Proxying KVM virtual systems with one physical interface

I haven’t written things here for ages, mostly due to the proliferation of “Social Media”, and not really finding it necessary to keep my blog “up to date”. I probably should have- alas, I did not. Thanks to the volatile nature of internet services that others control, so many pictures and writings are lost- it makes me reflect on where we’re headed as a society- but that’s ANOTHER conversation altogether.

I’ve been working on many things since my last posts- I’m managing about 100 VPS and more than a handful of physical servers as I work back into my former career of System Administration.

I figured I’d reboot my blog with an interesting implementation I’ve come up with for a very specific hosting issue.

KimSufi is an OVH company, which tends to fulfill lower-end client needs. Someone posted about the KS-3C hosts being available after being out of stock for months. What they promise is an i3-grade machine with 8GB RAM and 2TB of storage, which isn't a bad system at all for about $10/mo.

Having a KS-1 (2GB Intel Atom based machine with 500GB HD), I’m aware of the network issues and limitations at Kimsufi (you’re not given console access, and you’re stuck with using their rescue network-boot to install your operating system of choice). This is a bit of an issue to work on initially, but you get used to checking your work twice. :)

A couple weeks ago I got tired of Debian on my KS-1, so I ended up virtualizing KVM on the system, and using the local hard disk as my “scratch space”. Long story short- I did an install of OpenBSD through the rescue media, giving this lower end machine a bit more security with less overhead.

When I received my notification that I got the KS-3 setup, I logged in to find I was actually given an I5 CPU, and 16GB of RAM! This is a very beefy system, and it would be a shame to waste it as a nameserver alone.

I decided that I wanted to virtualize this system, but I did not want to use the built-in mactun/libvirt hosting, as it does its own virtual DHCP with port translation and, without a lot of extra work, is really only intended as a temporary setup.

I setup the primary ethernet interface as a bridge, and that’d be all I needed to do if I wanted to run in public IP space. Kimsufi will not give you a second IP address- they tell you to upgrade to the SoYouStart network if you need more than one.

Not a problem! I created a secondary bridge tied to NO interfaces, and assigned my KVM to use that bridge interface, having given it its own MAC address (which is the simplest and most appropriate way to handle virtual machine interfaces). Debian's ifupdown needs `bridge_ports none` to bring up a bridge that has no physical members:

# /etc/network/interfaces: a bridge with no physical ports, used only by the VMs.
auto br1
iface br1 inet static
	address 192.168.x.Y
	network 192.168.x.0
	netmask 255.255.255.0
	broadcast 192.168.x.255
	bridge_ports none
	bridge_fd 9
	bridge_hello 2
	bridge_maxage 12
	bridge_stp off

# Create the VM on br1 with a fixed MAC. Note that --network is a single
# comma-separated argument: a space after "virtio," would make "mac=..."
# a separate (invalid) positional argument.
$ virt-install --connect=qemu:///system --name=OpenBSD-DNS1 --ram=2048 \
 --vcpus=2 --cpu Nehalem,-invtsc --description "Virtual OpenBSD DNS server" \
 --os-variant=openbsd4 --boot hd,network,menu=on \
 --disk /var/lib/libvirt/images/openbsdns1,size=20,sparse=false,cache=writeback \
 --network=bridge=br1,model=virtio,mac=xx:xx:xx:xx:xx:xx \
 --video=vga --graphics vnc,listen=0.0.0.0,port=5959,password=x.x.x.x,passwordvalidto=Z \
 --autostart --noautoconsole

Now, all I had to do was enable IP forwarding on the host (net.ipv4.ip_forward=1, otherwise the kernel will not route between the two bridges at all) and masquerade traffic from br1 out through my primary interface/bridge, br0:

$ iptables -t nat -A POSTROUTING -s '192.168.x.0/24' -o br0 -j MASQUERADE

Opening VNC to my public interface on the given port dropped me right into my new KVM, so I was able to configure and install OpenBSD.

Finally, I set up port forwarding on my external IP (gateway/host) machine so that DNS traffic goes to my virtual internal OpenBSD installation:

# Rewrite inbound DNS on the public side to the VM. DNAT happens in PREROUTING,
# so the FORWARD rules below already see the VM's address as the destination.
$ iptables -A PREROUTING -t nat -i br0 -p tcp --dport 53 -j DNAT --to 192.168.x.y:53
$ iptables -A PREROUTING -t nat -i br0 -p udp --dport 53 -j DNAT --to 192.168.x.y:53
# These only matter if the FORWARD chain's policy is DROP (in which case replies
# also need a RELATED,ESTABLISHED rule); with the default ACCEPT policy they are no-ops.
$ iptables -A FORWARD -p tcp -d 192.168.x.y --dport 53 -j ACCEPT
$ iptables -A FORWARD -p udp -d 192.168.x.y --dport 53 -j ACCEPT
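To pull the pieces above together, here is an added example of my own (not the commands from the original post) that generates the whole host-side rule set for a VM on an interface-less bridge, with a default-deny FORWARD policy and the return-traffic rule that such a policy requires. The addresses and names are placeholders: the post's 192.168.x.y becomes 192.168.77.10 on br1, the public bridge is br0, and the published ports are given as proto:port pairs.

```shell
#!/bin/sh
# Added example, not from the original post: generate (and optionally apply)
# the host-side NAT and forwarding rules for a VM that lives on an
# interface-less bridge behind a host with a single public bridge.
# All addresses and interface names below are hypothetical placeholders.

# nat_rules VM_IP VM_NET PUB_IF VM_IF PORTS...
# Prints one command per line. PORTS are "proto:port" pairs that should be
# reachable from the internet and handed to the VM.
nat_rules() {
    vm_ip=$1; vm_net=$2; pub_if=$3; vm_if=$4
    shift 4

    # Without forwarding the kernel never routes between the two bridges.
    echo "sysctl -w net.ipv4.ip_forward=1"

    # Default-deny for forwarded traffic; every allowed path is explicit below.
    echo "iptables -P FORWARD DROP"

    # Replies belonging to connections the rules below admitted, both directions.
    echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"

    # The VM may reach the internet, hidden behind the host's public address.
    echo "iptables -A FORWARD -i $vm_if -s $vm_net -o $pub_if -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $vm_net -o $pub_if -j MASQUERADE"

    # Per published port: rewrite the destination, then permit only that new
    # destination. DNAT runs in PREROUTING, so FORWARD already sees the VM IP.
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec#*:}
        echo "iptables -t nat -A PREROUTING -i $pub_if -p $proto --dport $port -j DNAT --to-destination $vm_ip:$port"
        echo "iptables -A FORWARD -i $pub_if -o $vm_if -d $vm_ip -p $proto --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# published_ports RULES: lists the "proto:port" pairs the rule set DNATs,
# a quick audit of what the public side actually exposes.
published_ports() {
    printf '%s\n' "$1" | awk '/-j DNAT/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") p = $(i + 1)
            if ($i == "--dport") d = $(i + 1)
        }
        print p ":" d
    }'
}

# Placeholder topology: VM 192.168.77.10 on br1, public bridge br0, DNS only.
RULES=$(nat_rules 192.168.77.10 192.168.77.0/24 br0 br1 tcp:53 udp:53)

# Dry run by default; APPLY=1 executes every generated line (needs root).
if [ "${APPLY:-0}" = "1" ]; then
    printf '%s\n' "$RULES" | sh -e
else
    printf '%s\n' "$RULES"
fi
```

Run it as `sh nat.sh` to review the rules and `APPLY=1 sh nat.sh` as root to apply them; `published_ports "$RULES"` is the list you should be able to recite from memory, because it is exactly what the internet can reach on the VM. Two caveats worth knowing: traffic the host sends to its own public address never traverses PREROUTING, so testing the DNAT from the host itself needs a matching rule in the nat OUTPUT chain (or just test from outside); and if the VNC console is left on listen=0.0.0.0 as in the virt-install above, a short-lived password is the only thing between the internet and the installer, so binding it to 127.0.0.1 and reaching it over `ssh -L 5959:127.0.0.1:5959 host` costs nothing. Similarly, whatever answers on port 53 on the public side (the unbound proxy described next, in the post's final setup) must refuse recursion for arbitrary clients, or the box becomes an open resolver usable for amplification.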

Note that the above isn’t taking full advantage of the system I have in place. What I’ve actually done is setup unbound as a caching authoritative-only DNS proxy on the external interface, which allows me to keep my actual zone data off of the machine which is open to the public for queries. I’ve now got my DNS service running on a virtual machine on the KS-3C, and am exposing no other part of the embedded system to the internet at large.

Now, what do I do with the other 3 vCPUs and 12GB of RAM?