#2 LAVAEL: Deploy ISP VM
In this section, we will deploy a virtual machine (VM) representing an imagined ISP within this lab environment. The purpose of this VM is to perform NAT for all traffic originating from the RFC 5737 address space that is routed to the Internet. Additionally, this VM will host a bind9 service for DNS resolution.
I will use a Vagrantfile to run the VM. You can apply the same settings to create the VM on your own hypervisor: the process is identical, but you will need to set the CPU, RAM and networking through its graphical interface.
```ruby
Vagrant.configure("2") do |config|
  config.vm.define "isp" do |isp|
    isp.vm.box = "debian/bullseye64"
    isp.ssh.insert_key = false
    isp.vm.hostname = "isp"
    isp.nfs.verify_installed = false
    isp.vm.synced_folder '.', '/vagrant', disabled: true
    isp.vm.provider :libvirt do |libvirt|
      # management network (eth0): the VM's uplink towards the host and the Internet
      libvirt.management_network_name = 'lab_access'
      libvirt.management_network_address = '192.168.123.0/24'
      libvirt.cpus = 1
      libvirt.memory = 1024
    end
    # eth1: 192.0.2.0/28 segment
    isp.vm.network "public_network",
      bridge: "virbr200",
      type: "bridge",
      dev: "virbr200",
      ip: "192.0.2.14",
      netmask: "255.255.255.240"
    # eth2: 203.0.113.0/24 segment
    isp.vm.network "public_network",
      bridge: "virbr300",
      type: "bridge",
      dev: "virbr300",
      ip: "203.0.113.254",
      netmask: "255.255.255.0"
    # eth3: 198.51.100.0/24 segment
    isp.vm.network "public_network",
      bridge: "virbr400",
      type: "bridge",
      dev: "virbr400",
      ip: "198.51.100.254",
      netmask: "255.255.255.0"
    # allow root password logins over SSH for the lab
    isp.vm.provision "shell", privileged: true, inline: <<-SHELL
      echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
      sed -i 's/^#\\?PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
      systemctl restart sshd
    SHELL
  end
end
```
Run the VM:

```sh
vagrant up isp
```
Use SSH to log in to the VM using the IP address displayed during Vagrant VM initialization. Use the default credentials: username root and password vagrant.
Update the apt package index and install bind9:
```sh
sudo apt update
sudo apt install -y bind9
```
Create the zones directory for bind:
```sh
sudo mkdir -p /etc/bind/zones
```
Create the DNS configuration files at the following locations:

- `/etc/bind/zones/db.lab.local`

```
$TTL    604800
@       IN      SOA     ns.lab.local. root.lab.local. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.lab.local.
ns      IN      A       192.0.2.14
email   IN      A       198.51.100.50
```

- `/etc/bind/named.conf.local`

```
zone "lab.local" {
    type master;
    file "/etc/bind/zones/db.lab.local";
};
```

- `/etc/bind/named.conf.options`

```
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        8.8.8.8;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation no;

    listen-on { any; };
    listen-on-v6 { any; };
};
```
Restart the bind9 service:

```sh
sudo systemctl restart bind9
```

Enable IP forwarding:

```sh
sudo sysctl -w net.ipv4.ip_forward=1
```

Add IP forwarding to `/etc/sysctl.conf` so it survives a reboot:

```sh
sudo grep -qxF 'net.ipv4.ip_forward = 1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
```

Apply the sysctl settings:

```sh
sudo sysctl -p
```
Configure NAT (MASQUERADE) on the uplink interface eth0:

```sh
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

Accept forwarded traffic from eth1, eth2, eth3 to eth0:

```sh
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth3 -o eth0 -j ACCEPT
```

Accept related and established connections from eth0 to eth1, eth2, eth3:

```sh
sudo iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT
```

Ensure the `/etc/iptables` directory exists:

```sh
sudo mkdir -p /etc/iptables
```

Save the iptables rules (piping through `tee` keeps the write under `sudo` as well, so this also works when you are not logged in as root):

```sh
sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null
```

Ensure the `/etc/network/if-pre-up.d` directory exists:

```sh
sudo mkdir -p /etc/network/if-pre-up.d
```

Create the iptables restore script:

```sh
sudo tee /etc/network/if-pre-up.d/iptables > /dev/null << 'EOF'
#!/bin/sh
iptables-restore < /etc/iptables/rules.v4
EOF
```

Make the restore script executable:

```sh
sudo chmod 0755 /etc/network/if-pre-up.d/iptables
```
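As an added check that is not part of the original guide, the script below parses an `iptables-save` dump in the `rules.v4` format and verifies the intent of the rules above: masquerading only on the uplink, an outbound ACCEPT for every lab segment and a RELATED,ESTABLISHED return rule for each. It also reports when the FORWARD chain policy is not DROP, since the rules above never set one. The sample dump is constructed from the rules on this page; `eth0` as uplink and `eth1`..`eth3` as lab segments are assumptions matching the Vagrantfile order.

```python
# Constructed sample of `iptables-save` output for the rules above (other chains omitted).
SAMPLE_RULES_V4 = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j ACCEPT
-A FORWARD -i eth3 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth3 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
def parse_rules_v4(text):
    """iptables-save text -> {table: (chain_policies, [(chain, {option: value})])}."""
    tables, cur = {}, None
    for line in text.splitlines():
        if line.startswith("*"):                      # table header, e.g. *nat
            cur = tables.setdefault(line[1:], ({}, []))
        elif line.startswith(":"):                    # chain header with its default policy
            chain, policy = line[1:].split()[:2]
            cur[0][chain] = policy
        elif line.startswith("-A "):                  # every option used here takes one value
            tok = line.split()
            cur[1].append((tok[1], dict(zip(tok[2::2], tok[3::2]))))
    return tables

def audit_isp_rules(text, uplink="eth0", lab_ifaces=("eth1", "eth2", "eth3")):
    """Findings against the intent of the rules above; an empty list means as intended."""
    tables, findings = parse_rules_v4(text), []
    masq = [o.get("-o") for c, o in tables["nat"][1]
            if c == "POSTROUTING" and o.get("-j") == "MASQUERADE"]
    if masq != [uplink]:
        findings.append(f"MASQUERADE on {masq}, expected only {uplink}")
    policies, rules = tables["filter"]
    fwd = [o for c, o in rules if c == "FORWARD"]
    has = lambda want: any(all(o.get(k) == v for k, v in want.items()) for o in fwd)
    for lab in lab_ifaces:
        if not has({"-i": lab, "-o": uplink, "-j": "ACCEPT"}):
            findings.append(f"no outbound ACCEPT {lab} -> {uplink}")
        if not has({"-i": uplink, "-o": lab, "--state": "RELATED,ESTABLISHED"}):
            findings.append(f"no RELATED,ESTABLISHED return rule {uplink} -> {lab}")
    # The page sets no FORWARD policy, so the kernel default ACCEPT stays in force:
    # the explicit ACCEPT rules then restrict nothing and lab segments can route to each other.
    if policies.get("FORWARD") != "DROP":
        findings.append(f"FORWARD policy is {policies.get('FORWARD')}, not DROP")
    return findings
```

Run it against a real dump with `audit_isp_rules(open("/etc/iptables/rules.v4").read())`; on the ruleset from this page the only finding is the FORWARD policy, which you can set with `iptables -P FORWARD DROP` before saving if you want the explicit rules to be the only forwarding paths.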