Setting up a Debian Gateway Virtual Machine on PowerKVM

There are many reasons why one would want to build their own router instead of buying one. Control and flexibility are two of them, and we need both when dealing with large amounts of traffic. The purpose of this guide is to give a step-by-step solution, starting with how to build the virtual machine. We will assume that PowerKVM is already up and running along with its network configuration.

So, for this guide we will need:

  • A PowerKVM machine
  • Two network cards

In this case, eth0 will be our internal network interface and eth1 our external network interface. Both of them will be bridged to the virtual machine; this configuration can be made through Kimchi’s web interface.

Creating a Debian Virtual Machine

Downloading the right ISO

First we’ll download Debian’s 8.1 DVD image for the ppc64el architecture. It can be found on this link and should be stored in the /var/lib/kimchi/isos/ folder.

cd /var/lib/kimchi/isos
wget http://cdimage.debian.org/debian-cd/8.1.0/ppc64el/iso-dvd/debian-8.1.0-ppc64el-DVD-1.iso

Then run md5sum to check that the download is not corrupted:

wget http://cdimage.debian.org/debian-cd/8.1.0/ppc64el/iso-dvd/MD5SUMS
md5sum -c MD5SUMS

The result should be:

debian-8.1.0-ppc64el-DVD-1.iso: OK

Otherwise, try downloading again.

Bringing to Life

Now that we have our ISO, we’ll create a qcow2 image with qemu-img to act as the virtual hard drive. These images should be stored in /var/lib/libvirt/images/.

qemu-img create -f qcow2 -o preallocation=metadata storage.qcow2 10G

Then, we can start the installation using virt-install:

virt-install -r 12228 --os-variant=debianwheezy --network bridge=virbr0,model=virtio --accelerate -n debian --vcpus=maxvcpus=16,sockets=2,cores=2,threads=4 -f ./storage.qcow2 --graphics vnc,listen=0.0.0.0 -c /var/lib/kimchi/isos/debian-8.1.0-ppc64el-DVD-1.iso

If you’re using a different OS, you can list all available options with:

virt-install --os-variant list

Installation will start. In this case, it was done through Kimchi’s web console, but it can also be done using libvirt. Proceed normally. After it’s finished, you can start your VM and log in with:

virsh start debian
virsh console debian

# Network Configuration

As said before, eth0 and eth1 will be bridged to the VM through Kimchi’s web interface, where eth0 is our internal network interface and eth1 the external one.

## Setting IPs

We’ll edit the /etc/network/interfaces file and assign static IPs to both the internal and the external interface. Your external address and gateway should be provided by your ISP.

nano /etc/network/interfaces
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
   address 10.0.0.1
   netmask 255.255.255.0

allow-hotplug eth1
iface eth1 inet static
   address 0.0.0.0
   netmask 255.255.255.0
   gateway 0.0.0.0

Edit your /etc/resolv.conf if required by your ISP (replace the placeholders with the values they give you):

nano /etc/resolv.conf
nameserver ISP_server
search ISP_address

After restarting your network service, you should have something like this:

systemctl restart networking && ifconfig

eth0      Link encap:Ethernet  HWaddr 52:54:00:37:bc:11
          inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0

eth1      Link encap:Ethernet  HWaddr 52:54:00:7b:74:6f
          inet addr:0.0.0.0  Bcast:0.0.0.0  Mask:255.255.255.0

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0

See if it’s working by pinging internal and external addresses:

ping www.cnn.com
ping 10.0.0.5

## Routing

Start by flushing all previous configurations, if they exist.

iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

We’ll now allow established connections and outgoing connections, and set up masquerading as follows:

iptables -A INPUT -i lo -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

Next, enable IP forwarding:

echo 1 > /proc/sys/net/ipv4/ip_forward

Your iptables rules should now look like this:

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Now a client should successfully connect to the internet.

## Making it Permanent

Now we want to apply these iptables configurations every time we start this machine. This can be done by saving them to a file and restoring them on the next boot.

iptables-save > /etc/iptables.rules

In /etc/network/interfaces, add this line underneath “iface lo inet loopback”:

nano /etc/network/interfaces
pre-up iptables-restore < /etc/iptables.rules
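The rules from the Routing section leave the INPUT and FORWARD chains with policy ACCEPT, so the ESTABLISHED,RELATED rule on eth1 → eth0 restricts nothing (whatever it does not match is accepted by the policy anyway) and every service on the gateway itself is reachable from the external side. The following is an added example, not part of the original guide: a hardened version of that ruleset written directly in iptables-restore format, so it can be saved to /etc/iptables.rules and restored by the pre-up hook exactly as described above. The interface names, the 10.0.0.0/24 subnet and the SSH-from-LAN rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): print a hardened gateway
# ruleset in iptables-restore format. eth0 internal, eth1 external and the
# 10.0.0.0/24 LAN are assumptions matching the guide; override via environment.
INT_IF="${INT_IF:-eth0}"
EXT_IF="${EXT_IF:-eth1}"
LAN="${LAN:-10.0.0.0/24}"

# Default policies are DROP, so only explicitly allowed traffic passes:
#  - the gateway answers only replies to its own connections, pings from
#    the LAN and SSH from the LAN (the SSH rule is an assumed management
#    need; remove it if the VM is only managed through virsh console);
#  - forwarding is allowed from the LAN out, and back in only for replies.
gateway_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $EXT_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $INT_IF -s $LAN -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $INT_IF -s $LAN -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $INT_IF -o $EXT_IF -s $LAN -j ACCEPT
COMMIT
EOF
}

# Sanity check before saving: number of chains whose policy is DROP
# (expected: INPUT and FORWARD, i.e. 2).
drop_policies() {
    gateway_rules | grep -c '^:[A-Z]* DROP '
}

# Usage, as root on the gateway:
#   gateway_rules > /etc/iptables.rules
#   iptables-restore < /etc/iptables.rules
```

Note that `echo 1 > /proc/sys/net/ipv4/ip_forward` is also lost on reboot; setting `net.ipv4.ip_forward = 1` in /etc/sysctl.conf keeps forwarding enabled across restarts.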

# That’s it

By now you should have a basic Linux gateway for your network. Much more advanced configuration is possible and can add enormous flexibility. It’s up to you to start exploring and unleash the true power of having a dedicated machine as your router.