# Virtualbox NAT help

## lroy1978

Hi

I have installed gentoo on both my host and guest systems and I want to communicate between the two. Virtualbox is configured to use NAT networking.

I want to be able to place a firewall between the host and guest system, the firewall running on the host.

My guest allocates its IP address using DHCP, the address is set to 10.0.2.15

The problem is that my host's ethernet interface is set to use the address 192.168.1.21

In order to be able to access the guest's services (http, ssh) from the host, I tried opening another interface on the host, eth0:1, with the address 10.0.2.2

ifconfig

```
eth0      Link encap:Ethernet  HWaddr 00:1f:c6:4f:04:7b
          inet addr:192.168.1.21  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21f:c6ff:fe4f:47b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6495164 errors:0 dropped:32 overruns:0 frame:0
          TX packets:6626242 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4855288713 (4.5 GiB)  TX bytes:3855772879 (3.5 GiB)
          Interrupt:18

eth0:1    Link encap:Ethernet  HWaddr 00:1f:c6:4f:04:7b
          inet addr:10.0.2.2  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:18

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1099156 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1099156 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:12065666487 (11.2 GiB)  TX bytes:12065666487 (11.2 GiB)
```

But I cannot communicate with the guest; I cannot even ping it. I think I'm missing something, but I don't know what. Can anyone give me any help?

Thanks,

Lee

----------

## Veldrin

IIRC this is the way it should work.... a completely isolated guest.

If you want to communicate with the guest, use bridged, which will bind the guest interface to one of the host's interfaces. But you need a spare IP address within the host's network.

(and you need a somewhat recent virtualbox with the vboxnetflt module)

And I think that way, you can install a firewall on the host.

just my .02$

V.

----------

## lroy1978

Thanks for the info.

I want to be able to stop the guest machine accessing the internet directly; I want every internet request coming from it to pass through a firewall. If I bind the guest machine to my host's network so it will have its own address (192.168.1.22 for example), how can I firewall its access to the internet without using a separate PC acting as a firewall between my PC and the ADSL router?

My setup:

```
Host (192.168.1.21) --------  ADSL router ---- internet
                            |
Guest (192.168.1.22) -------|
```

Cheers,

Lee

----------

## Veldrin

I get your idea - but it is a bit out of my scope....

What you are looking for is some advanced firewall configuration: prerouting, redirection...

OTOH: a simple drop-all rule, and then opening only those ports that are needed, might also help. But you would need to configure the firewall for the host too.

cheers

V.

----------

## CurtE

Do you have two ethernet cards (eth0 & eth1)?  Is eth0 for local & eth1 for internet?

This sounds similar to my situation.

How are you trying to access the guest (ssh): through an outside computer or the intranet?

----------

## Hu

There are many ways to grant a guest access to the network, each with varying levels of control and configurability.  For your purposes, the most flexible solution would be to connect the guest to the host through a Universal TUN/TAP device.  This will give the host a virtual NIC that is connected to a corresponding virtual NIC in the guest, via a virtual cross-over cable.  The host can then act as a full router and firewall relative to the guest, just as if you put a second physical NIC in the host and used it to NAT your LAN to the Internet.  Traffic written by the guest shows up on the host's virtual NIC, where you can firewall or route it as appropriate.  The host and guest share a private subnet, so the host can deduce the proper routing automatically.  You can bridge the virtual NIC to the physical NIC, or NAT it if you prefer.

I am unsure if VirtualBox supports this mode of operation.  KVM, an open-source Linux virtualization product, does support it.

----------

## gentoo_ram

I'm using VirtualBox 3.0.4 (the latest).  The feature you probably want to use is Host-only networking.  That will create an interface on your host you can use to communicate with the guest:

```
 Host computer:

(Internet)
eth1      Link encap:Ethernet  HWaddr 00:22:15:41:44:1d
          inet addr:66.75.xx.xx  Bcast:255.255.255.255  Mask:255.255.252.0
          inet6 addr: fe80::222:15ff:fe41:441d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

(Virtualbox)
vboxnet0  Link encap:Ethernet  HWaddr 0a:00:27:00:00:00
          inet addr:192.168.4.1  Bcast:192.168.4.255  Mask:255.255.255.0
          inet6 addr: fd05:efbb:4a1b:4:250:8dff:fe9f:19f4/64 Scope:Global
          inet6 addr: fe80::800:27ff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
```

You can control the IP address of the vboxnet0 interface on the host with the VirtualBox GUI or command line.

Then in the guest I just configured a static address:

```
eth0      Link encap:Ethernet  HWaddr 08:00:27:78:c0:86
          inet addr:192.168.4.10  Bcast:192.168.4.255  Mask:255.255.255.0
          inet6 addr: fd05:efbb:4a1b:4:a00:27ff:fe78:c086/64 Scope:Global
          inet6 addr: fe80::a00:27ff:fe78:c086/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
```

At that point, you can set up Masquerading on the Host just as if vboxnet0 were another internal ethernet adapter.

```
# iptables -vnL FORWARD
Chain FORWARD (policy DROP 3 packets, 252 bytes)
 pkts bytes target     prot opt in     out     source               destination
1223K   97M ACCEPT     all  --  *      eth1    192.168.0.0/21       0.0.0.0/0
 133K 1289M ACCEPT     all  --  eth1   *       0.0.0.0/0            192.168.0.0/21      state RELATED,ESTABLISHED

# iptables -nvL -t nat
Chain POSTROUTING (policy ACCEPT 5820K packets, 733M bytes)
 pkts bytes target     prot opt in     out     source               destination
 8628  507K MASQUERADE  all  --  *      eth1    192.168.0.0/21       0.0.0.0/0
```

There's a lot more to my network config, but I've only shown the parts relevant to the VirtualBox machine.  I also have rules on stuff coming in from the Internet.  The firewall is completely running on the Host.  Note that no bridge interfaces are created in this configuration.  They are totally unnecessary.  I guess the other thing to note, given your other posts, is that eth1 and vboxnet0 must be on different subnets to force everything from the guest to go through your host's firewall.  You don't want the guest directly communicating with the router.  In my case, my host computer is acting as my router for the virtual machine and all other computers in my house.
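The host-only layout above (guest on vboxnet0, Internet on eth1, FORWARD policy DROP, MASQUERADE on the way out), combined with Veldrin's "drop all, then open only the needed ports" idea, as a script. This is an added example and not gentoo_ram's own configuration; the interface names eth1 and vboxnet0 and the guest subnet 192.168.4.0/24 are taken from the post above, while the choice of allowed ports (80, 443, 53) and the APPLY switch are assumptions for illustration. It prints the commands by default and only executes them when run with APPLY=1 as root.

```shell
#!/bin/sh
# Added example: host-side firewall for a VirtualBox host-only network.
# Assumed names (from the post above; change to match your machine):
WAN_IF="${WAN_IF:-eth1}"             # interface facing the ADSL router / Internet
VBOX_IF="${VBOX_IF:-vboxnet0}"       # VirtualBox host-only interface
GUEST_NET="${GUEST_NET:-192.168.4.0/24}"  # subnet shared by vboxnet0 and the guest

# run: print the command (dry run) unless APPLY=1, in which case execute it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

guest_firewall_rules() {
    # Default deny: nothing is forwarded across the host unless a rule below allows it.
    run iptables -P FORWARD DROP
    # Guest -> Internet: only from the host-only interface, only from the guest
    # subnet, and only to the services we choose to expose (assumed: web and DNS).
    run iptables -A FORWARD -i "$VBOX_IF" -o "$WAN_IF" -s "$GUEST_NET" \
        -p tcp -m multiport --dports 80,443 -j ACCEPT
    run iptables -A FORWARD -i "$VBOX_IF" -o "$WAN_IF" -s "$GUEST_NET" \
        -p udp --dport 53 -j ACCEPT
    # Internet -> guest: only replies belonging to a connection the guest opened.
    run iptables -A FORWARD -i "$WAN_IF" -o "$VBOX_IF" -d "$GUEST_NET" \
        -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Hide the guest behind the host's WAN address (the MASQUERADE rule above).
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$GUEST_NET" -j MASQUERADE
    # Without IP forwarding enabled the FORWARD chain is never consulted.
    run sysctl -w net.ipv4.ip_forward=1
}

guest_firewall_rules
```

Host-to-guest traffic (ssh, http from the host itself) never crosses FORWARD; it is governed by the host's INPUT and OUTPUT chains, so this script does not affect it.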

----------

