reside on different networks.
Lastly, the only thing left to do is to statically configure the IP addresses of both the ParrotOS machine and the Metasploitable2 machine.
Ensure that you have added a ‘Bridged’ network adapter for the ParrotOS machine within VMware.
Network configuration files for this Debian based machine can be found within the directory:
/etc/network/interfaces.d/<name of adapter>
If a configuration file for your adapter has not been created yet, you can create your own, ensuring it looks something like this:
sudo vim /etc/network/interfaces.d/eth0
auto eth0
iface eth0 inet static
    address 192.168.10.101
    netmask 255.255.255.0
    gateway 192.168.10.1
    dns-nameservers 220.127.116.11 18.104.22.168
Now, restart the networking service.
sudo systemctl restart networking
Following the same instructions as above, we now need to configure the Metasploitable2 machine (although in Metasploitable2 the ethernet adapters do not have their own configuration files; they are all defined in a single interfaces file).
That file should be edited to look something like this:
# The loopback network interface
auto lo
iface lo inet loopback

# eth0 interface
auto eth0
iface eth0 inet static
    address 192.168.20.101
    netmask 255.255.255.0
    gateway 192.168.20.1
    dns-nameservers 22.214.171.124 126.96.36.199
sudo /etc/init.d/networking restart
Your CentOS router, as well as your ParrotOS/Kali and Metasploitable machines should now be configured to not only be able to communicate with one another, but also with the internet if need be.
Be sure to test this configuration by not only pinging from each machine to one another, but by also pinging an external location, such as google.com.
With this basic setup, you have enabled unfettered access between the 192.168.10.0 and 192.168.20.0 networks. In the future you might want to reconfigure firewalld to restrict traffic between those two subnets by ports or services, or even reassign each subnet to its own particular zone.
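One way to carry out that restriction is to replace the two blanket FORWARD ACCEPT rules from Step Six with a port allow-list. The script below is an added example, not part of the original post: restrict_forwarding and run are my own helper names, the adapter names, subnets and ports are parameters rather than anything the post fixes, and the allow-list of TCP ports 80 and 443 at the bottom is only a constructed illustration. With DRY_RUN=1 (the default) the firewall-cmd invocations are printed instead of executed, so the rule set can be reviewed before it is applied; the removal lines use the exact argument order of the Step Six rules, because firewalld matches a direct rule for removal on its argument list.

```shell
#!/bin/sh
# Added example (not from the original post): tighten the two unrestricted
# FORWARD ACCEPT rules from Step Six to a TCP port allow-list between the
# subnets. restrict_forwarding and run are my own helper names. With
# DRY_RUN=1 (the default) the commands are printed, not executed.

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# restrict_forwarding IN_IF IN_NET OUT_IF OUT_NET TCP_PORT...
# Replaces "allow everything both ways" with: new connections from IN_NET to
# OUT_NET only on the listed TCP ports, replies only for connections conntrack
# already knows, and an explicit DROP at priority 1 (ordered after the
# priority-0 accepts) for anything else between the two adapters.
restrict_forwarding() {
    in_if=$1; in_net=$2; out_if=$3; out_net=$4; shift 4
    if [ $# -eq 0 ]; then
        echo "restrict_forwarding: at least one TCP port is required" >&2
        return 1
    fi
    fw="firewall-cmd --permanent --direct"
    # Remove the unrestricted rules added in Step Six (same argument order).
    run $fw --remove-rule ipv4 filter FORWARD 0 -o "$out_if" -i "$in_if" -j ACCEPT
    run $fw --remove-rule ipv4 filter FORWARD 0 -o "$in_if" -i "$out_if" -j ACCEPT
    # Allow-list: new connections from IN_NET to OUT_NET on each listed port.
    for port in "$@"; do
        run $fw --add-rule ipv4 filter FORWARD 0 -i "$in_if" -o "$out_if" \
            -s "$in_net" -d "$out_net" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # Return traffic for those connections; nothing new may originate in OUT_NET.
    run $fw --add-rule ipv4 filter FORWARD 0 -i "$out_if" -o "$in_if" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Everything else between the two adapters is dropped.
    run $fw --add-rule ipv4 filter FORWARD 1 -i "$in_if" -o "$out_if" -j DROP
    run $fw --add-rule ipv4 filter FORWARD 1 -i "$out_if" -o "$in_if" -j DROP
    run firewall-cmd --reload
}

# Usage (on the router, as root):
#   DRY_RUN=1 sh restrict-forward.sh   # print the commands for review
#   DRY_RUN=0 sh restrict-forward.sh   # apply them
# The port list here (80 and 443) is a constructed illustration.
restrict_forwarding ens34 192.168.10.0/24 ens35 192.168.20.0/24 80 443
```

Because the reverse direction only accepts ESTABLISHED,RELATED traffic, a machine on the 192.168.20.0 side can answer connections but cannot open any towards the 192.168.10.0 side, which is the asymmetry most lab set-ups actually want between a testing host and a deliberately vulnerable target.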