Bridged like virtual network controlled by host firewall?
-
abcuser
- Volunteer
- Posts: 595
- Joined: 10. May 2007, 20:03
- Primary OS: Ubuntu other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Ubuntu, Windows XP
Bridged like virtual network controlled by host firewall?
Hi,
I have the following requirements:
(1) Guest must have access to the internet (e.g. using a browser).
(2) Guest must be accessible from the internet.
(3) Guest must have its own static IP address (it should not be the same as the host's static IP).
(4) Network traffic between guest and host must be controlled by the host firewall.
If only (1) was required, I could use NAT.
If only (1) and (2) were required, I could use NAT with port forwarding.
If only (1), (2) and (3) were required, then I could use a Bridged Adapter.
According to theory:
NAT: does not support a static IP address (the exception is port forwarding, but in this case guest and host have the same IP - not acceptable in my case).
Internal Network: guests can see each other - not suitable in my case.
Host-only Adapter: guest can see other guests and the host, host can access guests, guest can't be accessed from the internet.
Bridged Adapter: it uses a virtual network host driver that bypasses the host firewall.
Is there a way to configure a 'bridged like' connection between guest and host and have the host firewall control what network traffic gets into each of the virtual machines?
P.S. Looking at my 5-year-old documentation, this was once done using network bridges and VBoxAddIF, but this command does not exist anymore, because the VirtualBox virtual network was completely rewritten a few versions back.
My system:
- host: Ubuntu 8.04
- guest (multiple guests): Windows XP
- VirtualBox 4.2.16
-
mpack
- Site Moderator
- Posts: 39134
- Joined: 4. Sep 2008, 17:09
- Primary OS: MS Windows 10
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Mostly XP
Re: Bridged like virtual network controlled by host firewall?
abcuser wrote: Is there a way to configure 'bridged like' connection between guest and host and have a host firewall control what network traffic gets into each of the virtual machines.
Basically, no. If you use "bridged" then the VM is considered a separate PC on the same network, and will need to take its own precautions regarding firewalls etc. - just like every other PC on the network.
-
noteirak
- Site Moderator
- Posts: 5231
- Joined: 13. Jan 2012, 11:14
- Primary OS: Debian other
- VBox Version: OSE Debian
- Guest OSses: Debian, Win 2k8, Win 7
- Contact:
Re: Bridged like virtual network controlled by host firewall?
Actually all your requirements can only be addressed by using Host-Only with several interfaces, given that you configure the host properly.
Since networking configuration is way out of scope of this forum, I can give you some high level points of what you'll need:
- IP routing enabled on the host
- iptables configured properly
- NAT enabled on the public interface of the host (iptables & MASQUERADE)
The only tricky requirement of yours is (3), but that's just a matter of blocking all the traffic at the INPUT level but having a PREROUTING rule pointing to the appropriate guest.
All the rest is very standard networking & firewalling implementation.
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
-
abcuser
- Volunteer
- Posts: 595
- Joined: 10. May 2007, 20:03
- Primary OS: Ubuntu other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Ubuntu, Windows XP
Re: Bridged like virtual network controlled by host firewall?
Hi,
first of all thanks a lot for the tips, very useful.
I have managed to configure a virtual machine using a host-only interface to access the corporate network (also the internet) and to be accessed from the corporate network. Currently I have managed to configure one IP address on the host to be specific to access a specific virtual machine (this is OK), but the virtual machine has its own IP address (from the internal host-only network).
Is it possible to configure to have the _same_ IP address on the host for this specific virtual machine and have the _same_ IP address in the virtual machine, so it would look like both (host and virtual machine) are in the same network (just like if using a bridged interface)? I am not a network specialist; I tried but have fallen into the reroute-the-_same_-IP-to-the-_same_-IP trap.
P.S. Below is my working sample configured to have one specific IP at the host to access one specific IP in the virtual machine.
Regards
Host: Ubuntu 8.04
Guest: Windows XP
============================================
I. HOST SETTINGS
============================================
1. I have only one physical network card, but have set two network interfaces (to have two IPs accepted on host computer).
With text editor edit file: vi /etc/network/interfaces
Code:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
address 192.168.5.35 # host ip address as seen from corporate network
netmask 255.255.255.0
network 192.168.5.0
broadcast 192.168.5.255
gateway 192.168.5.1
dns-nameservers 192.168.2.3 # corporate DNS server
pre-up iptables-restore < /etc/iptables.rules
pre-down iptables-restore < /etc/iptables.rules
# Add the code below to the existing file
auto eth0:0
iface eth0:0 inet static
address 192.168.5.74 # guest IP set on host as seen from corporate network
netmask 255.255.255.0
broadcast 192.168.5.255
network 192.168.5.0
2. Enable IP forwarding
With text editor edit file /etc/sysctl.conf
Search for setting:
Code:
net.ipv4.conf.default.forwarding=0
and change 0 to 1:
Code:
net.ipv4.conf.default.forwarding=1
Execute command to get above settings accepted:
Code:
sysctl -p
3. Reboot
Code:
reboot
Note, probably enough just restarting network: /etc/init.d/networking - I just make sure network is working fine after reboot.
4. VirtualBox GUI settings
File | Preferences | Network | add default host-only interface 192.168.56.1
On Windows virtual machine: Settings | Network | attached to: Host-only-interface; name: vboxnet0
5. Host firewall settings
Code:
# TCP traffic from corporate network to 192.168.5.74 rerouted to guest 192.168.56.101
sudo iptables -t nat -A PREROUTING -p tcp -d 192.168.5.74 -j DNAT --to-destination 192.168.56.101
# Reroute DNS access from virtual machine to corporate DNS server 192.168.2.3
sudo iptables -t nat -A PREROUTING -p udp -d 192.168.5.35 --dport 53 -j DNAT --to-destination 192.168.2.3
sudo iptables -t nat -A POSTROUTING -p tcp -j MASQUERADE
# Forward traffic from virtual machine to corporate network (new connections from the host-only subnet, replies in either direction)
sudo iptables -A FORWARD -o eth0 -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
============================================
II. INSIDE VIRTUAL MACHINE SETTINGS:
============================================
6. Run virtual machine Windows XP from VirtualBox GUI.
7. Start | Settings | Network Connection | right click on "Local Area Connection" and Properties; Internet Protocol settings set in a way that ipconfig -all cmd command returns the following:
Code:
IP Address. . . . . . . . . . . . : 192.168.56.101 # new guest IP address
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.56.1 # host vboxnet0 IP address
DNS Servers . . . . . . . . . . . : 192.168.5.35
============================================
III. TEST
============================================
8. In virtual machine launch web browser and enter URL addresses:
a) some_internal_corporate_web_page.corporate_web_server.com: TEST PASSED
b) some_internet_web_page.e_g_google.com_server.com: TEST PASSED
9. Remote access from my laptop (the same network as host computer) to virtual machine: TEST PASSED
Note: In Remote Desktop client I entered IP address: 192.168.5.74 and was rerouted to 192.168.56.101 on VirtualBox host.
Note: Made sure Windows firewall is disabled.
Last edited by abcuser on 13. Aug 2013, 13:51, edited 1 time in total.
-
noteirak
- Site Moderator
- Posts: 5231
- Joined: 13. Jan 2012, 11:14
- Primary OS: Debian other
- VBox Version: OSE Debian
- Guest OSses: Debian, Win 2k8, Win 7
- Contact:
Re: Bridged like virtual network controlled by host firewall?
abcuser wrote: Is it possible to configure to have the _same_ IP address on host for this specific virtual machine and have the _same_ IP address in virtual machine, so it would look like both (host and virtual machine) are in the same network (just like if using bridged interface)? I am not a network specialist, I tried but have fallen into the reroute the _same_ IP to the _same_ IP trap.
From the config you're showing, that's already what you're doing, or do you mean only one IP, and the traffic is re-routed either to the host or to the VM, depending on configuration?
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
-
abcuser
- Volunteer
- Posts: 595
- Joined: 10. May 2007, 20:03
- Primary OS: Ubuntu other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Ubuntu, Windows XP
Re: Bridged like virtual network controlled by host firewall?
noteirak wrote: From the config you're showing, that's already what you're doing, or do you mean only one IP, and the traffic is re-routed either to the host or to the VM, depending on configuration?
Only one IP, and the traffic is re-routed either to the host or to the VM.
-
noteirak
- Site Moderator
- Posts: 5231
- Joined: 13. Jan 2012, 11:14
- Primary OS: Debian other
- VBox Version: OSE Debian
- Guest OSses: Debian, Win 2k8, Win 7
- Contact:
Re: Bridged like virtual network controlled by host firewall?
Then don't add another IP to your host, keep only one, keep the NATing and simply forward whatever ports (instead of the full traffic for the given IP) you want the VM to listen on. For the rest, it's automatic.
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
-
abcuser
- Volunteer
- Posts: 595
- Joined: 10. May 2007, 20:03
- Primary OS: Ubuntu other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Ubuntu, Windows XP
Re: Bridged like virtual network controlled by host firewall?
Hi,
I was not clear enough...
Now I have set up a host-only interface (with NAT):
Host_eth0 192.168.5.35
Host_eth0:0 192.168.5.75
VirtualBox host-only interface 'vboxnet0' 192.168.56.1
Guest 192.168.56.101
Then reroute using an iptables PREROUTING rule from 192.168.5.75 to 192.168.56.101.
But I would like the host-only interface to look like 'bridged':
Host_eth0 192.168.5.35
Guest 192.168.5.75
So no other IP addresses.
About 5 years ago in VirtualBox 2.0.x I did these settings as follows:
Code:
sudo apt-get install bridge-utils # install software on Ubuntu host
sudo brctl addbr br0 # create network bridge
sudo VBoxAddIF vbox0 <username> br0 # create vbox0 interface and connect it with bridge
sudo vi /etc/network/interfaces # change network settings (below are settings)
--------------
auto lo
iface lo inet loopback
auto br0
iface br0 inet static
address 192.168.5.35 # Host IP
netmask 255.255.255.0
gateway 192.168.5.1
dns-nameservers 192.168.2.3 # corporate DNS server
bridge_ports eth0 vbox0 # two interfaces eth0 and vbox0!!!
iface eth0 inet manual
--------------
Then start-up Windows guest and set static IP address. Done.
Can I configure VirtualBox to have only two IP addresses (host and guest) and that both are on the same network 192.168.5.x?
Thanks
-
noteirak
- Site Moderator
- Posts: 5231
- Joined: 13. Jan 2012, 11:14
- Primary OS: Debian other
- VBox Version: OSE Debian
- Guest OSses: Debian, Win 2k8, Win 7
- Contact:
Re: Bridged like virtual network controlled by host firewall?
If you only want it to look proper from the outside, give both IPs to your host, and redirect all traffic of one to the guest.
If you also want the guest to be aware of the IP, maybe you could set up a loopback in the guest, but I am not sure how it would look... that's some kind of advanced and nasty configuration there.
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
-
abcuser
- Volunteer
- Posts: 595
- Joined: 10. May 2007, 20:03
- Primary OS: Ubuntu other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Ubuntu, Windows XP
Re: Bridged like virtual network controlled by host firewall?
1. I have also tried the following: http://xrunhprof.wordpress.com/2009/01/ ... albox-21x/
executing each of the commands from the terminal, no problem.
2. Rebooting, no problem.
3. Created host-only interface with 192.168.56.1.
4. Started Windows guest and set up static IP 192.168.5.75 with gateway pointed to 192.168.56.1.
5. Tested with browser and no connection.
Any idea how to proceed?
-
noteirak
- Site Moderator
- Posts: 5231
- Joined: 13. Jan 2012, 11:14
- Primary OS: Debian other
- VBox Version: OSE Debian
- Guest OSses: Debian, Win 2k8, Win 7
- Contact:
Re: Bridged like virtual network controlled by host firewall?
The gateway must be in the same range as the network you're in, which is not the case here; you're way outside. That's the point of the gateway: something to send traffic to when you need to go somewhere else than what is known. So it must be within a directly attached network.
You did not answer my previous question, which use case are you trying to achieve here:
1. The guest is aware of the LAN IP, and actively uses it
2. The guest doesn't require the IP, only the "outside" does
Number 1 is quite specific and will be difficult to achieve. Definitely something not in scope of this forum.
Number 2 is basic NAT + iptables rules.
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
-
abcuser
- Volunteer
- Posts: 595
- Joined: 10. May 2007, 20:03
- Primary OS: Ubuntu other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Ubuntu, Windows XP
Re: Bridged like virtual network controlled by host firewall?
noteirak wrote: You did not answer my previous question
I posted a reply and after testing some more I added an additional post. You responded in between, so I missed your post. Sorry...
noteirak wrote: If you only want it to look proper from the outside, give both IP to your host, and redirect all traffic of one to the guest.
I did this as posted on "Mon Aug 12, 2013 2:55 pm". This was my first test to really understand the basics.
noteirak wrote: If you also want the guest to be aware of the IP, maybe you could setup a loopback in the guest, but I am not sure how it would look like... that's some kind of advanced and nasty configuration there.
I agree, and I am not a network administrator, so I am trying to solve the problem by copy-catting it from internet searches.
noteirak wrote: The gateway must be in the same range as the network you're into, which is not the case here, you're way outside. That's the point of the gateway : something to send traffic to when you need to go somewhere else than what is known. So it must be within a directly attached network.
I tried this. I left the host settings untouched. Changed the host-only interface to 192.168.5.2 and changed the host iptables NAT to point to this address instead of 192.168.56.1, started the virtual machine, set (ipconfig -all):
Code:
IP Address. . . . . . . . . . . . : 192.168.5.75 # new guest IP address (the same as on host eth0:0)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.5.2 # new guest IP
DNS Servers . . . . . . . . . . . : 192.168.5.35
noteirak wrote: 1. The guest is aware of the LAN IP, and actively uses it
2. The guest doesn't require the IP, only the "outside" does
Number 1 is quite specific and will be difficult to achieve. Definitely something not in scope of this forum.
Number 2 is basic NAT + iptables rules.
I did Number 2 as posted in "Mon Aug 12, 2013 2:55 pm", but that was just a test to see if I can make some progress. Number 1 is actually what I would like to accomplish. You know, EVERYTHING from the IP point of view should be just like a 'bridged network' (guest is aware of its IP, the LAN's IP and the host IP) - it should look like the guest and host are on the same network.
Maybe I am asking too much, and obviously the VirtualBox rewrite that happened post-VirtualBox-2.0 has significantly changed things, and this is no easy task to do (especially for me, a non-network admin).
P.S. I just thought this is a very very very common thing VirtualBox users are trying to do: to have complete firewall control of guest network traffic flowing in from the corporate network and going out of it. Bridged network on the other side is perfect for very simple administration, but at the loss of central firewall control. So in a bridged network every guest should have its own firewall, which is quite difficult to control, especially if there are Windows and Linux guests each having its own firewall...
-
noteirak
- Site Moderator
- Posts: 5231
- Joined: 13. Jan 2012, 11:14
- Primary OS: Debian other
- VBox Version: OSE Debian
- Guest OSses: Debian, Win 2k8, Win 7
- Contact:
Re: Bridged like virtual network controlled by host firewall?
I am afraid that what you're trying to achieve is both very advanced stuff and not in scope of this forum. This requires very advanced networking skills and I am afraid simply copy-cat business will not work.
Your use case is actually not common at all - even with real hardware, you would need some advanced firewall to perform this task, given that you want the guest to be aware of its LAN IP but without giving it direct connectivity.
It is also against how IP networking has been designed.
Now, to give you leads, without any guarantee it will work, here is what you should aim for:
Your host should have 2 IPs configured on its LAN NIC: its own (192.168.5.35), plus your VM IP (192.168.5.75)
Your host should have the host-only interface configured with the default IP (192.168.56.1), and the built-in DHCP server of VirtualBox disabled
Your guest should have the host-only interface configured with an IP in the same subnet (192.168.56.2) with gateway set to the host's host-only IP (192.168.56.1) and same DNS as host (or try Google DNS: 8.8.8.8)
Your guest should have a loopback interface configured with the LAN guest IP (192.168.5.75) and a /32 netmask (or 255.255.255.255)
Routing wise, in the host, you must configure iptables with a PREROUTING rule to send all 192.168.5.75 traffic to the host-only interface, and any traffic coming from the host-only interface to your LAN IP, for any packet coming from the 192.168.5.75 IP.
IP routing must be enabled and finally, you might need to relax the path validation or packets might be discarded since they don't come in & out from the same interface.
Hyperbox - Virtual Infrastructure Manager - https://apps.kamax.lu/hyperbox/
Manage your VirtualBox infrastructure the free way!
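Added example, not abcuser's or noteirak's own configuration: a POSIX shell script that generates (and with "apply", runs) the host-side sysctl and iptables rules for the layout noteirak outlines in his first reply and in the leads above, going one step further than the thread by DNATing only the ports the guest should expose (as noteirak suggested for the single-IP case) while the FORWARD chain defaults to DROP, so the host firewall, not the guest, decides what reaches the VM (requirement 4), and guest-originated traffic is SNATed to the guest's LAN IP so the outside sees 192.168.5.75 (requirement 3). The interface names, the guest's host-only IP 192.168.56.2 and the ports in GUEST_PORTS are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's own config. Generates (and with "apply", runs)
# the host-side rules for: guest owns LAN IP 192.168.5.75 (held on the host as
# alias eth0:0), guest really sits on host-only vboxnet0 as 192.168.56.2, and the
# host firewall decides what reaches it. Interface names, the guest host-only IP
# and GUEST_PORTS are assumptions for this example.

LAN_IF=eth0
HO_IF=vboxnet0
GUEST_LAN_IP=192.168.5.75
GUEST_HO_IP=192.168.56.2
GUEST_PORTS="${GUEST_PORTS:-3389 80}"   # TCP ports the guest may expose to the LAN

# sysctl side: routing between eth0 and vboxnet0 must be on. noteirak's "relax the
# path validation" (rp_filter) is not needed in this layout, because the guest
# sends from 192.168.56.2 and the host does the SNAT; it only becomes relevant if
# the guest itself starts sending from its loopback-held 192.168.5.75.
gen_sysctl() {
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# iptables side. FORWARD defaults to DROP: nothing crosses between LAN and the
# guest unless a rule below allows it, which is what requirement (4) asks for.
gen_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The host itself must not answer on the guest's LAN IP (noteirak's "block at
    # INPUT" point); only DNATed traffic is meant to use that address.
    echo "iptables -A INPUT -i $LAN_IF -d $GUEST_LAN_IP -j DROP"
    # Guest -> LAN/Internet: allowed, and SNATed to the guest's own LAN IP so the
    # outside sees 192.168.5.75 rather than the host's address (requirement 3).
    echo "iptables -A FORWARD -i $HO_IF -o $LAN_IF -s $GUEST_HO_IP -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $LAN_IF -s $GUEST_HO_IP -j SNAT --to-source $GUEST_LAN_IP"
    # LAN -> guest: only the listed TCP ports are DNATed (before routing, so they
    # never hit INPUT) and then forwarded. Anything else sent to 192.168.5.75
    # reaches the INPUT DROP above.
    for port in $GUEST_PORTS; do
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp -d $GUEST_LAN_IP --dport $port -j DNAT --to-destination $GUEST_HO_IP"
        echo "iptables -A FORWARD -i $LAN_IF -o $HO_IF -p tcp -d $GUEST_HO_IP --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Number of rules that admit new LAN->guest connections; should equal the number
# of ports in GUEST_PORTS, a quick check that nothing extra is exposed.
count_inbound_allows() {
    gen_rules | grep -c -- "-A FORWARD -i $LAN_IF -o $HO_IF"
}

if [ "$1" = "apply" ]; then
    gen_sysctl | sh
    gen_rules | sh
else
    gen_sysctl
    gen_rules
fi
```

Run without arguments to review the generated commands; `sh script.sh apply` executes them, which needs root and, as with abcuser's configuration, should be persisted via iptables-save/iptables-restore to survive a reboot.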