Sandraudiga is a server that is hosted by Hetzner, in Germany. This machine is managed using ansible, which installs among other things LibVirt, and Fish.

• 1 x Dedicated Root Server SB32
• Intel Core i7-4770 (4 cores 8 threads @ 3.4GHz)
• 2x HDD SATA 2.0 TB Enterprise
• 4x RAM 8192 MB DDR3 (32 GB)
• Rescue system (English)

This is the new server, it is 144.76.234.39 / 2a01:4f8:201:1026:: / 64

Under LibVirt it should run:

First run

Install Debian minimal (Stretch).

apt-get update
apt-get upgrade
apt-get dist-upgrade
apt-get autoremove
apt-get install sudo python3 python git

Sandraudiga setup notes

Add new stanzas to /etc/network/interfaces to add IP addresses to interfaces

To determine the IP address of the Guest Virtual machine use the following command on the guest (It’s sent by DHCP from dnsmasq):

hostname -I

Ēostre’s IP address:

• iface enp2s0 inet static
• address 144.76.234.28
• netmask 255.255.255.224

Gná’s IP address:

• iface enp2s0 inet static
• address 144.76.234.29
• netmask 255.255.255.224

If you need to add these manually, you can do it using ip:

sudo ip address add 144.76.234.29/27 dev enp2s0

Set up a Guest allowed to receive packets

To forward a whole IP address to a vm, you need to set up iptables, with the following…

Ēostre

(This is for Ēostre 144.76.234.28 & 192.168.122.252):

sudo iptables -I FORWARD -o virbr0 -d 192.168.122.252 -j ACCEPT

All packets arriving at 144.76.234.28 need to go to 192.168.122.252

sudo iptables -t nat -I PREROUTING -p tcp -d 144.76.234.28 -j DNAT --to 192.168.122.252

All packets leaving 192.168.122.252 should go from 144.76.234.28

sudo iptables -t nat -I POSTROUTING 1 -s 192.168.122.252 -j SNAT --to-source 144.76.234.28

Gná

To forward a whole IP address to a vm, you need to issue the following (this is for Gná 144.76.234.29 & 192.168.122.202).

sudo iptables -I FORWARD -o virbr0 -d 192.168.122.202 -j ACCEPT

All packets arriving at 144.76.234.29 need to go to 192.168.122.202

sudo iptables -t nat -I PREROUTING -p tcp -d 144.76.234.29 -j DNAT --to 192.168.122.202

All packets leaving 192.168.122.202 should go from 144.76.234.29

sudo iptables -t nat -I POSTROUTING 1 -s 192.168.122.202 -j SNAT --to-source 144.76.234.29

Single ports

This allows the connections to actually exist and the packets to be sent back and forth. Make sure this goes above the rule that rejects everything or everything will get rejected!

sudo iptables -I FORWARD 1 -m state --state NEW,RELATED,ESTABLISHED -p tcp --dport {destination_port_number} -d {destination_ip} -j ACCEPT

Then this does the NAT

sudo iptables -t nat -A PREROUTING -p tcp --dport {inbound_port_number} -j DNAT --to-destination {destination_ip}:{destination_port_number}

So a worked example for Ēostre’s SSH port (2222 -> 22), and Plex port (32400).

SSH

sudo iptables -I FORWARD 1 -m state --state NEW,RELATED,ESTABLISHED -p tcp --dport 22 -d 192.168.122.216 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp --dport 2222 -j DNAT --to-destination 192.168.122.216:22

Plex

sudo iptables -I FORWARD 1 -m state --state NEW,RELATED,ESTABLISHED -p tcp --dport 32400 -d 192.168.122.216 -j ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp --dport 32400 -j DNAT --to-destination 192.168.122.216:32400

sudo service netfilter-persistent save

To make these persist across reboots

Install iptables-persistent¹

sudo service netfilter-persistent save

New Virtual machine

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDK2LZIDtZThKonSQ7IHGi36Qg3t26isDTX+2BYGMgqE3zZrIngVhgqSDNW8WiRHGslNkWzUGbje1/lA5JP5C2HzZSa6VbDW2oGPXAtok4NygZAIbM4viRYfl65HcF4Wj+I8vKKa1Oc+Vc8heZ3iD+fCG03tusvg9PW6TIZ+tf3tcuYgY8Ut3A66uVXBwt1YYfh8T3CDjeq8laVhrRWzwI7WZFJJM1NmAlpBmxyYmpsduukjDcL7VKFMMO1/c29wF6CFFmXNgbphiz7GYtyZ9AAA84ulzbtsVr8VvaVQ6NwTlKLU0nWhq+gBxKql+thOqez6Ejszpp44GXvxduCvPGp skippy@Freyja.local

ssh-keygen -f “/home/skippy/.ssh/known_hosts” -R 192.168.122.202

Related Articles

• Ansible
• Borg Backup
• ipTables

1. install is done via Ansible