Port forward to host-only networked guests possible?

Posted: 21. Mar 2011, 21:37
by avonnieda
Hi folks,

Seems like it ought to be pretty easy to port forward to guests on a host-only network so that I can ssh to them from outside the host, but I must be missing something. Can anyone who's done this give me a hand, or let me know if it's not possible for whatever reason? I've tried the following on the host machine. I'm trying to forward port 2200 on the host to port 22 on the guest, and I'm not an iptables expert by any means, but I've definitely been trying.

My Environment:
Virtualbox 4.04
Host: Redhat 5.5
Guests: Redhat 5.5 on host-only network

Trying to forward port 2200 to 192.168.56.101:22

iptables -A PREROUTING -i eth0 -t nat -p tcp --dport 2200 -j DNAT --to 192.168.56.101:22
iptables -A FORWARD -i eth0 -p tcp -m state --state NEW --dport 2200 -j ACCEPT

Thanks very much,

-Adam vonNieda

EDIT ** If there's a better way to do what I'm trying to do, please share, I'm not married to host-only networking. What I want to be able to do is have static IPs on my guests, but not bridged, and be able to port forward to them from the host.

Thanks! :)

Re: Port forward to host-only networked guests possible?

Posted: 21. Mar 2011, 22:48
by vbox4me2
Nope, won't work by design, use Bridge with a router VM and internal networking. You could try using a Windows Bridge between host-only and the Host local adapter, inside that interface you can route traffic. I've had that working once but never documented it since the issue I had was solved differently. But what's wrong with VBox NAT?

Re: Port forward to host-only networked guests possible?

Posted: 21. Mar 2011, 22:54
by avonnieda
Hi there vbox4me2, thanks for the reply.

I've got no problem at all using NAT, other than it seems quite dependent on DHCP. I want to use static IPs on my guests and have communication between them. I did set one up with a static IP under NAT, and I was no longer able to ssh out from the guest, if I remember correctly. Is that not the case? Can I use NAT but still have static IPs and communicate with other guests?

In other words, I need to bring up a database guest and an app server guest which need to communicate with each other, and I want to be able to hit these services from a desktop. Bridged would be the best option, but I can't use IPs from our physical network, I need to have my own virtual network.

Thanks,

-Adam

Re: Port forward to host-only networked guests possible?

Posted: 21. Mar 2011, 23:11
by Sasquatch
The IP address you get with NAT is always the same, so don't worry about that. And if you change it from the one you would get from DHCP, then nothing will work on it.

What you forgot in your IPtables is that you forward NEW connections, but you do nothing with RELATED and ESTABLISHED. Forgetting that will get data towards the machine, but never out nor any related connection info after that (the third step of the three-way handshake and the actual connection).
To forward a port from the Host to the Guest with Host-Only, you just need these two entries:

Code:

iptables -A FORWARD -i eth0 -d 192.168.56.101 -p tcp --sport 2200 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
That should do it.

Re: Port forward to host-only networked guests possible?

Posted: 21. Mar 2011, 23:25
by avonnieda

Code:

iptables -A FORWARD -i eth0 -d 192.168.56.101 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Thanks for the reply Sasquatch. Only thing that seems to be missing there is what port we're trying to forward, in my case it's 2200.
2200 -> 22

Am I overlooking something?

Thanks!

Adam

Re: Port forward to host-only networked guests possible?

Posted: 21. Mar 2011, 23:48
by Sasquatch
Yeah, forgot that one part. I just copy/pasted the two lines from some other documentation I had and forgot to add the --sport 2200 in the first one.
Fixed the command in the post.

Re: Port forward to host-only networked guests possible?

Posted: 22. Mar 2011, 01:47
by avonnieda
Thanks again Sasquatch, appreciate the help. I still can't get this damned thing to work though. Here's a log of my activity. If you have any other ideas I'm all ears :)

Following is ifconfig output for my interfaces, the iptables commands, and then I try to ssh to the host via port 2200 and get a connection refused. Next I ssh to the guest just to show that it is listening and reachable.

Code:

[root@virtualbox vbox]# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:1C:23:C8:29:7D  
          inet addr:156.9.122.219  Bcast:156.9.122.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1649701 errors:0 dropped:0 overruns:0 frame:0
          TX packets:157641 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:127353378 (121.4 MiB)  TX bytes:141296915 (134.7 MiB)
          Interrupt:169 Memory:f8000000-f8012800 

[root@virtualbox vbox]# ifconfig vboxnet0
vboxnet0  Link encap:Ethernet  HWaddr 0A:00:27:00:00:00  
          inet addr:192.168.56.1  Bcast:192.168.56.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:90 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 b)  TX bytes:19704 (19.2 KiB)

[root@virtualbox vbox]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination  
       
[root@virtualbox vbox]# iptables -A FORWARD -i eth0 -d 192.168.56.101 -p tcp --sport 2200 --dport 22 -j ACCEPT
[root@virtualbox vbox]# iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@virtualbox vbox]# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             192.168.56.101      tcp spt:ssh-2200 dpt:ssh-22 

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination    
     
[root@virtualbox vbox]# ssh -p 2200 156.9.122.219
ssh: connect to host 156.9.122.219 port 2200: Connection refused

[root@virtualbox vbox]# ssh 192.168.56.101
root@192.168.56.101's password: 
Last login: Mon Mar 21 16:37:31 2011
[root@obiee11 ~]# 


Re: Port forward to host-only networked guests possible?

Posted: 22. Mar 2011, 01:53
by Sasquatch
Get cracking with Google and iptables manuals. See what tcpdump shows you when you try to connect to port 2200 and debug your rules with that. IPtables isn't something we usually discuss here, it's outside the scope of this forum. Perhaps a more specialized forum can help you to find the answer.

Oh, wait a second. Did you enable IPv4 forwarding in /etc/sysctl.conf? You have to do that too, else nothing can get forwarded. To do it at run time, so you don't have to reboot, do this:

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward

Re: Port forward to host-only networked guests possible?

Posted: 22. Mar 2011, 01:56
by avonnieda
Yep, I did do that. Thanks again for the help, I'll hit the books again. Just seemed like it's something that people would want to do quite commonly, I guess not.

Best regards,

-Adam

Re: Port forward to host-only networked guests possible?

Posted: 22. Mar 2011, 22:23
by Sasquatch
Yeah, I've been thinking about it and I think you need to change the rules a bit so it does NAT properly. Now you just forward data to a certain IP, but there is no way back or something. There is more than meets the eye.

Re: Port forward to host-only networked guests possible?

Posted: 1. Aug 2011, 16:59
by timefortea
Hi there,
Did you have any luck with getting this working? I also want to do the same thing - I need a few Linux-based VMs to run within a virtual subnet as they need to talk to each other. I don't want to use real IPs from the physical network and I have to be able to port forward ssh to get access to the VMs. Port Forwarding is working fine when I use NAT but this isn't an option when using Internal Networking.

(I use Windows 7 as the host OS)

Thanks.

Chris.

Re: Port forward to host-only networked guests possible?

Posted: 1. Aug 2011, 17:17
by avonnieda
Hi Chris,

No, I never did. I've since moved my VMs onto a different virtualization platform for other reasons, best of luck with it.

-Adam

Re: Port forward to host-only networked guests possible?

Posted: 2. Aug 2011, 22:53
by tehknowledge
Those iptables rules allow the 'routing' of the port, but do not do NAT. If you do not want NAT, you have to add a route to the source PC in order to use the virtualbox host as a gateway to the host-only network. However, it might not be able to get back to the client in the 'real world'. Use the iptables NAT rules like:

My host iptables (CentOS)

Code:

*nat
:PREROUTING ACCEPT [3:792]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Port 2200 on the host -> port 22 on the guest. The ":22" is required: without
# a port in --to-destination the guest would receive the packet on port 2200.
-A PREROUTING -d 156.9.122.219 -p tcp -m tcp --dport 2200 -j DNAT --to-destination 192.168.56.101:22
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [1961:200666]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Forward Rules. FORWARD sees the packet after PREROUTING has rewritten it, so
# the NEW rule must match the guest address and port 22, not the host address
# and port 2200.
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m state --state NEW -m tcp -d 192.168.56.101 --dport 22 -j ACCEPT
COMMIT
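The following is an added illustration, not code posted in this thread. It is a toy model of the netfilter path a packet takes on the VirtualBox host (nat PREROUTING, then the routing decision, then filter INPUT or FORWARD) using the addresses from the thread (156.9.122.219 on eth0, 192.168.56.1 on vboxnet0, guest 192.168.56.101). The client address and ports are constructed. It shows why FORWARD-only rules with no DNAT, as in the first attempts above, end in "connection refused" on the host, why a DNAT rule for 2200 -> 192.168.56.101:22 must be paired with a FORWARD rule that matches the post-DNAT destination, and what happens when net.ipv4.ip_forward is 0. The rule sets modelled here are assumptions built for the example; function names such as traverse, filter_only_rules and nat_rules are not from any real tool.

```python
# Toy model of the netfilter path on the VirtualBox host. Added illustration,
# not code from the thread; addresses are the ones posted there, the client
# address and ports are constructed.
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

HOST_PUBLIC = "156.9.122.219"   # host eth0 (from the posted ifconfig output)
HOST_VBOXNET = "192.168.56.1"   # host vboxnet0
GUEST = "192.168.56.101"        # host-only guest running sshd on port 22
LOCAL_ADDRS = {HOST_PUBLIC, HOST_VBOXNET}
LISTENERS = {(HOST_PUBLIC, 22), (GUEST, 22)}   # nothing listens on host:2200


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    sport: int
    dst: str
    dport: int


Match = Callable[[Packet], bool]


@dataclass
class Chain:
    rules: List[Tuple[Match, str]]   # (predicate, target), first match wins
    policy: str = "ACCEPT"

    def verdict(self, pkt: Packet) -> str:
        for match, target in self.rules:
            if match(pkt):
                return target
        return self.policy


def dnat(match: Match, to_addr: str, to_port: Optional[int] = None):
    """A nat PREROUTING rule: -j DNAT --to-destination addr[:port]."""
    return (match, (to_addr, to_port))


def tcp(iface=None, dst=None, sport=None, dport=None) -> Match:
    """Predicate for -i/-d/--sport/--dport matches (None = wildcard)."""
    return lambda p: ((iface is None or p.in_iface == iface)
                      and (dst is None or p.dst == dst)
                      and (sport is None or p.sport == sport)
                      and (dport is None or p.dport == dport))


def traverse(pkt: Packet, prerouting, forward: Chain, input_chain: Chain,
             ip_forward: bool = True) -> str:
    # 1. nat PREROUTING runs before the routing decision; the first matching
    #    DNAT rewrites the destination (the port only if one was given).
    for match, (to_addr, to_port) in prerouting:
        if match(pkt):
            pkt = replace(pkt, dst=to_addr, dport=to_port or pkt.dport)
            break
    # 2. Routing decision on the (possibly rewritten) destination.
    if pkt.dst in LOCAL_ADDRS:
        v = input_chain.verdict(pkt)
        if v != "ACCEPT":
            return f"INPUT {v}"
        return ("delivered locally" if (pkt.dst, pkt.dport) in LISTENERS
                else "connection refused (no local listener)")
    if not ip_forward:
        return "dropped: net.ipv4.ip_forward=0"
    # 3. filter FORWARD sees the post-DNAT addresses.
    v = forward.verdict(pkt)
    if v != "ACCEPT":
        return f"FORWARD {v}"
    return f"forwarded to {pkt.dst}:{pkt.dport}"


# Constructed client: a desktop on the LAN running ssh -p 2200 to the host.
CLIENT = Packet(in_iface="eth0", src="156.9.122.50", sport=40000,
                dst=HOST_PUBLIC, dport=2200)


def filter_only_rules() -> str:
    """FORWARD rule only, no DNAT: the packet never leaves the host."""
    fwd = Chain([(tcp(iface="eth0", dst=GUEST, sport=2200, dport=22), "ACCEPT")])
    return traverse(CLIENT, prerouting=[], forward=fwd, input_chain=Chain([]))


def nat_rules(forward_ok: bool = True, ip_forward: bool = True) -> str:
    """DNAT 2200 -> guest:22 plus a FORWARD rule with policy DROP. With
    forward_ok=False the FORWARD rule matches the pre-DNAT address and port,
    a common mistake that silently drops the connection."""
    pre = [dnat(tcp(dst=HOST_PUBLIC, dport=2200), GUEST, 22)]
    if forward_ok:
        fwd_match = tcp(iface="eth0", dst=GUEST, dport=22)
    else:
        fwd_match = tcp(iface="eth0", dst=HOST_PUBLIC, dport=2200)
    fwd = Chain([(fwd_match, "ACCEPT")], policy="DROP")
    return traverse(CLIENT, pre, fwd, Chain([], policy="DROP"), ip_forward)


if __name__ == "__main__":
    print("FORWARD-only rules:  ", filter_only_rules())
    print("DNAT + FORWARD:      ", nat_rules())
    print("FORWARD pre-DNAT dst:", nat_rules(forward_ok=False))
    print("ip_forward=0:        ", nat_rules(ip_forward=False))
```

Two caveats the model leaves out: the return path needs the guest's default route to point at the host's vboxnet0 address (192.168.56.1) or a nat POSTROUTING SNAT/MASQUERADE rule on the host, and a test run on the host itself against its own address (as in the log above) is locally generated traffic that passes nat OUTPUT, not PREROUTING, so it never hits the DNAT rule; test from another machine, or watch the interface with tcpdump as suggested above.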