My Ubuntu 12.04 (precise) laptop has three network interfaces:
eth0
: wired interface sometimes connected to the Internetwlan0
: wireless interface sometimes connected to the Internetvboxnet0
: wired interface (actually a VirtualBox virtual interface) connected to another computer (actually a VirtualBox virtual machine with networking in host-only mode)
I'd like to use iptables
to set up NAT/IP masquerading to share whichever Internet connection is up (preferring the wired if both are up) with the other computer.
The following works when eth0
is plugged in:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward &&
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE &&
sudo iptables -A FORWARD -i eth0 -o vboxnet0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT &&
sudo iptables -A FORWARD -i vboxnet0 -o eth0 -j ACCEPT
If I switch from wired to wireless, this obviously stops working.
I tried:
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward &&
sudo iptables -t nat -A POSTROUTING -o '!vboxnet0' -j MASQUERADE &&
sudo iptables -A FORWARD -i '!vboxnet0' -o vboxnet0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT &&
sudo iptables -A FORWARD -i vboxnet0 -o '!vboxnet0' -j ACCEPT
but it did not work. I could try to do some Network Manager scripts to change the iptables
rules whenever an interfaces goes up or down, but I figured it would be possible without jumping through such hoops.
Any suggestions?
Best Answer
Simple
Here's a very simple
iptables
ruleset that masquerades everything. This one works for many simpler setups. It won't work if the box is working as a full-blown router — it has a potentially nasty habit of NATting all traffic that leaves your computer.Full
If the simple solution fails to work, or if your configuration is more complex, this ruleset might help:
It marks packets coming in through any
vboxnet*
interface, then, later, masquerades (SNAT) any packets going out ofeth*
orwlan*
with the mark set.Also…
In addition to the
iptables
rules, you'll need to turn your host computer into a router by enabling packet forwarding. Put:in
/etc/sysctl.conf
, then sayAlternatively:
The guest must also have a default route that gateways packets through the host's external interfaces (and for this, chances are host-only mode just won't work). Check its routing table (this depends on the guest OS).
Also, install
wireshark
ortshark
and use them to examine packets. There's no better way to solve generic networking issues like this one.Personally, I'd suggest changing the guest to use bridged mode networking and making available to it both of the host's interfaces. Then it can connect on its own, using the DHCP service on your router to get a local address on its own. No NAT needed.