Hetzner - DokuWiki

Netzkonfiguration Debian/en
(Page created: „{{Languages|Netzkonfiguration_Debian}} {{IP-Disclaimer}} == Haupt-IP-Adresse == === IPv4 === Die Hauptadresse eines Hetzner-Servers liegt in der Regel in ein…“)
 
(Additional IP Addresses (Host): update translation)
 
(36 intermediate revisions by 8 users not shown)
Zeile 1: Zeile 1:
 
{{Languages|Netzkonfiguration_Debian}}
 
{{Languages|Netzkonfiguration_Debian}}
  
{{IP-Disclaimer}}
+
== Main IP Address ==
 
+
== Haupt-IP-Adresse  ==
+
  
 
=== IPv4 ===
 
=== IPv4 ===
  
Die Hauptadresse eines Hetzner-Servers liegt in der Regel in einem /27-Netz. Um die (versehentliche) Übernahme fremder IP-Adresse zu verhindern, verwirft Hetzners Netz-Infrastruktur Ethernet-Pakete, die nicht an die Gateway-Adresse gerichtet sind. Um auch Server im gleichen Netzsegment ansprechen zu können, richtet die Hetzner-Standardinstallation eine explizite Route ein, die Pakete an das eigene Subnetz über das Gateway leitet und nicht direkt zustellt.
+
==== Dedicated Servers ====
  
Diese Lösung ist jedoch unschön, da doppelte und widersprüchliche Informationen in der Routing-Tabelle auftauchen. Eine sauberere Möglichkeit, diese Konfiguration zu erreichen, besteht darin, die Haupt-Adresse mit der Netzmaske 255.255.255.255 (/32) zu versehen; der Server geht so davon aus, sich alleine in seinem Ethernet-Segment zu befinden und stellt keine Pakete direkt zu. Damit er nun jedoch das Gateway erreichen kann, benötigen wir eine explizite Host-Route dorthin: Dies geht mit Debian sehr einfach, indem wir die Option "pointopoint 192.168.0.1" in die Konfiguration einfügen - "192.168.0.1" ist natürlich die IP-Adresse des Gateways.
+
The main IP of a dedicated server is usually located in a /26 or /27 subnet. In order to prevent the accidental use of a foreign IP address, our infrastructure rejects any Ethernet packets that are not addressed to the gateway address. In order to reach a server in the same subnet, our standard images already have a static route in their network configuration. The static route forwards the entire traffic to the subnet via the gateway.
  
  ## /etc/network/interfaces Beispiel Hetzner Rootserver
+
This is not the best solution as duplicate and inconsistent information appears in the routing table. A better way to reach a server in your subnet is to set the netmask to 255.255.255.255 (/32). The server assumes it is alone in this subnet and will not send any packets directly. However, an explicit host route to the gateway is now needed. This is very easy to do with Debian by adding the option "pointopoint 192.168.0.1" in the configuration. Please change "192.168.0.1" to the valid IP address of your gateway.
 +
 
 +
  ## /etc/network/interfaces example Hetzner root server
 
  # Loopback-Adapter
 
  # Loopback-Adapter
 
  auto lo
 
  auto lo
 
  iface lo inet loopback
 
  iface lo inet loopback
 
+
#
  # LAN-Schnittstelle
+
  # LAN interface
 
  auto eth0
 
  auto eth0
 
  iface eth0 inet static
 
  iface eth0 inet static
   # Haupt-IP-Adresse des Servers
+
   # Main IP address of the server
 
   address 192.168.0.250
 
   address 192.168.0.250
   # Netzmaske 255.255.255.255 (/32) unabhängig von der
+
   # Netmask 255.255.255.255 (/32) independent from the
   # realen Netzaufteilung (z.B. /27)
+
   # real subnet size (e.g. /27)
 
   netmask 255.255.255.255
 
   netmask 255.255.255.255
   # Explizite Hostroute zum Gateway
+
   # explicit host route to the gateway
 
   gateway 192.168.0.1
 
   gateway 192.168.0.1
 
   pointopoint 192.168.0.1
 
   pointopoint 192.168.0.1
  
Die in der Hetzner-Standardkonfiguration vorgesehene zusätzliche Route ist damit nicht mehr nötig.
+
The additional route to the gateway is now no longer necessary.
 +
 
 +
==== vServers (VQ/VX models) ====
 +
 
 +
With virtual servers, the configuration is similar to that of dedicated servers. There is no differentiation. However, unlike the dedicated server, the additional route can be removed directly as the assignment between IP addresses and MAC addresses has already been set up in the virtual server host.
 +
 
 +
Servers in the same subnet can be reached directly without any further adjustment.
 +
 
 +
==== vServers (CX models) ====
 +
 
 +
The configuration of standard installations is done via DHCP since, with CX vServers, the public IP is assigned to the interal IP via 1:1 NAT. A static configuration is possible - but it is not recommended since future new features might require you to make adjustments.
  
 
=== IPv6 ===
 
=== IPv6 ===
  
Im Prinzip gilt für IPv6 das gleiche wie im IPv4 Abschnitt erwähnt. Statt der einzelnen Haupt-IP bekommt man einen /64 Block. Und statt des /27 Subnetzes befindet man sich in einem /59 Subnetz. Direkte Kommunikation im /59 Subnetz ist nicht möglich sondern wird vom Switch verworfen. Deshalb muss der gesamte Traffic, also auch der im eigenen Subnetz, über das Gateway gehen.
+
==== Dedicated Servers / CX vServers ====
  
Im Gegensatz zur IPv4 Konfiguration gibt es für IPv6 keinen "pointopoint" Eintrag. Deshalb wird die Host-Route zum Gateway manuell mittels "pre-up" gesetzt.
+
In principle the above applies to IPv6 as well. But instead of a single main IP, you get a /64 block.
  
Beispiel:
+
As opposed to the IPv4 configuration, there is no "pointopoint" setting in IPv6.
* Adressblock: 2a01:4f8:61:20e1::2 bis 2a01:4f8:61:20e1:ffff:ffff:ffff:ffff
+
* Davon verwenden wir die erste Adresse 2a01:4f8:61:20e1::2
+
* Gateway: 2a01:4f8:61:20e0::1
+
  
  ## /etc/network/interfaces Beispiel Hetzner Rootserver
+
For example:
 +
* Address block: 2a01:4f8:61:20e1::2 untill 2a01:4f8:61:20e1:ffff:ffff:ffff:ffff
 +
* We use the first address from this: 2a01:4f8:61:20e1::2
 +
* Gateway: fe80::1
 +
 
 +
  ## /etc/network/interfaces example Hetzner root server
 
  # Loopback-Adapter
 
  # Loopback-Adapter
 
  auto lo
 
  auto lo
 
  iface lo inet loopback
 
  iface lo inet loopback
 +
#
 +
# IPv6 LAN
 +
auto eth0
 +
iface eth0 inet6 static
 +
  # Main IPv6 Address of the server
 +
  address 2a01:4f8:61:20e1::2
 +
  netmask 64
 +
  gateway fe80::1
  
 +
==== vServers (VQ/VX models) ====
 +
 +
With these virtual server models, the gateway is within the allocated /64 subnet.
 +
 +
For example:
 +
* Address block: 2a01:4f8:61:20e1::2 untill 2a01:4f8:61:20e1:ffff:ffff:ffff:ffff
 +
* Gateway: 2a01:4f8:61:20e1::1
 +
 +
## /etc/network/interfaces example Hetzner Virtual Server
 +
# Loopback-Adapter
 +
auto lo
 +
iface lo inet loopback
 +
#
 
  # IPv6 LAN
 
  # IPv6 LAN
 
  auto eth0
 
  auto eth0
 
  iface eth0 inet6 static
 
  iface eth0 inet6 static
   # Haupt-IPv6-Adresse des Servers
+
   # Main IPv6 Address of the server
 
   address 2a01:4f8:61:20e1::2
 
   address 2a01:4f8:61:20e1::2
 
   netmask 64
 
   netmask 64
   # Host-Route, da das Gateway ausserhalb des eigenen /64 Blocks liegt
+
   gateway 2a01:4f8:61:20e1::1
  up ip -6 route add 2a01:4f8:61:20e0::1 dev eth0
+
  # Host-Route, da das Gateway ausserhalb des eigenen /64 Blocks liegt
+
  down ip -6 route del 2a01:4f8:61:20e0::1 dev eth0
+
  # Default Route
+
  up ip -6 route add default via 2a01:4f8:61:20e0::1 dev eth0
+
  down ip -6 route del default via 2a01:4f8:61:20e0::1 dev eth0
+
  
 
=== IPv4 + IPv6 ===
 
=== IPv4 + IPv6 ===
  
Gewöhnlich wird man (bis auf weiteres) IPv4 und IPv6 parallel verwenden. Dazu werden einfach die beiden Konfigurationsdateien aneinandergefügt und die doppelten Einträge weggelassen.
+
It is expected that over the next few years, IPv4 and IPv6 will be used in parallel. Both configuration files are simply joined together and duplicate entries omitted.
  
  ## /etc/network/interfaces Beispiel Hetzner Rootserver
+
==== Dedicated Servers ====
 +
 
 +
  ## /etc/network/interfaces example Hetzner root server
 
  # Loopback-Adapter
 
  # Loopback-Adapter
 
  auto lo
 
  auto lo
 
  iface lo inet loopback
 
  iface lo inet loopback
 
+
#
  # LAN-Schnittstelle
+
  # LAN interface
 
  auto eth0
 
  auto eth0
 
  iface eth0 inet static
 
  iface eth0 inet static
   # Haupt-IP-Adresse des Servers
+
   # Main IP address of the server
 
   address 192.168.0.250
 
   address 192.168.0.250
   # Netzmaske 255.255.255.255 (/32) unabhängig von der
+
   # Netmask 255.255.255.255 (/32) independent from the
   # realen Netzaufteilung (z.B. /27)
+
   # real subnet size (e.g. /27)
 
   netmask 255.255.255.255
 
   netmask 255.255.255.255
   # Explizite Hostroute zum Gateway
+
   # explicit host route to the gateway
 
   gateway 192.168.0.1
 
   gateway 192.168.0.1
 
   pointopoint 192.168.0.1
 
   pointopoint 192.168.0.1
 
+
#
 
  iface eth0 inet6 static
 
  iface eth0 inet6 static
   # Haupt-IPv6-Adresse des Servers
+
   # Main IPv6 Address of the server
 
   address 2a01:4f8:61:20e1::2
 
   address 2a01:4f8:61:20e1::2
 
   netmask 64
 
   netmask 64
   # Host-Route, da das Gateway ausserhalb des eigenen /64 Blocks liegt
+
   gateway fe80::1
  up ip -6 route add 2a01:4f8:61:20e0::1 dev eth0
+
  # Host-Route, da das Gateway ausserhalb des eigenen /64 Blocks liegt
+
  down ip -6 route del 2a01:4f8:61:20e0::1 dev eth0
+
  # Default Route
+
  up ip -6 route add default via 2a01:4f8:61:20e0::1 dev eth0
+
  down ip -6 route del default via 2a01:4f8:61:20e0::1 dev eth0
+
  
== Zusätzliche IP-Adressen  ==
+
==== Virtual Servers ====
  
Alle alten Serverpakete der DS-Serie enthalten ein /29-Subnetz, dass 6 weitere Adressen beinhaltet. Dieses Netz schließt sich nicht direkt an die Hauptadresse an, sondern muss im Hetzner-Robot beantragt werden.
+
## /etc/network/interfaces Example Hetzner Virtual Server
 +
# Loopback-Adapter
 +
auto lo
 +
iface lo inet loopback
 +
#
 +
# LAN interface
 +
auto eth0
 +
iface eth0 inet static
 +
  # Main IP address of the server
 +
  address 192.168.0.250
 +
  netmask 255.255.255.224
 +
  gateway 192.168.0.1
 +
#
 +
# IPv6 LAN
 +
iface eth0 inet6 static
 +
  # Main IPv6 Address of the server
 +
  address 2a01:4f8:61:20e1::2
 +
  netmask 64
 +
  gateway 2a01:4f8:61:20e1::1
  
Neue Server der EQ-Serie erhalten auf Antrag vier einzelne IP-Adressen. Die Konfiguration erfolgt jedoch auf die gleiche Weise:
+
== Additional IP Addresses (Host) ==
  
Um die zusätzlichen Adressen auf dem Server zu nutzen, wird das Paket "iproute" mit dem Dienstprogramm "ip" benötigt. Konfigurationen mit Alias-Schnittstellen (eth0:1, eth0:2 etc.) sind veraltet und sollten keine Verwendung mehr finden. Um eine Adresse hinzuzufügen, genügt das folgende Kommando:
+
For our dedicated root servers (with the exception of SX131/291 models), you can order up to 6 additional single IPs. The network configuration is similar in both cases.
 +
 
 +
In order to use the additional addresses on the server (no virtualization) the package "iproute" and service program "ip" are needed. Configuration with alias interfaces (such as eth0:1, eth0:2 etc.) are outdated and should no longer be used. To add an address please run:
  
 
  ip addr add 10.4.2.1/32 dev eth0
 
  ip addr add 10.4.2.1/32 dev eth0
  
Der Befehl "ip addr" zeigt die momentan aktiven IP-Adressen an. Da das Subnetz dem Server exklusiv zur Verfügung steht, ist es auch hier sinnvoll, die Adressen mit der Präfixlänge /32, also der Subnetzmaske 255.255.255.255 hinzuzufügen.
+
The command "ip addr" shows the IP addresses which are currently active. As the server uses the entire subnet, it is also useful here to add the addresses with the prefix /32, which means the subnet mask is 255.255.255.255
  
Leider bieten die Konfigurationsmechanismen der Debian-Distriution keine Möglichkeit, mehrere IP-Adressen in der Datei "/etc/network/interfaces" zu hinterlegen. Diese Problem kann manuell oder mit einem speziellen Skript umgangen werden:
+
=== Configuration ===
  
=== Manuelle Konfiguration ===
+
In '''/etc/network/interfaces''', insert the following two lines in the appropriate interface (e.g. "eth0"):
In der <tt>/etc/network/interfaces</tt> werden unter dem entsprechenden Interface (hier <tt>eth0</tt>) die folgenden beiden Zeilen eingefügt:
+
  up ip addr add 10.4.2.1/32 dev eth0
+
  down ip addr del 10.4.2.1/32 dev eth0
+
<tt>up</tt> und <tt>down</tt> erwarten einfach eine Zeile Shell-Code und könnnen für mehrere Adressen wiederholt vorkommen. Der Nachteil: sowohl Schnittstellenname als auch die einzustellende Adresse müssen jeweils zwei mal aufgeführt werden, bei einer größeren Anzahl Adressen wird die Konfiguration daher unübersichtlich und fehleranfällig; ändern sich die Daten, müssen alle Einträge angepasst werden.
+
  
=== Konfiguration via addresses-Skript ===
+
up ip addr add 10.4.2.1/32 dev eth0
 +
down ip addr del 10.4.2.1/32 dev eth0
  
Das Skript befindet sich im Paket "ifupdown-scripts-wa", das jedoch nicht Teil der offiziellen Debian-Distribution ist; fügt man folgende Zeile zur APT-Konfiguration hinzu, reicht der Befehl "apt-get install ifupdown-scripts-wa" um das Skript korrekt zu installieren:
+
"up" and "down" expect just one line of shell code and this can be repeated for several addresses. The disadvantage is that both the interface name and address must be listed twice. If many IPs are used, the configuration file becomes confusing and prone to errors. If the data is changed, all entries need to be adjusted.
  
  # /etc/apt/sources.list.d/wertarbyte.list
+
=== Alternative configuration via addresses script ===
  # Tartarus, ifupdown-scripts etc.
+
  deb http://wertarbyte.de/apt/ ./
+
  
Die gesamte Installationsroutine lässt sich mit den folgenden Befehlen abkürzen:
+
''ATTENTION'': '''The following instructions involve the installation of software by a third party (www.wertarbyte.de). This is not supported by Hetzner. In the event of errors or problems, please contact the [http://www.wertarbyte.de/kontakt.shtml developer].'''
  
  wget -P/etc/apt/sources.list.d/ http://wertarbyte.de/apt/wertarbyte-apt.list
+
The script is in package "ifupdown-scripts-wa", which is not a part of the official Debian distribution. If the following line is added for APT configuration, the  "apt-get install ifupdown-scripts-wa" command is sufficient in order to install the script correctly:
  wget -O - http://wertarbyte.de/apt/software-key.gpg | apt-key add -
+
  apt-get update
+
  apt-get install ifupdown-scripts-wa
+
  
Wer das Skript nicht über das Paketsystem installieren möchte, kann es auch manuell herunterladen: http://wertarbyte.de/debian/ifupdown/addresses. Es wird im Verzeichnis "/etc/network/if-up.d/" abgelegt und zusätzlich nach "/etc/network/if-down.d/" verlinkt:
+
# /etc/apt/sources.list.d/wertarbyte.list
 +
# Tartarus, ifupdown-scripts etc.
 +
deb http://wertarbyte.de/apt/ ./
 +
 
 +
The complete installation routine can be shortened using the following commands:
 +
 
 +
wget -P/etc/apt/sources.list.d/ http://wertarbyte.de/apt/wertarbyte-apt.list
 +
wget -O - http://wertarbyte.de/apt/software-key.gpg | apt-key add -
 +
apt-get update
 +
apt-get install ifupdown-scripts-wa
 +
 
 +
If you do not wish to install the script using the package system, it can also be downloaded manually: http://wertarbyte.de/debian/ifupdown/addresses. It is filed in the '''/etc/network/if-up.d/''' directory and also linked with '''/etc/network/if-down.d/''':
  
 
  cd /etc/network/if-up.d/ &amp;&amp; \
 
  cd /etc/network/if-up.d/ &amp;&amp; \
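Review bot: in the "Alternative configuration via addresses script" section, the added install commands fetch both the APT source list and the signing key over plain http:// and pipe the key straight into "apt-key add -", so nothing in the procedure authenticates the key that APT will then trust. Suggest using https URLs where the third party offers them, or printing the expected key fingerprint next to the command so readers can compare it before running "apt-get install ifupdown-scripts-wa". Separately, "untill" in the two IPv6 address-block bullets and "interal IP" in the CX vServers paragraph are typos.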
Zeile 136: Zeile 182:
 
  ln -s ../if-up.d/addresses .
 
  ln -s ../if-up.d/addresses .
  
Die Installation über das Paketsystem wird jedoch empfohlen, da so stets die aktuelle Version des Skripts verfügbar ist.
+
Installation via packet system is recommended as the current version of the script is always available.
  
Das Skript erweitert die Syntax der Konfigurationsdatei um eine neue Anweisung namens "addresses", mit der zusätzliche zu bindende IP-Adressen (mit der Netzmaske in /-Notation) angegeben werden können:
+
The script extends the syntax of the configuration file by adding a new command "addresses". This enables the specification of additional binding IP addresses (with the netmask in /-notation):
  
 
  addresses 10.4.2.1/32 10.4.2.2/32 10.4.2.3/32
 
  addresses 10.4.2.1/32 10.4.2.2/32 10.4.2.3/32
  
Fügt man diese Zeile zur Konfiguration der Schnittstelle "eth0" hinzu, so werden die Adressen beim Aktivieren der Schnittstelle hinzugefügt und bei deren Deaktivierung wieder entfernt.
+
If this line is added to configure the "eth0" interface, addresses are added upon activating the interface and removed upon deactivation.
  
Zusätzlich ist es möglich, mehrere Zeilen zu verwenden, um Adressen in Kategorien zu bündeln und die Konfiguration übersichtlicher zu gestalten:
+
It is also possible to use several lines to bundle addresses into categories and to make configuration more transparent:
  
 
  addresses      10.4.2.1/32
 
  addresses      10.4.2.1/32
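Review bot: "Installation via packet system is recommended" mistranslates "Paketsystem" from the German line it replaces; "packet" reads as a network packet on a page about routing. Suggest "Installation via the package system is recommended, as the current version of the script is then always available."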
Zeile 150: Zeile 196:
 
  addresses-mail  10.4.2.4/32            # Mailserver
 
  addresses-mail  10.4.2.4/32            # Mailserver
  
Das Skript erfasst sämtliche Anweisungen, die mit dem Schlüsselwort "addresses-" und einer frei wählbaren Bezeichnung beginnen. Eine Bezeichnung darf nicht doppelt verwendet werden, da ansonsten ifupdown einen Syntaxfehler anzeigt und die Konfiguration der Schnittstelle abbricht - unter Umständen ist der Server dadurch nicht mehr erreichbar.
+
The script captures various commands that start with the key word "addresses-" and a label of your choice. Labels should not be used twice, as otherwise a syntax error is shown for ifupdown and configuration of the interface is interrupted. This can result in the server not being reachable.
  
Die via "ip addr" hinzugefügten IP-Adressen sind in der Ausgabe von "ifconfig" nicht sichtbar; um sie anzuzeigen, wird der Befehl "ip addr show" benötigt. Das addresses-Skript kann jedoch auch Alias-Geräte anlegen:
+
The IP addresses which have been added via "ip addr" are not visible in the output of  "ifconfig" ; the command "ip addr show" is required to show these. However, the addresses script can also set up alias devices:
  
  addresses 10.0.0.1/32 10.0.0.2/32 10.0.0.3/32
+
addresses 10.0.0.1/32 10.0.0.2/32 10.0.0.3/32
  create_alias_devices yes
+
create_alias_devices yes
 +
 
 +
The script creates consecutively numbered eth0:X devices using this configuration, which are also visible in "ifconfig".
 +
 
 +
Instead of simply numbering the devices, it is also possible to use the labels from the configuration:
 +
 
 +
addresses-https 10.0.0.1/32 10.0.0.3/32
 +
addresses-vhost 10.0.0.2/32
 +
label_addresses yes
 +
 
 +
The addresses are subsequently labelled "eth0:https" or "eth0:vhost" in the output of "ip addr" and are also shown in "ifconfig".
 +
 
 +
== Additional IP Addresses (Virtualization) ==
 +
 
 +
With virtualization the additional IP addresses are used via the guest system. So that these can be reached via the Internet, configuration in the host system needs to be adjusted accordingly in order to forward the packets. There are two ways of doing this for additional single IPs:  Routed and Bridged.
 +
 
 +
=== Routed (brouter) ===
 +
 
 +
In this type of configuration, the packets are routed. This requires the setting up of an additional bridge with almost the same configuration (without gateway) as eth0.
 +
 
 +
Host:
 +
 
 +
auto eth0
 +
iface eth0 inet static
 +
    address (Main IP)
 +
    netmask 255.255.255.255
 +
    pointopoint (Gateway IP)
 +
    gateway (Gateway IP)
 +
#
 +
iface eth0 inet6 static
 +
  address 2a01:4f8:XX:YY::2
 +
  netmask 128
 +
  gateway fe80::1
 +
#
 +
auto virbr1
 +
iface virbr1 inet static
 +
    address (Main IP)
 +
    netmask 255.255.255.255
 +
    bridge_ports none
 +
    bridge_stp off
 +
    bridge_fd 0
 +
    pre-up brctl addbr virbr1
 +
    up ip route add (Additional IP)/32 dev virbr1
 +
    down ip route del (Additional IP)/32 dev virbr1
 +
  #
 +
  iface virbr1 inet6 static
 +
    address 2a01:4f8:XX:YY::2
 +
    netmask 64
 +
 
 +
A corresponding host route needs to be created for each additional IP address.
 +
The eth0 configuration remains unchanged for IPv4. For IPv6 the prefix is reduced from /64 to /128.
 +
 
 +
Guest:
 +
 
 +
auto eth0
 +
iface eth0 inet static
 +
    address (Additional IP)
 +
    netmask 255.255.255.255
 +
    pointopoint (Main IP)
 +
    gateway (Main IP)
 +
#
 +
iface eth0 inet6 static
 +
  address 2a01:4f8:XX:YY::4
 +
  netmask 64
 +
  gateway 2a01:4f8:XX:YY::2
  
Mit dieser Konfiguration legt das Skript durchnumerierte eth0:X-Geräte an, die auch in "ifconfig" sichtbar sind.
+
=== Bridged ===
  
Anstatt die Geräte nur zu numerieren kann man jedoch auch die Beschreibungen aus der Konfiguration verwenden:
+
With a bridged configuration, packets are sent directly. The guest system behaves as if it is independent. As this makes the MAC addresses of the guest system visible from the outside, a virtual MAC address needs to be requested for each IP address via the Hetzner Robot and assigned to the guest network card. The bridge gets the same network configuration as eth0.
  
   addresses-https 10.0.0.1/32 10.0.0.3/32
+
# remove or disable configuration for eth0
   addresses-vhost 10.0.0.2/32
+
#auto eth0
   label_addresses yes
+
#iface eth0 inet static
 +
#
 +
auto  br0
 +
iface br0 inet static
 +
  address (Main IP)
 +
   netmask (like eth0, e.g: 255.255.255.254)
 +
   gateway (same as that for the main IP)
 +
  bridge_ports eth0
 +
  bridge_stp off
 +
  bridge_fd 1
 +
  bridge_hello 2
 +
   bridge_maxage 12
  
Die Adressen werden daraufhin in der Ausgabe von "ip addr" mit den Beschriftungen "eth0:https" bzw. "eth0:vhost" versehen, die auch von "ifconfig" angezeigt werden.
+
The configuration of eth0 is omitted without replacement.
  
 +
[[Kategorie:Dedizierte Server]]
 
[[Kategorie:IP-Adressen]]
 
[[Kategorie:IP-Adressen]]
 +
[[Kategorie:Betriebssysteme]]
 +
[[Kategorie:Debian]]
 +
[[Kategorie:Ubuntu]]
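Review bot: in the paragraph on "addresses-" labels, "The script captures various commands" weakens the German "sämtliche Anweisungen" (all commands), and "Labels should not be used twice" weakens "darf nicht doppelt verwendet werden". Since the same paragraph says a duplicate label interrupts interface configuration and can leave the server unreachable, word these as "all commands" and "must not be used twice". In the added routed host block, the "iface virbr1 inet6 static" stanza and the "#" above it are indented one space deeper than the stanzas around them; align them with the other "iface" lines.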

Latest revision as of 15:03, 9 December 2016

Main IP Address

IPv4

Dedicated Servers

The main IP of a dedicated server is usually located in a /26 or /27 subnet. To prevent the accidental use of a foreign IP address, our infrastructure rejects any Ethernet packets that are not addressed to the gateway address. So that servers in the same subnet can still be reached, our standard images already include a static route in their network configuration that sends all traffic for the subnet via the gateway.

This is not the best solution as duplicate and inconsistent information appears in the routing table. A better way to reach a server in your subnet is to set the netmask to 255.255.255.255 (/32). The server assumes it is alone in this subnet and will not send any packets directly. However, an explicit host route to the gateway is now needed. This is very easy to do with Debian by adding the option "pointopoint 192.168.0.1" in the configuration. Please change "192.168.0.1" to the valid IP address of your gateway.

## /etc/network/interfaces example Hetzner root server
# Loopback-Adapter
auto lo
iface lo inet loopback
#
# LAN interface
auto eth0
iface eth0 inet static
  # Main IP address of the server
  address 192.168.0.250
  # Netmask 255.255.255.255 (/32) independent from the
  # real subnet size (e.g. /27)
  netmask 255.255.255.255
  # explicit host route to the gateway
  gateway 192.168.0.1
  pointopoint 192.168.0.1

The additional route to the gateway is now no longer necessary.
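
The next-hop decision behind the /32 plus "pointopoint" configuration above, as an added example (not part of the original page or of any Hetzner tooling). It models the statement that only frames handed to the gateway are forwarded; the gateway 192.168.0.225 and the neighbour 192.168.0.240 are constructed values chosen to lie inside the /27 of 192.168.0.250, and all function names are hypothetical.

```python
import ipaddress

# Constructed sample values: gateway and neighbour are chosen to lie in the
# same /27 as the page's example address 192.168.0.250.
MAIN_IP = "192.168.0.250"
GATEWAY = "192.168.0.225"
NEIGHBOUR = "192.168.0.240"
REMOTE = "203.0.113.10"


def build_routes(address, prefix_len, gateway, pointopoint=None):
    """Return the routes present after ifup as (network, via) pairs.

    via is None for an on-link route (the destination is resolved directly
    on the Ethernet segment) and the gateway address otherwise.
    """
    routes = []
    if prefix_len < 32:
        # A netmask shorter than /32 makes the whole subnet on-link.
        subnet = ipaddress.ip_interface("%s/%d" % (address, prefix_len)).network
        routes.append((subnet, None))
    if pointopoint:
        # "pointopoint" adds a host route to the peer, here the gateway.
        routes.append((ipaddress.ip_network(pointopoint + "/32"), None))
    routes.append((ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(gateway)))
    return routes


def gateway_on_link(routes, gateway):
    """A default route is only usable if the gateway itself is on-link."""
    gw = ipaddress.ip_address(gateway)
    return any(via is None and gw in net for net, via in routes)


def next_hop(destination, routes):
    """Longest-prefix match; returns the address the Ethernet frame is sent to."""
    dest = ipaddress.ip_address(destination)
    net, via = max(((n, v) for n, v in routes if dest in n),
                   key=lambda route: route[0].prefixlen)
    return str(dest if via is None else via)


def forwarded(destination, routes, gateway):
    """Model of the filter described above: only frames for the gateway pass."""
    return gateway_on_link(routes, gateway) and next_hop(destination, routes) == gateway


SUBNET_MASK = build_routes(MAIN_IP, 27, GATEWAY)      # real /27 netmask
HOST_MASK = build_routes(MAIN_IP, 32, GATEWAY)        # /32 without pointopoint
POINTOPOINT = build_routes(MAIN_IP, 32, GATEWAY, pointopoint=GATEWAY)

if __name__ == "__main__":
    for name, routes in (("/27", SUBNET_MASK), ("/32", HOST_MASK),
                         ("/32 + pointopoint", POINTOPOINT)):
        print(name,
              "neighbour forwarded:", forwarded(NEIGHBOUR, routes, GATEWAY),
              "remote forwarded:", forwarded(REMOTE, routes, GATEWAY))
```

With the real /27 netmask the neighbour is addressed directly and filtered; with /32 alone the gateway is unreachable; with /32 plus "pointopoint" every destination, neighbour included, goes via the gateway.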

vServers (VQ/VX models)

With virtual servers, the configuration is similar to that of dedicated servers. There is no differentiation. However, unlike the dedicated server, the additional route can be removed directly as the assignment between IP addresses and MAC addresses has already been set up in the virtual server host.

Servers in the same subnet can be reached directly without any further adjustment.

vServers (CX models)

The configuration of standard installations is done via DHCP since, with CX vServers, the public IP is assigned to the internal IP via 1:1 NAT. A static configuration is possible, but it is not recommended since future new features might require you to make adjustments.

IPv6

Dedicated Servers / CX vServers

In principle the above applies to IPv6 as well. But instead of a single main IP, you get a /64 block.

As opposed to the IPv4 configuration, there is no "pointopoint" setting in IPv6.

For example:

  • Address block: 2a01:4f8:61:20e1::2 to 2a01:4f8:61:20e1:ffff:ffff:ffff:ffff
  • We use the first address from this: 2a01:4f8:61:20e1::2
  • Gateway: fe80::1

## /etc/network/interfaces example Hetzner root server
# Loopback-Adapter
auto lo
iface lo inet loopback
#
# IPv6 LAN
auto eth0
iface eth0 inet6 static
  # Main IPv6 Address of the server
  address 2a01:4f8:61:20e1::2
  netmask 64
  gateway fe80::1

vServers (VQ/VX models)

With these virtual server models, the gateway is within the allocated /64 subnet.

For example:

  • Address block: 2a01:4f8:61:20e1::2 to 2a01:4f8:61:20e1:ffff:ffff:ffff:ffff
  • Gateway: 2a01:4f8:61:20e1::1

## /etc/network/interfaces example Hetzner Virtual Server
# Loopback-Adapter
auto lo
iface lo inet loopback
#
# IPv6 LAN
auto eth0
iface eth0 inet6 static
  # Main IPv6 Address of the server
  address 2a01:4f8:61:20e1::2
  netmask 64
  gateway 2a01:4f8:61:20e1::1

IPv4 + IPv6

It is expected that over the next few years, IPv4 and IPv6 will be used in parallel. Both configuration files are simply joined together and duplicate entries omitted.

Dedicated Servers

## /etc/network/interfaces example Hetzner root server
# Loopback-Adapter
auto lo
iface lo inet loopback
#
# LAN interface
auto eth0
iface eth0 inet static
  # Main IP address of the server
  address 192.168.0.250
  # Netmask 255.255.255.255 (/32) independent from the
  # real subnet size (e.g. /27)
  netmask 255.255.255.255
  # explicit host route to the gateway
  gateway 192.168.0.1
  pointopoint 192.168.0.1
#
iface eth0 inet6 static
  # Main IPv6 Address of the server
  address 2a01:4f8:61:20e1::2
  netmask 64
  gateway fe80::1

Virtual Servers

## /etc/network/interfaces Example Hetzner Virtual Server
# Loopback-Adapter
auto lo
iface lo inet loopback
#
# LAN interface
auto eth0
iface eth0 inet static
  # Main IP address of the server
  address 192.168.0.250
  netmask 255.255.255.224
  gateway 192.168.0.1
#
# IPv6 LAN
iface eth0 inet6 static
  # Main IPv6 Address of the server
  address 2a01:4f8:61:20e1::2
  netmask 64
  gateway 2a01:4f8:61:20e1::1

Additional IP Addresses (Host)

For our dedicated root servers (with the exception of SX131/291 models), you can order up to 6 additional single IPs. The network configuration is similar in both cases.

In order to use the additional addresses on the server (no virtualization), the package "iproute" with its utility "ip" is needed. Configurations with alias interfaces (such as eth0:1, eth0:2 etc.) are outdated and should no longer be used. To add an address, run:

ip addr add 10.4.2.1/32 dev eth0

The command "ip addr" shows the IP addresses that are currently active. As the server uses the entire subnet, it is also useful here to add the addresses with the prefix /32, which means the subnet mask is 255.255.255.255.

Configuration

In /etc/network/interfaces, insert the following two lines in the appropriate interface (e.g. "eth0"):

up ip addr add 10.4.2.1/32 dev eth0
down ip addr del 10.4.2.1/32 dev eth0

"up" and "down" expect just one line of shell code and this can be repeated for several addresses. The disadvantage is that both the interface name and address must be listed twice. If many IPs are used, the configuration file becomes confusing and prone to errors. If the data is changed, all entries need to be adjusted.

Alternative configuration via addresses script

ATTENTION: The following instructions involve the installation of software by a third party (www.wertarbyte.de). This is not supported by Hetzner. In the event of errors or problems, please contact the developer.

The script is in package "ifupdown-scripts-wa", which is not a part of the official Debian distribution. If the following line is added for APT configuration, the "apt-get install ifupdown-scripts-wa" command is sufficient in order to install the script correctly:

# /etc/apt/sources.list.d/wertarbyte.list
# Tartarus, ifupdown-scripts etc.
deb http://wertarbyte.de/apt/ ./

The complete installation routine can be shortened using the following commands:

wget -P/etc/apt/sources.list.d/ http://wertarbyte.de/apt/wertarbyte-apt.list
wget -O - http://wertarbyte.de/apt/software-key.gpg | apt-key add -
apt-get update
apt-get install ifupdown-scripts-wa

If you do not wish to install the script using the package system, it can also be downloaded manually: http://wertarbyte.de/debian/ifupdown/addresses. It is placed in the /etc/network/if-up.d/ directory and also linked into /etc/network/if-down.d/:

cd /etc/network/if-up.d/ && \
wget http://wertarbyte.de/debian/ifupdown/addresses && \
chmod +x addresses && \
cd ../if-down.d/ && \
ln -s ../if-up.d/addresses .

Installation via the package system is recommended, as the current version of the script is then always available.

The script extends the syntax of the configuration file by adding a new command "addresses". This enables the specification of additional binding IP addresses (with the netmask in /-notation):

addresses 10.4.2.1/32 10.4.2.2/32 10.4.2.3/32

If this line is added to configure the "eth0" interface, addresses are added upon activating the interface and removed upon deactivation.

It is also possible to use several lines to bundle addresses into categories and to make configuration more transparent:

addresses       10.4.2.1/32
addresses-https 10.4.2.2/32 10.4.2.3/32 # SSL-Websites
addresses-mail  10.4.2.4/32             # Mailserver

The script picks up all commands that start with the keyword "addresses-" followed by a label of your choice. A label must not be used twice; otherwise ifupdown reports a syntax error and aborts configuration of the interface. This can result in the server not being reachable.
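
A pre-flight check for the two failure modes described above (the "up"/"down" pairs that have to be kept in sync by hand, and the reused "addresses-" label that interrupts interface configuration), as an added example that is not part of the original page or of the ifupdown-scripts-wa package. The function names and the sample stanza are constructed for illustration, and the check assumes the "addresses" syntax exactly as shown on this page.

```python
import ipaddress
import re

# Top-level keywords that end an iface stanza (see interfaces(5)).
STANZA_BREAK = re.compile(r"^(auto|allow-\S+|mapping|source)\b")
IP_ADDR_CMD = re.compile(r"^ip\s+addr\s+(add|del)\s+(\S+)\s+dev\s+(\S+)$")

# Constructed sample stanza with deliberate mistakes on lines 9/10, 12 and 13.
SAMPLE = """\
auto eth0
iface eth0 inet static
  address 192.168.0.250
  netmask 255.255.255.255
  gateway 192.168.0.1
  pointopoint 192.168.0.1
  up ip addr add 10.4.2.1/32 dev eth0
  down ip addr del 10.4.2.1/32 dev eth0
  up ip addr add 10.4.2.5/32 dev eth0
  down ip addr del 10.4.2.6/32 dev eth0
  addresses-https 10.4.2.2/32 10.4.2.3/32 # SSL-Websites
  addresses-mail  10.4.2.4/33
  addresses-https 10.4.2.7/32
"""


def check_cidr(value, lineno, findings):
    """Addresses must be valid and carry the netmask in /-notation."""
    try:
        if "/" not in value:
            raise ValueError("missing prefix length")
        ipaddress.ip_interface(value)
    except ValueError as exc:
        findings.append((lineno, "invalid address '%s': %s" % (value, exc)))


def lint_interfaces(text):
    """Return sorted (line_number, message) findings for extra-address lines."""
    findings = []
    iface = None              # stanza being read, None outside a stanza
    seen = {}                 # addresses* keyword -> first line number
    added, removed = {}, {}   # (address, device) -> line number

    def close_stanza():
        # Each "ip addr add" needs its matching "ip addr del" and vice versa.
        for key, lineno in added.items():
            if key not in removed:
                findings.append((lineno, "no matching 'ip addr del' for %s dev %s" % key))
        for key, lineno in removed.items():
            if key not in added:
                findings.append((lineno, "no matching 'ip addr add' for %s dev %s" % key))
        seen.clear()
        added.clear()
        removed.clear()

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        if keyword == "iface":
            close_stanza()
            iface = rest.split()[0] if rest else None
        elif STANZA_BREAK.match(line):
            close_stanza()
            iface = None
        elif iface is None:
            continue
        elif keyword == "addresses" or keyword.startswith("addresses-"):
            if keyword in seen:
                findings.append((lineno, "duplicate option '%s' (first used on line %d)"
                                 % (keyword, seen[keyword])))
            else:
                seen[keyword] = lineno
            # The page's own example puts a trailing "# comment" on these lines.
            for value in rest.split("#", 1)[0].split():
                check_cidr(value, lineno, findings)
        elif keyword in ("up", "down"):
            match = IP_ADDR_CMD.match(rest)
            if not match:
                continue
            action, address, device = match.groups()
            check_cidr(address, lineno, findings)
            if device != iface:
                findings.append((lineno, "device '%s' differs from stanza '%s'"
                                 % (device, iface)))
            (added if action == "add" else removed)[(address, device)] = lineno
    close_stanza()
    return sorted(findings)


if __name__ == "__main__":
    for lineno, message in lint_interfaces(SAMPLE):
        print("line %d: %s" % (lineno, message))
```

Running it against a copy of /etc/network/interfaces before "ifdown"/"ifup" catches the mistakes while the server is still reachable.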

The IP addresses which have been added via "ip addr" are not visible in the output of "ifconfig"; the command "ip addr show" is required to show these. However, the addresses script can also set up alias devices:

addresses 10.0.0.1/32 10.0.0.2/32 10.0.0.3/32
create_alias_devices yes

The script creates consecutively numbered eth0:X devices using this configuration, which are also visible in "ifconfig".

Instead of simply numbering the devices, it is also possible to use the labels from the configuration:

addresses-https 10.0.0.1/32 10.0.0.3/32
addresses-vhost 10.0.0.2/32
label_addresses yes

The addresses are subsequently labelled "eth0:https" or "eth0:vhost" in the output of "ip addr" and are also shown in "ifconfig".

Additional IP Addresses (Virtualization)

With virtualization, the additional IP addresses are used by the guest systems. For these to be reachable from the Internet, the configuration of the host system needs to be adjusted so that it forwards the packets. There are two ways of doing this for additional single IPs: Routed and Bridged.

Routed (brouter)

In this type of configuration, the packets are routed. This requires the setting up of an additional bridge with almost the same configuration (without gateway) as eth0.

Host:

auto eth0
iface eth0 inet static
   address (Main IP)
   netmask 255.255.255.255
   pointopoint (Gateway IP)
   gateway (Gateway IP)
#
iface eth0 inet6 static
  address 2a01:4f8:XX:YY::2
  netmask 128
  gateway fe80::1
#
auto virbr1
iface virbr1 inet static
   address (Main IP)
   netmask 255.255.255.255
   bridge_ports none
   bridge_stp off
   bridge_fd 0
   pre-up brctl addbr virbr1
   up ip route add (Additional IP)/32 dev virbr1
   down ip route del (Additional IP)/32 dev virbr1
#
iface virbr1 inet6 static
   address 2a01:4f8:XX:YY::2
   netmask 64

A corresponding host route needs to be created for each additional IP address. The eth0 configuration remains unchanged for IPv4. For IPv6 the prefix is reduced from /64 to /128.

Guest:

auto eth0
iface eth0 inet static
   address (Additional IP)
   netmask 255.255.255.255
   pointopoint (Main IP)
   gateway (Main IP)
#
iface eth0 inet6 static
  address 2a01:4f8:XX:YY::4
  netmask 64
  gateway 2a01:4f8:XX:YY::2

Bridged

With a bridged configuration, packets are sent directly. The guest system behaves as if it is independent. As this makes the MAC addresses of the guest system visible from the outside, a virtual MAC address needs to be requested for each IP address via the Hetzner Robot and assigned to the guest network card. The bridge gets the same network configuration as eth0.

# remove or disable configuration for eth0
#auto eth0
#iface eth0 inet static
#
auto  br0
iface br0 inet static
 address (Main IP)
 netmask (like eth0, e.g: 255.255.255.254)
 gateway (same as that for the main IP)
 bridge_ports eth0
 bridge_stp off
 bridge_fd 1
 bridge_hello 2
 bridge_maxage 12

The configuration of eth0 is omitted without replacement.



© 2020. Hetzner Online GmbH. All rights reserved.