Okay friends! I would really appreciate some help this time! =|
I'm using the VirtualBox virtualizer and I'm trying to make my guest machines have access to the internet using ONLY a "host-only" network interface (VirtualBox).
According to the official documentation in https://www.virtualbox.org/manual/ch06.html using a "host-only" network interface I have the following "network modes" (accesses)…
VM <-> Host | YES
VM1 <-> VM2 | YES
VM -> Internet | NO
However, there is A LOT of documentation on the internet informing you that you can access the internet (using only the "host-only" interface) from a guest machine using the following "trick"/"workaround" (example) on the host machine…
sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
I tested many, many examples. The iptables.service is running correctly on my host machine. WHAT AM I DOING WRONG?
My host is Manjaro Linux (Arch Linux based).
Thanks a lot!
Below are some sources with information about the "trick"/"workaround" I mentioned…
http://archlinux.org.ru/forum/topic/2219/
http://nerdbynature.de/s9y/2015/06/09/VirtualBox-switching-to-Host-only-networking
https://askubuntu.com/questions/293816/in-virtualbox-how-do-i-set-up-host-only-virtual-machines-that-can-access-the-in
https://cuckoo.sh/docs/installation/host/routing.html
https://downloads.cuckoosandbox.org/docs/installation/guest/network.html
https://github.com/cuckoosandbox/cuckoo/issues/1376
https://jackal777.wordpress.com/2012/02/13/internet-access-in-virtualbox-host-only-networking/
https://kyrofa.com/posts/virtualbox-internet-access-with-host-only-network
https://precisionsec.com/virtualbox-host-only-network-cuckoo-sandbox-0-4-2/
Virtualbox NAT and host-only connection
https://unix.stackexchange.com/questions/74663/virtualbox-nat-host-only-adapter
https://www.howtogeek.com/howto/4922/week-in-geek-the-fixing-slow-internet-in-virtualbox-xp-guest-edition/
https://www.rffuste.com/tag/cuckoo/
https://www.virtualbox.org/manual/ch06.html
Below are some of the MANY examples I tested…
> --------------------------------------------
sudo iptables -t nat -I POSTROUTING -s 192.168.56.0/24 -j MASQUERADE
sudo sysctl net.ipv4.ip_forward=1
sudo iptables -P FORWARD ACCEPT
sudo iptables -t nat -P POSTROUTING ACCEPT
< --------------------------------------------
> --------------------------------------------
sudo iptables -A FORWARD -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
< --------------------------------------------
> --------------------------------------------
sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
< --------------------------------------------
> --------------------------------------------
sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
< --------------------------------------------
> --------------------------------------------
sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv4.conf.all.proxy_arp=1
< --------------------------------------------
> --------------------------------------------
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -F
sudo iptables -t nat -A POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
sudo iptables -A FORWARD -i <HOST_INTERFACE_WITH_INTERNET> -o vboxnet0 -j ACCEPT
sudo iptables -A FORWARD -i vboxnet0 -o <HOST_INTERFACE_WITH_INTERNET> -j ACCEPT
< --------------------------------------------
> --------------------------------------------
sudo iptables -A FORWARD -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
< --------------------------------------------
> --------------------------------------------
sudo bash -c "printf \"net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.proxy_arp = 1\n\" >> /etc/sysctl.conf"
sudo sysctl -p
sudo iptables -t filter -I FORWARD --in-interface vboxnet0 --out-interface <HOST_INTERFACE_WITH_INTERNET> --source 192.168.56.0/24 -j ACCEPT
sudo iptables -t filter -I FORWARD --in-interface <HOST_INTERFACE_WITH_INTERNET> --out-interface vboxnet0 --destination 192.168.56.0/24 -j ACCEPT
sudo iptables -t nat -I POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
< --------------------------------------------
> --------------------------------------------
sudo iptables -A POSTROUTING -o enp+ -t nat -j MASQUERADE
sudo iptables -A POSTROUTING -o wlp+ -t nat -j MASQUERADE
< --------------------------------------------
> --------------------------------------------
sudo iptables -A PREROUTING -t mangle -i vboxnet+ -j MARK --set-mark 1
sudo iptables -A POSTROUTING -o enp+ -t nat -m mark --mark 1 -j MASQUERADE
sudo iptables -A POSTROUTING -o wlp+ -t nat -m mark --mark 1 -j MASQUERADE
< --------------------------------------------
> --------------------------------------------
sudo iptables -t nat -A POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -s 192.168.56.0/24 -j MASQUERADE
sudo iptables -P FORWARD DROP
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT
< --------------------------------------------
> --------------------------------------------
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.168.56.0/24 -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
sudo iptables -I INPUT 1 -i vboxnet0 -j ACCEPT
< --------------------------------------------
> --------------------------------------------
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo sysctl -p /etc/sysctl.conf
sudo iptables -I FORWARD -i vboxnet0 -d 192.168.56.0/255.255.255.0 -j DROP
sudo iptables -A FORWARD -i vboxnet0 -s 192.168.56.0/255.255.255.0 -j ACCEPT
sudo iptables -A FORWARD -i <HOST_INTERFACE_WITH_INTERNET> -d 192.168.56.0/255.255.255.0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
< --------------------------------------------
Best Answer
INTRODUCTION
This is a complete guide to get the accesses "VM <-> Host", "VM1 <-> VM2" and "VM -> Internet" working on the guests using a single network interface ("host-only") on VirtualBox.
IMPORTANT: Run all the commands as "root".
EXECUTE ON HOST
NOTE: We use a Manjaro (Arch based) host as a template. You may need adjustments and changes to other distros.
You need to copy the iptables template configuration file...
... so you can start the "iptables.service".
Enable and start "iptables.service"...
Enable IP forwarding...
Add the following iptables rules. This will forward packets through the host ("vboxnet0") and to the internet...
TEMPLATE I... OR add the following iptables rules...
TEMPLATE II
NOTE: On the "TEMPLATE II" you do not need to specify the name of the host interface (<HOST_INTERFACE_WITH_INTERNET>) and the name of the VirtualBox interface (vboxnet0). In that way any host interface that has internet will work, that is, I do not have to adjust the name of the interface that has internet whenever it changes. An example of this is when we change from the wired interface (eg.: enp4s0f2) to the wireless interface (eg.: wlp3s0) and vice-versa.
FURTHER QUESTION: I presented two ways to configure "iptables" because I do not know if there is any advantage in using the "TEMPLATE I". Any comment?
TIP: To find out the name of the network interface (<HOST_INTERFACE_WITH_INTERNET>) that has internet use the "ip a" command.
Save rules to iptables configuration and restart the service...
Enable and start "dnsmasq" in host...
NOTE: "dnsmasq" is a small caching DNS proxy and DHCP/TFTP server.
EXECUTE ON GUEST
NOTE: We use a CentOS 7 guest as a template. You may need adjustments and changes to other distros.
Configure the network interface according to the model...
NOTE: The network configuration file is in the "/etc/sysconfig/network-scripts/" folder path.
Eg.:
Restart the network service...
To test...
REFERENCE
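As an added check (my own code, not part of the question or of the answer above) for the host-side part of both the question's rulesets and the answer's "EXECUTE ON HOST" steps: the script below parses iptables-save output together with the net.ipv4.ip_forward value and reports why the guests on 192.168.56.0/24 (vboxnet0, as on this page) could not reach the internet, and also warns when a ruleset makes the host an open router (unrestricted MASQUERADE, FORWARD policy ACCEPT). The two iptables-save samples are constructed for the example.

```python
# Constructed samples of `iptables-save` output (not taken from the page).
GOOD_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.56.0/24 -o enp4s0f2 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vboxnet0 -s 192.168.56.0/24 -j ACCEPT
COMMIT
"""
OPEN_ROUTER_RULES = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j MASQUERADE
COMMIT
*filter
:FORWARD ACCEPT [0:0]
COMMIT
"""
HOSTONLY_NET, HOSTONLY_IF = "192.168.56.0/24", "vboxnet0"  # VirtualBox defaults used on this page

def parse_tables(text):
    """Map each table to its chain policies and its -A rule lines."""
    tables, cur = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            cur = tables.setdefault(line[1:], {"policies": {}, "rules": []})
        elif cur is not None and line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            cur["policies"][chain] = policy
        elif cur is not None and line.startswith("-A "):
            cur["rules"].append(line)
    return tables

def check_nat_gateway(save_output, ip_forward):
    """Return FAIL/WARN findings; an empty list means the host NATs the guests and nothing else."""
    t, empty = parse_tables(save_output), {"policies": {}, "rules": []}
    nat, flt, findings = t.get("nat", empty), t.get("filter", empty), []
    if ip_forward != 1:
        findings.append("FAIL: net.ipv4.ip_forward is 0, host will not route guest packets")
    masq = [r for r in nat["rules"] if r.startswith("-A POSTROUTING") and "MASQUERADE" in r]
    if not masq:
        findings.append("FAIL: no MASQUERADE rule in nat/POSTROUTING")
    if any("-o " not in r and "-s " not in r for r in masq):  # neither -o nor -s restriction
        findings.append("WARN: unrestricted MASQUERADE, host NATs every network it forwards")
    fwd = [r for r in flt["rules"] if r.startswith("-A FORWARD")]
    if flt["policies"].get("FORWARD") == "ACCEPT":
        findings.append("WARN: FORWARD policy ACCEPT turns the host into an open router")
    else:  # policy DROP: guest traffic needs an explicit ACCEPT plus a return-traffic rule
        if not any((HOSTONLY_IF in r or HOSTONLY_NET in r) and "-j ACCEPT" in r for r in fwd):
            findings.append("FAIL: FORWARD does not accept traffic from %s" % HOSTONLY_NET)
        if not any("ESTABLISHED" in r for r in fwd):
            findings.append("FAIL: no RELATED,ESTABLISHED return rule, replies are dropped")
    return findings
```

On a real host, feed check_nat_gateway() the output of `iptables-save` and the integer from `sysctl -n net.ipv4.ip_forward`; it does not check the guest side (default gateway and DNS pointing at the host), which the answer's dnsmasq and ifcfg steps cover.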