croissa
Contributor

iptables, cores limit, upload to datastore.. in esxi 4.1


I'd like to run a single windows 2008 virtual machine over the free vsphere 4.1 hypervisor.

The only goal is to use iptables to filter all the network traffic to the esxi host and the windows guest. I don't need any of the fancy virtualization features, I just need to protect a windows setup with an inexpensive but powerful firewall, and thought that virtualization could do the trick. I already tried with Citrix XenServer, and found several problems... Now it's the time of vmware.

The windows guest will run gameservers, so it is critical that no jitter and (almost) no delays are introduced in the network. I would also prefer to avoid committing CPU and RAM resources to a second virtual machine if it isn't strictly necessary.

For this reason I'd rather do all the filtering with iptables at the host layer, and not in a linux guest. I see it is possible to enable SSH on the host and play with iptables, I guess on the INPUT (to protect the host) and FORWARD (to protect the guests) chains. Am I assuming correctly that this is pretty safe to do, provided that no network related settings will be touched in vsphere after this?

I'm not sure which are the limits of the free vsphere hypervisor edition. On a Xeon W3520 (4 cores + 4 hyper threading), will I be able to use all the 8 cores in the guest windows 2008 standard system (setting multiple cores per CPU as explained here, to avoid reaching the windows 4 sockets limit)?

What are my options to upload the windows .iso in the datastore? Last time I looked at the vsphere client, I could only upload it from my local hard drive and wget was not available in SSH (command not found). At my crappy ADSL upload speed of 384 kbps this isn't a viable option. The box is headless and located in a remote datacenter. I can have esxi installed via the automated netboot installer provided by the farm, which will format both the hard drives.

I guess I could get an answer for most of these questions by just trying it, but unfortunately the only box I have capable of running esxi is this one, and it is a production box... so before doing it I need to document myself to be able to have it working quickly and with as few surprises as possible.

Thank you


Accepted Solutions
FranckRookie
Leadership

Hello Croisa,

Welcome to the forums.

There is no firewall in ESXi. See here: http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1026845

There is no other way but to use a virtual machine to filter access to the VMs and the management network.

To run a VM with 8 vCPUs you need the Enterprise Plus license. And it is not recommended to give a VM all the processor cores the host has. vSphere needs some processor resources to run the guest. If your guest consumes all processor resources, your host won't be able to manage the guest properly.

To upload an Iso file to a datastore you can also use WinSCP or FastSCP.

Good luck.

Regards

Franck

6 Replies
croissa
Contributor

Thank you for your reply, it is very clear and informative.

If there's no firewall on the host, even if I protect the windows VM using a linux VM with iptables, I guess that all the esxi services facing the internet are subject to attack.

I've been a victim of spoofed udp floods and windows couldn't handle them. Now I'm on debian 6 and iptables + hashlimit match module do the job, but I still need windows to run some gameservers that don't have a linux port. If iptables can't be used on the host, I fear I'll receive other attacks on the esxi services and take the machine to its knees. Or are the host services robust enough to handle floodings?

To run a VM with 8 vCPUs you, need the Enterprise Plus license.

There's no way I can afford that license for this project.

With the free vsphere hypervisor can I run two VMs with up to 6 vCPUs each?

What about vmware server? this would allow me to use iptables and run some linux gameservers on the host, and have windows protected in a VM.

I've read it is near its end of life, and offers lower performances than esxi being run as an application over another OS, which scares me a bit since gameservers are soft real-time applications.

To upload an Iso file to a datastore you can also use WinSCP or FastSCP.

I've been using filezilla so far to transfer files to linux hosts but even with FastSCP, unless I'm missing something, it would still take ages to upload a > 2 GB .iso at 384 kbps :(

I don't have another vsphere server connected to a fast network with the .iso I need to do a ESX(i) to ESX(i) copy.

croissa
Contributor
To upload an Iso file to a datastore you can also use WinSCP or FastSCP.

I've been using filezilla so far to transfer files to linux hosts but even with FastSCP, unless I'm missing something, it would still take ages to upload a > 2 GB .iso at 384 kbps :(

I don't have another vsphere server connected to a fast network with the .iso I need to do a ESX(i) to ESX(i) copy.

I guess I could upload a small pxeboot linux image, create a VM booting from it, wget the .iso and make an NFS share, add a new datastore from the NFS share, and finally create a windows VM.

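The NFS workaround sketched in the post above, written out as an added example (this is not code from the thread or from any poster, and it is not VMware's own tooling): a small Linux helper VM fetches the ISO over the datacenter's fast link and exports it read-only over NFS to the ESXi host only, and the ESXi host then attaches that export as a datastore with esxcfg-nas, which ships with ESXi 4.1. The helper address, ESXi management address, ISO URL, hash and paths are constructed placeholders; with DRY_RUN=1 (the default) the script prints each command instead of running it.

```shell
#!/bin/sh
# Added example, not from the thread: the NFS workaround croissa sketches.
# A small Linux helper VM (booted from a tiny image uploaded through the
# vSphere client) downloads the ISO and exports it read-only over NFS to the
# ESXi host, which mounts it as a datastore with esxcfg-nas (ESXi 4.1).
# Helper address, ESXi address, URL, hash and paths are constructed
# placeholders. DRY_RUN=1 (the default) prints commands instead of running them.

DRY_RUN="${DRY_RUN:-1}"
HELPER_IP="${HELPER_IP:-10.0.0.20}"           # helper VM serving NFS (assumed)
ESXI_IP="${ESXI_IP:-10.0.0.2}"                # ESXi management address (assumed)
EXPORT_DIR="${EXPORT_DIR:-/srv/iso}"
ISO_URL="${ISO_URL:-http://mirror.example/windows-2008.iso}"   # placeholder
ISO_SHA256="${ISO_SHA256:-PLACEHOLDER_SHA256_FROM_VENDOR}"     # placeholder

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# /etc/exports entry: read-only, mountable only by the ESXi host, and
# no_root_squash because ESXi accesses NFS datastores as root.
exports_line() {
    printf '%s %s(ro,sync,no_subtree_check,no_root_squash)\n' \
        "$EXPORT_DIR" "$ESXI_IP"
}

# Command to run on the ESXi host (over SSH) to attach the export as a
# datastore labelled "$1".
esxi_mount_cmd() {
    printf 'esxcfg-nas -a -o %s -s %s %s\n' "$HELPER_IP" "$EXPORT_DIR" "$1"
}

# Download with resume (-c) so a dropped link does not restart from zero,
# then verify the vendor hash before the file is exposed to anything.
fetch_iso() {
    iso_name="${ISO_URL##*/}"
    run mkdir -p "$EXPORT_DIR"
    run wget -c -P "$EXPORT_DIR" "$ISO_URL"
    run sh -c "cd '$EXPORT_DIR' && echo '$ISO_SHA256  $iso_name' | sha256sum -c -"
}

# Publish the directory over NFS, limited to the ESXi host.
publish_iso() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'append to /etc/exports: %s\n' "$(exports_line)"
    else
        exports_line >> /etc/exports
    fi
    run exportfs -ra
}

fetch_iso
publish_iso
printf 'then on the ESXi host: %s\n' "$(esxi_mount_cmd isostore)"
```

Keeping the export read-only and limited to the ESXi host's address means the helper VM exposes nothing writable, and the hash check runs before the ISO is mounted anywhere; the helper VM can be deleted once the Windows VM is installed.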
DSTAVERT
Immortal

You can have a look at VMware Server or VMware Workstation. They can both run on top of your Debian OS.

-- David -- VMware Communities Moderator
mcowger
Immortal

Thank you for your reply, it is very clear and informative.

If there's no firewall on the host, even if I protect the windows VM using a linux VM with iptables, I guess that all the esxi services facing the internet are subject to be attacked.

I've been a victim of spoofed udp floods and windows couldn't handle them. Now I'm on debian 6 and iptables + hashlimit match module do the job, but I still need windows to run some gameservers that don't have a linux port. If iptables can't be used on the host, I fear I'll receive other attacks on the esxi services and take the machine to its knees. Or are the host services robust enough to handle floodings?

Most people just don't expose the mgmt interface to the internet at all. They use a proper (non-guest) firewall and/or VPNs to access the mgmt so that ESXi's mgmt interfaces are simply not subject to the kinds of attacks you are talking about. I would *NOT* recommend exposing the ESXi mgmt interface directly to the internet.

With the free vsphere hypervisor can I run two VMs with up to 6 vCPUs each?

Nope - max would be quad core VMs with the free license.

What about vmware server?

Sure, you could do it, but it's going to introduce the kind of jitter that you say you don't want. Unfortunately, you are wanting to do enterprise level things but are not willing to pay enterprise level costs :). Something has to give.

To upload an Iso file to a datastore you can also use WinSCP or FastSCP.

I've been using filezilla so far to transfer files to linux hosts but even with FastSCP, unless I'm missing something, it would still take ages to upload a > 2 GB .iso at 384 kbps :(

Again - such are the costs of doing enterprise stuff on a hobbyist budget :)

--Matt VCDX #52 blog.cowger.us
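As an added example (not code from the thread, from any poster, or from VMware), here is the shape of the iptables policy a Linux firewall VM could apply when it sits between the WAN and both the Windows guest and the ESXi management network, which is the setup Franck describes: the per-source hashlimit rate limiting croissa mentions using against spoofed UDP floods on Debian 6, plus an aggregate ceiling per game port, and the management isolation mcowger recommends (SSH, HTTPS and the host agent reachable only from an admin/VPN network). All addresses, interfaces, ports and rates are constructed assumptions. IPT defaults to "echo iptables", so the script only prints the rules; set IPT=iptables and run it as root on the firewall VM to apply them.

```shell
#!/bin/sh
# Added example, not code from the thread or any poster: the policy a Linux
# firewall VM could apply when it sits between the WAN and both the Windows
# guest and the ESXi management network (Franck's and mcowger's advice),
# with the hashlimit rate limiting croissa describes for spoofed UDP floods.
# All addresses, interfaces, ports and rates are constructed assumptions.
# IPT defaults to "echo iptables", so the script only prints the rules;
# set IPT=iptables and run as root on the firewall VM to apply them.

IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"                 # internet-facing interface
GAME_IP="${GAME_IP:-10.0.0.10}"          # Windows game server VM
MGMT_IP="${MGMT_IP:-10.0.0.2}"           # ESXi management (vmkernel) address
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # admin/VPN network (RFC 5737 range)
SRC_RATE="${SRC_RATE:-50/second}"        # sustained packets per source IP
SRC_BURST="${SRC_BURST:-100}"            # burst per source IP
PORT_RATE="${PORT_RATE:-5000/second}"    # aggregate ceiling per game port
PORT_BURST="${PORT_BURST:-10000}"

# Default deny, keep established flows, allow loopback on the firewall itself.
base_policy() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# UDP flood control for one game port, evaluated in order:
#  1. a source sending above SRC_RATE is dropped (one bucket per source IP,
#     so a single flooder cannot starve everyone else);
#  2. traffic above the aggregate PORT_RATE is dropped (one bucket per
#     destination port, which caps what a flood spread over many spoofed
#     sources can push through to the guest);
#  3. what remains is accepted.
game_udp_rules() {
    port="$1"
    $IPT -A FORWARD -i "$WAN_IF" -p udp -d "$GAME_IP" --dport "$port" \
        -m hashlimit --hashlimit-name "src_$port" --hashlimit-mode srcip \
        --hashlimit-above "$SRC_RATE" --hashlimit-burst "$SRC_BURST" \
        --hashlimit-htable-expire 10000 -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -p udp -d "$GAME_IP" --dport "$port" \
        -m hashlimit --hashlimit-name "port_$port" --hashlimit-mode dstport \
        --hashlimit-above "$PORT_RATE" --hashlimit-burst "$PORT_BURST" -j DROP
    $IPT -A FORWARD -i "$WAN_IF" -p udp -d "$GAME_IP" --dport "$port" -j ACCEPT
}

# Management isolation: SSH (22), vSphere client/HTTPS (443) and the host
# agent (902) on the ESXi management address are reachable only from the
# admin/VPN network; everything else from the WAN toward it is dropped.
mgmt_rules() {
    for p in 22 443 902; do
        $IPT -A FORWARD -s "$ADMIN_NET" -p tcp -d "$MGMT_IP" --dport "$p" -j ACCEPT
    done
    $IPT -A FORWARD -i "$WAN_IF" -d "$MGMT_IP" -j DROP
}

build_policy() {
    base_policy
    game_udp_rules 27015   # assumed game port; call once per port
    mgmt_rules
}

build_policy
```

The rates are starting points, not tuned values: set SRC_RATE from what one real client of the game sends per second with some headroom, and PORT_RATE from the link and the guest's capacity, then watch the counters (iptables -L FORWARD -v -n) during normal play before trusting them. The management rules only help if the ESXi management vmkernel address is reachable solely through this firewall VM and is not attached to the WAN-facing vSwitch directly.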
croissa
Contributor

Eheh, you are absolutely right about me seeking enterprise features and having a hobbyist budget :)

We run public gameservers for several games just because we enjoy doing it, our only income is from donations and they don't always cover the live expenses of the hardware and bandwidth.

(Un)fortunately we are quite popular, and this attracts all kinds of attacks by envious game server owners or players angry for being banned for any reason from our servers...

It is so easy nowadays for script kiddies with too much free time to do nasty things on the internet, with minimal risks of being caught.

Without the attacks we could have been living happily with windows on the bare metal... or with an appropriate budget we could afford a hardware firewall...

Thanks again for your answers
