[Solved] How to portforward NAT?

[jigglywiggly]

Ok so I was running bridged mode but this VM has public access a bit, and I don't trust everyone. So I wanted it to run in a virtual ip, so I picked NAT. So then a sniffer or some crazy thing won't happen. Problem is, how do you port forward with NAT? I tired port forwarding the server which has an ip of 192.168.1.118, then the virtualbox VM runs in an ip of 10.0.2.15 How would I portforward that? Or is there another type of option that would suit my needs?

[baf]

From the manual 6.4.1
"Linux Guest" is your vmname
guestssh is a tag chage for each set of forwardings
pcnet is the network card type change to e1000 if using intel
#0 cardnumber of this type

VBoxManage setextradata "Linux Guest"
"VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/Protocol" TCP
VBoxManage setextradata "Linux Guest"
"VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/GuestPort" 22
VBoxManage setextradata "Linux Guest"
"VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/HostPort" 2222

[jigglywiggly]

I'm using Win 2k8 r2 as host and win 7 desktop as the VM, not a debian distro, I think i made a mistake on my profile.

[Sasquatch]

That doesn't matter, the command is still the same. You only need to open a command prompt, change directory to the install folder of VB so you can execute vboxmanage.exe and you're done. Baf only gave an example. Change the command as you see fit. Note that the first line continues on the second line, the third on the fourth etc.

And update your profile again. I've never heard of a Debian version of VB run on Windows .

[jigglywiggly]

That doesn't matter, the command is still the same. You only need to open a command prompt, change directory to the install folder of VB so you can execute vboxmanage.exe and you're done. Baf only gave an example. Change the command as you see fit. Note that the first line continues on the second line, the third on the fourth etc.

And update your profile again. I've never heard of a Debian version of VB run on Windows .

What if I wanted a range of ports?

[Sasquatch]

Then you need the command for each port in the range. There currently isn't a way to forward a range of ports with one command. This is already in the suggestions forum. So far, no reply from a dev, but maybe they are already working on it.
If it's a large amount of ports, I suggest you use Bridged instead. You already used that, but you were afraid of sniffers and other kind of attacks. You will still have them, but not directed at the VM, but the Host directly. That can be an even worse situation. There is nothing a good firewall can protect you against. And of course the proper configuration of the OS and software.

[jigglywiggly]

So is there any benefit to running in its own subnet? I thought it would be a good idea because: It could not see the other lan computers but be able to access the Internet. But your saying you could then target the host OS, but couldn't you do that anyway if it was in bridged mode? I mean cain and abel is just a downright powerful tool, and it's so easy to use. It can also crack windows passwords which is what I'm most afraid of, there is a lot of valuable information on my network. I am tempted to just run it in bridged mode and cut off remote access...

[Sasquatch]

You run Windows, of course it's somewhat "dangerous". But if "they" detect that behind certain ports is a VM, then they will attach through there, bringing down the Guest and likely also the Host. With bridged, your Host will stay up, because it's not attacked directly or indirectly.

I advise you to read up on some security measures, I'm at my limit now too. Take a close look on some scenarios and other means of getting into a system and decide on your own what the best course of action is.

[abu]

You run Windows, of course it's somewhat "dangerous". But if "they" detect that behind certain ports is a VM, then they will attach through there, bringing down the Guest and likely also the Host. With bridged, your Host will stay up, because it's not attacked directly or indirectly.

Why is it more protected than with NAT? Does that phrase mean that in bridged mode, the host shows 2 different public IPs to the outside world? (one for the host, a different one for the guest).
Sorry I don't understand at all the differences between the different VB networking options. Do you know of any tutorials with graphical VB networking diagrams or examples out there?

[Sasquatch]

When you use bridged, your VM will look like a separate physical machine on the network. There is no connection directly to the Host in that matter. Attack the Guest, the Host won't budge because the data is send to the VM instead. You will only see higher CPU usage on the Host, because the Guest is trying to deal with the attack.
Now if you use NAT, the attack goes to the Host first, which then needs to send the attacking data to the Guest. This causes higher load on both, the Host handling the forwarding, the Guest handling the attack. Eventually, either one will fail or both.

More protected depends on what you want to protect. The host or the Guest? If it's the Guest, then yes, it's possibly safer with NAT. If you want to protect the Host, then no, for outside influences it's not any safer. I already said that I'm at my limit, I don't know much about security, especially the way you want to use it.

[abu]

When you use bridged, your VM will look like a separate physical machine on the network.

Thanks but I still don't understand the concept behind bridged mode: in which sense will your VM "look like separate" of your host? Do you need to have a separate IP available from your network administrator, so that you can asign one IP to the VB and a different one to the host ... using the same physical NIC? It seems impossible to me, but I can't see how else they are separate.
Perhaps is the port address which makes the separation? (not needing to be forwarded from host to guest in bridged mode). Is that what you mean? Guest takes full control of certai ports that you assign to VM?

[Sasquatch]

A separate machine is just that. It gets it's own IP address on the network. It's like you have another physical machine next to your existing one, hooked to the network.

There is only one thing that can give you complications when using Bridged mode. When in a company, the network administrator usually sets the switches to allow only one MAC address (that's the physical address of the NIC) per port. If it detects more than one, it will shut down the port for a while. If this is the case, then you have little luck if you have only one NIC in your PC.

I know this is a forum where you can ask questions, but please, we do this in our own spare time and it gets rather annoying if we have to tell people things while they can easily find it in a book or some website like Wikipedia. Do some research, get familiar with the terminology that is used here and how things work.

[jigglywiggly]

Alright thanks for your suggestions, I just went back to bridged and killed off VNC access. I have now setup a very complicated way for them to upload files going through like 3 vms, either way I know it's secure