Host-only networking and server virtualization
Posted: 9. Jun 2012, 17:42
Dear colleagues,
I am trying to implement the following network scenario, in which a single physical machine (PC), running Ubuntu 12.04 x64, with the IP address 192.168.1.3, hosts a number of virtualized servers (each running some version of Ubuntu), providing various types of services (email, video streaming, ftp, web etc.). Some servers operate in load balancing mode, i.e. a service request may be sent to a different server depending on the network load. The virtualization part is implemented using a series of VM guests running on VBox 4.1.12 (did not feel like upgrading it yet).
Here is the target network scenario that I am trying to achieve:

The Host-Only network interface is configured with the IP address 10.10.10.1, with the Host-Only DHCP configured at 10.10.10.2. Individual servers get their IPs in the range 10.10.10.10 through 10.10.10.30 (there are in total 20 VM guests running at any time; I show above just three examples).
Now, with that network setup in mind, what I am trying to do is hide away the complexity of having multiple servers with multiple IP addresses and make them accessible via the PC on which the VMs are running, i.e. under the IP address 192.168.1.3. The way I hope it can be made to work is that an HTTP request towards 192.168.1.3 (on port 80) can be redirected to e.g. 10.10.10.10:80 to allow the server running at that IP to provide the web service. For ftp, the request might be redirected to 10.10.10.20:21 (for example) to provide the service, and so forth.
The problem that I came across is that in the Host-Only network mode configured on VBox, I do not seem to be able to forward frames between the physical interface (eth1) on 192.168.1.3, connected to the 192.168.1.0/24 network, and the vboxnet0 interface (which seems to be a software loopback-only interface configured by the VBox platform). What I would like to confirm first and foremost is whether anybody has tried and managed to successfully forward frames between the physical interface on the machine (be that of eth*, wlan* or ppp* type) and the software interface vboxnet* using iptables in Linux. Using even very simple iptables rules configured on the PC running with IP 192.168.1.3, I did not manage to see internet connectivity on any VM. Here are examples for iptables:
# iptables -t filter -A FORWARD -i eth1 -j ACCEPT
# iptables -t filter -A FORWARD -i vboxnet0 -j ACCEPT
# iptables -P FORWARD DROP
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
which generally relay everything from the eth1 interface according to the routing enabled and configured on the machine, forwarding all traffic coming in on the eth1 and vboxnet0 interfaces, while preventing the machine running at 192.168.1.3 from receiving anything for its internal processes or sending anything out from internal processes.
If I try similar iptables rules on the eth0 and eth1 interfaces (both physical), I can successfully forward traffic between both interfaces (tested on a machine with two NICs). It seems that the software vboxnet0 interface does not allow traffic forwarding and operates in local loopback mode only.
Can someone shed some light on this problem? Is there any way I could implement the target network architecture without exposing the IP addresses of individual servers to the outside network 192.168.1.0/24?
Any suggestions and help would be most welcome.
Marek
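One way to set up the kind of forwarding described in the post (IPv4 forwarding on the host plus NAT, so that 192.168.1.3:80 lands on 10.10.10.10:80 and port 21 on 10.10.10.20:21), as an added example that is not part of the original post. It assumes the interface names, addresses and the two-service map given above (the service table is constructed from those examples) and prints the commands so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the sysctl/iptables
# commands that publish host-only VM services behind the host's own address.
# Assumed from the post: external NIC eth1, host-only NIC vboxnet0,
# host IP 192.168.1.3, VM subnet 10.10.10.0/24.

EXT_IF="eth1"
VBOX_IF="vboxnet0"
HOST_IP="192.168.1.3"
VM_NET="10.10.10.0/24"

# Constructed service map: proto dport target  (one forwarded port per line)
SERVICES="tcp 80 10.10.10.10:80
tcp 21 10.10.10.20:21"

base_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $VBOX_IF -o $EXT_IF -s $VM_NET -j ACCEPT
iptables -t nat -A POSTROUTING -s $VM_NET -o $EXT_IF -j MASQUERADE
EOF
}

# One DNAT rule per service, plus a FORWARD rule that admits only that
# port to that VM; everything else stays closed by the DROP policy.
dnat_rules() {
  printf '%s\n' "$SERVICES" | while read -r proto dport target; do
    [ -z "$proto" ] && continue
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s\n' \
      "$EXT_IF" "$HOST_IP" "$proto" "$dport" "$target"
    printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
      "$EXT_IF" "$VBOX_IF" "$proto" "${target%%:*}" "${target##*:}"
  done
}

render_rules() { base_rules; dnat_rules; }
count_dnat_rules() { render_rules | grep -c -- '-j DNAT'; }

if [ "${1:-}" = "--apply" ]; then
  render_rules | sh      # run as root to apply
else
  render_rules           # default: just print the commands for review
fi
```

The FORWARD policy stays DROP, so only the explicitly published ports reach the VMs while MASQUERADE gives the guests outbound connectivity through eth1; FTP data connections additionally need the nf_conntrack_ftp helper loaded.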