
I'm trying (and having a hard time) to set up a clean KVM environment with: an Ubuntu (20.04) host (with a single NIC), multiple Ubuntu KVM guests, 2 public IPs, and one VLAN per IP. Basically something looking like: [image: ideal structure]


My needs are:

  • I have 2 public IP addresses attached to my host NIC
  • I want 2 VLANs for my guests and no communication between machines on different VLANs
  • Each VLAN attached to one public IP
  • All guests having at least access to internet, but not necessarily being accessible from outside ("one way", classic NAT?)
  • Some guests acting as daemons/servers, being accessible from the internet ("two way", port redirection?)
  • The host should still be able to access internet
  • Only ever having 2 (one per IP) MAC addresses advertised outside my host (to my provider's router)

I didn't find any online resources about how to achieve this architecture and none of my attempts have yet been successful. I think I can achieve it with the right combination of bridge and (NAT) VLAN, but some of my research indicated that I might need routing with iptables.


Is it possible to achieve this structure and, if yes, how?

  • for the host network config (netplan, ifup, iptables, etc.)
  • and the libvirt config (virsh xml)

Edit: to make my needs clearer:

Traffic from 0.0.0.0/0 destined to X.X.X.X on port 443 must be forwarded to VM1 in VLAN-1
Traffic from 0.0.0.0/0 destined to X.X.X.X on port 5432 must be forwarded to VM2 in VLAN-1
Traffic from 0.0.0.0/0 destined to Y.Y.Y.Y on port 443 must be forwarded to VM3 in VLAN-2
Traffic from VM1 in VLAN2 destined to 0.0.0.0/0 on any port must be routed through Y.Y.Y.Y ?

1 Answer

Looking at your scenario, I assume the following:

Traffic from 0.0.0.0/0 destined to X.X.X.X on port 443 must be forwarded to VM1 in VLAN-1
Traffic from 0.0.0.0/0 destined to X.X.X.X on port 5432 must be forwarded to VM2 in VLAN-1
Traffic from 0.0.0.0/0 destined to Y.Y.Y.Y on port 443 must be forwarded to VM3 in VLAN-2

If my assumption is correct, I would suggest using iptables. In this case, you will need to perform port-forwarding. From the KVM host machine, do the following:

$ sudo sysctl -w net.ipv4.ip_forward=1   # enable routing ("sudo echo 1 > /proc/sys/..." fails: the redirection runs as the unprivileged user)
$ sudo iptables -t nat -A PREROUTING -p tcp -m tcp -d X.X.X.X --dport 443 -j DNAT --to-destination 10.0.1.1:443    # VM1 in VLAN1
$ sudo iptables -t nat -A PREROUTING -p tcp -m tcp -d X.X.X.X --dport 5432 -j DNAT --to-destination 10.0.1.2:5432  # VM2 in VLAN1
$ sudo iptables -t nat -A PREROUTING -p tcp -m tcp -d Y.Y.Y.Y --dport 443 -j DNAT --to-destination 10.0.2.3:443    # VM3 in VLAN2 (port 443 on the guest, matching the 443 listed above)
$ sudo iptables -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT                                                    # admit the forwarded connections (needed if FORWARD's policy is DROP)
$ sudo iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT                                           # allow return traffic
– Bruce Malaudzi
  • I'm sorry my schema and my needs were unclear (I updated them to be more accurate). Actually what i'm looking for is: Traffic from 0.0.0.0/0 destined to X.X.X.X on port 443 must be forwarded to VM1 in VLAN-1 Traffic from 0.0.0.0/0 destined to X.X.X.X on port 5432 must be forwarded to VM2 in VLAN-1 Traffic from 0.0.0.0/0 destined to Y.Y.Y.Y on port 443 must be forwarded to VM3 in VLAN-2 – Milan Rodriguez Oct 18 '20 at 17:36
  • I have edited the answer according to your needs. Please check – Bruce Malaudzi Oct 18 '20 at 17:42
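The answer's DNAT rules cover the "two way" services but say nothing about the other requirements in the question: outbound access for every guest through its own public IP, isolation between the two VLANs, and admitting the forwarded connections when FORWARD defaults to DROP. The script below is an added example (not the answer's commands and not anything from libvirt or netplan) that ties those together on the host. Assumed names, not taken from the post: the uplink is eth0, the two VLAN bridges are br-vlan1 and br-vlan2 carrying 10.0.1.0/24 and 10.0.2.0/24, and X.X.X.X / Y.Y.Y.Y stand in for the two public addresses as in the question. By default it prints the commands it would run; `--apply` executes them.

```shell
#!/bin/sh
# Added example: a complete iptables rule set for "two public IPs, two VLANs".
# Assumed (hypothetical) names: uplink eth0, bridges br-vlan1/br-vlan2 with
# 10.0.1.0/24 and 10.0.2.0/24, placeholders X.X.X.X / Y.Y.Y.Y for the public IPs.
# With DRY_RUN=1 (the default) commands are printed instead of executed.
WAN_IF="${WAN_IF:-eth0}"
PUB1="${PUB1:-X.X.X.X}"   # public address used by VLAN 1
PUB2="${PUB2:-Y.Y.Y.Y}"   # public address used by VLAN 2
BR1=br-vlan1; NET1=10.0.1.0/24
BR2=br-vlan2; NET2=10.0.2.0/24
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
ipt() { run iptables "$@"; }

# Publish one TCP port of one public address to one guest. The DNAT rewrites
# the destination; the FORWARD rule admits the new connection, which the
# ESTABLISHED,RELATED rule alone never does under a DROP policy.
forward_port() {  # usage: forward_port PUBLIC_IP PORT GUEST_IP [GUEST_PORT]
    pub=$1 port=$2 guest=$3 gport=${4:-$2}
    ipt -t nat -A PREROUTING -i "$WAN_IF" -d "$pub" -p tcp --dport "$port" \
        -j DNAT --to-destination "$guest:$gport"
    ipt -A FORWARD -i "$WAN_IF" -d "$guest" -p tcp --dport "$gport" \
        -m conntrack --ctstate NEW -j ACCEPT
}

apply_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Default deny for routed traffic; replies of accepted flows pass.
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # VLAN isolation, stated explicitly although the policy already drops
    # it, so the intent is visible in the rule listing.
    ipt -A FORWARD -i "$BR1" -o "$BR2" -j DROP
    ipt -A FORWARD -i "$BR2" -o "$BR1" -j DROP
    # "One way" internet access: allow guest -> uplink, then source-NAT so
    # each VLAN leaves through its own public IP. The host's own traffic does
    # not traverse FORWARD and is not matched by these SNAT rules.
    ipt -A FORWARD -i "$BR1" -o "$WAN_IF" -j ACCEPT
    ipt -A FORWARD -i "$BR2" -o "$WAN_IF" -j ACCEPT
    ipt -t nat -A POSTROUTING -s "$NET1" -o "$WAN_IF" -j SNAT --to-source "$PUB1"
    ipt -t nat -A POSTROUTING -s "$NET2" -o "$WAN_IF" -j SNAT --to-source "$PUB2"
    # "Two way" services, exactly the three listed in the question.
    forward_port "$PUB1" 443  10.0.1.1
    forward_port "$PUB1" 5432 10.0.1.2
    forward_port "$PUB2" 443  10.0.2.3
}

# "./vlan-nat.sh --apply" runs the commands for real (as root); otherwise print.
if [ "${1:-}" = "--apply" ]; then DRY_RUN=0; fi
apply_rules
```

Because the guests sit behind bridges that the host routes, only the host NIC's MAC is ever seen by the provider's router, which satisfies the "at most 2 MAC addresses" requirement with room to spare. Run without arguments first and read the printed rules; the output is also a convenient thing to diff against `iptables-save` later to detect drift.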