Sandraudiga is a dedicated server hosted by Hetzner in Germany. The machine is managed with Ansible, which installs, among other things, libvirt and the fish shell.
- 1 x Dedicated Root Server SB32
- Intel Core i7-4770 (4 cores 8 threads @ 3.4GHz)
- 2x HDD SATA 2.0 TB Enterprise
- 4x RAM 8192 MB DDR3 (32 GB)
- Rescue system (English)
This is the new server; its addresses are 144.76.234.39 (IPv4) and 2a01:4f8:201:1026::/64 (IPv6).
Under libvirt it should run the following guests:

| Guest Name | Role | OS | RAM | CPU Cores | HDD | External IP | NAT IP | Forwarded Ports | DNS |
|------------|------|----|-----|-----------|-----|-------------|--------|-----------------|-----|
| Gná | New server running ISP Manager | Debian 9 (Stretch) | 8 GB | 4 | 1 TB | 144.76.234.29 | | * | gna.squashedfly.eu A 144.76.234.29 |
| Ēostre | Plex Media Server | Ubuntu 17.10 (Artful Aardvark) | 2 GB | 2 | 1 TB | 144.76.234.28 | | * | eostre.squashedfly.eu A 144.76.234.28 |
| Hnoss | Skippy’s IRC and the ilk machine | Debian 9 (Stretch) | 4 GB | 2 | 100 GB | | 192.168.122.217 | TCP 2223 -> 22 (SSH) | hnoss.squashedfly.eu CNAME sandraudiga |
| Sjöfn | Tamarisk’s IRC and the ilk machine | Debian 9 (Stretch) | 4 GB | 2 | 100 GB | | | TCP 2224 -> 22 (SSH) | sjoefn.squashedfly.eu CNAME sandraudiga |
First run
Install a minimal Debian 9 (Stretch), then bring it up to date and install the packages Ansible needs:

    apt-get update
    apt-get upgrade
    apt-get dist-upgrade
    apt-get autoremove
    apt-get install sudo python3 python git
Sandraudiga setup notes
Add new stanzas to /etc/network/interfaces on the host to put the guests' external IP addresses on the host interface.
To determine the IP address of a guest virtual machine, run the following on the guest (the address is handed out by DHCP from libvirt's dnsmasq):
hostname -I
Ēostre’s IP address:

    iface enp2s0 inet static
        address 144.76.234.28
        netmask 255.255.255.224

Gná’s IP address:

    iface enp2s0 inet static
        address 144.76.234.29
        netmask 255.255.255.224

If you need to add one of these manually without restarting networking, use ip (the /27 prefix is the same as netmask 255.255.255.224):
sudo ip address add 144.76.234.29/27 dev enp2s0
Set up a guest to receive a whole external IP address
To forward a whole external IP address to a VM, three iptables rules are needed on the host: accept the traffic in FORWARD, DNAT the incoming packets to the guest, and SNAT the guest's outgoing packets back to the external address.
Ēostre
(This is for Ēostre 144.76.234.28 & 192.168.122.252):
sudo iptables -I FORWARD -o virbr0 -d 192.168.122.252 -j ACCEPT
All packets arriving at 144.76.234.28 need to go to 192.168.122.252
sudo iptables -t nat -I PREROUTING -p tcp -d 144.76.234.28 -j DNAT --to 192.168.122.252
All packets leaving 192.168.122.252 should go from 144.76.234.28
sudo iptables -t nat -I POSTROUTING 1 -s 192.168.122.252 -j SNAT --to-source 144.76.234.28
Gná
To forward a whole IP address to a vm, you need to issue the following (this is for Gná 144.76.234.29 & 192.168.122.202).
sudo iptables -I FORWARD -o virbr0 -d 192.168.122.202 -j ACCEPT
All packets arriving at 144.76.234.29 need to go to 192.168.122.202
sudo iptables -t nat -I PREROUTING -p tcp -d 144.76.234.29 -j DNAT --to 192.168.122.202
All packets leaving 192.168.122.202 should go from 144.76.234.29
sudo iptables -t nat -I POSTROUTING 1 -s 192.168.122.202 -j SNAT --to-source 144.76.234.29
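Because each whole-IP forward is three separate rules in two tables, it is easy to end up with a DNAT whose FORWARD accept or SNAT is missing, or whose accept sits below libvirt's catch-all REJECT and never matches. The script below is an added example, not part of the original notes: it reads `iptables-save` output and reports, for every whole-IP DNAT, whether the matching FORWARD ACCEPT (ahead of any REJECT/DROP) and SNAT rule exist. The embedded ruleset is constructed for the example (the 144.76.234.30 / 192.168.122.230 pair and the 192.168.122.230 guest are invented); run it with `--live` as root on the host to audit the real rules.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit a host's iptables
# rules for the whole-IP forwarding pattern (DNAT in PREROUTING, ACCEPT in
# FORWARD, SNAT in POSTROUTING) and flag any guest that is missing a piece.
# Input is `iptables-save` text. The sample below is CONSTRUCTED for this
# example and is not a dump from Sandraudiga.

SAMPLE_SAVE=$(cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 144.76.234.28/32 -p tcp -j DNAT --to-destination 192.168.122.252
-A PREROUTING -d 144.76.234.29/32 -p tcp -j DNAT --to-destination 192.168.122.202
-A PREROUTING -d 144.76.234.30/32 -p tcp -j DNAT --to-destination 192.168.122.230
-A PREROUTING -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.122.217:22
-A POSTROUTING -s 192.168.122.252/32 -j SNAT --to-source 144.76.234.28
-A POSTROUTING -s 192.168.122.230/32 -j SNAT --to-source 144.76.234.30
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -d 192.168.122.252/32 -o virbr0 -j ACCEPT
-A FORWARD -d 192.168.122.217/32 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 22 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.122.230/32 -o virbr0 -j ACCEPT
COMMIT
EOF
)

# dnat_map: print "external_ip guest_ip" for each whole-IP DNAT rule, i.e. a
# PREROUTING rule matching -d <external> whose target is a bare guest
# address. Port forwards (target guest:port) are not whole-IP and are skipped.
dnat_map() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A PREROUTING / && /-j DNAT/ {
            ext = ""; guest = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-d") { ext = $(i + 1); sub(/\/32$/, "", ext) }
                if ($i == "--to-destination" || $i == "--to") guest = $(i + 1)
            }
            if (ext != "" && guest != "" && guest !~ /:/) print ext, guest
        }'
}

# has_forward_accept <guest_ip>: exit 0 if the FORWARD chain accepts traffic
# to the guest BEFORE any REJECT/DROP rule. An ACCEPT placed after the
# catch-all REJECT never matches, which is the ordering mistake the notes
# warn about, so it is treated as missing.
has_forward_accept() {
    awk -v g="$1" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^-A FORWARD / {
            if ($0 ~ /-j (REJECT|DROP)/) shadowed = 1
            if (!shadowed && $0 ~ /-j ACCEPT/)
                for (i = 1; i <= NF; i++)
                    if ($i == "-d" && ($(i + 1) == g || $(i + 1) == (g "/32"))) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# has_snat <guest_ip> <external_ip>: exit 0 if POSTROUTING rewrites the
# guest's source address to the external address.
has_snat() {
    awk -v g="$1" -v e="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A POSTROUTING / && /-j SNAT/ {
            src = ""; to = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") { src = $(i + 1); sub(/\/32$/, "", src) }
                if ($i == "--to-source") to = $(i + 1)
            }
            if (src == g && to == e) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# audit_forwarding: read iptables-save text on stdin and print one line per
# whole-IP forward: "<external> <guest> ok" or "<external> <guest> MISSING:<parts>".
audit_forwarding() {
    save=$(cat)
    printf '%s\n' "$save" | dnat_map | while read -r ext guest; do
        missing=""
        printf '%s\n' "$save" | has_forward_accept "$guest" || missing="forward"
        printf '%s\n' "$save" | has_snat "$guest" "$ext" || missing="${missing:+$missing,}snat"
        status=${missing:+MISSING:$missing}
        printf '%s %s %s\n' "$ext" "$guest" "${status:-ok}"
    done
}

case "${1:-}" in
    --sample) printf '%s\n' "$SAMPLE_SAVE" | audit_forwarding ;;
    --live)   iptables-save | audit_forwarding ;;   # run as root on the host
esac
```

On the constructed sample, `sh nat_audit.sh --sample` reports Ēostre's forward as `ok`, Gná's as `MISSING:forward,snat` (only the DNAT was added), and the invented third guest as `MISSING:forward` because its ACCEPT sits below the REJECT. The REJECT/DROP check is deliberately coarse: any REJECT or DROP earlier in FORWARD is treated as shadowing, which is right for libvirt's default `-o virbr0 -j REJECT` but may over-report on hosts with narrower reject rules.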
Single ports
This allows the connections to actually exist and the packets to be sent back and forth. Make sure this goes above the rule that rejects everything or everything will get rejected!
sudo iptables -I FORWARD 1 -m state --state NEW,RELATED,ESTABLISHED -p tcp --dport {destination_port_number} -d {destination_ip} -j ACCEPT
Then this does the NAT
sudo iptables -t nat -A PREROUTING -p tcp --dport {inbound_port_number} -j DNAT --to-destination {destination_ip}:{destination_port_number}
Worked examples for Ēostre’s SSH port (2222 -> 22) and Plex port (32400 -> 32400):
SSH
sudo iptables -I FORWARD 1 -m state --state NEW,RELATED,ESTABLISHED -p tcp --dport 22 -d 192.168.122.216 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 192.168.122.216:22
Plex
sudo iptables -I FORWARD 1 -m state --state NEW,RELATED,ESTABLISHED -p tcp --dport 32400 -d 192.168.122.216 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 192.168.122.216:32400
To make these rules persist across reboots:
sudo service netfilter-persistent save
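The whole-IP recipe (three rules) and the single-port recipe (two rules) above are the same operation with different parameters, and typing them by hand is how a rule ends up duplicated or pointed at the wrong guest. The script below is an added example, not part of the original notes or the Ansible setup: it builds the rules from the sections above as data, validates that the external address is a well-formed IPv4 address and the guest lives in libvirt's 192.168.122.0/24 NAT range, and applies each rule only if `iptables -C` does not already find it, then saves with netfilter-persistent as the notes do. Two caveats the rules themselves carry: the DNAT matches only `-p tcp`, so UDP and ICMP sent to a forwarded address stay on the host, and the whole-IP FORWARD accept exposes every port on that guest, so the guest needs its own firewall. The file name `forward.sh` and the `DRY_RUN` variable are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the original notes: the forwarding recipes
# expressed as functions that validate their inputs, emit rules as data
# ("table action chain rule-spec", one per line) and apply each rule only
# if `iptables -C` says it is not already present. Addresses and ports in
# the usage comment are the ones from the notes; nothing else is from the page.

BRIDGE=virbr0            # libvirt's default NAT bridge, as in the notes
GUEST_NET=192.168.122    # libvirt's default NAT subnet; guests must be in it

# valid_ipv4 <addr>: 0 if addr is four dotted decimal octets in 0-255
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# valid_guest <addr>: 0 if addr is a libvirt NAT address (192.168.122.x)
valid_guest() { valid_ipv4 "$1" && [ "${1%.*}" = "$GUEST_NET" ]; }

# valid_port <n>: 0 if n is a TCP port number 1-65535
valid_port() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# whole_ip_rules <external_ip> <guest_ip>: the three rules that hand a whole
# external address to one guest (FORWARD accept, DNAT in, SNAT out). Only TCP
# is DNATed, exactly as in the notes. All three are inserted (-I) so they
# land above libvirt's catch-all REJECT.
whole_ip_rules() {
    valid_ipv4 "$1" && valid_guest "$2" || return 1
    printf 'filter -I FORWARD -o %s -d %s -j ACCEPT\n' "$BRIDGE" "$2"
    printf 'nat -I PREROUTING -p tcp -d %s -j DNAT --to-destination %s\n' "$1" "$2"
    printf 'nat -I POSTROUTING -s %s -j SNAT --to-source %s\n' "$2" "$1"
}

# port_rules <inbound_port> <guest_ip> <guest_port>: forward one TCP port on
# the host to a port on a guest (the "Single ports" recipe). The FORWARD
# accept is inserted at the top; the DNAT is appended, as in the notes.
port_rules() {
    valid_port "$1" && valid_guest "$2" && valid_port "$3" || return 1
    printf 'filter -I FORWARD -m state --state NEW,RELATED,ESTABLISHED -p tcp --dport %s -d %s -j ACCEPT\n' "$3" "$2"
    printf 'nat -A PREROUTING -p tcp --dport %s -j DNAT --to-destination %s:%s\n' "$1" "$2" "$3"
}

# apply_rules: read rule lines on stdin; skip rules already present (-C),
# add the rest, then save them with netfilter-persistent as the notes do.
# DRY_RUN=1 prints the iptables commands instead of running them.
apply_rules() {
    while read -r tbl action chain spec; do
        if [ -n "${DRY_RUN:-}" ]; then
            printf 'iptables -t %s %s %s %s\n' "$tbl" "$action" "$chain" "$spec"
        elif iptables -t "$tbl" -C "$chain" $spec 2>/dev/null; then
            printf 'already present: %s %s\n' "$chain" "$spec"
        else
            iptables -t "$tbl" "$action" "$chain" $spec
        fi
    done
    [ -n "${DRY_RUN:-}" ] || service netfilter-persistent save
}

# Usage on the host (as root):
#   sh forward.sh ip   144.76.234.28 192.168.122.252
#   sh forward.sh port 2222 192.168.122.216 22
case "${1:-}" in
    ip)   rules=$(whole_ip_rules "$2" "$3") || { echo "bad address" >&2; exit 2; }
          printf '%s\n' "$rules" | apply_rules ;;
    port) rules=$(port_rules "$2" "$3" "$4") || { echo "bad port or address" >&2; exit 2; }
          printf '%s\n' "$rules" | apply_rules ;;
esac
```

Validation happens before anything touches iptables, so a typo in the guest address fails with exit status 2 instead of half-applying a forward. `DRY_RUN=1 sh forward.sh ip 144.76.234.28 192.168.122.252` prints the three commands the whole-IP section lists, which is a quick way to review a change before it is saved.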
New Virtual machine
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDK2LZIDtZThKonSQ7IHGi36Qg3t26isDTX+2BYGMgqE3zZrIngVhgqSDNW8WiRHGslNkWzUGbje1/lA5JP5C2HzZSa6VbDW2oGPXAtok4NygZAIbM4viRYfl65HcF4Wj+I8vKKa1Oc+Vc8heZ3iD+fCG03tusvg9PW6TIZ+tf3tcuYgY8Ut3A66uVXBwt1YYfh8T3CDjeq8laVhrRWzwI7WZFJJM1NmAlpBmxyYmpsduukjDcL7VKFMMO1/c29wF6CFFmXNgbphiz7GYtyZ9AAA84ulzbtsVr8VvaVQ6NwTlKLU0nWhq+gBxKql+thOqez6Ejszpp44GXvxduCvPGp skippy@Freyja.local
Forget the host key previously recorded for the guest's address, so the new guest's key can be accepted:
ssh-keygen -f "/home/skippy/.ssh/known_hosts" -R 192.168.122.202