Port forward to host-only networked guests possible?

Discussions related to using VirtualBox on Linux hosts.

Postby avonnieda » 21. Mar 2011, 21:37

Hi folks,

Seems like it ought to be pretty easy to port forward to guests on a host only network so that I can ssh to them from outside the host, but I must be missing something. Can anyone who's done this give me a hand, or let me know if it's not possible for whatever reason? I've tried the following on the host machine. I'm trying to forward port 2200 on the host to port 22 on the guest, and not an iptables expert by any means, but I've definitely been trying.

My Environment:
Virtualbox 4.04
Host: Redhat 5.5
Guests: Redhat 5.5 on host-only network

Trying to forward port 2200 to 192.168.56.101:22

iptables -A PREROUTING -i eth0 -t nat -p tcp --dport 2200 -j DNAT --to 192.168.56.101:22
iptables -A FORWARD -i eth0 -p tcp -m state --state NEW --dport 2200 -j ACCEPT

Thanks very much,

-Adam vonNieda

EDIT ** If there's a better way to do what I'm trying to do, please share, I'm not married to host-only networking. What I want to be able to do is have static IP's on my guests, but not bridged, and be able to port forward to them from the host.

Thanks! :)
avonnieda
 
Posts: 17
Joined: 18. Jul 2008, 23:57

Re: Port forward to host-only networked guests possible?

Postby vbox4me2 » 21. Mar 2011, 22:48

Nope, won't work by design, use Bridge with a router VM and internal networking. You could try using a Windows Bridge between hostonly and the Host local adapter, inside that interface you can route traffic. I've had that working once but never documented it since the issue I had was solved differently. But what's wrong with VBox NAT?
vbox4me2
Volunteer
 
Posts: 5222
Joined: 21. Nov 2008, 20:27
Location: Rotterdam

Re: Port forward to host-only networked guests possible?

Postby avonnieda » 21. Mar 2011, 22:54

Hi there vbox4me2, thanks for the reply.

I've got no problem at all using NAT, other than it seems quite dependent on DHCP. I want to use static IP's on my guests and have communication between them. I did set one up with a static IP under NAT, and I was no longer able to ssh out from the guest, if I remember correctly. Is that not the case? Can I use NAT but still have static IP's and communicate with other guests?

In other words, I need to bring up a database guest and an app server guest which need to communicate with each other, and I want to be able to hit these services from a desktop. Bridged would be the best option, but I can't use IP's from our physical network, I need to have my own virtual network.

Thanks,

-Adam
avonnieda
 
Posts: 17
Joined: 18. Jul 2008, 23:57

Re: Port forward to host-only networked guests possible?

Postby Sasquatch » 21. Mar 2011, 23:11

The IP address you get with NAT is always the same, so don't worry about that. And if you change it from the one you would get from DHCP, then nothing will work on it.

What you forgot in your IPtables is that you forward NEW connections, but you do nothing with RELATED and ESTABLISHED. Forgetting that will get data towards the machine, but never out nor any related connection info after that (the third step of the three-way handshake and the actual connection).
To forward a port from the Host to the Guest with Host-Only, you just need these two entries:
Code:
iptables -A FORWARD -i eth0 -d 192.168.56.101 -p tcp --sport 2200 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

That should do it.
Read the Forum Posting Guide before opening a topic.
VirtualBox FAQ: Check this before asking questions.
Online User Manual: A must read if you want to know what we're talking about.
Howto: Install Linux Guest Additions
Howto: Use Shared Folders on Linux Guest
See the Tutorials and FAQ section at the top of the Forum for more guides.
Try searching the forums first with Google and add the site filter for this forum.
E.g. install guest additions site:forums.virtualbox.org

Retired from this Forum since OSSO introduction.
Sasquatch
Volunteer
 
Posts: 17800
Joined: 17. Mar 2008, 13:41
Location: /dev/random
Primary OS: Debian other
VBox Version: PUEL
Guest OSses: Windows XP, Windows 7, Linux

Re: Port forward to host-only networked guests possible?

Postby avonnieda » 21. Mar 2011, 23:25

Code:
iptables -A FORWARD -i eth0 -d 192.168.56.101 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT


Thanks for the reply Sasquatch. Only thing that seems to be missing there is what port we're trying to forward, in my case it's 2200.
2200 -> 22

Am I overlooking something?

Thanks!

Adam
avonnieda
 
Posts: 17
Joined: 18. Jul 2008, 23:57

Re: Port forward to host-only networked guests possible?

Postby Sasquatch » 21. Mar 2011, 23:48

Yeah, forgot that one part. I just copy/pasted the two lines from some other documentation I had and forgot to add the --sport 2200 in the first one.
Fixed the command in the post.
Sasquatch
Volunteer
 
Posts: 17800
Joined: 17. Mar 2008, 13:41
Location: /dev/random
Primary OS: Debian other
VBox Version: PUEL
Guest OSses: Windows XP, Windows 7, Linux

Re: Port forward to host-only networked guests possible?

Postby avonnieda » 22. Mar 2011, 01:47

Thanks again Sasquatch, appreciate the help. I still can't get this damned thing to work though. Here's a log of my activity. If you have any other ideas I'm all ears :)

Following is ifconfig output for my interfaces, the iptables commands, and then I try to ssh to the host via port 2200 and get a connection refused. Next I ssh to the guest just to show that it is listening and reachable.

Code:
[root@virtualbox vbox]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:1C:23:C8:29:7D 
          inet addr:156.9.122.219  Bcast:156.9.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1649701 errors:0 dropped:0 overruns:0 frame:0
          TX packets:157641 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:127353378 (121.4 MiB)  TX bytes:141296915 (134.7 MiB)
          Interrupt:169 Memory:f8000000-f8012800

[root@virtualbox vbox]# ifconfig vboxnet0
vboxnet0  Link encap:Ethernet  HWaddr 0A:00:27:00:00:00 
          inet addr:192.168.56.1  Bcast:192.168.56.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:90 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:19704 (19.2 KiB)

[root@virtualbox vbox]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 
       
[root@virtualbox vbox]# iptables -A FORWARD -i eth0 -d 192.168.56.101 -p tcp --sport 2200 --dport 22 -j ACCEPT
[root@virtualbox vbox]# iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@virtualbox vbox]# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             192.168.56.101      tcp spt:ssh-2200 dpt:ssh-22

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination   
     
[root@virtualbox vbox]# ssh -p 2200 156.9.122.219
ssh: connect to host 156.9.122.219 port 2200: Connection refused

[root@virtualbox vbox]# ssh 192.168.56.101
root@192.168.56.101's password:
Last login: Mon Mar 21 16:37:31 2011
[root@obiee11 ~]#

avonnieda
 
Posts: 17
Joined: 18. Jul 2008, 23:57

Re: Port forward to host-only networked guests possible?

Postby Sasquatch » 22. Mar 2011, 01:53

Get cracking with Google and iptables manuals. See what tcpdump shows you when you try to connect to port 2200 and debug your rules with that. IPtables isn't something we usually discuss here, it's outside the scope of this forum. Perhaps a more specialized forum can help you to find the answer.

Oh, wait a second. Did you enable IPv4 forwarding in /etc/sysctl.conf? You have to do that too, else nothing can get forwarded. To do it at run time, so you don't have to reboot, do this:
Code:
echo 1 > /proc/sys/net/ipv4/ip_forward
Sasquatch
Volunteer
 
Posts: 17800
Joined: 17. Mar 2008, 13:41
Location: /dev/random
Primary OS: Debian other
VBox Version: PUEL
Guest OSses: Windows XP, Windows 7, Linux

Re: Port forward to host-only networked guests possible?

Postby avonnieda » 22. Mar 2011, 01:56

Yep, I did do that. Thanks again for the help, I'll hit the books again. Just seemed like it's something that people would want to do quite commonly, I guess not.

Best regards,

-Adam
avonnieda
 
Posts: 17
Joined: 18. Jul 2008, 23:57

Re: Port forward to host-only networked guests possible?

Postby Sasquatch » 22. Mar 2011, 22:23

Yeah, I've been thinking about it and I think you need to change the rules a bit so it does NAT properly. Now you just forward data to a certain IP, but there is no way back or something. There is more than meets the eye.
Sasquatch
Volunteer
 
Posts: 17800
Joined: 17. Mar 2008, 13:41
Location: /dev/random
Primary OS: Debian other
VBox Version: PUEL
Guest OSses: Windows XP, Windows 7, Linux

Re: Port forward to host-only networked guests possible?

Postby timefortea » 1. Aug 2011, 16:59

Hi there,
Did you have any luck with getting this working? I also want to do the same thing - I need a few Linux-based VMs to run within a virtual subnet as they need to talk to each other. I don't want to use real IPs from the physical network and I have to be able to port forward ssh to get access to the VMs. Port Forwarding is working fine when I use NAT but this isn't an option when using Internal Networking.

(I use Windows 7 as the host OS)

Thanks.

Chris.
timefortea
 
Posts: 1
Joined: 1. Aug 2011, 16:19
Primary OS: MS Windows 7
VBox Version: OSE other
Guest OSses: Windows XP, RHEL 5.4, CentOS 5.4, Ubuntu 11.04 Server

Re: Port forward to host-only networked guests possible?

Postby avonnieda » 1. Aug 2011, 17:17

Hi Chris,

No, I never did. I've since moved my VM's onto a different virtualization platform for other reasons, best of luck with it.

-Adam
avonnieda
 
Posts: 17
Joined: 18. Jul 2008, 23:57

Re: Port forward to host-only networked guests possible?

Postby tehknowledge » 2. Aug 2011, 22:53

Those iptables rules allow the 'routing' of the port, but do not do NAT. If you do not want NAT, you have to add a route to the source PC in order to use the VirtualBox host for a gateway to the host-only network. However, it might now be able to get back to the client in the 'real world'. Use the iptables NAT rules like:

My host iptables (CentOS)

Code:
*nat
:PREROUTING ACCEPT [3:792]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Port 2200 on the host -> port 22 on the guest
-A PREROUTING -d 156.9.122.219 -p tcp -m tcp --dport 2200 -j DNAT --to-destination 192.168.56.101:22
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1961:200666]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Forward rules (evaluated after DNAT, so they match the guest address and port)
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state NEW -m tcp -p tcp -d 192.168.56.101 --dport 22 -j ACCEPT
COMMIT
tehknowledge
 
Posts: 1
Joined: 2. Aug 2011, 22:44
Primary OS: Ubuntu other
VBox Version: OSE Debian
Guest OSses: RHEL/CENTOS/Windows
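
An added example, not part of any post in this thread: a script that prints, without applying, the complete command set for the 2200 -> 22 forward discussed above, covering destination rewrite, tests run from the host itself, the return path and the FORWARD match. The function names are illustrative, the interface names and addresses are the ones quoted in the thread, and the MASQUERADE rule assumes the guest has no route back to remote clients.

```shell
#!/bin/sh
# Added example: print (not apply) the commands that forward
# EXT_IP:HOST_PORT to GUEST_IP:GUEST_PORT on a host-only network.
# Function names are illustrative; review the output before running it as root.

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ifname() {
    case "$1" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
}

valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# args: ext_if ext_ip host_port guest_if guest_ip guest_port
gen_forward_rules() {
    { valid_ifname "$1" && valid_ipv4 "$2" && valid_port "$3" &&
      valid_ifname "$4" && valid_ipv4 "$5" && valid_port "$6"; } || {
        echo "gen_forward_rules: invalid interface, address or port" >&2
        return 1
    }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
# External clients: rewrite destination address AND port before routing.
iptables -t nat -A PREROUTING -i $1 -d $2 -p tcp --dport $3 -j DNAT --to-destination $5:$6
# Connections opened on the host itself skip PREROUTING and use nat OUTPUT.
iptables -t nat -A OUTPUT -d $2 -p tcp --dport $3 -j DNAT --to-destination $5:$6
# Return path (assumes the guest has no route to remote clients):
# source-NAT to the host-only address so replies come back through the host.
iptables -t nat -A POSTROUTING -o $4 -d $5 -p tcp --dport $6 -j MASQUERADE
# FORWARD is evaluated after DNAT, so match the guest address and port.
iptables -A FORWARD -i $1 -o $4 -d $5 -p tcp --dport $6 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
EOF
}

# Values quoted in the thread: host eth0 156.9.122.219:2200 -> guest 192.168.56.101:22
gen_forward_rules eth0 156.9.122.219 2200 vboxnet0 192.168.56.101 22
```

Appended (`-A`) rules land after anything already in the chain, so on a host whose FORWARD chain ends in a REJECT or DROP rule they need to be inserted above it with `-I` instead.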

