Network configuration Debian

Last change on 2021-04-22 • Created on 2020-05-18

Main IP address

IPv4

Dedicated root servers

The main IP of a dedicated root server is usually located in a /26 or /27 subnet. In order to prevent the accidental use of a foreign IP address, our infrastructure rejects any Ethernet packets that are not addressed to the gateway address. In order to reach a server in the same subnet, our standard images already have a static route in their network configuration. The static route forwards the entire traffic to the subnet via the gateway.

This is not the best solution; duplicate and inconsistent information appears in the routing table. A better way to reach a server in your subnet is to set the netmask to 255.255.255.255 (/32). The server assumes it is alone in this subnet and will not send any packets directly. However, you now need an explicit host route to the gateway. This is very easy to do with Debian by adding the option pointopoint 192.168.0.1 in the configuration. Please change 192.168.0.1 to the valid IP address of your gateway.

## /etc/network/interfaces example Hetzner root server
# Loopback-Adapter
auto lo
iface lo inet loopback
#
# LAN interface
auto eth0
iface eth0 inet static
  # Main IP address of the server
  address 192.168.0.250
  # Netmask 255.255.255.255 (/32) independent from the
  # real subnet size (e.g. /27)
  netmask 255.255.255.255
  # explicit host route to the gateway
  gateway 192.168.0.1
  pointopoint 192.168.0.1

The additional route to the gateway is now no longer necessary.

IPv6

Dedicated root servers / CX vServers

In principle, the above applies to IPv6 as well. But instead of a single main IP, you get a /64 block.

As opposed to the IPv4 configuration, there is no "point-to-point" setting in IPv6.

For example:

  • Address block: 2a01:4f8:61:20e1::2 until 2a01:4f8:61:20e1:ffff:ffff:ffff:ffff
  • We use the first address from this: 2a01:4f8:61:20e1::2
  • Gateway: fe80::1
## /etc/network/interfaces example Hetzner root server
# Loopback-Adapter
auto lo
iface lo inet loopback
#
# IPv6 LAN
auto eth0
iface eth0 inet6 static
  # Main IPv6 Address of the server
  address 2a01:4f8:61:20e1::2
  netmask 64
  gateway fe80::1

IPv4 + IPv6

It is expected that over the next few years, IPv4 and IPv6 will be used in parallel. Simply join both configuration files together and omit duplicate entries.

Dedicated root servers

## /etc/network/interfaces example Hetzner root server
# Loopback-Adapter
auto lo
iface lo inet loopback
#
# LAN interface
auto eth0
iface eth0 inet static
  # Main IP address of the server
  address 192.168.0.250
  # Netmask 255.255.255.255 (/32) independent from the
  # real subnet size (e.g. /27)
  netmask 255.255.255.255
  # explicit host route to the gateway
  gateway 192.168.0.1
  pointopoint 192.168.0.1
#
iface eth0 inet6 static
  # Main IPv6 Address of the server
  address 2a01:4f8:61:20e1::2
  netmask 64
  gateway fe80::1

Virtual Servers

## /etc/network/interfaces Example Hetzner Virtual Server
# Loopback-Adapter
auto lo
iface lo inet loopback
#
# LAN interface
auto eth0
iface eth0 inet static
  # Main IP address of the server
  address 192.168.0.250
  netmask 255.255.255.224
  gateway 192.168.0.1
#
# IPv6 LAN
iface eth0 inet6 static
  # Main IPv6 Address of the server
  address 2a01:4f8:61:20e1::2
  netmask 64
  gateway 2a01:4f8:61:20e1::1

Additional IP addresses (host)

For our dedicated root servers (with the exception of SX131/291 models), you can order up to 6 additional single IPs. The network configuration is similar in both cases.

In order to use the additional addresses on the server (no virtualization), you need the package iproute and service program ip. Configuration with alias interfaces (such as eth0:1, eth0:2 etc.) are outdated; you should no longer use them. To add an address, please run:

ip addr add 10.4.2.1/32 dev eth0

The command ip addr shows the IP addresses which are currently active. The server uses the entire subnet, so it is also useful here to add the addresses with the prefix /32, which means the subnet mask is 255.255.255.255.

Configuration

In /etc/network/interfaces, insert the following two lines in the appropriate interface (e.g. eth0):

up ip addr add 10.4.2.1/32 dev eth0
down ip addr del 10.4.2.1/32 dev eth0

For up and down, expect just one line of shell code and this can be repeated for several addresses. The disadvantage is that you need to list both the interface name and address twice. If you are using many IPs, the configuration file becomes confusing and prone to errors. And if you change the data, you need to adjust all the entries.

Alternative configuration via addresses script

ATTENTIONThe following instructions involve the installation of software by a third party (www.wertarbyte.de). This is not supported by Hetzner. In the event of errors or problems, please contact the developer.

The script is in the package ifupdown-scripts-wa, which is not a part of the official Debian distribution. If you add the following line for APT configuration, you just need to use the apt-get install ifupdown-scripts-wa command to install the script correctly:

# /etc/apt/sources.list.d/wertarbyte.list
# Tartarus, ifupdown-scripts etc.
deb [http://wertarbyte.de/apt/](http://wertarbyte.de/apt/) ./

You can make the complete installation routine shorter using the following commands:

wget -P/etc/apt/sources.list.d/ [http://wertarbyte.de/apt/wertarbyte-apt.list](http://wertarbyte.de/apt/wertarbyte-apt.list)
wget -O - [http://wertarbyte.de/apt/software-key.gpg](http://wertarbyte.de/apt/software-key.gpg) | apt-key add -
apt-get update
apt-get install ifupdown-scripts-wa

If you do not wish to install the script using the package system, you can also download it manually: http://wertarbyte.de/debian/ifupdown/addresses. It is filed in the /etc/network/if-up.d/ directory and also linked with /etc/network/if-down.d/:

cd /etc/network/if-up.d/ && \
wget [http://wertarbyte.de/debian/ifupdown/addresses](http://wertarbyte.de/debian/ifupdown/addresses) && \
chmod +x addresses && \
cd ../if-down.d/ && \
ln -s ../if-up.d/addresses .

It is recommended to install the script via the packet system because the current version of the script is always available.

The script extends the syntax of the configuration file by adding a new command addresses. This lets you specify additional binding IP addresses (with the netmask in /-notation):

addresses 10.4.2.1/32 10.4.2.2/32 10.4.2.3/32

If you add this line to configure the "eth0" interface, addresses are added upon activating the interface and removed upon deactivation.

It is also possible to use several lines to bundle addresses into categories and to make the configuration more transparent:

addresses       10.4.2.1/32
addresses-https 10.4.2.2/32 10.4.2.3/32 # SSL-Websites
addresses-mail  10.4.2.4/32             # Mailserver

The script captures various commands that start with the key word addresses- and a label of your choice. You shouldn't use labels twice. Otherwise you will get a syntax error for ifupdown, and the configuration of the interface will be interrupted. This can result in the server not being reachable.

The IP addresses which you have added via ip addr are not visible in the output of ifconfig ; you need the command ip addr show to show these. However, the addresses script can also set up alias devices:

addresses 10.0.0.1/32 10.0.0.2/32 10.0.0.3/32
create_alias_devices yes

The script creates consecutively numbered eth0:X devices using this configuration, which are also visible in ifconfig.

Instead of simply numbering the devices, it is also possible to use the labels from the configuration:

addresses-https 10.0.0.1/32 10.0.0.3/32
addresses-vhost 10.0.0.2/32
label_addresses yes

The addresses are subsequently labelled eth0:https or eth0:vhost in the output of ip addr and are also shown in ifconfig.

Additional IP addresses (virtualization)

With virtualization, the additional IP addresses are used via the guest system. To make these reachable via the Internet, you need to adjust the configuration in the host system accordingly in order to forward the packets. There are two ways of doing this for additional single IPs: the routed and bridged methods.

Routed (brouter)

In this type of configuration, the packets are routed. For this method, you need to set up an additional bridge with almost the same configuration (without gateway) as eth0.

Host:

auto eth0
iface eth0 inet static
   address (Main IP)
   netmask 255.255.255.255
   pointopoint (Gateway IP)
   gateway (Gateway IP)
#
iface eth0 inet6 static
  address 2a01:4f8:XX:YY::2
  netmask 128
  gateway fe80::1
#
auto virbr1
iface virbr1 inet static
   address (Main IP)
   netmask 255.255.255.255
   bridge_ports none
   bridge_stp off
   bridge_fd 0
   pre-up brctl addbr virbr1
   up ip route add (Additional IP)/32 dev virbr1
   down ip route del (Additional IP)/32 dev virbr1
 #
 iface virbr1 inet6 static
   address 2a01:4f8:XX:YY::2
   netmask 64

You also need to create a corresponding host route for each additional IP address. For IPv4, the eth0 configuration remains unchanged. For IPv6, you need to reduce the prefix from /64 to /128.

Guest:

auto eth0
iface eth0 inet static
   address (Additional IP)
   netmask 255.255.255.255
   pointopoint (Main IP)
   gateway (Main IP)
#
iface eth0 inet6 static
  address 2a01:4f8:XX:YY::4
  netmask 64
  gateway 2a01:4f8:XX:YY::2

Bridged

With a bridged configuration, packets are sent directly. The guest system behaves as if it is independent. This makes the MAC addresses of the guest system visible from the outside, so you need to request a virtual MAC address for each single IP address. (Make a support request on Robot). Then assign the virutal MAC address to the guest network card. The bridge gets the same network configuration as eth0.

# remove or disable configuration for eth0
#auto eth0
#iface eth0 inet static
#
auto  br0
iface br0 inet static
 address (Main IP)
 netmask (like eth0, e.g: 255.255.255.254)
 gateway (same as that for the main IP)
 bridge_ports eth0
 bridge_stp off
 bridge_fd 1
 bridge_hello 2
 bridge_maxage 12

The configuration of eth0 is omitted without replacement.

Table of Contents