KVM Setup on Debian Jessie


(add firewall script)
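--- a/KVM Setup on Debian Jessie
+++ b/KVM Setup on Debian Jessie
@@ -49,3 +49,46 @@
         pre-up echo 1 > /proc/sys/net/ipv4/ip_forward
         post-down brctl delbr br1
+
+if up br1
+#or reboot
+
+= Firewall Config =
+vi /etc/firewall.sh
+IPTABLES=/sbin/iptables
+
+EXTBR=br0
+INTBR=br1
+
+PRIVATE=192.168.1.0/24
+
+$IPTABLES -F INPUT
+$IPTABLES -F OUTPUT
+$IPTABLES -F FORWARD
+$IPTABLES -F POSTROUTING -t nat
+$IPTABLES -F PREROUTING -t nat
+
+####################
+# FORWARDS
+###################
+$IPTABLES -A FORWARD -d $PRIVATE -o $INTBR -m state --state RELATED,ESTABLISHED -j ACCEPT
+$IPTABLES -A FORWARD -s $PRIVATE -i $INTBR -j ACCEPT
+$IPTABLES -A FORWARD -i $INTBR -o $INTBR -j ACCEPT
+$IPTABLES -A FORWARD -i $EXTBR -o $EXTBR -j ACCEPT
+
+###################
+# NATTING
+###################
+$IPTABLES -t nat -A POSTROUTING ! -d $PRIVATE -s $PRIVATE -j MASQUERADE
+$IPTABLES -t nat -A POSTROUTING ! -s $PRIVATE -d $PRIVATE -j MASQUERADE
+
+###################
+# PORT FORWARDING (Remote Desktop)
+###################
+$IPTABLES -t nat -A PREROUTING -p tcp --dport 9123 -j DNAT --to 192.168.1.2:3389
+ 
+###################
+# BLOCKING
+###################
+#$IPTABLES -A FORWARD -j REJECT --reject-with icmp-port-unreachable
+
 = Setup VM =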
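Review bot: The `if up br1` line added near the top of the hunk is a shell syntax error (`if` opens a compound command and never sees a `then`); it should read `ifup br1`. Further down, the firewall script's final REJECT is left commented out, so the FORWARD chain ends on the kernel's default policy and nothing in the script refuses traffic toward 192.168.1.0/24 that is not a reply; presumably it was disabled because it also cut the DNATed Remote Desktop flow, which needs its own accept before the block, e.g. `$IPTABLES -A FORWARD -o $INTBR -d 192.168.1.2 -p tcp --dport 3389 -m state --state NEW -j ACCEPT` followed by `$IPTABLES -A FORWARD -j REJECT --reject-with icmp-port-unreachable`. Note also that `$IPTABLES -F INPUT` discards the jump rules fail2ban (installed earlier on this page) inserts into INPUT, so fail2ban has to be restarted after the script runs; a comment saying so on the flush lines would save the next reader a surprise.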

Revision as of 23:30, 31 December 2016


Setup Base OS

I used hetzner's "installimage" to create RAID + LVM.

installimage
-> Debian
-> Debian-86-jessie-64-minimal
-> Hostname enterservername
-> PART /boot  ext3     512M
-> PART lvm    vg0       all
-> LV vg0   root   /        ext4         10G
-> LV vg0   swap   swap     swap          4G

reboot

Sanity checks

free
lvscan
cat /proc/mdstat
cat /etc/apt/sources.list
apt-get update
apt-get upgrade
mdadm --examine --scan
df -h
cat /proc/cpuinfo

For some strange reason apt did not work over IPv6 after the initial update, so force apt to use IPv4:

vi /etc/apt/apt.conf.d/99hetzner
#add in the line
Acquire::ForceIPv4 "true";
apt-get install fail2ban

Install KVM

aptitude install qemu-kvm libvirt-bin
#source: https://wiki.debian.org/KVM
apt-get install virtinst

virsh list

Network Config

vi /etc/network/interfaces
auto br1
# Internal bridge for the guests. It is created by hand in pre-up (brctl
# addbr) rather than from a bridge_ports list, so it has no physical port.
iface br1 inet static
       address 192.168.1.1
       netmask 255.255.255.0
       # No spanning tree and no forwarding delay, presumably because the
       # bridge has no physical uplink that could form a loop — confirm.
       bridge_stp off
       bridge_fd 0
       pre-up brctl addbr br1
       # Turns on IPv4 forwarding for the whole host, not just for br1; this
       # is what lets the firewall script route guest traffic out via br0.
       # Nothing turns it off again on post-down.
       pre-up echo 1 > /proc/sys/net/ipv4/ip_forward
       post-down brctl delbr br1

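# "ifup" is one word: "if up br1" opens a shell `if` statement and fails with
# a syntax error. Bringing the bridge up by hand avoids a reboot.
ifup br1
#or reboot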

Firewall Config

vi /etc/firewall.sh
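#!/bin/sh
# /etc/firewall.sh - forwarding and NAT rules for the KVM host.
#
# Layout assumed by these rules:
#   EXTBR   bridge on the provider-facing side
#   INTBR   bridge holding the guests, addressed from PRIVATE
# Guests reach the outside through MASQUERADE. The single inbound service is
# Remote Desktop on one guest, published on an external TCP port via DNAT.
#
# Run as root. The script is idempotent: every chain it owns is flushed
# before rules are added. Flushing INPUT also discards the jump rules
# fail2ban inserts there, so restart fail2ban after running this script.
set -eu

IPTABLES=/sbin/iptables

EXTBR=br0
INTBR=br1

PRIVATE=192.168.1.0/24

# Remote Desktop publication: external port on this host -> guest:port.
RDP_EXT_PORT=9123
RDP_HOST=192.168.1.2
RDP_PORT=3389

# -F removes rules only; chain policies are untouched. That is why FORWARD
# ends with an explicit REJECT below instead of relying on the kernel's
# default policy.
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F POSTROUTING
$IPTABLES -t nat -F PREROUTING

####################
# FORWARDS
###################
# Replies to connections the guests opened.
$IPTABLES -A FORWARD -d "$PRIVATE" -o "$INTBR" -m state --state RELATED,ESTABLISHED -j ACCEPT
# Anything the guests originate.
$IPTABLES -A FORWARD -s "$PRIVATE" -i "$INTBR" -j ACCEPT
# Guest-to-guest and bridged external traffic stay allowed.
$IPTABLES -A FORWARD -i "$INTBR" -o "$INTBR" -j ACCEPT
$IPTABLES -A FORWARD -i "$EXTBR" -o "$EXTBR" -j ACCEPT
# New connections that PREROUTING has DNATed to the Remote Desktop guest.
# Without this rule the final REJECT also refuses the published service,
# which is presumably why the original script left blocking disabled.
$IPTABLES -A FORWARD -o "$INTBR" -d "$RDP_HOST" -p tcp --dport "$RDP_PORT" -m state --state NEW -j ACCEPT

###################
# NATTING
###################
# Guests leaving the private network are masqueraded behind this host.
$IPTABLES -t nat -A POSTROUTING ! -d "$PRIVATE" -s "$PRIVATE" -j MASQUERADE
# Traffic entering the private network from outside (the DNATed RDP flow)
# is masqueraded too, so the guest answers via this host. The guest therefore
# sees this host, not the original client, as the peer in its own logs.
$IPTABLES -t nat -A POSTROUTING ! -s "$PRIVATE" -d "$PRIVATE" -j MASQUERADE

###################
# PORT FORWARDING (Remote Desktop)
###################
$IPTABLES -t nat -A PREROUTING -p tcp --dport "$RDP_EXT_PORT" -j DNAT --to "$RDP_HOST:$RDP_PORT"

###################
# BLOCKING
###################
# Everything not accepted above is refused. The original script kept this
# rule commented out; it is safe to enable now that the DNATed Remote
# Desktop flow is accepted explicitly in FORWARDS.
$IPTABLES -A FORWARD -j REJECT --reject-with icmp-port-unreachable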


Setup VM

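# Block devices for the guest, as logical volumes on vg0. Root and swap are
# prepared here; lin01-boot is not formatted in these notes (presumably the
# installer does it).
lvcreate -n lin01-boot --size 250m vg0
lvcreate -n lin01-swap --size 1g vg0
lvcreate -n lin01-root --size 5g vg0

mkfs.ext4 /dev/vg0/lin01-root
mkswap /dev/vg0/lin01-swap

# Fetch the netboot installer into the path virt-install boots from. The
# original notes downloaded mini.iso into the current directory but booted
# /srv/os-images/debian-jessie-netinst.iso, which therefore did not exist.
# The download is plain HTTP: compare it against the SHA256SUMS file
# published in the same images/ directory before booting from it.
ISO=/srv/os-images/debian-jessie-netinst.iso
mkdir -p "${ISO%/*}"
wget -4 -O "$ISO" http://ftp.debian.org/debian/dists/jessie/main/installer-amd64/current/images/netboot/mini.iso

# -d: verbose/debug output from virt-install. All disks are virtio with host
# caching off; the guest NIC is attached to the internal bridge br1 only.
# --vnc opens a console; libvirt binds it to localhost unless qemu.conf or
# the domain XML says otherwise — check before exposing the host.
virt-install -d --name=lin01 --ram 512 \
  --disk path=/dev/vg0/lin01-boot,bus=virtio,cache=none \
  --disk path=/dev/vg0/lin01-root,bus=virtio,cache=none \
  --disk path=/dev/vg0/lin01-swap,bus=virtio,cache=none \
  --network bridge=br1,model=virtio \
  --vnc --accelerate \
  --cdrom "$ISO"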