
This article describes how to properly configure IPv4 and IPv6 in network setups similar to Hetzner's KVM-based servers (the approach should also suit any other HVM hypervisor, and Xen).
The interface configuration examples use ifup/ifupdown, since I run Ubuntu on the host and on most of the virtual machines. The IPv4 guide is based in places on an article from the Hetzner wiki; for IPv6 I mostly asked Google.
Starting conditions
With this hosting provider you get one IPv4 address straight away. In addition, you can request (purchase) up to three more single IPv4 addresses as well as subnet blocks. The following configuration is used as the example throughout:
Host IP: 123.45.12.48
Gateway: 123.45.12.1
Additional IPs: 123.45.53.11, 123.45.53.12, 123.45.53.13
Additional subnet: 123.45.90.112/29
Hetzner delivers all packets to the MAC address of the first (and usually only) eth0 interface, and expects all outgoing packets to leave with that same source MAC address. Through support you can ask for separate MAC addresses for the additional single IP addresses, which would allow the KVM vnet* interfaces to be placed in one bridge together with eth0, but I will not cover that configuration here.
So, the final configuration has to achieve the following:
- no NAT: each VM gets at least one public IP address;
- the host does all the routing:
- traffic between different VMs;
- traffic between the VMs and the Internet;
- packets are filtered centrally in iptables (so the interaction of VMs with each other and with the Internet can be restricted);
- no IP addresses from the assigned subnets are wasted (in the example subnet, 123.45.90.112 and 123.45.90.119 could not be used in the usual way, since they are the network and broadcast addresses).
To configure the network you will need the following packages: bridge-utils, dhcp3-server, iptables, iproute2.
Configuring the host's main interface
In /etc/network/interfaces, eth0 must be described as follows:
auto eth0
iface eth0 inet static
address 123.45.12.48
netmask 255.255.255.255
gateway 123.45.12.1
pointopoint 123.45.12.1
The /32 mask (255.255.255.255) means that every outgoing packet has to go through the gateway; the pointopoint ifup option tells the kernel that the gateway is directly reachable on this interface, even though, with such a narrow mask, it is technically not on the same subnet. This is equivalent to the following routing table:
123.45.12.1 dev eth0 proto kernel scope link src 123.45.12.48
default via 123.45.12.1 dev eth0 metric 100
Configuring the bridges for the VMs
Since one of the goals is to restrict traffic between VMs, they cannot all be put into a single bridge. For each additional IP address, and for each address from the /29 subnet, a separate bridge must be described:
auto br112
iface br112 inet static
address 172.30.112.1
netmask 255.255.255.0
pre-up brctl addbr br112
post-up route add -host 123.45.90.112 br112
post-down brctl delbr br112
Each bridge is called br<xxx>, where xxx is the last octet of the public IPv4 address. A private IPv4 address from 172.30.xxx.0/24 is brought up on it (why this is needed is explained later), the bridge itself is created with brctl from the interface description (addbr in pre-up, delbr in post-down), and the routing is configured: a host route for the public IP address pointing at this bridge.
br11, br12, br13 and br113 to br119 are described in exactly the same way.
Configuring DHCP
Since a pointopoint configuration is awkward to enter in the installer of some OSs, a DHCP server runs on every VM bridge and hands out a basic IPv4 configuration that is sufficient to complete the installation.
Edit the dhcp3 configuration in /etc/dhcp3/dhcpd.conf as follows:
authoritative;
default-lease-time 3600;
max-lease-time 3600;
ddns-update-style ad-hoc;
log-facility local7;
use-host-decl-names on;
option subnet-mask 255.255.255.0;
option domain-name "lan";
option domain-name-servers xx.yy.100.100, xx.yy.99.99, xx.yy.98.98;   # DNS servers
subnet 172.30.11.0 netmask 255.255.255.0 {
option routers 172.30.11.1;
range 172.30.11.10 172.30.11.200;
}
subnet 172.30.12.0 netmask 255.255.255.0 {
option routers 172.30.12.1;
range 172.30.12.10 172.30.12.200;
}
subnet 172.30.13.0 netmask 255.255.255.0 {
option routers 172.30.13.1;
range 172.30.13.10 172.30.13.200;
}
subnet 172.30.112.0 netmask 255.255.255.0 {
option routers 172.30.112.1;
range 172.30.112.10 172.30.112.200;
}
...
subnet 172.30.119.0 netmask 255.255.255.0 {
option routers 172.30.119.1;
range 172.30.119.10 172.30.119.200;
}
We also tell dhcp3 which interfaces to listen on: in /etc/default/dhcp3-server, change INTERFACES:
INTERFACES="br11 br12 br13 br112 br113 br114 br115 br116 br117 br118 br119"
Then restart dhcp3:
/etc/init.d/dhcp3-server restart
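Every bridge stanza and every dhcpd subnet block above differs only in the last octet of the address, so here is an added example (my own script, not the article's) that generates both from the address list. It expands the /29 into all eight addresses (network and broadcast included, because in this routed setup they remain usable for VMs) and prints the ifupdown stanzas and the dhcpd subnet blocks. It assumes the br<octet> / 172.30.<octet>.0/24 naming scheme described above, that the last octets of all public addresses are unique, and spells the host route as `route add -host ... dev brN` (the `dev` keyword written out).

```shell
#!/bin/sh
# Added example: generate per-address bridge stanzas for /etc/network/interfaces
# and matching dhcpd.conf subnet blocks from the article's public addresses.
# Assumes the br<last octet> / 172.30.<last octet>.0/24 scheme described above.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert a 32-bit integer back to dotted-quad notation.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Expand "a.b.c.d/prefix" into every address of the block, one per line.
# Network and broadcast addresses are deliberately included: the routed
# setup exists precisely so that they stay usable for VMs.
expand_cidr() {
    base=$(ip2int "${1%/*}")
    prefix=${1#*/}
    size=$(( 1 << (32 - prefix) ))
    i=0
    while [ "$i" -lt "$size" ]; do
        int2ip $(( base + i ))
        i=$(( i + 1 ))
    done
}

# Last octet of an address: it is both the bridge number and the third
# octet of the private 172.30.x.0/24 network on that bridge.
last_octet() { echo "${1##*.}"; }

# ifupdown stanza for one public address.
bridge_stanza() {
    n=$(last_octet "$1")
    printf 'auto br%s\niface br%s inet static\n' "$n" "$n"
    printf '    address 172.30.%s.1\n    netmask 255.255.255.0\n' "$n"
    printf '    pre-up brctl addbr br%s\n' "$n"
    printf '    post-up route add -host %s dev br%s\n' "$1" "$n"
    printf '    post-down brctl delbr br%s\n\n' "$n"
}

# dhcpd.conf subnet block for the private network behind one bridge.
dhcp_subnet() {
    n=$(last_octet "$1")
    printf 'subnet 172.30.%s.0 netmask 255.255.255.0 {\n' "$n"
    printf '    option routers 172.30.%s.1;\n' "$n"
    printf '    range 172.30.%s.10 172.30.%s.200;\n}\n' "$n" "$n"
}

# All public VM addresses from the article: three single IPs plus the /29.
all_addresses() {
    for a in 123.45.53.11 123.45.53.12 123.45.53.13; do echo "$a"; done
    expand_cidr 123.45.90.112/29
}

# Emit interface stanzas, or dhcpd blocks, for every address.
gen_interfaces() { for a in $(all_addresses); do bridge_stanza "$a"; done; }
gen_dhcpd()      { for a in $(all_addresses); do dhcp_subnet "$a"; done; }

# Usage: sh gen-net.sh interfaces >> /etc/network/interfaces
#        sh gen-net.sh dhcp       >> /etc/dhcp3/dhcpd.conf
case "$1" in
    interfaces) gen_interfaces ;;
    dhcp)       gen_dhcpd ;;
esac
```

Generating both fragments from one address list keeps the bridge names, the private /24 networks and the DHCP ranges consistent with each other, which is the easiest place to make a typo when eleven near-identical blocks are written by hand.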
Iptables configuration
The following script sets up the host's filtering and NAT rules. VMs with public addresses are routed without NAT; only the private addresses handed out by DHCP on the bridges are NATed behind the host address, so that a VM can reach the Internet while it is still being installed.
#!/bin/sh
it="/sbin/iptables"
MY_NET="123.45.90.112/29 123.45.53.11/32 123.45.53.12/32 123.45.53.13/32"   # public VM addresses
MY_NET_DHCP="172.30.0.0/16"                                                 # private addresses handed out by DHCP on the bridges
HOST_IP="123.45.12.48"
MAIN_IF="eth0"

# INPUT: let the VMs reach the DHCP server listening on the bridges
$it -F INPUT
$it -A INPUT -p udp --dport 67 -i br+ -j ACCEPT
# the rest of the host's own INPUT policy is outside the scope of this article
#$it -A INPUT -j DROP

# FORWARD: the host routes between the bridges and the Internet
$it -F FORWARD
$it -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
for NET in $MY_NET; do
$it -A FORWARD -i br+ -o $MAIN_IF -s $NET -j ACCEPT # VM[fixed_ip] --> net
done
for NET in $MY_NET_DHCP; do
$it -A FORWARD -i br+ -o $MAIN_IF -s $NET -j ACCEPT # VM[dhcp] --> net
done
for SOURCE_NET in $MY_NET $MY_NET_DHCP; do
for DEST_NET in $MY_NET; do
$it -A FORWARD -i br+ -o br+ -s $SOURCE_NET -d $DEST_NET -j ACCEPT # VM <--> VM (only public VM addresses may be a destination)
done
done
for NET in $MY_NET; do
$it -A FORWARD -i $MAIN_IF -o br+ -d $NET -j ACCEPT # net --> VM
done
# The following line refers to a private network (gbr1, MY_NET_PVT) that is not described in this article; left disabled here.
#$it -A FORWARD -i $MAIN_IF -o gbr1 -d $MY_NET_PVT -j ACCEPT # net --> PVT
$it -P FORWARD DROP

# POSTROUTING: NAT the private DHCP addresses behind the host IP
$it -t nat -F POSTROUTING
for NET in $MY_NET_DHCP; do
$it -t nat -A POSTROUTING -o $MAIN_IF -s $NET -j SNAT --to-source $HOST_IP # NAT for DHCP-assigned addresses
done

echo 1 > /proc/sys/net/ipv4/ip_forward
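Because the whole point of the FORWARD chain is which of the traffic classes the host actually routes, here is an added dry-run of that policy (my own example, not part of the article or its script): forward_verdict() walks the rules in the script's order, with the script's address sets, and prints the verdict a new packet would get. It assumes a fresh (non-ESTABLISHED) packet, the interface names from the script (eth0 and br<n>), and leaves out the `net --> PVT` line, whose network the article does not define. Running it shows the property worth checking before trusting the ruleset: private 172.30.x.x addresses are reachable neither from the Internet nor from another VM; only public VM addresses are.

```shell
#!/bin/sh
# Added example: dry-run of the FORWARD policy from the iptables script above.
# Same address sets as the script; the "net --> PVT" rule is not modelled.
MY_NET="123.45.90.112/29 123.45.53.11/32 123.45.53.12/32 123.45.53.13/32"
MY_NET_DHCP="172.30.0.0/16"

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR -> exit status 0 when ADDR lies inside CIDR.
in_cidr() {
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# in_set ADDR "CIDR CIDR ..." -> exit status 0 when ADDR matches any entry.
in_set() {
    for c in $2; do in_cidr "$1" "$c" && return 0; done
    return 1
}

# is_bridge IFACE -> mirrors the "br+" interface wildcard used in the rules.
is_bridge() { case "$1" in br*) return 0 ;; *) return 1 ;; esac; }

# forward_verdict IN_IF OUT_IF SRC DST -> prints ACCEPT or DROP for a NEW packet,
# evaluating the rules in the same order as the script appends them.
forward_verdict() {
    in_if=$1; out_if=$2; src=$3; dst=$4
    # VM[fixed_ip] --> net, and VM[dhcp] --> net (the latter is SNATed in POSTROUTING)
    if is_bridge "$in_if" && [ "$out_if" = eth0 ]; then
        if in_set "$src" "$MY_NET" || in_set "$src" "$MY_NET_DHCP"; then
            echo ACCEPT; return
        fi
    fi
    # VM <--> VM: any VM source, but only a public VM address as destination
    if is_bridge "$in_if" && is_bridge "$out_if"; then
        if { in_set "$src" "$MY_NET" || in_set "$src" "$MY_NET_DHCP"; } && in_set "$dst" "$MY_NET"; then
            echo ACCEPT; return
        fi
    fi
    # net --> VM: only public VM addresses are reachable from the outside
    if [ "$in_if" = eth0 ] && is_bridge "$out_if" && in_set "$dst" "$MY_NET"; then
        echo ACCEPT; return
    fi
    # chain policy
    echo DROP
}

# Constructed sample flows (203.0.113.7 is a documentation address standing in
# for an Internet host); printed as a table when the script is run directly.
for flow in \
    "br116 eth0 123.45.90.116 203.0.113.7" \
    "br112 eth0 172.30.112.50 203.0.113.7" \
    "eth0 br116 203.0.113.7 123.45.90.116" \
    "eth0 br112 203.0.113.7 172.30.112.50" \
    "br116 br11 123.45.90.116 123.45.53.11" \
    "br11 br112 123.45.53.11 172.30.112.50"; do
    set -- $flow
    printf '%-6s %-6s %-16s %-16s %s\n' "$1" "$2" "$3" "$4" "$(forward_verdict "$@")"
done
```

The two DROP rows are the interesting ones: a packet from the Internet to a VM's private DHCP address, and a packet from one VM to another VM's private address, are both refused, so a VM that is still mid-installation on a 172.30.x.x address is reachable only through connections it opened itself.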
VM setup
Finally, the last step is to configure the VM itself. For libvirt/KVM, the network interface is described through the bridge:
<interface type='bridge'>
<source bridge='brXX'/>
<model type='virtio'/>
</interface>
On its first boot the virtual server receives a private address from DHCP; after installation, its public IP must be configured statically:
auto eth0
iface eth0 inet static
address 123.45.90.116
netmask 255.255.255.255
gateway 123.45.12.48
pointopoint 123.45.12.48
This article has already become quite long, so I will write about IPv6 separately.