Iptables packet redirection issue with host-only networking

Discussions related to using VirtualBox on Linux hosts.
crahan
Posts: 11
Joined: 15. Apr 2016, 14:21

Iptables packet redirection issue with host-only networking

Post by crahan »

Hi,

I'm trying to confirm an issue I'm experiencing with a host-only (vboxnet0) networking setup. This particular setup is required for a malware analysis tool which automatically configures iptables on the host to allow either VM traffic to go out to the internet or be fully redirected from one VM to another (by rewriting packets) depending on what type of network access the user would like to use as part of the malware analysis.

However, the redirect option appears to be causing issues with host-only networking. tcpdump on the Ubuntu host shows that packets are in fact being rewritten with the selected VM as the new destination. But these rewritten packets never arrive at that VM. I've tried to simplify the setup for debugging purposes by only redirecting DNS requests, normally sent by the Windows VM to 8.8.8.8, to 192.168.56.10 instead.

Setup details are as follows:
- Ubuntu 16.04 LTS host running VirtualBox (version 5.2.6 r120293) with vboxnet0 NIC (192.168.56.1)
- WinXP VM with host-only networking configured (192.168.56.101, default DNS configured as 8.8.8.8)
- Linux VM with host-only networking configured and running fake inetsim DNS service (192.168.56.10)
All hosts can ping each other. I can run 'nslookup google.com 192.168.56.10' on both the Ubuntu host and Windows VM and get a response from the Linux VM running the fake inetsim DNS service.

IP forwarding is enabled on the Ubuntu host and the following iptables rules are added on the host in order to redirect any DNS requests to the Linux VM (192.168.56.10):


iptables -t nat -A PREROUTING -p tcp --dport 53 --source 192.168.56.101 -j DNAT --to-destination 192.168.56.10:53
iptables -t nat -A PREROUTING -p udp --dport 53 --source 192.168.56.101 -j DNAT --to-destination 192.168.56.10:53
iptables -A FORWARD -i vboxnet0 -o vboxnet0 --source 192.168.56.101 -j ACCEPT
iptables -A FORWARD -i vboxnet0 -o vboxnet0 --destination 192.168.56.101 -j ACCEPT
I run a tcpdump on both the Ubuntu host ('tcpdump -nn -i vboxnet0 port 53') and the Linux VM ('tcpdump -nn -i eth0 port 53') and run 'nslookup google.com' on the Windows VM. As expected, tcpdump on the Ubuntu host (capturing on vboxnet0) picks up the original DNS request from 192.168.56.101 to 8.8.8.8 and also shows the redirected request from 192.168.56.101 to the Linux VM (192.168.56.10).


root@cuckoo:/home/cuckoo# tcpdump -nn -i vboxnet0 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vboxnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:53:31.795652 IP 192.168.56.101.1080 > 8.8.8.8.53: 1+ PTR? 8.8.8.8.in-addr.arpa. (38)
11:53:31.795709 IP 192.168.56.101.1080 > 192.168.56.10.53: 1+ PTR? 8.8.8.8.in-addr.arpa. (38)
11:53:33.811505 IP 192.168.56.101.1081 > 8.8.8.8.53: 2+ A? google.com. (28)
11:53:33.811592 IP 192.168.56.101.1081 > 192.168.56.10.53: 2+ A? google.com. (28)
11:53:35.814645 IP 192.168.56.101.1082 > 8.8.8.8.53: 3+ A? google.com. (28)
11:53:35.814743 IP 192.168.56.101.1082 > 192.168.56.10.53: 3+ A? google.com. (28)
The tcpdump session on the Ubuntu host shows that iptables is rewriting the DNS requests since we see each DNS request from 192.168.56.101 to 8.8.8.8 duplicated to 192.168.56.10 (the Linux VM). Unfortunately, the redirected DNS requests to 192.168.56.10 never arrive at the Linux VM network interface. The tcpdump capture running on the Linux VM (192.168.56.10) doesn't see any of the redirected DNS requests.

The submitter of a similar issue posted at https://serverfault.com/questions/66463 ... ostrouting mentions "the problem was in the way VirtualBox emulates the interface and/or network stack, so no amount of flailing on iptables was helping." but does not provide any specific details. So I'm hoping someone from the VirtualBox community might be able to shed some light on this issue and confirm that what I'm trying to accomplish is not possible with host-only networking.

Update: When I set the network card in the Linux VM to promiscuous mode it only captures the original DNS requests from the Windows XP VM to 8.8.8.8 and still not the redirected packets. Please ignore the timestamp differences in the screenshots as the Ubuntu host and Linux VM are configured with a different timezone.

Ubuntu host tcpdump (original DNS requests + redirected requests):
[screenshot: Ubuntu host.png]
Linux VM tcpdump (promiscuous mode lets us capture the original DNS request leaving the Windows XP VM. But even now we're not able to capture the redirected requests):
[screenshot: Linux VM.png]
Perryg
Site Moderator
Posts: 34369
Joined: 6. Sep 2008, 22:55
Primary OS: Linux other
VBox Version: OSE self-compiled
Guest OSses: *NIX

Re: Iptables packet redirection issue with host-only networking

Post by Perryg »

VirtualBox host-only was not designed to work this way. No gateway. So if you are using some other instructions to make it work beyond the scope it was designed to do you would need to seek their instructions. I would consider using the internal network adapter with a virtual router (pFsense) to forward your packets to the Internet.
crahan
Posts: 11
Joined: 15. Apr 2016, 14:21

Re: Iptables packet redirection issue with host-only networking

Post by crahan »

Thank you for your reply Perryg.

I'm not really trying to get out to the internet (which actually works well with the right iptables configuration on the host, but that's outside of the scope of my issue really).

If I understand correctly, the host-only network setup allows for VM-to-VM, VM-to-Host, and Host-to-VM communications (traffic contained between the host and any VMs on the same host-only network). What I'm trying to accomplish is to take traffic that originates from a host-only VM and goes to the Host and redirect that traffic to another host-only VM within the same host-only network. None of the packets in this scenario are supposed to leave the host-only network.

If this type of redirection is also outside of the scope of what host-only supports then I'll need to find another solution :)

Thanks!

Thomas
Perryg
Site Moderator
Posts: 34369
Joined: 6. Sep 2008, 22:55
Primary OS: Linux other
VBox Version: OSE self-compiled
Guest OSses: *NIX

Re: Iptables packet redirection issue with host-only networking

Post by Perryg »

Question, did you enable a gateway in the guest/s?
Martin
Volunteer
Posts: 2562
Joined: 30. May 2007, 18:05
Primary OS: Fedora other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: XP, Win7, Win10, Linux, OS/2

Re: Iptables packet redirection issue with host-only networking

Post by Martin »

crahan wrote: What I'm trying to accomplish is to take traffic that originates from a host-only VM and goes to the Host and redirect that traffic to another host-only VM within the same host-only network. None of the packets in this scenario are supposed to leave the host-only network.
When you stay within the same host-only network that should work directly without any necessary "redirection".
The VMs in the host-only network should behave like being connected to the same switch. If you have connection problems between them it is most probably something inside your guests like a Windows firewall.
crahan
Posts: 11
Joined: 15. Apr 2016, 14:21

Re: Iptables packet redirection issue with host-only networking

Post by crahan »

Perryg wrote: Question, did you enable a gateway in the guest/s?
Yes, the host vboxnet0 IP is set up as the gateway on the guest (so 192.168.56.1 in this specific case).
Perryg
Site Moderator
Posts: 34369
Joined: 6. Sep 2008, 22:55
Primary OS: Linux other
VBox Version: OSE self-compiled
Guest OSses: *NIX

Re: Iptables packet redirection issue with host-only networking

Post by Perryg »

Since host-only does not support a gateway (which is needed only for the Internet) then that will cause the guest to look for something that does not exist. It would be better if it had no gateway defined.
Martin
Volunteer
Posts: 2562
Joined: 30. May 2007, 18:05
Primary OS: Fedora other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: XP, Win7, Win10, Linux, OS/2

Re: Iptables packet redirection issue with host-only networking

Post by Martin »

The gateway should not be relevant, because it is not used as long as your addresses are in the same subnet on a local interface.
crahan
Posts: 11
Joined: 15. Apr 2016, 14:21

Re: Iptables packet redirection issue with host-only networking

Post by crahan »

Martin wrote: When you stay within the same host-only network that should work directly without any necessary "redirection".
The VMs in the host-only network should behave like being connected to the same switch. If you have connection problems between them it is most probably something inside your guests like a Windows firewall.
Hi Martin,

You are 100% correct that there's no need for redirection if I want to directly communicate between guest VMs on the host-only network. The reason I'm using this particular setup (and I'm trying to debug this packet redirection problem) is due to a malware analysis tool I'm using. The idea is that the tool allows you to deploy a malicious file to a Windows guest VM for analysis. As part of this analysis process you can also select the type of network access this Windows analysis VM will have for the duration of the malware's execution (e.g. no access, internet access, or all traffic redirected to another virtual machine on the host-only network).

This network selection is implemented as iptables rules which are configured on the host before the analysis is kicked off. The iptables rules that enable internet access from the guest VM or that drop the traffic work fine. The issue appears to be with the iptables rules which configure the traffic from the analysis VM to be redirected to another VM on the same host-only network. The reason it doesn't go from the analysis VM to the other VM directly is because the tool doesn't modify the network settings on the analysis VM Windows OS. It just captures the packets with iptables rules on the host and then redirects them towards the other VM.

I've already confirmed that the tool works as intended and packets coming in on the host (192.168.56.1) and originating from the analysis VM (192.168.56.101) are being redirected towards the other VM (192.168.56.10). A tcpdump capture and the iptables logs on the host have already confirmed this. However, these redirected packets with destination 192.168.56.10 never arrive on the network interface of the destination VM (a tcpdump on 192.168.56.10 doesn't capture these packets).
crahan
Posts: 11
Joined: 15. Apr 2016, 14:21

Re: Iptables packet redirection issue with host-only networking

Post by crahan »

Perryg wrote: Since host-only does not support a gateway (which is needed only for the Internet) then that will cause the guest to look for something that does not exist. It would be better if it had no gateway defined.
I actually need the VM to send its network traffic to the host (192.168.56.1) so the iptables rules defined there can redirect them to the correct destination. I know this probably sounds like a weird setup, but sending the traffic to the host is what allows these different sets of iptables rules to work as intended. The flow needs to be from 192.168.56.101 (VM) to 192.168.56.1 (host) where it (depending on what set of iptables rules I have configured) does either of the following:
- drop the packets (works)
- forward the traffic to the internet (also works)
- redirect the traffic to another VM on the host-only network (which is causing issues)
I hope I was able to clarify the situation a little bit. Like I said, this is not a typical setup and if I only needed to communicate between host-only VMs I could indeed do that directly.
Last edited by crahan on 25. Jan 2018, 21:01, edited 1 time in total.
crahan
Posts: 11
Joined: 15. Apr 2016, 14:21

Re: Iptables packet redirection issue with host-only networking

Post by crahan »

If I need to compress my question/problem down I think it comes down to the following:

Given that a tcpdump packet capture taken on the host (on network interface vboxnet0) shows the following packets:
11:53:33.811505 IP 192.168.56.101.1081 > 8.8.8.8.53: 2+ A? google.com. (28)
11:53:33.811592 IP 192.168.56.101.1081 > 192.168.56.10.53: 2+ A? google.com. (28)
11:53:35.814645 IP 192.168.56.101.1082 > 8.8.8.8.53: 3+ A? google.com. (28)
11:53:35.814743 IP 192.168.56.101.1082 > 192.168.56.10.53: 3+ A? google.com. (28)

How come the 2 iptables redirected packets with destination IP 192.168.56.10 port 53 never arrive on the host-only network interface of the VM with IP address 192.168.56.10 (as verified by running a second tcpdump capture on the destination VM itself)?

(My apologies if my explanation thus far was a little confusing. It's not the easiest of problems to explain I guess :D)
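A small diagnostic script, added here as an example (it is not code from this thread or from VirtualBox), that makes the comparison in the question above mechanical: it parses two tcpdump text captures, one from the host's vboxnet0 and one from inside the destination VM, first confirms that every original query to 8.8.8.8 has a DNAT-rewritten twin on the host (same source ip.port and DNS transaction id), and then lists the rewritten queries the host emitted that never showed up in the guest capture. The host-side lines are the ones quoted above; the guest-side capture is constructed for the example, since the thread only describes it (the guest saw the original queries in promiscuous mode but none of the redirected ones).

```shell
#!/bin/sh
# Added diagnostic helper for the redirection question in this thread
# (example code, not from the thread or from VirtualBox). It compares two
# tcpdump text captures and reports which DNAT-rewritten DNS queries the
# host transmitted on vboxnet0 that the destination guest never received.

# Constructed sample input. HOST_CAP is the host-side capture quoted in the
# thread; GUEST_CAP is an assumed guest-side capture containing only the
# original 8.8.8.8 queries (what the thread reports for promiscuous mode).
HOST_CAP='11:53:33.811505 IP 192.168.56.101.1081 > 8.8.8.8.53: 2+ A? google.com. (28)
11:53:33.811592 IP 192.168.56.101.1081 > 192.168.56.10.53: 2+ A? google.com. (28)
11:53:35.814645 IP 192.168.56.101.1082 > 8.8.8.8.53: 3+ A? google.com. (28)
11:53:35.814743 IP 192.168.56.101.1082 > 192.168.56.10.53: 3+ A? google.com. (28)'

GUEST_CAP='11:53:33.811700 IP 192.168.56.101.1081 > 8.8.8.8.53: 2+ A? google.com. (28)
11:53:35.814800 IP 192.168.56.101.1082 > 8.8.8.8.53: 3+ A? google.com. (28)'

# unpaired_originals CAPTURE ORIG_DEST NEW_DEST
# Lists original queries (to ORIG_DEST, e.g. 8.8.8.8.53) in CAPTURE that have
# no rewritten twin to NEW_DEST with the same source ip.port ($3) and DNS
# transaction id ($6). Empty output means the nat PREROUTING DNAT rule fired
# for every query seen on the host.
unpaired_originals() {
    printf '%s\n' "$1" | awk -v orig="$2" -v new="$3" '
        $2 == "IP" && $5 == (new ":")  { twin[$3 " " $6] = 1; next }
        $2 == "IP" && $5 == (orig ":") { seen[$3 " " $6] = 1 }
        END { for (k in seen) if (!(k in twin)) print k }' | sort
}

# missing_redirects HOST_CAPTURE GUEST_CAPTURE NEW_DEST
# Lists rewritten queries (to NEW_DEST) present in the host capture but absent
# from the guest capture, keyed on source ip.port and DNS transaction id.
# Empty output means every packet the host rewrote reached the guest.
missing_redirects() {
    awk -v hostcap="$1" -v guestcap="$2" -v dest="$3" '
    BEGIN {
        # Index what the guest actually received.
        n = split(guestcap, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, " ")
            if (f[2] == "IP" && f[5] == (dest ":")) got[f[3] " " f[6]] = 1
        }
        # Report what the host sent that is not in that index.
        n = split(hostcap, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, " ")
            if (f[2] == "IP" && f[5] == (dest ":") && !((f[3] " " f[6]) in got))
                print f[3] " " f[6]
        }
    }'
}

# Stand-alone run over the constructed captures.
printf 'Original queries with no rewritten twin on the host:\n'
unpaired_originals "$HOST_CAP" 8.8.8.8.53 192.168.56.10.53
printf 'Rewritten queries sent by the host but never seen in the guest:\n'
missing_redirects "$HOST_CAP" "$GUEST_CAP" 192.168.56.10.53
```

In practice you would feed the two functions the saved output of the host-side and guest-side 'tcpdump -nn ... port 53' sessions. An empty first list with a non-empty second list is exactly the symptom described in this thread: the DNAT rule is rewriting every query, and the loss happens between the host's vboxnet0 and the guest's interface, not in iptables.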
Perryg
Site Moderator
Posts: 34369
Joined: 6. Sep 2008, 22:55
Primary OS: Linux other
VBox Version: OSE self-compiled
Guest OSses: *NIX

Re: Iptables packet redirection issue with host-only networking

Post by Perryg »

As I said the gateway added to the guest/s will cause a lot of your problems since it is not available. Host-only resembles a loop-back more than anything else. Can it be made to work in other ways? Probably but the configuration is outside the scope here since that is not what the original design is for. If I were trying to do this I would first remove any gateway configurations from the guest and let the host do the redirection to the guest/s.
crahan
Posts: 11
Joined: 15. Apr 2016, 14:21

Re: Iptables packet redirection issue with host-only networking

Post by crahan »

I appreciate the help. One final question though. If I want the host to do any redirection (which it is currently configured to do using iptables rules) then I first need to get the packets from the VM to the host. Which is why I have the host IP configured as the VM's gateway. Without the host IP as the gateway, how would packets be forwarded to the host?

But, I agree that this probably is outside of the intended usage/scope of the host-only network functionality in VirtualBox. My hunt for a different solution continues! :D

Thanks again to everyone who took the time to reply.
Perryg
Site Moderator
Posts: 34369
Joined: 6. Sep 2008, 22:55
Primary OS: Linux other
VBox Version: OSE self-compiled
Guest OSses: *NIX

Re: Iptables packet redirection issue with host-only networking

Post by Perryg »

crahan wrote: Without the host IP as the gateway, how would packets be forwarded to the host?
See that is the problem. 192.168.56.1 is not the host's IP address; it is the host-only address and that part does not work as a router/gateway.
crahan
Posts: 11
Joined: 15. Apr 2016, 14:21

Re: Iptables packet redirection issue with host-only networking

Post by crahan »

Thanks! That does clarify things. Much appreciated Perryg.