Hello, I'm a little confused on which networking option I need to choose when setting up a VM. I set up two VMs this past weekend, both with NAT. Both were able to access the internet. The first one I created in my / file system but didn't really have the space, so I deleted it. The second one I created in /home/kvm, but deleted it as well when I couldn't access it FROM the internet. I had a full backup scheduled for that night and deleted it as well.

I have one of those free domains/DNS from no-ip.com, centos7vm.ddns.net, which I plan to use as the host name. I want to be able to access this VM from the internet.

So, how much in the network setup for the new installation do I need to do? Do I need to go with NAT or bridged?

I did four installations last night and couldn't get any of them to access the internet. Must have been dumb luck the first two times. I think it may be something in iptables from one of the previous installs causing the problem. In ifconfig, I still have virbr0 and virbr1. Didn't have those before.

Here's my iptables:

# Generated by iptables-save v1.4.7 on Tue Sep 27 22:17:35 2016
*mangle
:PREROUTING ACCEPT [29980:14598541]
:INPUT ACCEPT [4740:1518258]
:FORWARD ACCEPT [25240:13080283]
:OUTPUT ACCEPT [6749:1743387]
:POSTROUTING ACCEPT [30207:14647456]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Tue Sep 27 22:17:35 2016
# Generated by iptables-save v1.4.7 on Tue Sep 27 22:17:35 2016
*nat
:PREROUTING ACCEPT [1130:73984]
:POSTROUTING ACCEPT [20:1245]
:OUTPUT ACCEPT [245:19366]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o br0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Tue Sep 27 22:17:35 2016
# Generated by iptables-save v1.4.7 on Tue Sep 27 22:17:35 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:IP4BOGONS - [0:0]
:f2b-default - [0:0]
:f2b-dovecot-pop3imap - [0:0]
-A INPUT -m set --match-set blacklistnet src -j DROP
-A INPUT -m set --match-set blacklist src -j DROP
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m set --match-set block src -j DROP
COMMIT
# Completed on Tue Sep 27 22:17:35 2016

And my ifconfig:

eth0      Link encap:Ethernet  HWaddr 44:37:E6:53:1E:E2
          inet addr:192.168.1.110  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::4637:e6ff:fe53:1ee2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:601486 errors:0 dropped:0 overruns:0 frame:0
          TX packets:601818 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:412662650 (393.5 MiB)  TX bytes:508284675 (484.7 MiB)
          Interrupt:20 Memory:fe500000-fe520000

eth1      Link encap:Ethernet  HWaddr 00:1B:21:AF:6D:22
          inet addr:192.168.0.111  Bcast:255.255.255.255  Mask:255.255.255.0
          inet6 addr: fe80::21b:21ff:feaf:6d22/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:260 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:53372 (52.1 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:44216 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44216 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:26786210 (25.5 MiB)  TX bytes:26786210 (25.5 MiB)

virbr0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:162 (162.0 b)

virbr1    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:244 (244.0 b)

Currently, there are no VMs installed or running. Any help would be greatly appreciated!
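Added example (not from the thread or from anyone posting in it): a small shell check for the three host-side pieces that libvirt's default NAT network (virbr0, 192.168.122.0/24) relies on: the ip_forward sysctl, the MASQUERADE rule in the nat table, and a FORWARD chain that passes guest traffic (either an ACCEPT policy, as in the dump above, or the per-bridge rules libvirt normally installs). It only reads an iptables-save dump and reports what is missing; it changes nothing. The sample dump embedded at the bottom is constructed, trimmed from the one in the post above.

```shell
#!/bin/sh
# Added example, not from the thread: report which host-side prerequisites of
# libvirt's default NAT network (virbr0, 192.168.122.0/24) are missing, given
# an iptables-save dump and the value of /proc/sys/net/ipv4/ip_forward.

LIBVIRT_NET="192.168.122.0/24"
LIBVIRT_BR="virbr0"

# Prints a space-separated list of missing items; empty output means all present.
#   $1 = iptables-save output, $2 = contents of /proc/sys/net/ipv4/ip_forward
nat_check() {
    dump="$1"; ipfwd="$2"; missing=""

    # 1. The kernel must route between virbr0 and the uplink at all.
    [ "$ipfwd" = "1" ] || missing="$missing ip_forward"

    # 2. nat table: guest traffic leaving the host needs source NAT.
    printf '%s\n' "$dump" | grep -q -e "-A POSTROUTING -s $LIBVIRT_NET ! -d $LIBVIRT_NET -j MASQUERADE" \
        || missing="$missing masquerade"

    # 3. filter table: FORWARD must pass guest traffic, either by an ACCEPT
    #    policy or by the explicit per-bridge rules libvirt normally installs.
    if ! printf '%s\n' "$dump" | grep -q -e "^:FORWARD ACCEPT"; then
        printf '%s\n' "$dump" | grep -q -e "-A FORWARD -s $LIBVIRT_NET -i $LIBVIRT_BR -j ACCEPT" \
            || missing="$missing forward_out"
        printf '%s\n' "$dump" | grep -q -e "-A FORWARD -d $LIBVIRT_NET -o $LIBVIRT_BR -m state --state RELATED,ESTABLISHED -j ACCEPT" \
            || missing="$missing forward_in"
    fi
    echo "${missing# }"
}

# Live use (as root): nat_check "$(iptables-save)" "$(cat /proc/sys/net/ipv4/ip_forward)"

# Constructed sample dump, trimmed from the one in the post above: the
# MASQUERADE rule is present and the FORWARD policy is ACCEPT.
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
```

Run it as root with the live dump; an empty line means the firewall side is in order and the fault is elsewhere (dnsmasq on virbr0, guest routing, or the uplink NAT). Any word it prints names the layer to look at first.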
On 9/28/2016 8:43 AM, tdukes at palmettoshopper.com wrote:
> I'm a little confused on which networking option I need to choose when
> setting up a VM.

The host that's running the VM, is it connected to a LAN behind a firewall/router, or directly to the internet? If directly, is there a dedicated internet IP address that the VM can use? If yes, then you want a bridged network where the VM uses that dedicated internet IP separate from the host's IP. If it's on a LAN with private addressing, you want to use a dedicated LAN IP address, separate from the host's LAN IP, but since it's behind a NAT router, I really don't know how you'd expect it to use DDNS as that will only see the router's internet IP address.

-- 
john r pierce, recycling bits in santa cruz
On Sep 28, 2016, at 9:43 AM, <tdukes at palmettoshopper.com> <tdukes at palmettoshopper.com> wrote:
>
> The first one, I created in my / file system but didn't really have the
> space so I deleted it.

One of the primary advantages of VMs over real machines is that you can pause them, move them, and then restart them, with the VM guest OS not realizing that anything has happened. Some virtual machine management systems even automate this, letting you move an active VM without any downtime at all.

> The second one, I created in /home/kvm, but deleted it as well when I
> couldn't access it FROM the internet.

That's actually the main reason to use NAT over bridged networking: to *prevent* outsiders from connecting into the VM guest. It's a good thing for exactly the same reason your home internet service's router/gateway's NAT is a good thing.

While it is possible to drill a hole back through the VM's NAT layer into the guest using port mapping rules, that amounts to double NAT, which adds an unnecessary amount of complexity. If all of the threats to the VM guest are outside the LAN's border gateway, it's simpler to use bridged networking, and set up the port forwarding rules on the LAN border gateway.

Beyond that general advice, you escape anything CentOS-specific, so you need to take the problem up elsewhere, such as https://portforward.com/

> I want to be able to access this VM from the internet.

Once the VM is set to use port forwarding and a static IP, you can forward port 22 to the Internet.

I recommend that the port forwarding rule expose the internal port 22 as some random value on the outside. This will cut down on a lot of script kiddie spam in your logs. Some will decry this as "security through obscurity," but that's bogus. Obscurity is not a bad thing in itself. The problem comes when obscurity is your *only* security. That's not the case with SSH.

I don't recommend forwarding any other ports to the Internet, if you can possibly get away with it. SSH can do its own port forwarding, which reduces your VM's attack surface from the Internet. With SSH acting as a poor-man's VPN, an attacker would have to break SSH before they can get into any of your internal VM's other services.

Alternately, you could set up a VPN, and then you wouldn't need to mess with port forwarding, either at the LAN border or via SSH.
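Added example (not from the thread or from the person replying above): what the advice above looks like on a Linux-based border gateway, exposing only the guest's SSH on a non-standard external port, with a small per-source rate limit on new connections to cut the log noise further, and the client-side SSH tunnel that reaches another guest service without forwarding its port. Everything here is assumed: eth0 as the gateway's WAN interface, 192.168.1.120 as the guest's static LAN address, 48222 as the external port, "user" as the login name; centos7vm.ddns.net is the name from the first post. The functions print the commands rather than applying them, so you can review before pasting them in as root.

```shell
#!/bin/sh
# Added example, not from the thread: generate the iptables rules for a Linux
# border gateway that exposes a guest's SSH on a non-standard external port,
# and the matching client-side "poor man's VPN" tunnel command.
# Assumed names: eth0 (WAN), 192.168.1.120 (guest LAN IP), 48222 (external port).

# Print the gateway rules. Refuses privileged or out-of-range ports, since a
# random high port is the point of the exercise.
#   $1 = WAN interface, $2 = external port, $3 = guest LAN IP
ssh_forward_rules() {
    wan="$1"; ext_port="$2"; guest="$3"
    case "$ext_port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    if [ "$ext_port" -lt 1024 ] || [ "$ext_port" -gt 65535 ]; then
        echo "use an unprivileged port in 1024-65535" >&2
        return 1
    fi
    # Rewrite the destination: WAN:ext_port -> guest:22
    echo "iptables -t nat -A PREROUTING -i $wan -p tcp --dport $ext_port -j DNAT --to-destination $guest:22"
    # Throttle brute force: record each new connection per source, drop the 6th and later within 60 s
    echo "iptables -A FORWARD -i $wan -p tcp -d $guest --dport 22 -m state --state NEW -m recent --name SSH --set"
    echo "iptables -A FORWARD -i $wan -p tcp -d $guest --dport 22 -m state --state NEW -m recent --name SSH --update --seconds 60 --hitcount 6 -j DROP"
    # Let the translated connection through the FORWARD chain
    echo "iptables -A FORWARD -i $wan -p tcp -d $guest --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# Client side: reach a guest service (e.g. its web server on port 80) through
# SSH instead of forwarding that port at the gateway. Prints the ssh command.
#   $1 = DDNS host name, $2 = external SSH port, $3 = local listen port, $4 = guest-side port
ssh_tunnel_cmd() {
    echo "ssh -p $2 -N -L $3:127.0.0.1:$4 user@$1"
}

# Usage:
#   ssh_forward_rules eth0 48222 192.168.1.120        # review, then run the output as root on the gateway
#   ssh_tunnel_cmd centos7vm.ddns.net 48222 8080 80   # then browse http://localhost:8080 on the client
```

The FORWARD rules assume the gateway's FORWARD policy is DROP (otherwise the ACCEPT is redundant and only the rate limit matters); on a consumer DSL router the same DNAT is done from its port-forwarding page, with no rate limit available.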
On 09/28/2016 08:43 AM, tdukes at palmettoshopper.com wrote:
> I have one of those free domains/DNS from no-ip.com, centos7vm.ddns.net
> I plan to use as the host name.
>
> I want to be able to access this VM from the internet.
...
> This is what I was seeing. Either it lands on the DSL router's login
> page or the host's website.

If you only have one address, you'll need to configure port forwarding or a "bastion host" from that DSL router (whatever it supports). Your "no-ip.com" address will simply point at that host.

> So, how much in the network setup for the new installation do I need to
> do? Do I need to go with NAT or bridged?

You have a couple of options for VMs that you want to access from the LAN. The best documented and probably most widely used is bridged. That one also probably requires the most setup:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Configure_Network_Bridging.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Virtualization_Deployment_and_Administration_Guide/sect-Network_configuration-Bridged_networking.html

You can also use macvtap, which doesn't require the use of a special bridge interface, but you do have to enable hairpin mode if you want the KVM guest to be able to access its guests. I honestly can't find much useful documentation.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/sect-attch-nic-physdev.html
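Added example (not from the thread or from the Red Hat documents linked above): the two network-scripts files that the bridged setup amounts to on a CentOS 6/7 host, written by a shell function so the pair stays consistent, plus a check that the physical NIC really has been demoted to a bridge port with no address of its own (the common mistake that leaves the host with two addresses on one segment). The bridge name br0 and the gateway/DNS value 192.168.1.1 are assumptions; 192.168.1.110 is the host address from the first post's ifconfig. On CentOS 6 the bridge-utils package is needed before the bridge will come up.

```shell
#!/bin/sh
# Added example, not from the thread: write the network-scripts pair that puts
# a CentOS 6/7 host NIC into a bridge so KVM guests can sit on the LAN with
# their own addresses, and check the pair for the usual mistake.
# Assumed: bridge name br0; gateway/DNS 192.168.1.1 are constructed values.

# $1 = target directory (normally /etc/sysconfig/network-scripts)
# $2 = physical NIC, $3 = bridge name, $4 = host IP, $5 = netmask,
# $6 = gateway, $7 = DNS server
write_bridge_cfg() {
    dir="$1"; nic="$2"; br="$3"; ip="$4"; mask="$5"; gw="$6"; dns="$7"

    # The bridge carries the host's address; STP off and DELAY=0 avoid a
    # 30 s forwarding delay when the interface comes up.
    cat > "$dir/ifcfg-$br" <<EOF
DEVICE=$br
TYPE=Bridge
BOOTPROTO=none
ONBOOT=yes
IPADDR=$ip
NETMASK=$mask
GATEWAY=$gw
DNS1=$dns
DELAY=0
STP=off
NM_CONTROLLED=no
EOF

    # The NIC becomes a member port: no address, just BRIDGE= pointing at br0.
    cat > "$dir/ifcfg-$nic" <<EOF
DEVICE=$nic
TYPE=Ethernet
BOOTPROTO=none
ONBOOT=yes
BRIDGE=$br
NM_CONTROLLED=no
EOF
}

# Returns 0 when the pair is consistent: NIC references the bridge and has no
# IPADDR, bridge is TYPE=Bridge and does carry an IPADDR.
bridge_cfg_ok() {
    dir="$1"; nic="$2"; br="$3"
    grep -q "^BRIDGE=$br$" "$dir/ifcfg-$nic" || return 1
    ! grep -q "^IPADDR=" "$dir/ifcfg-$nic" || return 1
    grep -q "^TYPE=Bridge$" "$dir/ifcfg-$br" || return 1
    grep -q "^IPADDR=" "$dir/ifcfg-$br" || return 1
}

# Usage (as root, then "service network restart"; guests attach with
#   virt-install ... --network bridge=br0):
#   write_bridge_cfg /etc/sysconfig/network-scripts eth0 br0 192.168.1.110 255.255.255.0 192.168.1.1 192.168.1.1
#   bridge_cfg_ok /etc/sysconfig/network-scripts eth0 br0 && echo consistent
```

Back up the existing ifcfg-eth0 before overwriting it, and do this from the console rather than over SSH: the host's address moves from eth0 to br0 during the restart, which drops the session.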
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> Behalf Of Gordon Messmer
> Sent: Thursday, September 29, 2016 11:47 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] Virtualization Networking
>
> On 09/28/2016 08:43 AM, tdukes at palmettoshopper.com wrote:
> > I have one of those free domains/DNS from no-ip.com,
> > centos7vm.ddns.net I plan to use as the host name.
> >
> > I want to be able to access this VM from the internet.
> ...
> > This is what I was seeing. Either it lands on the DSL router's login
> > page or the host's website.
>
> If you only have one address, you'll need to configure port forwarding or a
> "bastion host" from that DSL router (whatever it supports). Your "no-ip.com"
> address will simply point at that host.
>
> > So, how much in the network setup for the new installation do I need
> > to do? Do I need to go with NAT or bridged?
>
> You have a couple of options for VMs that you want to access from the LAN.
> The best documented and probably most widely used is bridged.
> That one also probably requires the most setup:
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Configure_Network_Bridging.html
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Virtualization_Deployment_and_Administration_Guide/sect-Network_configuration-Bridged_networking.html
>
> You can also use macvtap, which doesn't require the use of a special bridge
> interface, but you do have to enable hairpin mode if you want the KVM
> guest to be able to access its guests. I honestly can't find much useful
> documentation.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/sect-attch-nic-physdev.html
>

Thanks, I am running 6.8. For whatever reason, the default NAT setup no longer works. I got some kind of bridge network (macvtap) set up that has access to the outside, but I still can't connect locally.