Hetzner IP Subnet and VMware
Since Hetzner has changed the way it handles additional IPs, here is the approach I now use for handling your subnet.
The good thing about this approach is that you start using a firewall instead of putting all your virtual machines directly on the internet. Note that this only holds when the default policy of the INPUT and FORWARD chains is DROP and only the ports you intend to publish are forwarded — with a default policy of ACCEPT the host and the guests are effectively unfiltered, so check what the script leaves in place after the flush.
The virtual machines are placed on a VMware NAT network interface (vmnetX), and iptables on the host forwards packets to them (DNAT for published ports) and rewrites the source address of their outgoing traffic (SNAT).
More explanations will come later:
Here is my firewall script:
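#!/bin/bash
###############################################################################
#
# Host firewall + NAT for VMware guests on a Hetzner server.
#
#   firewall.sh        flush and load the ruleset
#   firewall.sh stop   flush everything and run with no firewall at all
#
# Local Settings
#
# sysctl location. If set, it will use sysctl to adjust the kernel parameters.
# If this is set to the empty string (or is unset), the use of sysctl
# is disabled and the /proc file is written directly instead.
SYSCTL="/sbin/sysctl -w"
# To echo the value directly to the /proc file instead
# SYSCTL=""

# Load a netfilter module under its current nf_* name, falling back to the
# legacy ip_* name of old kernels (the ip_* names were replaced by nf_* long
# ago, so a plain "modprobe ip_conntrack" simply fails on a current kernel).
# A warning rather than an abort: the functionality may be built into the
# kernel, in which case there is nothing to load.
# Arguments: $1 - current module name, $2 - legacy module name
load_module() {
  local current=$1 legacy=$2
  /sbin/modprobe "$current" 2>/dev/null \
    || /sbin/modprobe "$legacy" 2>/dev/null \
    || echo "warning: could not load $current (or $legacy); assuming built-in" >&2
}

# the stateful connection tracking module
load_module nf_conntrack ip_conntrack
# FTP/IRC protocol helpers.  Only keep these if a guest actually needs
# active-mode FTP or IRC DCC: each helper is extra protocol parsing applied to
# untrusted traffic.  NOTE(review): recent kernels may not assign helpers
# automatically (nf_conntrack_helper sysctl); if so a "-j CT --helper" rule is
# needed as well - verify on your kernel before relying on them.
# The ftp nat module is required for non-PASV ftp support
load_module nf_nat_ftp ip_nat_ftp
# the module for full ftp connection tracking
load_module nf_conntrack_ftp ip_conntrack_ftp
# the module for full irc connection tracking
load_module nf_conntrack_irc ip_conntrack_irc

# IPTables Location - adjust if needed
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"       # not used by this script; handy for persisting the ruleset
IPTR="/sbin/iptables-restore"
#
# The x / xxx parts below are placeholders - fill in the real addresses
# before running the script.
#
# Internet Interface
INET_IFACE="eth0"
INET_ADDRESS="189.xxx.xxx.xxx"
# Local Interface Information (the VMware NAT network the guests sit on)
LOCAL_IFACE="vmnetX"
LOCAL_IP="192.168.x.x"
LOCAL_NET="192.168.x.0/24"
LOCAL_BCAST="192.168.x.255"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"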
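echo "Flushing Tables ..."
# Reset a table to a clean state: every built-in chain back to ACCEPT, all
# rules flushed, all user-defined chains deleted (flush first, a non-empty
# chain cannot be deleted).  ACCEPT during the reset is deliberate - it avoids
# a window where a DROP policy sits on an empty chain and cuts the remote
# session; whatever is loaded afterwards starts from this clean state.
# Arguments: $1 - table name, $2.. - that table's built-in chains
reset_table() {
  local table=$1
  shift
  local chain
  for chain in "$@"; do
    $IPT -t "$table" -P "$chain" ACCEPT
  done
  $IPT -t "$table" -F
  $IPT -t "$table" -X
}
reset_table filter INPUT FORWARD OUTPUT
reset_table nat PREROUTING POSTROUTING OUTPUT
# mangle has five built-in chains; previously only PREROUTING/OUTPUT were
# reset, so a DROP policy on INPUT/FORWARD/POSTROUTING there would have
# survived a "stop".
reset_table mangle PREROUTING INPUT FORWARD OUTPUT POSTROUTING

# "stop" means: leave the box with no firewall at all (policies are ACCEPT).
if [ "${1-}" = "stop" ]; then
  echo "Firewall completely flushed! Now running with no firewall."
  exit 0
fi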
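# ---------------------------------------------------------------------------
# Load the ruleset (a "stop" run has already exited above).
# ---------------------------------------------------------------------------

# TCP ports on which the host ITSELF must stay reachable from the internet.
# With a DROP policy on INPUT (set below) nothing else gets in, so make sure
# this matches the port your SSH daemon listens on before running this on a
# remote box - otherwise you lock yourself out.
ADMIN_TCP_PORTS="22"

# Packet forwarding must be on, or the DNAT/SNAT rules below rewrite packets
# that the kernel then refuses to route.  Uses sysctl when $SYSCTL is set
# (see Local Settings), otherwise writes the /proc file directly.
if [ -n "$SYSCTL" ]; then
  # shellcheck disable=SC2086  # SYSCTL is "binary -w"; word splitting is intended
  $SYSCTL net.ipv4.ip_forward=1 >/dev/null
else
  echo 1 > /proc/sys/net/ipv4/ip_forward
fi

# Default-deny.  The ACCEPT policies set during the flush would otherwise stay
# in effect, which means "no firewall": every listening service on the host
# and every forwarded packet would be allowed.  OUTPUT stays ACCEPT so the
# host itself can talk out freely.
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

#Loopback
$IPT -A INPUT  -i "$LO_IFACE" -j ACCEPT
$IPT -A OUTPUT -o "$LO_IFACE" -j ACCEPT

# Anti-spoofing: packets arriving from the internet side with a guest-network
# source, or a loopback source on any real interface, are forged - drop them
# before any ACCEPT rule can see them.
$IPT -A INPUT   -i "$INET_IFACE" -s "$LOCAL_NET" -j DROP
$IPT -A FORWARD -i "$INET_IFACE" -s "$LOCAL_NET" -j DROP
$IPT -A INPUT ! -i "$LO_IFACE"   -s 127.0.0.0/8  -j DROP

# Packets belonging to connections conntrack already knows, both to the host
# and through it.  NOTE: the FORWARD rule used to read "-o 192.168.x.0/24";
# -o takes an interface name, so that rule never matched anything and reply
# traffic to the guests only got through because FORWARD defaulted to ACCEPT.
$IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT   -m conntrack --ctstate INVALID -j DROP
$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP

# Management access to the host, and let it answer ping (drop the icmp line
# if you do not want that).
# shellcheck disable=SC2086  # space-separated list; splitting is intended
for port in $ADMIN_TCP_PORTS; do
  $IPT -A INPUT -i "$INET_IFACE" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
done
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Guests may open connections towards the internet (the SNAT rules below
# give them their public addresses on the way out).
$IPT -A FORWARD -i "$LOCAL_IFACE" -o "$INET_IFACE" -s "$LOCAL_NET" -j ACCEPT

#Forward IPs
# Source NAT: one "guest_ip=public_ip" entry per guest, presumably one address
# of the Hetzner subnet each.  -o limits the rewrite to traffic that is
# actually leaving towards the internet.
echo "Creating PREROUTING/POSTROUTING."
GUEST_SNAT_MAP=(
  "192.168.x.10=189.xxx.xxx.xxx"
  "192.168.x.11=189.xxx.xxx.xxx"
  "192.168.x.12=189.xxx.xxx.xxx"
  "192.168.x.13=189.xxx.xxx.xxx"
  "192.168.x.14=189.xxx.xxx.xxx"
)
for entry in "${GUEST_SNAT_MAP[@]}"; do
  guest=${entry%%=*}
  public=${entry#*=}
  echo "SNAT $guest -> $public"
  $IPT -t nat -A POSTROUTING -o "$INET_IFACE" -s "$guest" -j SNAT --to-source "$public"
done

#NAT
# Publish a guest TCP service on a public address.  Each forward needs both
# the PREROUTING rewrite and a FORWARD accept, since FORWARD defaults to DROP.
# The progress message is derived from the arguments so it cannot disagree
# with the rule that is installed.
# Arguments: $1 - public ip, $2 - public port, $3 - guest ip, $4 - guest port
forward_tcp() {
  local public_ip=$1 public_port=$2 guest_ip=$3 guest_port=$4
  echo "NAT ${public_ip}:${public_port} -> ${guest_ip}:${guest_port}"
  $IPT -t nat -A PREROUTING -i "$INET_IFACE" -p tcp -d "$public_ip" --dport "$public_port" \
    -j DNAT --to-destination "${guest_ip}:${guest_port}"
  $IPT -A FORWARD -i "$INET_IFACE" -o "$LOCAL_IFACE" -p tcp -d "$guest_ip" --dport "$guest_port" \
    -m conntrack --ctstate NEW -j ACCEPT
}
echo "NAT EXT IP: 189.xxx.xxx.xxx"
# NOTE(review): the progress messages that used to sit here said 192.168.x.10
# and "Port 443", while the rules forwarded to .13 and from external port
# 5500.  The rules are kept as they were; verify .13 is the intended guest.
forward_tcp 189.xxx.xxx.xxx 80   192.168.x.13 80
forward_tcp 189.xxx.xxx.xxx 5500 192.168.x.13 443
echo "Firewall rules loaded."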
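###############################################################################
#
# Host firewall + NAT for VMware guests on a Hetzner server.
#
#   firewall.sh        flush and load the ruleset
#   firewall.sh stop   flush everything and run with no firewall at all
#
# Local Settings
#
# sysctl location. If set, it will use sysctl to adjust the kernel parameters.
# If this is set to the empty string (or is unset), the use of sysctl
# is disabled and the /proc file is written directly instead.
SYSCTL="/sbin/sysctl -w"
# To echo the value directly to the /proc file instead
# SYSCTL=""

# Load a netfilter module under its current nf_* name, falling back to the
# legacy ip_* name of old kernels (the ip_* names were replaced by nf_* long
# ago, so a plain "modprobe ip_conntrack" simply fails on a current kernel).
# A warning rather than an abort: the functionality may be built into the
# kernel, in which case there is nothing to load.
# Arguments: $1 - current module name, $2 - legacy module name
load_module() {
  local current=$1 legacy=$2
  /sbin/modprobe "$current" 2>/dev/null \
    || /sbin/modprobe "$legacy" 2>/dev/null \
    || echo "warning: could not load $current (or $legacy); assuming built-in" >&2
}

# the stateful connection tracking module
load_module nf_conntrack ip_conntrack
# FTP/IRC protocol helpers.  Only keep these if a guest actually needs
# active-mode FTP or IRC DCC: each helper is extra protocol parsing applied to
# untrusted traffic.  NOTE(review): recent kernels may not assign helpers
# automatically (nf_conntrack_helper sysctl); if so a "-j CT --helper" rule is
# needed as well - verify on your kernel before relying on them.
# The ftp nat module is required for non-PASV ftp support
load_module nf_nat_ftp ip_nat_ftp
# the module for full ftp connection tracking
load_module nf_conntrack_ftp ip_conntrack_ftp
# the module for full irc connection tracking
load_module nf_conntrack_irc ip_conntrack_irc

# IPTables Location - adjust if needed
IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"       # not used by this script; handy for persisting the ruleset
IPTR="/sbin/iptables-restore"
#
# The x / xxx parts below are placeholders - fill in the real addresses
# before running the script.
#
# Internet Interface
INET_IFACE="eth0"
INET_ADDRESS="189.xxx.xxx.xxx"
# Local Interface Information (the VMware NAT network the guests sit on)
LOCAL_IFACE="vmnetX"
LOCAL_IP="192.168.x.x"
LOCAL_NET="192.168.x.0/24"
LOCAL_BCAST="192.168.x.255"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"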
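echo "Flushing Tables ..."
# Reset a table to a clean state: every built-in chain back to ACCEPT, all
# rules flushed, all user-defined chains deleted (flush first, a non-empty
# chain cannot be deleted).  ACCEPT during the reset is deliberate - it avoids
# a window where a DROP policy sits on an empty chain and cuts the remote
# session; whatever is loaded afterwards starts from this clean state.
# Arguments: $1 - table name, $2.. - that table's built-in chains
reset_table() {
  local table=$1
  shift
  local chain
  for chain in "$@"; do
    $IPT -t "$table" -P "$chain" ACCEPT
  done
  $IPT -t "$table" -F
  $IPT -t "$table" -X
}
reset_table filter INPUT FORWARD OUTPUT
reset_table nat PREROUTING POSTROUTING OUTPUT
# mangle has five built-in chains; previously only PREROUTING/OUTPUT were
# reset, so a DROP policy on INPUT/FORWARD/POSTROUTING there would have
# survived a "stop".
reset_table mangle PREROUTING INPUT FORWARD OUTPUT POSTROUTING

# "stop" means: leave the box with no firewall at all (policies are ACCEPT).
if [ "${1-}" = "stop" ]; then
  echo "Firewall completely flushed! Now running with no firewall."
  exit 0
fi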
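# ---------------------------------------------------------------------------
# Load the ruleset (a "stop" run has already exited above).
# ---------------------------------------------------------------------------

# TCP ports on which the host ITSELF must stay reachable from the internet.
# With a DROP policy on INPUT (set below) nothing else gets in, so make sure
# this matches the port your SSH daemon listens on before running this on a
# remote box - otherwise you lock yourself out.
ADMIN_TCP_PORTS="22"

# Packet forwarding must be on, or the DNAT/SNAT rules below rewrite packets
# that the kernel then refuses to route.  Uses sysctl when $SYSCTL is set
# (see Local Settings), otherwise writes the /proc file directly.
if [ -n "$SYSCTL" ]; then
  # shellcheck disable=SC2086  # SYSCTL is "binary -w"; word splitting is intended
  $SYSCTL net.ipv4.ip_forward=1 >/dev/null
else
  echo 1 > /proc/sys/net/ipv4/ip_forward
fi

# Default-deny.  The ACCEPT policies set during the flush would otherwise stay
# in effect, which means "no firewall": every listening service on the host
# and every forwarded packet would be allowed.  OUTPUT stays ACCEPT so the
# host itself can talk out freely.
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

#Loopback
$IPT -A INPUT  -i "$LO_IFACE" -j ACCEPT
$IPT -A OUTPUT -o "$LO_IFACE" -j ACCEPT

# Anti-spoofing: packets arriving from the internet side with a guest-network
# source, or a loopback source on any real interface, are forged - drop them
# before any ACCEPT rule can see them.
$IPT -A INPUT   -i "$INET_IFACE" -s "$LOCAL_NET" -j DROP
$IPT -A FORWARD -i "$INET_IFACE" -s "$LOCAL_NET" -j DROP
$IPT -A INPUT ! -i "$LO_IFACE"   -s 127.0.0.0/8  -j DROP

# Packets belonging to connections conntrack already knows, both to the host
# and through it.  NOTE: the FORWARD rule used to read "-o 192.168.x.0/24";
# -o takes an interface name, so that rule never matched anything and reply
# traffic to the guests only got through because FORWARD defaulted to ACCEPT.
$IPT -A INPUT   -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT   -m conntrack --ctstate INVALID -j DROP
$IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP

# Management access to the host, and let it answer ping (drop the icmp line
# if you do not want that).
# shellcheck disable=SC2086  # space-separated list; splitting is intended
for port in $ADMIN_TCP_PORTS; do
  $IPT -A INPUT -i "$INET_IFACE" -p tcp --dport "$port" -m conntrack --ctstate NEW -j ACCEPT
done
$IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Guests may open connections towards the internet (the SNAT rules below
# give them their public addresses on the way out).
$IPT -A FORWARD -i "$LOCAL_IFACE" -o "$INET_IFACE" -s "$LOCAL_NET" -j ACCEPT

#Forward IPs
# Source NAT: one "guest_ip=public_ip" entry per guest, presumably one address
# of the Hetzner subnet each.  -o limits the rewrite to traffic that is
# actually leaving towards the internet.
echo "Creating PREROUTING/POSTROUTING."
GUEST_SNAT_MAP=(
  "192.168.x.10=189.xxx.xxx.xxx"
  "192.168.x.11=189.xxx.xxx.xxx"
  "192.168.x.12=189.xxx.xxx.xxx"
  "192.168.x.13=189.xxx.xxx.xxx"
  "192.168.x.14=189.xxx.xxx.xxx"
)
for entry in "${GUEST_SNAT_MAP[@]}"; do
  guest=${entry%%=*}
  public=${entry#*=}
  echo "SNAT $guest -> $public"
  $IPT -t nat -A POSTROUTING -o "$INET_IFACE" -s "$guest" -j SNAT --to-source "$public"
done

#NAT
# Publish a guest TCP service on a public address.  Each forward needs both
# the PREROUTING rewrite and a FORWARD accept, since FORWARD defaults to DROP.
# The progress message is derived from the arguments so it cannot disagree
# with the rule that is installed.
# Arguments: $1 - public ip, $2 - public port, $3 - guest ip, $4 - guest port
forward_tcp() {
  local public_ip=$1 public_port=$2 guest_ip=$3 guest_port=$4
  echo "NAT ${public_ip}:${public_port} -> ${guest_ip}:${guest_port}"
  $IPT -t nat -A PREROUTING -i "$INET_IFACE" -p tcp -d "$public_ip" --dport "$public_port" \
    -j DNAT --to-destination "${guest_ip}:${guest_port}"
  $IPT -A FORWARD -i "$INET_IFACE" -o "$LOCAL_IFACE" -p tcp -d "$guest_ip" --dport "$guest_port" \
    -m conntrack --ctstate NEW -j ACCEPT
}
echo "NAT EXT IP: 189.xxx.xxx.xxx"
# NOTE(review): the progress messages that used to sit here said 192.168.x.10
# and "Port 443", while the rules forwarded to .13 and from external port
# 5500.  The rules are kept as they were; verify .13 is the intended guest.
forward_tcp 189.xxx.xxx.xxx 80   192.168.x.13 80
forward_tcp 189.xxx.xxx.xxx 5500 192.168.x.13 443
echo "Firewall rules loaded."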