Bridged Network Model for a Dual-NIC Host
Virtual servers should appear as independent devices on the private LAN and be accessible from the public Internet using the host server's IP address.
I use this network model on most of my servers. It uses IP addresses efficiently, secures the virtualized servers on the public interface (eth1) and allows direct access over the private interface (eth0).
Host Interfaces
The host has at least two network interfaces. My convention uses eth0 for the trusted connection to the local network and eth1 for the connection to the public internet.
Host Packages
Proxmox VE is used to manage the OpenVZ containers and KVM virtual machines. It provides a useful web interface to the host server, and the same interface can be used to manage multiple hosts when Proxmox clustering is configured.
Advanced Policy Firewall (APF) offers a convenient way to configure and maintain iptables as a firewall. APF is configured to provide network address translation (NAT) from the public IP to the containers, egress filtering and masquerading. Masquerading rewrites the containers' source addresses to the host's public IP address on eth1.
NGINX is used as a reverse proxy to route port 80 and 443 requests to the appropriate container.
Public Interface Configuration
A guest bridge, vmbr1, is created to connect the containers. This bridge is reachable from the host server only. APF and NGINX are configured to route traffic from the public interface eth1 to the containers via this guest bridge.
Network Interface
The WAN interface is defined in the network interfaces file. Below is an excerpt from the /etc/network/interfaces file for Debian systems:
    # WAN Public Interface
    # See Also: APF Configuration
    auto eth1
    iface eth1 inet static
        address 12.23.45.67
        netmask 255.255.255.0
        broadcast 12.23.45.255
        network 12.23.45.0
        gateway 12.23.45.1

    # GUEST Private Network
    # Routable to eth1 via APF Configuration
    auto vmbr1
    iface vmbr1 inet static
        address 192.168.80.1
        netmask 255.255.255.0
        bridge_ports none
        bridge_stp off
        bridge_fd 0
APF Preroute Rules (NAT)
APF is used to forward specific ports from the public interface to the containers. The preroute.rules example below shows how ssh access to one container is forwarded: the rule matches only on the public interface eth1 and the host's public address, and the DNAT destination is the container's address on vmbr1 (XXX and YYY are placeholders for the public port, container host number and container port).
$IPT -t nat -A PREROUTING -d 12.23.45.67 -p tcp -i eth1 --dport XXX -j DNAT --to-dest 192.168.80.XXX:YYY
APF Postroute Rules (Masquerade)
The postroute.rules example below shows how APF is used to configure masquerade on iptables. The source IP addresses from the vmbr1 network are changed to the host's public IP address, which is 12.23.45.67 in this example.
$IPT -t nat -A POSTROUTING -s 192.168.80.0/24 -o eth1 -j SNAT --to-source 12.23.45.67
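The two NAT rule formats above are easy to get subtly wrong (matching on the trusted eth0 interface, or pointing a DNAT at an address outside the host-only bridge). As an added example, not part of the original post, the following Python generates rules in the same preroute.rules/postroute.rules form and checks each one against the article's addressing (public IP 12.23.45.67 on eth1, guest bridge vmbr1 on 192.168.80.0/24); the port numbers and guest addresses passed to it are constructed sample data.

```python
import ipaddress
import shlex

# Addresses from the article; everything else below is constructed sample data.
PUBLIC_IP = ipaddress.ip_address("12.23.45.67")      # host address on eth1
PUBLIC_IF = "eth1"                                    # untrusted WAN interface
TRUSTED_IF = "eth0"                                   # LAN side, never NATed
GUEST_NET = ipaddress.ip_network("192.168.80.0/24")   # vmbr1, host-only bridge

def preroute_rule(public_port, guest_ip, guest_port):
    """One DNAT line in the preroute.rules format the article uses."""
    return (f"$IPT -t nat -A PREROUTING -d {PUBLIC_IP} -p tcp -i {PUBLIC_IF} "
            f"--dport {public_port} -j DNAT --to-dest {guest_ip}:{guest_port}")

def postroute_rule():
    """The masquerade line from postroute.rules."""
    return (f"$IPT -t nat -A POSTROUTING -s {GUEST_NET} -o {PUBLIC_IF} "
            f"-j SNAT --to-source {PUBLIC_IP}")

def check_rule(line):
    """Return the list of problems in one rule line (empty list = consistent)."""
    tok = shlex.split(line)
    # Every option in these rules takes a value, so tokens after $IPT pair up.
    opts = dict(zip(tok[1::2], tok[2::2]))
    problems = []
    chain = opts.get("-A")
    if chain == "PREROUTING":
        if opts.get("-i") != PUBLIC_IF:          # eth0 here would expose the LAN side
            problems.append(f"DNAT must match only {PUBLIC_IF}, got {opts.get('-i')}")
        if opts.get("-d") != str(PUBLIC_IP):
            problems.append("DNAT destination must be the host's public IP")
        if "-p" not in opts or "--dport" not in opts:
            problems.append("DNAT rule must be limited to a protocol and port")
        host, _, port = opts.get("--to-dest", "").rpartition(":")
        try:
            target = ipaddress.ip_address(host)
            if not 0 < int(port) < 65536:
                raise ValueError
        except ValueError:
            problems.append(f"malformed --to-dest {opts.get('--to-dest')!r}")
        else:
            if target not in GUEST_NET:
                problems.append(f"DNAT target {target} is not on {GUEST_NET}")
    elif chain == "POSTROUTING":
        if opts.get("-s") != str(GUEST_NET):
            problems.append("SNAT must apply only to guest bridge sources")
        if opts.get("-o") != PUBLIC_IF:
            problems.append(f"SNAT must apply only to traffic leaving {PUBLIC_IF}")
        if opts.get("--to-source") != str(PUBLIC_IP):
            problems.append("SNAT source must be the host's public IP")
    else:
        problems.append(f"unexpected chain {chain!r}")
    return problems
```

Run check_rule over each line of an existing preroute.rules and postroute.rules before activating APF; a non-empty result lists exactly which field departs from the model.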
NGINX Reverse Proxy for Ports 80 and 443
The NGINX configuration file for the virtual host defines the web request routing. Here is an excerpt showing the server block, with its location directive, for one virtual host; YY is a placeholder for the container's host number on vmbr1.
    server {
        server_name jaroker.com;
        listen 443;
        location / {
            # Redefine request headers that are transferred to proxied server
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://192.168.80.YY;
            proxy_redirect off;
            proxy_read_timeout 90;
        }
    }
Private Interface Configuration
The private LAN is a trusted network. We do not want firewall rules to interfere with traffic on the LAN over the trusted eth0 interface. Traffic from the containers is routed using policy-based routing that is configured in the network interfaces file. The example below is specific to Debian.
IP Route Table
A route table name is created for convenience in the /etc/iproute2/rt_tables file. In the example below, this table is called t0 for "table for eth0".
501 t0
Policy-based routing is configured in the network interfaces file. For Debian-based systems, this routing is created in the /etc/network/interfaces file; YY is a placeholder for the host's address on the LAN.
    # Guests visible on LAN
    # Not managed by APF -- Routing Configured in this Config File
    iface eth0 inet manual

    auto vmbr0
    iface vmbr0 inet static
        address 192.168.10.YY
        netmask 255.255.255.0
        broadcast 192.168.10.255
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0
        post-up ip route flush table t0
        post-up ip route add default via 192.168.10.1 dev vmbr0 table t0
        post-up ip rule add from 192.168.10.YY table t0 priority 501