Proxmox VE in the cloud


This page mainly records the small things I tinkered with on PVE at Hetzner.

iptables

iptables mainly serves as the gateway: external traffic arriving at the host IP reaches the VMs through iptables forward rules.

A separate software router would also work, but forwarding is still required; the VMs cannot be bridged straight onto the uplink, because Hetzner will send a warning letter if you do, and at minimum the MAC address has to match the host.

If you rent a public IPv4 subnet, note that the number of usable IPs is the subnet's IP count -2, because one is used as the broadcast address and one as the gateway.

To add forward rules:

# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Lookup
sudo iptables -L  -v -n
# NAT POSTROUTING only
sudo iptables -t nat -L POSTROUTING -v -n --line-numbers
# to show ALL NAT
sudo iptables -t nat -L -v -n --line-numbers

# Ex. Add rules FORWARD tcp packet to 192.168.100.200 on Port 443
sudo iptables -A FORWARD -p tcp --dport 443 -d 192.168.100.200 -j ACCEPT

Deleting entries

# Look up the rule numbers first (see above), then delete by number

# Delete NAT rule 8 in PREROUTING
sudo iptables -t nat -D PREROUTING 8
# Delete FORWARD rule 10
sudo iptables -D FORWARD 10

Simple port forwarding (DNAT), assuming example.com:443 -> 192.168.100.200:1242

# enp8s0 is the host's uplink NIC (see the interfaces file below)
sudo iptables -t nat -A PREROUTING -i enp8s0 -p tcp --dport 443 -j DNAT --to-destination 192.168.100.200:1242
# -i is optional; without an interface specification the rule matches on all interfaces
sudo iptables -A FORWARD -p tcp -d 192.168.100.200 --dport 1242 -j ACCEPT

The corresponding SNAT, assuming 192.168.100.0/24 -> 0.0.0.0/0, so that the VMs reach the internet through NAT:

sudo iptables -t nat -A POSTROUTING -o enp8s0 -s 192.168.100.0/24 -j MASQUERADE

cloud-init

cloud-init is a convenient way to configure VMs quickly, but note that the default image does not load the cloud-init image directly; the simplest fix is to run

sudo cloud-init clean

After a reboot, the cloud-init image is loaded automatically.

OpenVPN

To reach the various hosts conveniently through OpenVPN, it is best to create an internal VLAN. In that setup, external traffic arrives at the host and is forwarded to the OpenVPN VM, which forwards it on to the internal network. By default the internet is not reached through OpenVPN; a separate proxy is usually more convenient for that. Besides the GUI, the network configuration can also be edited directly in the files:

Remember to enable ipv4 forwarding everywhere:

# Enable IP forwarding for the running kernel (not persistent)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Equivalent, also runtime-only
sysctl -w net.ipv4.ip_forward=1
# To make it persistent across reboots (on most Linux systems), drop it in sysctl.d and reload
echo 'net.ipv4.ip_forward = 1' > /etc/sysctl.d/99-ip-forward.conf
sysctl --system

Inspect the PVE host's interfaces:

root@Debian-1211-bookworm-amd64-base ~ # cat /etc/network/interfaces
# network interface settings; autogenerated
# Please do NOT modify this file directly, unless you know what
# you're doing.
#
# If you want to manage parts of the network configuration manually,
# please utilize the 'source' or 'source-directory' directives to do
# so.
# PVE will preserve these directives, but will NOT read its network
# configuration from sourced files, so do not attempt to move any of
# the PVE managed interfaces into external files!

source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback

iface lo inet6 loopback

auto enp8s0
iface enp8s0 inet static
        address 55.555.555.555/26
        gateway 55.555.555.555
        up route add -net 55.555.555.128 netmask 255.255.255.192 gw 55.555.555.129 dev enp8s0
        up route add -net 55.555.9.0 netmask 255.255.255.240 dev vmbr0
        up route add -net 55.555.555.208 netmask 255.255.255.248 dev vmbr2
#HOST NIC
#Hetzner default config, no need to change

auto vmbr1
iface vmbr1 inet static
        address 192.168.100.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
#host NAT

auto Internal
iface Internal inet static
        address 10.0.0.1/24
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094
#VLAN

It is best to keep the NAT network and the internal network separate; iptables then needs two rules for the OpenVPN VM.

# NAT
sudo iptables -t nat -A PREROUTING -i enp8s0 -p udp --dport 1194 -j DNAT --to-destination 192.168.100.10:1194
# FORWARD
sudo iptables -A FORWARD -p udp -d 192.168.100.10 --dport 1194 -j ACCEPT
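As an added example (not from the original post), a small Python audit script for the two-rule pattern used above: it parses the output of `iptables -t nat -L PREROUTING -v -n` and `iptables -L FORWARD -v -n` and reports every DNAT target that has no matching FORWARD ACCEPT, so a forward does not silently stop working once the FORWARD policy is set to DROP. The iptables listings embedded below are constructed sample text, not captured from a real host.

```python
import re

# Constructed sample of `iptables -t nat -L PREROUTING -v -n` output (not from a real host)
NAT_PREROUTING = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  7200 DNAT       tcp  --  enp8s0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.100.200:1242
   50  3000 DNAT       udp  --  enp8s0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194 to:192.168.100.10:1194
"""
# Constructed sample of `iptables -L FORWARD -v -n` output: only the HTTPS forward has its ACCEPT
FILTER_FORWARD = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  7200 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.100.200      tcp dpt:1242
"""

# DNAT rule line: "... DNAT tcp ... tcp dpt:443 to:192.168.100.200:1242"
DNAT_RE = re.compile(r"\bDNAT\s+(?P<proto>tcp|udp)\b.*\b(?:tcp|udp) dpt:(?P<port>\d+)\s+to:(?P<dst>[\d.]+):(?P<dport>\d+)")
# FORWARD ACCEPT for one host: "... ACCEPT tcp ... 192.168.100.200 tcp dpt:1242"
# (only exact host destinations are recognised; a -d 192.168.100.0/24 rule would not count as a match)
FWD_RE = re.compile(r"\bACCEPT\s+(?P<proto>tcp|udp)\b.*?\s(?P<dst>[\d.]+)\s+(?:tcp|udp) dpt:(?P<dport>\d+)")


def parse_dnat(text):
    """Return (proto, external_port, vm_ip, vm_port) for every DNAT rule in the chain listing."""
    rules = []
    for line in text.splitlines():
        m = DNAT_RE.search(line)
        if m:
            rules.append((m["proto"], int(m["port"]), m["dst"], int(m["dport"])))
    return rules


def parse_forward_accepts(text):
    """Return the set of (proto, vm_ip, vm_port) that the FORWARD chain explicitly ACCEPTs."""
    accepts = set()
    for line in text.splitlines():
        m = FWD_RE.search(line)
        if m:
            accepts.add((m["proto"], m["dst"], int(m["dport"])))
    return accepts


def missing_forward_rules(nat_text, fwd_text):
    """DNAT targets without a FORWARD ACCEPT; they only work while the FORWARD policy is ACCEPT."""
    accepted = parse_forward_accepts(fwd_text)
    return [r for r in parse_dnat(nat_text) if (r[0], r[2], r[3]) not in accepted]


def suggested_forward_rule(rule):
    """Render the missing second rule of the pair, in the same form as the rules above."""
    proto, _, vm_ip, vm_port = rule
    return f"iptables -A FORWARD -p {proto} -d {vm_ip} --dport {vm_port} -j ACCEPT"
```

On a real host, feed the two listings in with `subprocess.run([...], capture_output=True, text=True).stdout` and print `suggested_forward_rule()` for each entry that `missing_forward_rules()` returns.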

Generally these two rules are enough. If external traffic can reach the inside but packets sent from the inside outward never get an ACK, you may need to add a Hetzner firewall rule. The Hetzner firewall is generally not very pleasant to use; besides the standard rules, remember to add:

    ipv4   tcp   0.0.0.0/0 0.0.0.0/0   0-65535   32768-65535   ack   ACCEPT

# FORWARD rules on the OpenVPN VM (tun0 = OpenVPN tunnel)
# eth1 as INTERNAL VLAN
Chain FORWARD (policy ACCEPT 285 packets, 43989 bytes)
 pkts bytes target     prot opt in     out     source               destination
...
2326K  385M ACCEPT     0    --  tun0   eth1    0.0.0.0/0            0.0.0.0/0
2301K 3251M ACCEPT     0    --  eth1   tun0    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

# no need for PREROUTING rules
# POSTROUTING
Chain POSTROUTING (policy ACCEPT 423K packets, 26M bytes)
 pkts bytes target     prot opt in     out     source               destination
...
17546 1123K MASQUERADE  0    --  *      eth1    10.8.0.0/24          0.0.0.0/0
Last updated on 2025-12-07