Tutorials, Ubuntu|April 21, 2011 5:34 pm


Virtualbox: Give Internet to a Host-only Virtual Machine with iptables

VirtualBox is popular virtualization software, distributed for free at www.virtualbox.org. I have had the pleasure of working with it to create and manage virtual servers in order to reduce costs and, of course, to learn more about virtual networks and environments.

Recently I needed to give internet access to one of my virtual networks, and in particular to expose a web server running on it. Many people in forums told me to use "NAT" as a direct connection to my web server, but I really did not want that, since I have an array of virtual servers on my host machine. This creates an additional problem: giving internet access to a Host-Only network. The problem is very common and very rarely answered.

Finally I arrived at a practical solution using iptables. I know many of you may be using Windows as your operating system, but in my case our business solution includes Ubuntu Server Edition, so things change a lot. Also, many of the solutions I read elsewhere are not very well detailed, so I will write this one out in detail so you will not get lost trying to figure out what is happening.

Network Configuration and VirtualBox configuration

To summarize the configuration I had on my server, I'll embed a diagram of how the server that acts as gateway/firewall is configured, together with the VirtualBox network including my virtual web server.

First, we have a dedicated server to host other web services (such as Slicehost). This server is hooked up to a dedicated T1 internet connection. Nothing other than this server is physically connected to the internet, so this server will behave as gateway and firewall at the same time.

This server also runs VirtualBox as the host service. We don't have enough money to buy infrastructure and servers, but we can install virtual servers for specific services such as email, web, DNS, etc.

My virtual network contains my virtual server for web hosting, a simple LAMP server that also runs an SSH server, and another virtual server running Windows Server 2003 with databases.

When you create a virtual network using a Host-only adapter, VirtualBox adds a virtual network card to your host server; this allows some interaction with the devices attached to that network. If you are using the GUI, go to the VirtualBox window and choose File -> Preferences -> Network; there you can configure the virtual network device and its DHCP server as well:

This is the adapter configuration

And this is the DHCP configuration

Now, if you are using the console instead of the GUI, you can use this command instead (it should be one single line):

$ VBoxManage dhcpserver add --ifname vboxnet0 --ip 10.10.10.1 --netmask 255.255.255.0 --lowerip 10.10.10.10 --upperip 10.10.10.20 --enable

Understanding the task of the Gateway and the task of VB Host-Only network

Whether a network is virtual or physical, it is important that the gateway/firewall to the internet is established. Static-IP servers usually have only one network card if they are used just to host a service, for example a web server or a mail server. I assume at this point you know that we are talking about public IP addresses, so our main connection at the time of installing Ubuntu Server becomes eth0, with public IP properties like:

IP address: 215.220.145.221
Subnet mask: 255.255.255.248
Gateway: 215.220.145.220

DNS servers: 200.5.3.155 200.5.3.160

If you put a router in front of the server, the router will assign the server an IP address from its internal DHCP service, but we won't cover that here, since our server is behaving as router and firewall at the same time.

Now let's suppose we have an additional network card to which our client servers/computers will connect for internet access. In this case we need to give them specific configuration for the gateway and the DNS servers. For example, let's say one of our servers is hooked up to the network on our second network card:

IP address: 10.10.10.15
Subnet mask: 255.255.255.0
Gateway: 10.10.10.1

So far there is no problem; if it is configured via DHCP we will have similar values. The DNS addresses should include the current gateway, the public IP of the server and the DNS servers of the public interface:

DNS servers: 10.10.10.1 215.220.145.221 200.5.3.155 200.5.3.160

Sadly, VirtualBox's DHCP server options do not let us push these values, so we need to write them on each virtual server hooked up to our virtual network card vboxnet0.

So at the end of the day we can hook virtual servers up to our virtual network card: we can ping from the host to the guest virtual server, and likewise from the virtual guest machine to the host. All that is left is the service that provides internet access.

Network configuration of the Gateway/Firewall/VM Host Machine

Managing IPTABLES to give internet and services

To solve our connectivity problem, iptables will save us a lot of time. I had a very hard time understanding how to provide internet access from our gateway to an internal network, until I realized, thanks to the tutorial by Pello Xabier Altadill Izura on pello.info, that it is possible. I figured out that it is the same problem as connecting a physical network; the only difference is that I'm using a host-only network that behaves like a physical network. (Sorry, it is in Spanish, but the examples are very well detailed.)

So I found an example that fit my case, and it works very well! :) We can check whether each rule is being applied by appending something like the following to each command:

.... && echo "Rule 16 ok"

And also test whether our machines can connect properly to the internet. Basically, the script below has the following steps:

  1. Clean the iptables rules
  2. Open ports
  3. Allow the loopback interface and the internal network
  4. Enable IP forwarding
  5. Port-forwarding configuration
  6. Network configuration for our virtual network
  7. Virtual network masquerade
  8. Drop unneeded ports
  9. Testing

I admit it can be difficult to understand at once; if you do not read the tutorial on pello.info it is quite difficult even if you know a little about iptables rules.

Now let's set up iptables for our VirtualBox host-only network. Remember that the public IP address of the host/gateway server is written as xxx.xxx.xxx.xxx below. This iptables script must be executed on the host server! Remember that our host server is also the gateway and firewall at the same time.


#!/bin/bash
clear
# Clean the firewall rules. Change ACCEPT to DROP if you want to shield
# the server; you then open only the ports you need.
iptables -F
iptables -t nat -F    # also flush the nat table, or old DNAT rules pile up on every run
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

# Open INPUT ports (if you chose DROP above, this list must name every
# port you want reachable on the host)
iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT && echo "rule 1 ok"
iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT && echo "rule 2 ok"
iptables -A INPUT --protocol tcp --dport 10000 -j ACCEPT && echo "rule 3 ok"
iptables -A INPUT --protocol tcp --dport 2222 -j ACCEPT && echo "rule 4 ok"
iptables -A INPUT --protocol tcp --dport 15410 -j ACCEPT && echo "rule 5 ok"
iptables -A INPUT --protocol tcp --dport 22 -j ACCEPT && echo "rule 6 ok"

# Allow loopback and the internal network
iptables -A INPUT -i lo -j ACCEPT && echo "rule 7 ok"
# Accept any input from the 10.10.10.0/24 network on the vboxnet0 interface
iptables -A INPUT -s 10.10.10.0/24 -i vboxnet0 -j ACCEPT && echo "rule 8 ok"

# Enable IP forwarding between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward

# PREROUTING (nat table): this does the port-forwarding trick.
# Forward as many ports as you want to specific machines on the network to
# provide services such as a web server, FTP server, etc.
# xxx.xxx.xxx.xxx is the public IP of the host.
iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 80 -j DNAT --to 10.10.10.10:80 && echo "rule 9 ok"
iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx --dport 53 -j DNAT --to 10.10.10.14:53 && echo "rule 10 ok"
iptables -t nat -A PREROUTING -p udp -i eth0 -d xxx.xxx.xxx.xxx --dport 53 -j DNAT --to 10.10.10.14:53 && echo "rule 11 ok"
iptables -t nat -A PREROUTING -p udp -i eth0 -d xxx.xxx.xxx.xxx --dport 21 -j DNAT --to 10.10.10.16:21 && echo "rule 12 ok"

# Open FORWARD ports for network services on the virtual network
iptables -A FORWARD -s 10.10.10.0/24 -i vboxnet0 -p tcp --dport 80 -j ACCEPT && echo "rule 13 ok"
iptables -A FORWARD -s 10.10.10.0/24 -i vboxnet0 -p tcp --dport 21 -j ACCEPT && echo "rule 14 ok"
iptables -A FORWARD -s 10.10.10.0/24 -i vboxnet0 -p tcp --dport 68 -j ACCEPT && echo "rule 15 ok"
iptables -A FORWARD -s 10.10.10.0/24 -i vboxnet0 -p tcp --dport 22 -j ACCEPT && echo "rule 16 ok"
iptables -A FORWARD -s 10.10.10.0/24 -i vboxnet0 -p tcp --dport 53 -j ACCEPT && echo "rule 17 ok"
iptables -A FORWARD -s 10.10.10.0/24 -i vboxnet0 -p udp --dport 53 -j ACCEPT && echo "rule 18 ok"

# POSTROUTING: masquerade the virtual network behind the host's public IP.
# This is absolutely necessary for the guests to reach the internet, and it
# also hides their internal addresses from the outside.
# (The whole /24 must be given here; a bare 10.10.10.0 matches only that one address.)
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE && echo "rule 19 ok"

# Close the low ports that are not needed. Rules are matched in order, so the
# ACCEPT rules appended above still win for the ports they name. If a server
# needs another port, add a new PREROUTING DNAT and a new FORWARD rule.
iptables -A INPUT -s 0.0.0.0/0 -i eth0 -p tcp --dport 1:1024 -j DROP && echo "rule 20 ok"
iptables -A INPUT -s 0.0.0.0/0 -i eth0 -p udp --dport 1:1024 -j DROP && echo "rule 21 ok"

# Test: list the rules to check that everything loaded properly
iptables -L -n

Do not forget to run these rules at boot of the server, and then reboot your server.
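As an added example, and not the post's script nor anything taken from pello.info, here is how I would restructure the same rules as a default-DROP firewall with connection tracking. The point it adds to the script above is that each published service's PREROUTING DNAT and its FORWARD accept are generated together from one list, so the two cannot get out of step (with a DROP policy on FORWARD, a DNAT without its FORWARD rule silently blackholes the service). The public address 203.0.113.10, the interface names, the guest addresses and the `--apply` switch are assumptions of this example; setting IPT=echo prints the rules instead of applying them, which is also how the rule set can be reviewed before it touches a live host.

```shell
#!/bin/sh
# Added example (not the original post's script). Default-DROP host firewall
# for a VirtualBox host-only network, with each published service's DNAT and
# FORWARD rule generated from one list. Set IPT=echo to dry-run.

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # assumed public address (documentation range)
WAN_IF="${WAN_IF:-eth0}"                 # interface carrying the public address
LAN_IF="${LAN_IF:-vboxnet0}"             # VirtualBox host-only adapter
LAN_NET="${LAN_NET:-10.10.10.0/24}"      # host-only network
ADMIN_PORT="${ADMIN_PORT:-22}"           # SSH to the host itself
IPT="${IPT:-iptables}"                   # IPT=echo prints rules instead of applying them

# Services published from the public address to guests, one per word:
# proto:public_port:guest_ip:guest_port (guest addresses as in the post's rules 9-11)
SERVICES="tcp:80:10.10.10.10:80 tcp:53:10.10.10.14:53 udp:53:10.10.10.14:53"

# Publish one service: the nat PREROUTING DNAT and the matching filter FORWARD
# accept are emitted together, so a DNAT is never left without its FORWARD rule.
publish_service() {
    proto="$1"; pport="$2"; gip="$3"; gport="$4"
    "$IPT" -t nat -A PREROUTING -i "$WAN_IF" -p "$proto" -d "$PUBLIC_IP" \
        --dport "$pport" -j DNAT --to-destination "$gip:$gport"
    "$IPT" -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p "$proto" -d "$gip" \
        --dport "$gport" -m conntrack --ctstate NEW -j ACCEPT
}

apply_firewall() {
    "$IPT" -F
    "$IPT" -t nat -F
    # Default deny on INPUT and FORWARD; everything below is an explicit allow.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    # Loopback, and replies to connections the host or a guest already opened.
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Host management from the internet, and anything from the guests to the host.
    "$IPT" -A INPUT -i "$WAN_IF" -p tcp --dport "$ADMIN_PORT" -j ACCEPT
    "$IPT" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    # Guests out to the internet, source-NATed to the public address.
    "$IPT" -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE
    # Published services, each as a DNAT + FORWARD pair.
    for svc in $SERVICES; do
        old_ifs="$IFS"; IFS=:
        set -- $svc
        IFS="$old_ifs"
        publish_service "$1" "$2" "$3" "$4"
    done
    # Routing between interfaces is only turned on when rules are really applied.
    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

# Apply only when invoked as "sh firewall.sh --apply"; otherwise just define the functions.
if [ "${1:-}" = "--apply" ]; then
    apply_firewall
    iptables -L -n -v
fi
```

Run `IPT=echo sh firewall.sh --apply` first and read the printed rules; only when they look right run it as root without IPT set. The INPUT chain deliberately has no "DROP 1:1024" tail: with a DROP policy nothing is reachable unless a rule names it, which is easier to audit than a list of exceptions to an ACCEPT policy.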

Here is the final result: a virtual machine with a host-only network device accessing the internet.

Possible problems

Some services on a virtual server refuse to start, for example MySQL server

Editing the /etc/resolv.conf file on your virtual machine to add the correct nameservers will solve the problem. If it persists, you should consider other options. In the end I reinstalled my web server from scratch and the problem (in particular one related to MySQL server: unable to connect to system bus: failed to connect to socket /var/run/system_bus_socket) was fixed.

If you find this useful, leave a comment ^^
