
I thought I had posted this ages ago, but in case anybody needs to know how, here's how you set up a virtual KVM firewall. I'm using Smoothwall, but any distro would work.

Here are the relevant host config files. eth0 is the external (internet-facing) NIC and eth1 is the internal NIC. Set up the guests as normal.

You can also most likely ignore the rc.local and start_network scripts, as they are only needed if you want to connect to the internet from the host without running your virtual firewall. Once I got this working I never have.

I'm pretty sure this all works from a reboot but to be honest it's been so long since I've rebooted my host I'm not positive.

Note: the lines between the '::::::::::::::' markers are just the filename headers from the 'more *' output; ignore them.

::::::::::::::
ifcfg-br0
::::::::::::::
# br0: host-side bridge for the external (internet-facing) segment; eth0 is
# its member (see ifcfg-eth0).
DEVICE=br0
# No IPADDR here: the host has no address on the external segment (compare
# ifcfg-br1).  The firewall guest is the only thing that talks on it.
BOOTPROTO=none
# Brought up by /usr/local/bin/start_network (bridge mode), not at boot.
ONBOOT=no
TYPE=bridge

# Fixed MAC for the bridge device itself, distinct from the physical eth0 MAC.
MACADDR=fe:ff:ff:ff:ff:00
PEERDNS=no
IPV6INIT=no
# NetworkManager leaves this device alone.
NM_CONTROLLED=no
USERCTL=no
::::::::::::::
ifcfg-br1
::::::::::::::
# Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller
# br1: host-side bridge for the internal LAN; eth1 is its member (see ifcfg-eth1).
DEVICE=br1
# Brought up by /usr/local/bin/start_network, not at boot.
ONBOOT=no
TYPE=bridge

# Static address.  In bridge mode this is the host's only IP address (br0 has
# none, and eth0/eth1 are bridge members).
BOOTPROTO=none
BROADCAST=192.168.5.255
IPADDR=192.168.5.1
NETMASK=255.255.255.0
NETWORK=192.168.5.0

PEERDNS=no
IPV6INIT=no
# NetworkManager leaves this device alone.
NM_CONTROLLED=no
# Default route via 192.168.5.254 — presumably the fw guest's LAN-side address;
# start_network's bridge mode adds the same default gateway.
GATEWAY=192.168.5.254
USERCTL=no
::::::::::::::
ifcfg-eth0
::::::::::::::
# 3Com Corporation 3c900B-TPO Etherlink XL [Cyclone]
# External NIC, enslaved to br0.  HWADDR is the card's real MAC; fw.xml gives
# the same MAC to the firewall guest's external interface, and start_network's
# bridge mode moves the host's eth0 to a placeholder MAC with ARP off.
# NOTE(review): the MAC is changed before `ifup eth0`; if ifup compares HWADDR
# against the live MAC this would mismatch — confirm on the target distro.
DEVICE=eth0
HWADDR=00:50:04:7F:B5:A3
# Brought up by /usr/local/bin/start_network, not at boot.
ONBOOT=no
BRIDGE=br0
::::::::::::::
ifcfg-eth1
::::::::::::::
# Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller
# Internal NIC, enslaved to br1.  The host's LAN address lives on br1 (see
# ifcfg-br1), so this device carries no address of its own.
DEVICE=eth1
HWADDR=00:16:17:D8:FC:32
# Brought up by /usr/local/bin/start_network, not at boot.
ONBOOT=no
BRIDGE=br1
BOOTPROTO=none
USERCTL=no
IPV6INIT=no
# NetworkManager leaves this device alone.
NM_CONTROLLED=no
TYPE=Ethernet
::::::::::::::
/etc/libvirt/qemu/fw.xml
::::::::::::::
<!-- libvirt definition of the "fw" guest: a KVM domain with one interface on
     each host bridge, so traffic between the external segment (br0) and the
     LAN (br1) passes through this guest. -->
<domain type='kvm'>
<name>fw</name>
<uuid>76bfb29c-ebd8-7d25-6009-0874d8cca460</uuid>
<memory>98304</memory>
<currentMemory>98304</currentMemory>
<vcpu>1</vcpu>
<os>
<type>hvm</type>
<boot dev='hd'/>
</os>
<clock offset='utc'/>
<on_poweroff>destroy</on_poweroff>
<on_reboot>restart</on_reboot>
<on_crash>destroy</on_crash>
<features><acpi/></features>
<devices>
<emulator>/usr/bin/qemu-kvm</emulator>
<!-- emulator>/usr/bin/qemu-system-x86_64</emulator -->
<!-- Root disk: an LVM logical volume on the host, passed through as a block device. -->
<disk type='block' device='disk'>
<source dev='/dev/lvm-1/vm-fw'/>
<target dev='hda'/>
</disk>
<!-- CD-ROM drive with no media attached (empty source). -->
<disk type='file' device='cdrom'>
<source file=''/>
<target dev='hdc'/>
<readonly/>
</disk>
<!-- External interface on br0.  Same MAC as the host's physical eth0 (HWADDR
     in ifcfg-eth0); start_network's bridge mode moves the host's eth0 to a
     placeholder MAC with ARP off, so this guest is what answers on the
     external segment. -->
<interface type='bridge'>
<mac address='00:50:04:7f:b5:a3'/>
<source bridge='br0'/>
</interface>
<!-- Internal (LAN) interface on br1. -->
<interface type='bridge'>
<mac address='00:16:3e:06:8c:10'/>
<source bridge='br1'/>
</interface>
<input type='mouse' bus='ps2'/>
<!-- VNC console bound to loopback only: reachable from the host, not from
     either network.  port='-1' lets libvirt pick the port. -->
<graphics type='vnc' port='-1' listen='127.0.0.1'/>
</devices>
</domain>
::::::::::::::
/etc/rc.d/rc.local (end of)
::::::::::::::
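# Only bring up the bridge network and the guests in a multi-user runlevel
# (3 or higher).  `runlevel` prints "<previous> <current>"; matching with a
# case pattern (instead of `[ ... -ge 3 ]`) avoids the "integer expression
# expected" error the old test raised when the current level is "unknown".
CURR_RUNLEVEL=$(runlevel | cut -d ' ' -f 2)
case "$CURR_RUNLEVEL" in
  [3-9])
    /usr/local/bin/start_network bridge
    ;;
esac

# Start the firewall guest first; the other guests presumably reach the
# outside world through it.
virsh start fw
virsh start magneto
virsh start gaius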
::::::::::::::
/usr/local/bin/start_network
::::::::::::::
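#!/bin/bash
#
# start_network — bring up the host's NICs and bridges in one of two modes.
#
#   bridge (default): the host has no presence on the external segment.
#       eth0 gets a placeholder MAC with ARP off and is enslaved to br0; the
#       firewall guest (fw.xml) owns the real eth0 MAC and does all routing
#       and NAT.  The host only forwards frames that are being bridged.
#   dhcp: the host itself connects to the internet on eth0 and acts as the
#       NAT router/firewall for the LAN (for when the fw guest is not running).
#
# Usage: start_network [bridge|dhcp]   (any value other than "dhcp" means bridge)
# Called from rc.local; needs root.  Expects dhcp-ifcfg-eth0 and
# bridge-ifcfg-eth0 to exist in /etc/sysconfig/network-scripts; ifcfg-eth0 is
# re-pointed at one of them for the chosen mode.
#
# Changes from the original:
#   - the ssh-over-443 DNAT rule is now placed before the generic https DNAT
#     rule (it was last, where it could never match — DNAT is terminating and
#     nat PREROUTING is evaluated top-down);
#   - the duplicated POSTROUTING SNAT rule is listed once;
#   - dhcp mode sets a FORWARD DROP policy (previously left untouched, which
#     made the FORWARD accept rules redundant);
#   - bridge mode also flushes the nat table so dhcp-mode rules do not linger.

set -u

readonly NET_SCRIPTS=/etc/sysconfig/network-scripts
# Physical MAC of eth0 (HWADDR in ifcfg-eth0; also the MAC fw.xml gives the
# guest's external interface).
readonly ETH0_HWADDR=00:50:04:7F:B5:A3
# Placeholder MAC the host's eth0 wears in bridge mode so the guest can use
# the real one.
readonly ETH0_BRIDGE_HWADDR=00:ff:ff:ff:ff:00
readonly EXT_IP=70.75.174.186          # address expected on eth0 in dhcp mode
readonly LAN_NET=192.168.5.0/24
readonly LAN_GW=192.168.5.254          # default gateway in bridge mode (presumably the fw guest's LAN side)
readonly DMZ_HOST=192.168.5.10         # internal server reached via DNAT in dhcp mode
readonly ADMIN_SRC=72.13.190.34        # remote address allowed ssh-over-443 to DMZ_HOST

#######################################
# Host-as-firewall mode: eth0 gets its real MAC back and an address from
# DHCP, and the host does NAT for the LAN.
# Globals:   ETH0_HWADDR, LAN_NET, EXT_IP, DMZ_HOST, ADMIN_SRC (read)
# Arguments: none
#######################################
configure_dhcp_mode() {
  service network restart

  # Restore the physical MAC (bridge mode replaces it) and re-enable ARP.
  ip link set eth0 down
  ip link set eth0 address "$ETH0_HWADDR" arp on

  ifup eth0
  ifup eth1
  ifup br1        # ifcfg-br1 as shown assigns 192.168.5.1 to the host

  service libvirtd restart

  modprobe ipt_MASQUERADE
  modprobe iptable_nat
  # Enable IP forwarding (NAT) and SYN-cookie DoS protection.
  echo 1 > /proc/sys/net/ipv4/ip_forward
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies

  # Clean slate in both the filter and nat tables.
  iptables -F
  iptables -Z
  iptables -F -t nat
  iptables -Z -t nat

  # INPUT: default deny; allow loopback, everything from the LAN side,
  # replies, and ssh.
  iptables -P INPUT DROP
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -i br1 -j ACCEPT
  iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # NOTE(review): br1 is already fully accepted above, so this rule only
  # matters for eth0, i.e. it exposes the host's ssh to the internet.  Add
  # `-i br1` or `-s "$ADMIN_SRC"` if that is not intended.
  iptables -A INPUT -p tcp --dport ssh -j ACCEPT

  # FORWARD: default deny.  LAN<->anywhere and reply traffic are allowed;
  # DNAT'ed inbound connections match the -d LAN_NET rule because FORWARD
  # sees the post-DNAT destination.  (The original never set this policy,
  # so whatever was in effect — ACCEPT at boot unless something else set it —
  # applied, and the accept rules below did nothing.)
  iptables -P FORWARD DROP
  #iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
  iptables -A FORWARD -s "$LAN_NET" -j ACCEPT
  iptables -A FORWARD -d "$LAN_NET" -j ACCEPT
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # Port forwards to the DMZ host.  The source-specific ssh-over-443 rule
  # must come BEFORE the generic https rule: DNAT is terminating and the
  # chain is evaluated top-down, so placed last (as in the original) it can
  # never match.  Consequence: ADMIN_SRC reaches DMZ_HOST:22, not :443.
  iptables -t nat -A PREROUTING -i eth0 -p tcp -s "$ADMIN_SRC" -d "$EXT_IP" --dport https \
    -j DNAT --to-destination "${DMZ_HOST}:22"
  local svc
  for svc in http https smtp imaps; do
    iptables -t nat -A PREROUTING -i eth0 -p tcp -d "$EXT_IP" --dport "$svc" \
      -j DNAT --to-destination "$DMZ_HOST"
  done

  # Source-NAT LAN traffic leaving eth0 as EXT_IP (the original listed this
  # rule twice).
  iptables -t nat -A POSTROUTING -s "$LAN_NET" -o eth0 -j SNAT --to-source "$EXT_IP"
}

#######################################
# Firewall-guest mode.  Assumes only lo is up (fresh boot).
# Globals:   ETH0_BRIDGE_HWADDR, LAN_GW (read)
# Arguments: none
#######################################
configure_bridge_mode() {
  # Give the host's eth0 a placeholder MAC and disable ARP on it so the host
  # is silent on the external segment; the fw guest's external interface
  # uses the real MAC (see fw.xml).
  ip link set eth0 down
  ip link set eth0 address "$ETH0_BRIDGE_HWADDR" arp off

  ifup eth0
  ifup eth1

  sleep 1         # let the member NICs settle before the bridges come up

  ifup br0        # no ip address on the host side (see ifcfg-br0)
  ifup br1        # ifcfg-br1 as shown assigns 192.168.5.1

  # The host reaches the outside world through the fw guest's LAN address.
  ip route add default via "$LAN_GW"

  # Flush both tables so rules from an earlier dhcp-mode run do not linger
  # (the original only flushed filter).
  iptables -F
  iptables -Z
  iptables -F -t nat
  iptables -Z -t nat

  # Only forward frames that are being bridged (br0/br1 members); the host
  # itself routes nothing.
  iptables -P FORWARD DROP
  iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
  # NOTE(review): the INPUT policy is not reset here.  If this runs after a
  # dhcp-mode run (which set INPUT DROP), the flush above removes the accept
  # rules and the host becomes unreachable until reboot — confirm whether an
  # explicit `iptables -P INPUT ACCEPT` is wanted in this mode.

  /etc/rc.d/init.d/libvirtd start
}

#######################################
# Entry point.
# Arguments: $1 - "dhcp" for host-as-firewall mode; anything else (or no
#                 argument) selects bridge mode, as in the original script.
#######################################
main() {
  local mode
  if [[ "${1:-}" == "dhcp" ]]; then
    mode=dhcp
  else
    mode=bridge
  fi

  cd "$NET_SCRIPTS" || { printf 'start_network: cannot cd to %s\n' "$NET_SCRIPTS" >&2; exit 1; }

  # Point ifcfg-eth0 at the variant for this mode (presumably dhcp-ifcfg-eth0
  # holds the DHCP config and bridge-ifcfg-eth0 the BRIDGE=br0 one shown in
  # this post).
  ln -sf "${mode}-ifcfg-eth0" ifcfg-eth0

  if [[ "$mode" == "dhcp" ]]; then
    configure_dhcp_mode
  else
    configure_bridge_mode
  fi
}

main "$@"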
Category: tech, Tags: kvm, linux