4

I'm looking at ordering a powerful server machine to use for virtualization. I'm planning on running debian with KVM+QEMU for the virtualization, and a hardware RAID6 to store the VMs on. I would also like to be able to use the same IP to route to different VMs, depending on stuff like domain or port, since my co-location provider takes an extra fee per extra IP I need.

What are the best practices to achieve this? Or do you have some general tips and tricks for this kind of setup? I assume I need some kind of firewall to do the routing, but should I create a bridge device connected to a physical interface to put the VMs on, or should I stick to the virtual bridge that is created automagically?

Any help is appreciated!

I apologize if this question is too general, but I did not know where else to post it.

Mikau
  • 53
  • 2
  • 5

3 Answers

2

Keep your guest network interfaces with private IPs in an internal bridge, and configure iptables on the host to NAT a port on its external interface to an IP and port in the internal bridge.

For example, say your host's internet IP is 1.2.3.4. Set up a bridge (we'll call it virbr0) and give the host an IP in this bridge like 192.168.0.1/24. When you create a new virtual guest, bridge its network interface into virbr0 and give the guest OS an IP address within 192.168.0.0/24. On the host, create a NAT which directs something like 1.2.3.4:10022 to 192.168.0.10:22. To ssh to that guest from outside, you ssh to the external port on the host.

You'll also need an outgoing NAT rule so that guests use 192.168.0.1 as their default gateway, and the host takes any requests from guests and NATs them out its external interface.

Incoming NAT (called a DNAT) is covered at:

Outgoing NAT (called MASQUERADE) is covered at:

suprjami
  • 3,536
  • 21
  • 29
  • You're thinking of SNAT. MASQUERADE is a variant of SNAT that's used when the public IP address is dynamic and may change unexpectedly, such as residential ISP connections. – Michael Hampton May 30 '13 at 02:29
  • That does sound pretty good actually, thanks a bunch for that! However, iptables cannot be used to route based on what domain was used if I recall correctly. Is there some tool around that does that, or should I really just stick to iptables and solve that some other way? – Mikau May 30 '13 at 05:52
  • 1
    Also for HTTP stuff I suggest a reverse proxy setup, with a minimal HTTP server on the host to do the routing to one or more backends. – Luca Tettamanti May 30 '13 at 09:06
  • I don't quite understand what you mean about routing and domains. Are you doing something with DNS, like hosting a different website on every guest? You want to be able to go "example1.com" or "example2.com", both of which have their A record pointing towards the host's public IP, and have the firewall decide which guest to direct the traffic to? No, iptables cannot do this. You might be able to setup an iptables `-u32` match to capture the domain name in HTTP requests, but I wouldn't rely on it. Luca's suggestion of a reverse proxy on the host is the right way to do this. – suprjami May 30 '13 at 11:48
  • Yep, you got it right, and yeah, Luca's suggestion sounds like the way to go. – Mikau May 30 '13 at 12:17
  • I'll mark this one as the correct answer, as it did help me clear up the biggest questions I had. Thanks to the rest of you as well, you all helped out a lot! – Mikau May 31 '13 at 07:20
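The NAT layout suprjami describes, as an added example that is not part of the original answer: a POSIX shell script that generates (and, with `--apply`, runs) the iptables rules for the public IP 1.2.3.4, the bridge virbr0 and the 192.168.0.0/24 guest network from the answer. The interface name eth0, the second guest 192.168.0.11 and the port list are constructed for illustration; the SNAT-versus-MASQUERADE choice follows Michael Hampton's comment.

```shell
#!/bin/sh
# Added example, not from the original answer: build the iptables rules for the
# setup described above. eth0 and the guest list are assumed for illustration.
EXT_IF=eth0            # host's public interface (assumed name)
EXT_IP=1.2.3.4         # public IP used in the answer
BR_IF=virbr0           # internal bridge from the answer
BR_NET=192.168.0.0/24  # guest network behind the bridge

# Port mappings, one per line: proto ext_port guest_ip guest_port (constructed sample)
MAPPINGS='tcp 10022 192.168.0.10 22
tcp 10080 192.168.0.11 80'

# Accept only a numeric port in 1..65535; a bad value must never reach iptables.
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Incoming DNAT: rewrite EXT_IP:ext_port to guest_ip:guest_port before routing.
dnat_rule() {
  printf 'iptables -t nat -A PREROUTING -i %s -p %s -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
    "$EXT_IF" "$1" "$EXT_IP" "$2" "$3" "$4"
}

# The rewritten packet still crosses FORWARD, so allow exactly that guest:port.
forward_rule() {
  printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
    "$EXT_IF" "$BR_IF" "$1" "$2" "$3"
}

# Outgoing: SNAT for a static public IP, MASQUERADE when the IP may change.
outbound_rule() {
  if [ "$1" = static ]; then
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' "$BR_NET" "$EXT_IF" "$EXT_IP"
  else
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$BR_NET" "$EXT_IF"
  fi
}

# Full ruleset: default-deny forwarding, reply traffic, guest-initiated outbound,
# then one DNAT + FORWARD pair per mapping. Returns 1 if a mapping has a bad port.
generate_ruleset() {
  echo 'sysctl -w net.ipv4.ip_forward=1'
  echo 'iptables -P FORWARD DROP'
  echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  printf 'iptables -A FORWARD -i %s -o %s -s %s -j ACCEPT\n' "$BR_IF" "$EXT_IF" "$BR_NET"
  outbound_rule "${1:-static}"
  echo "$MAPPINGS" | while read -r proto ext_port guest_ip guest_port; do
    if ! valid_port "$ext_port" || ! valid_port "$guest_port"; then
      echo "bad port in mapping: $proto $ext_port $guest_ip $guest_port" >&2
      exit 1   # exits the pipeline subshell; generate_ruleset then returns 1
    fi
    dnat_rule "$proto" "$ext_port" "$guest_ip" "$guest_port"
    forward_rule "$proto" "$guest_ip" "$guest_port"
  done
}

# Print the rules by default; apply them as root with: sh nat-rules.sh --apply
if [ "${1:-}" = --apply ]; then
  generate_ruleset | sh -e
else
  generate_ruleset
fi
```

Run it without arguments to review the rules first; `--apply` pipes them to `sh -e` and needs root. The FORWARD chain defaults to DROP, so only the mapped guest ports are reachable from outside while guests can still initiate connections out through the host. As the comments note, none of this can dispatch on the requested hostname: HTTP virtual hosts on one IP still need the reverse proxy Luca Tettamanti suggests.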
1

I guess avoiding a bridge and using host-only networking with routing makes the configuration easier to understand.

If the guests are Linux systems then I recommend configuring them with a serial console (which can be accessed by virsh console $domain).

Hauke Laging
  • 5,285
  • 2
  • 24
  • 40
1

If you're planning on using libvirt to manage kvm, read Red Hat's Virtualization Administration Guide (RHEL 6) or Virtualization Deployment and Administration Guide (RHEL 7). It will be useful even on Debian.

Stephen C
  • 103
  • 6
sciurus
  • 12,678
  • 2
  • 31
  • 49
  • Thanks, I hadn't found that one yet, seems like it contains quite a bit of useful info! – Mikau May 30 '13 at 05:45