Installing Proxmox on a Hetzner dedicated server and configuring the network for VPSes


#1

I won't cover installing Proxmox on a Hetzner dedicated server or creating the virtual machines here; that is easy to find online. This post is mainly about the network configuration of the Hetzner physical machine. There are many articles online and they don't all say the same thing, so here I use the network configuration I got working myself. In this post "host" means the physical machine, i.e. the dedicated server, and "VM" means a VPS newly created in Proxmox.

Changing the host IP configuration

First, Hetzner assigns your host one IP address and one IPv6 address. If you bought an additional separate IP address (I haven't tried a separate subnet), request the designated MAC address for that address in the root server admin panel (it is fully automatic and enabled quickly). If you did open an additional IP address, assigning it to a VPS later also requires configuring the host network, otherwise the VPS will not be reachable either; if you did not open an additional IP address, the VPS has to use a private address and reach the internet through NAT, with port mappings configured in iptables on the host so that inbound port access from the internet reaches the VPS.

# cat /etc/network/interfaces

By the time you edit /etc/network/interfaces, your host's own network configuration should already be fine; you can try opening the Proxmox web UI. At this point the file needs further changes (ignore the comment lines):

### Hetzner Online GmbH installimage
source /etc/network/interfaces.d/*

auto lo
iface lo inet loopback
iface lo inet6 loopback

# enp2s0 is the host's NIC name; on some machines it is different, adjust it
# according to the original contents of the interfaces file
# switch it to manual
iface enp2s0 inet manual
iface enp2s0 inet6 manual

# add the bridge; VPSes that get an additional IP later use bridged networking on vmbr0
auto vmbr0
iface vmbr0 inet static
  address <host IP>
  netmask <host netmask>
  gateway <host gateway>
  # ifupdown spells this option "pointopoint"
  pointopoint <host gateway>
  broadcast <host broadcast>
  bridge_ports enp2s0
  bridge_stp off
  bridge_fd 0
  # route to the rest of the host's subnet via the gateway; ip(8) does not accept the
  # route(8) "-net ... netmask ... gw" form, and the route has to go out through the
  # bridge, since enp2s0 is enslaved to it and carries no address of its own
  up ip route add <host network>/<prefix length> via <host gateway> dev vmbr0

iface vmbr0 inet6 static
  address <host IPv6>
  netmask <host IPv6 prefix length, should be 64>
  gateway <host IPv6 gateway>

# to let VPSes with private IPs reach the internet through NAT, add the following bridge
auto vmbr1
iface vmbr1 inet static
  # choose your own subnet; this IP becomes the VMs' gateway address
  address 10.10.10.1
  netmask 255.255.255.0
  bridge_ports none
  bridge_stp off
  bridge_fd 0
  # these lines let VMs with private IPs reach the internet through the host
  post-up echo 1 > /proc/sys/net/ipv4/ip_forward
  post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE
  post-down iptables -t nat -D POSTROUTING -s '10.10.10.0/24' -o vmbr0 -j MASQUERADE

Restart the networking service for the configuration to take effect: service networking restart; if that doesn't work, reboot.

# cat /etc/sysctl.conf

Besides /etc/network/interfaces you also need to edit /etc/sysctl.conf, otherwise ip_forward may not take effect:

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3

##############################################################3
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

###################################################################
# Magic system request Key
# 0=disable, 1=enable all
# Debian kernels have this set to 0 (disable the key)
# See https://www.kernel.org/doc/Documentation/sysrq.txt
# for what other values do
#kernel.sysrq=1

###################################################################
# Protected links
#
# Protects against creating or following links under certain conditions
# Debian kernels have both set to 1 (restricted) 
# See https://www.kernel.org/doc/Documentation/sysctl/fs.txt
#fs.protected_hardlinks=0
#fs.protected_symlinks=0

Uncomment the two lines net.ipv4.ip_forward=1 and net.ipv6.conf.all.forwarding=1, then run sysctl -p to apply the configuration.

Allowing internet access to VPSes with private addresses

The configuration above handles internet access for VMs with an additional IP and for VMs with private IPs, but a VPS with a private address cannot be reached from outside. To solve that you need port mapping; run the following command on the host:

iptables -t nat -A PREROUTING -p tcp -m tcp --dport 12345 -j DNAT --to-destination 10.10.10.2:123

The command above maps port 12345 on the host to port 123 on the VM, so port 123 on the VM can be reached through the host's IP on port 12345. It is lost after a reboot, though; install the iptables-persistent package to fix that:

apt-get install iptables-persistent

Then run the following command to save the port mapping configuration:

netfilter-persistent save

The rules above are saved to the following file:

# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.6.0 on Wed Aug 29 15:54:30 2018
*nat
:PREROUTING ACCEPT [26:3479]
:INPUT ACCEPT [15:2859]
:OUTPUT ACCEPT [4:1173]
:POSTROUTING ACCEPT [15:1793]
-A PREROUTING -p tcp -m tcp --dport 12345 -j DNAT --to-destination 10.10.10.2:123
COMMIT
# Completed on Wed Aug 29 15:54:30 2018
# Generated by iptables-save v1.6.0 on Wed Aug 29 15:54:30 2018
*filter
:INPUT ACCEPT [292596:2868669077]
:FORWARD ACCEPT [6028:329489]
:OUTPUT ACCEPT [245250:80865550]
COMMIT
# Completed on Wed Aug 29 15:54:30 2018

Be careful to pick the right bridge for the VPS: a VPS with an additional IP uses vmbr0 and the designated MAC address you requested; a VPS on the private network uses vmbr1.

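An added check (not code from the original post) for the point the post makes twice: a VPS that gets an additional IP must sit on vmbr0 with exactly the MAC address registered for that IP in the Hetzner panel, because Hetzner delivers the IP only to that MAC and its documentation warns that unregistered MACs seen on the uplink can get the server blocked. The script audits Proxmox VM configs for that before the VM is started. The allowlist, the three `qm config`-style dumps and the bridge name are constructed for illustration; in practice the input is the real `qm config <vmid>` output and the MACs from the panel.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the NICs of Proxmox VMs
# against the MAC addresses registered with Hetzner for additional IPs.
# Assumptions: ALLOWED_MACS, the VM configs and the bridge name are constructed
# for illustration; real input comes from the Hetzner panel and `qm config <vmid>`.

UPLINK_BRIDGE=vmbr0   # bridge on the Hetzner uplink; only NICs on it are policed

# Constructed allowlist, one "<mac> <additional ip>" pair per line (lower-case).
ALLOWED_MACS='00:50:56:00:aa:01 203.0.113.10
00:50:56:00:aa:02 203.0.113.11'

# Constructed `qm config` excerpts for three VMs.
VM100='name: web
net0: virtio=00:50:56:00:AA:01,bridge=vmbr0,firewall=1'
VM101='name: db
net0: virtio=00:50:56:00:AA:02,bridge=vmbr0
net1: virtio=BC:24:11:12:34:56,bridge=vmbr1'
VM102='name: build
net0: virtio=BC:24:11:65:43:21,bridge=vmbr0'

# normalize_mac MAC -> lower-case MAC, so the panel's and Proxmox's casing compare equal
normalize_mac() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# mac_allowed MAC -> exit 0 when MAC appears in ALLOWED_MACS
mac_allowed() {
  m=$(normalize_mac "$1")
  printf '%s\n' "$ALLOWED_MACS" |
    awk -v m="$m" '$1 == m { found = 1 } END { exit (found ? 0 : 1) }'
}

# nic_lines CONFIG -> "<netN> <mac> <bridge>" for every NIC attached to a bridge
nic_lines() {
  printf '%s\n' "$1" |
    sed -n 's/^\(net[0-9][0-9]*\): *[a-z0-9]*=\([0-9A-Fa-f:]\{17\}\),.*bridge=\([A-Za-z0-9]*\).*/\1 \2 \3/p'
}

# vm_violations VMID CONFIG -> one line per NIC on the uplink bridge whose MAC is unregistered
vm_violations() {
  nic_lines "$2" | while read -r nic mac bridge; do
    [ "$bridge" = "$UPLINK_BRIDGE" ] || continue   # vmbr1 only carries NAT traffic
    mac_allowed "$mac" ||
      printf 'VM %s %s: MAC %s on %s is not registered with Hetzner\n' "$1" "$nic" "$mac" "$bridge"
  done
}

# check_vm VMID CONFIG -> 0 if clean, 1 (with the violations printed) otherwise
check_vm() {
  out=$(vm_violations "$1" "$2")
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# audit_all -> 0 only if every VM in the constructed inventory passes
audit_all() {
  status=0
  check_vm 100 "$VM100" || status=1
  check_vm 101 "$VM101" || status=1
  check_vm 102 "$VM102" || status=1
  return $status
}

audit_all || echo "audit failed: fix the NICs above before starting those VMs"
```

Only NICs on the uplink bridge are checked: a VM on vmbr1 talks to the internet through the host's MASQUERADE rule, so its MAC never appears on Hetzner's switch port. VM 102 above fails the audit because its vmbr0 NIC keeps the random MAC Proxmox generated.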

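An added example (not code from the original post) covering the caveat a reviewer would raise about the saved rules.v4 above: its filter table has `:FORWARD ACCEPT`, so once ip_forward=1 the host forwards whatever it is handed, and the DNAT rule is not tied to the uplink interface. The script generates a replacement /etc/iptables/rules.v4 with a default-deny FORWARD chain that admits only replies, outbound connections from 10.10.10.0/24 and the explicitly mapped ports, and it validates each mapping before emitting rules for it. The bridge names and subnet follow the post; the three port mappings are constructed (the first is the post's own 12345 -> 10.10.10.2:123).

```shell
#!/bin/sh
# Added example, not part of the original post: generate /etc/iptables/rules.v4
# for the vmbr0/vmbr1 NAT setup with a default-deny FORWARD chain.
# Assumptions: interface names and subnet mirror the post; MAPPINGS is constructed.

UPLINK=vmbr0            # bridge holding the public IP
NAT_BR=vmbr1            # internal bridge, VM gateway 10.10.10.1
NAT_PREFIX=10.10.10     # first three octets of the /24 behind vmbr1
NAT_NET=$NAT_PREFIX.0/24

# Constructed port mappings: "<proto> <host port> <vm ip> <vm port>", one per line.
MAPPINGS='tcp 12345 10.10.10.2 123
tcp 2222 10.10.10.3 22
udp 51820 10.10.10.4 51820'

# valid_mapping PROTO HPORT IP PORT -> 0 if the mapping is well-formed and the
# target is a host address inside the NAT subnet (not .0, the .1 gateway, or .255)
valid_mapping() {
  case "$1" in tcp|udp) ;; *) return 1 ;; esac
  for p in "$2" "$4"; do
    case "$p" in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  done
  case "$3" in "$NAT_PREFIX".*) last=${3##*.} ;; *) return 1 ;; esac
  case "$last" in ''|*[!0-9]*) return 1 ;; esac
  [ "$last" -ge 2 ] && [ "$last" -le 254 ]
}

# each_mapping CMD -> runs "CMD proto hport ip port" for every valid mapping,
# reporting and skipping malformed ones instead of emitting a broken rule
each_mapping() {
  printf '%s\n' "$MAPPINGS" | while read -r proto hport ip port; do
    [ -n "$proto" ] || continue
    if valid_mapping "$proto" "$hport" "$ip" "$port"; then
      "$1" "$proto" "$hport" "$ip" "$port"
    else
      echo "skipping malformed mapping: $proto $hport $ip $port" >&2
    fi
  done
}

# DNAT only packets that actually arrive on the uplink
dnat_rule() {
  printf '%s\n' "-A PREROUTING -i $UPLINK -p $1 --dport $2 -j DNAT --to-destination $3:$4"
}
# matching FORWARD accept for new connections to the mapped VM port only
forward_rule() {
  printf '%s\n' "-A FORWARD -i $UPLINK -o $NAT_BR -d $3 -p $1 --dport $4 -m conntrack --ctstate NEW -j ACCEPT"
}

dnat_rules() { each_mapping dnat_rule; }

forward_rules() {
  # replies and established flows in either direction
  printf '%s\n' "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  # VMs behind NAT may open connections to the internet
  printf '%s\n' "-A FORWARD -i $NAT_BR -o $UPLINK -s $NAT_NET -j ACCEPT"
  # bridged public-IP VMs on vmbr0 only traverse FORWARD when br_netfilter hooks
  # bridged frames into iptables (bridge-nf-call-iptables=1); keep them working
  printf '%s\n' "-A FORWARD -i $UPLINK -o $UPLINK -j ACCEPT"
  each_mapping forward_rule
}

# rules_v4 -> complete iptables-restore input; anything else in FORWARD is dropped
rules_v4() {
  printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
    ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
  dnat_rules
  printf '%s\n' "-A POSTROUTING -s $NAT_NET -o $UPLINK -j MASQUERADE" 'COMMIT'
  printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
  forward_rules
  printf '%s\n' 'COMMIT'
}

rules_v4
```

Write the output to /etc/iptables/rules.v4 (or pipe it into `iptables-restore`) instead of using `netfilter-persistent save`, which would only snapshot whatever happens to be loaded. Before switching FORWARD to DROP, check `sysctl net.bridge.bridge-nf-call-iptables`: if it is 1, bridged traffic of the public-IP VMs on vmbr0 also passes through FORWARD, which is why the `-i vmbr0 -o vmbr0` accept is included; if it is 0 that rule is never matched and is harmless.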

#2

Getting a Hetzner dedicated server configured really is a bit of a hassle.


#3

Access to Germany is still too slow.