CentOS - Sep 2016 - Virtualization Networking

Hello,

I'm a little confused on which networking option I need to choose when
setting up a VM.

I set up two VMs this past weekend both with NAT. Both able to were
access the internet.

The first one, I created in my / file system but didn't really have the
space so I deleted it.

The second one, I created in /home/kvm, but deleted it as well when I
couldn't access it FROM the internet. I had a full backup scheduled for
that night and deleted it as well.

I have one of those free domains/DNS from no-ip.com, centos7vm.ddns.net
I plan to use as the host name.

I want to be able to access this VM from the internet.

So, how much in the network setup for the new installation do I need to
do? Do I need to go with NAT or bridged?


I did four installations last night and could get any of the access the
internet with ym. Must have been dumb luck the first two times.

I think it maybe something in iptables from one of the previous installs
causing the problem. In ifconfig, I still have virbr0 and virbr1. Didn't
have those before.

Here's my iptables:

# Generated by iptables-save v1.4.7 on Tue Sep 27 22:17:35 2016
*mangle
:PREROUTING ACCEPT [29980:14598541]
:INPUT ACCEPT [4740:1518258]
:FORWARD ACCEPT [25240:13080283]
:OUTPUT ACCEPT [6749:1743387]
:POSTROUTING ACCEPT [30207:14647456]
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM
--checksum-fill 
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM
--checksum-fill 
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM
--checksum-fill 
-A POSTROUTING -o virbr1 -p udp -m udp --dport 68 -j CHECKSUM
--checksum-fill 
COMMIT
# Completed on Tue Sep 27 22:17:35 2016
# Generated by iptables-save v1.4.7 on Tue Sep 27 22:17:35 2016
*nat
:PREROUTING ACCEPT [1130:73984]
:POSTROUTING ACCEPT [20:1245]
:OUTPUT ACCEPT [245:19366]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j
MASQUERADE --to-ports 1024-65535 
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j
MASQUERADE --to-ports 1024-65535 
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE 
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j
MASQUERADE --to-ports 1024-65535 
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j
MASQUERADE --to-ports 1024-65535 
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE 
-A POSTROUTING -o eth1 -j MASQUERADE 
-A POSTROUTING -o br0 -j MASQUERADE 
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT
# Completed on Tue Sep 27 22:17:35 2016
# Generated by iptables-save v1.4.7 on Tue Sep 27 22:17:35 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:IP4BOGONS - [0:0]
:f2b-default - [0:0]
:f2b-dovecot-pop3imap - [0:0]
-A INPUT -m set --match-set blacklistnet src -j DROP 
-A INPUT -m set --match-set blacklist src -j DROP 
-A INPUT -s 127.0.0.1/32 -j ACCEPT 
-A INPUT -m set --match-set block src -j DROP 
COMMIT
# Completed on Tue Sep 27 22:17:35 2016


And my ifconfig:

eth0      Link encap:Ethernet  HWaddr 44:37:E6:53:1E:E2  
          inet addr:192.168.1.110  Bcast:192.168.1.255 
Mask:255.255.255.0
          inet6 addr: fe80::4637:e6ff:fe53:1ee2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:601486 errors:0 dropped:0 overruns:0 frame:0
          TX packets:601818 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:412662650 (393.5 MiB)  TX bytes:508284675 (484.7 MiB)
          Interrupt:20 Memory:fe500000-fe520000 

eth1      Link encap:Ethernet  HWaddr 00:1B:21:AF:6D:22  
          inet addr:192.168.0.111  Bcast:255.255.255.255 
Mask:255.255.255.0
          inet6 addr: fe80::21b:21ff:feaf:6d22/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:260 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:53372 (52.1 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:44216 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44216 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:26786210 (25.5 MiB)  TX bytes:26786210 (25.5 MiB)

virbr0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:162 (162.0 b)

virbr1    Link encap:Ethernet  HWaddr 00:00:00:00:00:00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 b)  TX bytes:244 (244.0 b)


Currently, the are no VMs installed or running.

Any help would be greatly appreciated!

On 9/28/2016 8:43 AM, tdukes at palmettoshopper.com
wrote:
> I'm a little confused on which networking option I need to choose when
> setting up a VM.
the host thats running the VM, is it connected to a LAN behind a 
firewall/router, or directly to the internet?   if directly, is there a 
dedicated internet IP address that the VM can use?    if yes, then you 
want a bridged network where the VM uses that dedicated internet IP 
seperate from the host's IP.

if its on a LAN with private addressing, you want to use a dedicated LAN 
IP address, seperate from the host's LAN IP, but since its behinda NAT 
router, I really don't know how you'd expect it to use DDNS as that will
only see the router's internet IP address.

-- 
john r pierce, recycling bits in santa cruz

On Sep 28, 2016, at 9:43 AM, <tdukes at palmettoshopper.com> <tdukes at
palmettoshopper.com> wrote:
> 
> The first one, I created in my / file system but didn't really have the
> space so I deleted it.
One of the primary advantages of VMs over real machines is that you can pause
them, move them, and then restart them, with the VM guest OS not realizing that
anything has happened.

Some virtual machine management systems even automate this, letting you move an
active VM without any downtime at all.
> The second one, I created in /home/kvm, but deleted it as well when I
> couldn't access it FROM the internet.
That?s actually the main reason to use NAT over bridged networking: to *prevent*
outsiders from connecting into the VM guest.  It?s a good thing for exactly the
same reason your home internet service?s router/gateway?s NAT is a good thing.

While it is possible to drill a hole back through the VM?s NAT layer into the
guest using port mapping rules, that amounts to double NAT, which adds an
unnecessary amount of complexity.

If all of the threats to the VM guest are outside the LAN?s border gateway, it?s
simpler to use bridged networking, and set up the port forwarding rules on the
LAN border gateway.

Beyond that general advice, you escape anything CentOS-specific, so you need to
take the problem up elsewhere, such as https://portforward.com/
> I want to be able to access this VM from the internet.
Once the VM is set to use port forwarding and a static IP, you can forward port
22 to the Internet.

I recommend that the port forwarding rule expose the internal port 22 as some
random value on the outside.  This will cut down on a lot of script kiddie spam
in your logs.  Some will decry this as ?security through obscurity,? but that?s
bogus.  Obscurity is not a bad thing in itself.  The problem comes when
obscurity is your *only* security.  That?s not the case with SSH.

I don?t recommend forwarding any other ports to the Internet, if you can
possibly get away with it.  SSH can do its own port forwarding, which reduces
your VM?s attack surface from the Internet.  With SSH acting as a poor-man?s
VPN, an attacker would have to break SSH before they can get into any of your
internal VM?s other services.

Alternately, you could set up a VPN, and then you wouldn?t need to mess with
port forwarding, either at the LAN border or via SSH.

On 09/28/2016 08:43 AM, tdukes at palmettoshopper.com
wrote:
> I have one of those free domains/DNS from no-ip.com, centos7vm.ddns.net
> I plan to use as the host name.
>
> I want to be able to access this VM from the internet.
...
> This is what I was seeing. Either it lands on the DSL router's login
> page or the host's website.
If you only have one address, you'll need to configure port forwarding 
or a "bastion host" from that DSL router (whatever it supports).  Your
"no-ip.com" address will simply point at that host.
> So, how much in the network setup for the new installation do I need to
> do? Do I need to go with NAT or bridged?

You have a couple of options for VMs that you want to access from the 
LAN.  The best documented and probably most widely used is bridged.  
That one also probably requires the most setup:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-Configure_Network_Bridging.html

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Virtualization_Deployment_and_Administration_Guide/sect-Network_configuration-Bridged_networking.html

You can also use macvtap, which doesn't require the use of a special 
bridge interface, but you do have to enable hairpin mode if you want the 
KVM guest to be able to access its guests.  I honestly can't find much 
useful documentation.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/sect-attch-nic-physdev.html

> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
> Behalf Of Gordon Messmer
> Sent: Thursday, September 29, 2016 11:47 AM
> To: CentOS mailing list
> Subject: Re: [CentOS] Virtualization Networking
> 
> On 09/28/2016 08:43 AM, tdukes at palmettoshopper.com wrote:
> > I have one of those free domains/DNS from no-ip.com,
> > centos7vm.ddns.net I plan to use as the host name.
> >
> > I want to be able to access this VM from the internet.
> ...
> > This is what I was seeing. Either it lands on the DSL router's
login
> > page or the host's website.
> 
> If you only have one address, you'll need to configure port forwarding
or
a
> "bastion host" from that DSL router (whatever it supports).  Your
"no-ip.com"
> address will simply point at that host.
> 
> > So, how much in the network setup for the new installation do I need
> > to do? Do I need to go with NAT or bridged?
> 
> 
> You have a couple of options for VMs that you want to access from the LAN.
> The best documented and probably most widely used is bridged.
> That one also probably requires the most setup:
> 
> https://access.redhat.com/documentation/en-
> US/Red_Hat_Enterprise_Linux/7/html/Networking_Guide/ch-
> Configure_Network_Bridging.html
> 
> https://access.redhat.com/documentation/en-
> US/Red_Hat_Enterprise_Linux/7/html/Virtualization_Deployment_and_Ad
> ministration_Guide/sect-Network_configuration-Bridged_networking.html
> 
> You can also use macvtap, which doesn't require the use of a special
bridge
> interface, but you do have to enable hairpin mode if you want the KVM
> guest to be able to access its guests.  I honestly can't find much
useful
> documentation.
> 
> https://access.redhat.com/documentation/en-
> US/Red_Hat_Enterprise_Linux/6/html/Virtualization_Administration_Guide/
> sect-attch-nic-physdev.html
> 
Thanks, I am running 6.8. 

For whatever reason, the default NAT setup no longer works. I got some kind
of bridge network (mactap) setup that has access to the outside but I still
can't connect locally.