Routing IPv4 and IPv6 in KVM with Hetzner as an Example
This article covers the correct configuration of IPv4 and IPv6 in network setups like the one used at Hetzner with KVM (it is potentially also suitable for any other hypervisor, including Xen).
The interface configuration examples use ifup, since I run Ubuntu on the host and on most of the virtual machines. The IPv4 part is based in places on an article from the Hetzner Wiki; the IPv6 issues I mostly googled.
Starting conditions
From this hoster you get one IPv4 address straight away. In addition, you can request/purchase up to three further individual IPv4 addresses and subnet blocks. In this example, the following configuration is considered:
Hetzner delivers all packets to the MAC address of the first (and usually the only) interface, eth0, and expects all outgoing packets to leave with that same source MAC address. Through support you can request separate MAC addresses for the additional individual IP addresses, which would allow the KVM vnet* interfaces to be placed in one bridge together with eth0, but I will not consider that configuration.
So, what needs to be achieved in the final configuration:
- no NAT: each VM receives at least one public IP address;
- the host does all the routing:
  - traffic between different VMs;
  - traffic between a VM and the Internet;
  - packets are filtered centrally in iptables (the interaction of VMs with each other and with the Internet can be restricted);
- no IP addresses from the allocated subnets are lost (in the demo subnet, the addresses 123.45.90.112 and 123.45.90.119 could not be used in the usual way, since they are the network and broadcast addresses).
To configure the network, you will need the following packages: bridge-utils, dhcp3-server, iptables, iproute2.
Configure the main host interface
In /etc/network/interfaces, eth0 must be described as follows:
auto eth0
iface eth0 inet static
    address 123.45.12.48
    netmask 255.255.255.255
    gateway 123.45.12.1
    pointopoint 123.45.12.1
The 255.255.255.255 mask means that all outgoing packets go to the gateway, and the pointopoint ifup option tells the system that the gateway is reachable directly on this interface (which, with a /32 mask, it would otherwise not be considered to be). This is equivalent to the following routing rules:
123.45.12.1 dev eth0 proto kernel scope link src 123.45.12.48
default via 123.45.12.1 dev eth0 metric 100
Configure bridge for VM
Since the task includes restricting traffic between VMs, they cannot all be placed in one bridge. A separate bridge must be described for each additional IP address and for each address of the /29 subnet.
Each bridge is called brXXX, where XXX is the last byte of the public IPv4 address:
auto br112
iface br112 inet static
    address 172.30.112.1
    netmask 255.255.255.0
    pre-up brctl addbr br112
    post-up route add -host 123.45.90.112 br112
    post-down brctl delbr br112
A private IPv4 address from 172.30.XXX.0/24 is brought up on the bridge (its purpose is described below); the brctl calls are placed right in the interface description (the bridge is created in pre-up and destroyed in post-down), and routing is configured by adding a host route so that the public IP address is reachable via this bridge.
The bridges br11, br12, br13 and br113 through br119 are described in exactly the same way.
Configure DHCP
Since the pointopoint configuration is hard to set up during the installation of some OSes, a DHCP server runs on each bridge and hands the VM a basic IPv4 configuration that is sufficient to complete the installation.
We modify the dhcp3 config in /etc/dhcp3/dhcpd.conf as follows:
authoritative;
default-lease-time 3600;
max-lease-time 3600;
ddns-update-style ad-hoc;
log-facility local7;
use-host-decl-names on;
We also tell dhcp3 which interfaces it should serve: in /etc/default/dhcp3-server, change INTERFACES accordingly.
Then restart dhcp3.
# Host iptables script (fragment): $it is the iptables command; $MAIN_IF (eth0), $HOST_IP,
# $MY_NET (the VMs' public addresses), $MY_NET_DHCP (the private 172.30.x.0/24 networks)
# and $MY_NET_PVT are set earlier in the script
$it -A INPUT -p udp --dport 67 -i br+ -j ACCEPT   # DHCP requests from the VMs
# configure the other INPUT policies
#$it -A INPUT -j DROP
# FORWARD
$it -F FORWARD
$it -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
for NET in $MY_NET; do
    $it -A FORWARD -i br+ -o $MAIN_IF -s $NET -j ACCEPT # VM[fixed_ip] --> net
done
for NET in $MY_NET_DHCP; do
    $it -A FORWARD -i br+ -o $MAIN_IF -s $NET -j ACCEPT # VM[dhcp] --> net
done
for SOURCE_NET in $MY_NET $MY_NET_DHCP; do
    for DEST_NET in $MY_NET; do
        $it -A FORWARD -i br+ -o br+ -s $SOURCE_NET -d $DEST_NET -j ACCEPT # VM <--> VM
    done
done
for NET in $MY_NET; do
    $it -A FORWARD -i $MAIN_IF -o br+ -d $NET -j ACCEPT # net --> VM
done
$it -A FORWARD -i $MAIN_IF -o gbr1 -d $MY_NET_PVT -j ACCEPT # net --> PVT
$it -P FORWARD DROP
# POSTROUTING
$it -t nat -F POSTROUTING
for NET in $MY_NET_DHCP; do
    # NAT for the private IP addresses handed out by DHCP
    $it -t nat -A POSTROUTING -o $MAIN_IF -s $NET -j SNAT --to-source $HOST_IP # nat the dhcp
done
echo 1 > /proc/sys/net/ipv4/ip_forward
VM setup
Well, the last step is configuring the VM itself. For libvirt/KVM, we describe the VM's network as attached to its bridge:
In this case, on the first boot the virtual machine receives a private address from DHCP, and after installation the public IP must be configured statically on it:
This article has already become quite long, so I will write about IPv6 separately.
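As an added example (not from the article), a small POSIX shell script that generates, for one public VM address, the three pieces of configuration the article repeats per bridge: the host-side brXXX stanza, a matching dhcpd.conf subnet for 172.30.XXX.0/24, and the VM-side eth0 stanza that sets the public /32 with the bridge's private address as its point-to-point gateway (the same pattern the host uses on eth0). The one-address DHCP range and the explicit `dev` keyword in the route command are my assumptions.

```shell
#!/bin/sh
# Added example, not from the article: generate the per-bridge configuration for one
# public VM address, following the article's scheme (bridge brXXX, private net
# 172.30.XXX.0/24, where XXX is the last byte of the public address).

# host_stanza PUBLIC_IP: /etc/network/interfaces stanza for the bridge on the host
host_stanza() {
    ip=$1; x=${ip##*.}
    cat <<EOF
auto br$x
iface br$x inet static
    address 172.30.$x.1
    netmask 255.255.255.0
    pre-up brctl addbr br$x
    post-up route add -host $ip dev br$x
    post-down brctl delbr br$x
EOF
}

# dhcp_subnet PUBLIC_IP: dhcpd.conf subnet for the bridge's private network
# (a one-address range is an assumption; the VM only needs a lease during install)
dhcp_subnet() {
    x=${1##*.}
    cat <<EOF
subnet 172.30.$x.0 netmask 255.255.255.0 {
    range 172.30.$x.100 172.30.$x.100;
    option routers 172.30.$x.1;
}
EOF
}

# vm_stanza PUBLIC_IP: stanza for the VM's /etc/network/interfaces after install:
# public /32 address, bridge's private address as point-to-point gateway
vm_stanza() {
    ip=$1; x=${ip##*.}
    cat <<EOF
auto eth0
iface eth0 inet static
    address $ip
    netmask 255.255.255.255
    gateway 172.30.$x.1
    pointopoint 172.30.$x.1
EOF
}

# example run for two addresses of the article's demo /29
for ip in 123.45.90.112 123.45.90.113; do
    host_stanza "$ip"; dhcp_subnet "$ip"; vm_stanza "$ip"
done
```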