Manjaro and VirtualBox - "host-only" with internet

network
virtualbox
virtualisation

#1

Okay friends! I would really appreciate some help this time! =|

I’m using the VirtualBox virtualizer and I’m trying to make my guest machines have access to the internet using ONLY a “host-only” network interface (VirtualBox).

According to the official documentation in https://www.virtualbox.org/manual/ch06.html using a “host-only” network interface I have the following “network modes” (accesses)…

VM  <-> Host     | YES
VM1 <-> VM2      | YES
VM   -> Internet | NO

However, there is A LOT of documentation on the internet informing that you can access the internet (using only the “host-only” interface) from a guest machine using the following “trick”/“workaround” (example) on the host machine…

sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1

I tested many, many examples. The iptables.service is running correctly on my host machine. WHAT AM I DOING WRONG?

Thanks a lot!

Below are some sources with information about the “trick”/“workaround” I mentioned…

http://archlinux.org.ru/forum/topic/2219/
http://nerdbynature.de/s9y/2015/06/09/VirtualBox-switching-to-Host-only-networking
https://askubuntu.com/questions/293816/in-virtualbox-how-do-i-set-up-host-only-virtual-machines-that-can-access-the-in
https://cuckoo.sh/docs/installation/host/routing.html
https://downloads.cuckoosandbox.org/docs/installation/guest/network.html
https://github.com/cuckoosandbox/cuckoo/issues/1376
https://jackal777.wordpress.com/2012/02/13/internet-access-in-virtualbox-host-only-networking/
https://kyrofa.com/posts/virtualbox-internet-access-with-host-only-network
https://precisionsec.com/virtualbox-host-only-network-cuckoo-sandbox-0-4-2/
https://superuser.com/questions/1223801/virtualbox-nat-and-host-only-connection/1223853
https://unix.stackexchange.com/questions/74663/virtualbox-nat-host-only-adapter
https://www.howtogeek.com/howto/4922/week-in-geek-the-fixing-slow-internet-in-virtualbox-xp-guest-edition/
https://www.rffuste.com/tag/cuckoo/
https://www.virtualbox.org/manual/ch06.html

Below are some of the MANY examples I tested…

 > --------------------------------------------
sudo iptables -t nat -I POSTROUTING -s 192.168.56.0/24 -j MASQUERADE
sudo sysctl net.ipv4.ip_forward=1
sudo iptables -P FORWARD ACCEPT
sudo iptables -t nat -P POSTROUTING ACCEPT
 < --------------------------------------------
 > --------------------------------------------
sudo iptables -A FORWARD -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
 < --------------------------------------------
 > --------------------------------------------
sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
 < --------------------------------------------
 > --------------------------------------------
sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
 < --------------------------------------------
 > --------------------------------------------
sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv4.conf.all.proxy_arp=1
 < --------------------------------------------
 > --------------------------------------------
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -F
sudo iptables -t nat -A POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
sudo iptables -A FORWARD -i <HOST_INTERFACE_WITH_INTERNET> -o vboxnet0 -j ACCEPT
sudo iptables -A FORWARD -i vboxnet0 -o <HOST_INTERFACE_WITH_INTERNET> -j ACCEPT
 < --------------------------------------------
 > --------------------------------------------
sudo iptables -A FORWARD -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
 < --------------------------------------------
 > --------------------------------------------
sudo bash -c "printf \"net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.proxy_arp = 1\n\" >> /etc/sysctl.conf"
sudo sysctl -p
sudo iptables -t filter -I FORWARD --in-interface vboxnet0 --out-interface <HOST_INTERFACE_WITH_INTERNET> --source 192.168.56.0/24 -j ACCEPT
sudo iptables -t filter -I FORWARD --in-interface <HOST_INTERFACE_WITH_INTERNET> --out-interface vboxnet0 --destination 192.168.56.0/24 -j ACCEPT
sudo iptables -t nat -I POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
 < --------------------------------------------
 > --------------------------------------------
sudo iptables -A POSTROUTING -o enp+ -t nat -j MASQUERADE
sudo iptables -A POSTROUTING -o wlp+ -t nat -j MASQUERADE
 < --------------------------------------------
 > --------------------------------------------
sudo iptables -A PREROUTING -t mangle -i vboxnet+ -j MARK --set-mark 1
sudo iptables -A POSTROUTING -o enp+ -t nat -m mark --mark 1 -j MASQUERADE
sudo iptables -A POSTROUTING -o wlp+ -t nat -m mark --mark 1 -j MASQUERADE
 < --------------------------------------------
 > --------------------------------------------
sudo iptables -t nat -A POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -s 192.168.56.0/24 -j MASQUERADE
sudo iptables -P FORWARD DROP
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT
 < --------------------------------------------
 > --------------------------------------------
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.168.56.0/24 -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
sudo iptables -I INPUT 1 -i vboxnet0 -j ACCEPT
 < --------------------------------------------
 > --------------------------------------------
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo sysctl -p /etc/sysctl.conf
sudo iptables -I FORWARD -i vboxnet0 -d 192.168.56.0/255.255.255.0 -j DROP
sudo iptables -A FORWARD -i vboxnet0 -s 192.168.56.0/255.255.255.0 -j ACCEPT
sudo iptables -A FORWARD -i <HOST_INTERFACE_WITH_INTERNET> -d 192.168.56.0/255.255.255.0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
 < --------------------------------------------

Is it possible to update the virtualbox?
#2

Why are you doing this?

Just use a Virtualbox Nat interface as the developers intended, instead of trying to re-invent the wheel. Your vm will still be protected by the vm router, and multiple vms can still talk to each other.

Instead you are trying to end-run the purpose of VirtualBox Host Only network by breaking out of the sandbox it created.


#3

@jsamyth I do not want to have to use two interfaces (“NAT Network” and “Host-only”) to be able to access the resources of my guest and allow my guest to access the internet. The idea is to be able to access my guest on an isolated network from the host (vice-versa) and allow the guest to access the internet using only one interface (“Host-only”). I can not understand what the problem is in this since it makes my life completely easier. VMWare does this perfectly. At the moment I’m trying to migrate from VMWare to VirtualBox. Thanks!


#4

But I think that would be solved by using a Bridged Adapter. That way both the Host and Guest have the same IP family, the guest has access to the internet and you can share resources as in a normal local network. No need for 2 adapters.
Maybe I’m missing something …


#5

@bogdancovaciu Yes! Your statement is perfectly correct! The problem with the “Bridged” interface is that I put a guest machine inside the network of my clients which is a big problem and also does not allow me portability (I have to adjust my guest network rules to my clients rules every time).


#6

Oh, I see. Have you created the Host-Only Network interface in the main VirtualBox Preferences? Not only in the Guest Settings …


#7

Yes I did it. Thank you! :grin:


#8

Vmware does this EXACTLY the same way as Virtualbox.
They supply three interface types, bridged, nat, and host only.

Converting host only to the equivalent of nat with a boat load of iptables scripts is foolish and unnecessary. You’ve opened a vulnerability to your virtual machines. You’ve enabled a call-home portal.

If you used a NAT second interface defined for the VM you could just shut it down (disconnect it) when you didn’t want it. Your method has it always up and open till you diddle with your iptables again.

Please explain why adding a second interface to a virtual machine frightens you into writing all those iptables scripts?

Don’t get me wrong. It’s your machine and you can do it any convoluted way you want, but nobody is going to be able to help you with that because nobody does it that way. Take that over to the Virtualbox forum and they will probably laugh you right out of there.


#9

This actually brings up a question on why it wasn’t asked in Virtualbox forums because this isn’t specifically a technical problem related to Manjaro.


#10

@jsamyth I believe that your positions (“will probably laugh you” and so on…) completely detract from the sense of the forum of my beloved and brilliant Manjaro. I am sure that this is not the posture of its creators (I quote the Manjaro Team as well).
@jsamyth I have 15 years of market, I participated in several elections in the “stackexchange”, I have lots and lots of contributions for the free software in forums out there (believe me, there is not a little) and, frankly, I have already come across dozens of guys out there who have postures like yours (“foolish and unnecessary” and blah, blah, blah…) and I do not know what kind of contributions they give by saying that sort of thing.
This is definitely not “my way”. I will no longer respond to things of this nature, but I would greatly appreciate it if you tried to help me.

Thanks anyway! I respect you!


#11

@PenguinRage I’ve brought this thread to this forum as there are commands that will run on Manjaro and I want to make a schematic oriented to it. Manjaro is my platform of choice and I use it to work. I have done my best to enrich Manjaro precisely because of the quality of this forum and the quality of the platform (“Professional and user-friendly Linux at its best.” :grinning:).


#12
  • INTRODUCTION:

It is a complete guide to have the accesses “VM <-> Host”, “VM1 <-> VM2” and “VM -> Internet” on the guests using a single network interface (“host-only”) on VirtualBox.

IMPORTANT: Run all the commands as “root”.

  • EXECUTE ON   H O S T  :

NOTE: We use a Manjaro (Arch based) host as a template. You may need adjustments and changes to other distros.

You need to copy the iptables template configuration file…

cp /etc/iptables/empty.rules /etc/iptables/iptables.rules

… so you can start the “iptables.service”.

Enable and start “iptables.service”…

systemctl enable iptables.service
systemctl start iptables.service

Enable IP forwarding…

sysctl -w net.ipv4.ip_forward=1
printf "net.ipv4.ip_forward=1\n" >> /etc/sysctl.d/30-ipforward.conf

Add the following iptables rules. This will forward packets through the host (“vboxnet0”) and to the internet…

TEMPLATE I:

iptables -t filter -I FORWARD --in-interface vboxnet0 --out-interface <HOST_INTERFACE_WITH_INTERNET> --source 192.168.56.0/24 -j ACCEPT
iptables -t filter -I FORWARD --in-interface <HOST_INTERFACE_WITH_INTERNET> --out-interface vboxnet0 --destination 192.168.56.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE

OR add the following iptables rules…

TEMPLATE II:

iptables -t nat -I POSTROUTING -s 192.168.56.0/24 -j MASQUERADE
iptables -P FORWARD ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

NOTE: On the “TEMPLATE II” you do not need to inform the name of the host interface (<HOST_INTERFACE_WITH_INTERNET>) and the name of the VirtualBox interface (vboxnet0). In that way any host interface that has internet will work, that is, I do not have to adjust the name of the interface that has internet whenever it changes. An example of this is when we change from the wired interface (e.g. enp4s0f2) to the wireless interface (e.g. wlp3s0) and vice-versa.

FURTHER QUESTION: I presented two ways to configure “iptables” because I do not know if there is any advantage in using the “TEMPLATE I”. Any comment?

TIP: To find out the name of the network interface (<HOST_INTERFACE_WITH_INTERNET>) that has internet use the “ip a” command.

Save rules to iptables configuration and restart the service…

iptables-save > /etc/iptables/iptables.rules
systemctl restart iptables.service

Enable and start “dnsmasq” in host…

systemctl enable dnsmasq.service
systemctl start dnsmasq.service

NOTE: “dnsmasq” is a small caching DNS proxy and DHCP/TFTP server.

  • EXECUTE ON   G U E S T  :

NOTE: We use a CentOS 7 guest as a template. You may need adjustments and changes to other distros.

Configure the network interface according to the model…

NOTE: The network configuration file is in the “/etc/sysconfig/network-scripts/” folder path.

BOOTPROTO=static
DEVICE=<NETWORK_INTERFACE_NAME>
DNS1=<HOST-ONLY_HOST_IP>
GATEWAY=<HOST-ONLY_HOST_IP>
IPADDR=<HOST-ONLY_GUEST_IP>
IPV6INIT=NO
NETMASK=255.255.255.0
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
USERCTL=NO
ZONE=

E.g.:

BOOTPROTO=static
DEVICE=eno16777736
DNS1=192.168.56.1
GATEWAY=192.168.56.1
IPADDR=192.168.56.101
IPV6INIT=NO
NETMASK=255.255.255.0
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
USERCTL=NO
ZONE=

Restart the network service…

systemctl restart network.service

To test…

curl http://www.google.com

That’s all folks! =D

  • REFERENCE:

https://jackal777.wordpress.com/2012/02/13/internet-access-in-virtualbox-host-only-networking/
https://askubuntu.com/questions/293816/in-virtualbox-how-do-i-set-up-host-only-virtual-machines-that-can-access-the-in
https://kyrofa.com/posts/virtualbox-internet-access-with-host-only-network
http://archlinux.org.ru/forum/topic/2219/
https://wiki.archlinux.org/index.php/Iptables
https://wiki.archlinux.org/index.php/Internet_sharing
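As an added example (not part of the forum post or the VirtualBox project), the script below generates the host-side “TEMPLATE I” rules while addressing the NOTE’s interface-name problem: it reads <HOST_INTERFACE_WITH_INTERNET> from the host’s default route, so the rules follow whichever interface currently has internet. It assumes vboxnet0 on 192.168.56.0/24 as in the thread, and it differs from the post by setting the FORWARD policy to DROP and admitting only ESTABLISHED,RELATED replies on the return path, so check that the DROP policy does not clash with other forwarding the host already does (e.g. Docker) before applying it.

```shell
#!/bin/sh
# Added example, not from the forum post: emits the host-side "TEMPLATE I"
# rules with <HOST_INTERFACE_WITH_INTERNET> taken from the host's default
# route, so nothing has to be edited when the uplink moves from wired to
# wireless. Assumes vboxnet0 on 192.168.56.0/24 (the thread's values).

HOSTONLY_IF="vboxnet0"
HOSTONLY_NET="192.168.56.0/24"

# Pull the interface name out of one "ip -4 route show default" line, e.g.
# "default via 192.168.1.1 dev wlp3s0 proto dhcp metric 600" -> wlp3s0.
# Prints nothing when the line has no "dev" field (no uplink).
uplink_from_route() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# TEMPLATE I restricted to one uplink. Differences from the post: the
# FORWARD policy is DROP so the host forwards nothing but the host-only
# subnet, and the return path only admits replies to guest-initiated
# connections (conntrack) instead of any packet addressed to the subnet.
template_one_rules() {
    uplink="$1"
    cat <<EOF
iptables -P FORWARD DROP
iptables -t filter -A FORWARD -i $HOSTONLY_IF -o $uplink -s $HOSTONLY_NET -j ACCEPT
iptables -t filter -A FORWARD -i $uplink -o $HOSTONLY_IF -d $HOSTONLY_NET -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -s $HOSTONLY_NET -o $uplink -j MASQUERADE
EOF
}

# Usage (as root): sh host-only-nat.sh | sh
# then persist with: iptables-save > /etc/iptables/iptables.rules
main() {
    route_line=$(ip -4 route show default 2>/dev/null | head -n 1)
    uplink=$(uplink_from_route "$route_line")
    if [ -z "$uplink" ]; then
        echo "no default route found: the host has no uplink to masquerade behind" >&2
        return 1
    fi
    template_one_rules "$uplink"
}

main "$@" || true
```

Re-run the script after switching between the wired and wireless interface; the only thing that changes in its output is the uplink name.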


#13

Yeah, I would never do this iptables hack, not in a million years.

Simply use two virtual adapters, one host and one nat.


#14

@sueridgepipe I respect your opinion, but unfortunately it is not the opinion of the vast majority and this includes all my co-workers who, believe me, are very happy to know that this was possible. In fact, this limitation was the only reason we still use VMWare. We have been trying to switch to VirtualBox for a long time because we prefer to use open license software and/or open source software. A much bigger problem is I put my virtual machines into the corporate networks of my clients using rules from their networks. Each professional has its own reality of use. We can not generalize! Thank you!


#15

I wouldn’t use two virtual adapters.
Just one NAT adapter per Virtual Machine.

  1. Start Vbox Manager / File / Preferences / Network / Nat Network Tab / Plus-sign to add a natnetwork
    Take all the defaults. Click Supports DHCP (if desired).

  2. Set up your virtual machines, adding ONLY the NAT adapter, on the settings / Network, and in Attach To, select Nat Network

  3. Boot the VM(s), set up the only adapter for DHCP (as above)

  4. Return to Vbox Manager File Preferences Network, and put in any port Forwarding you might need (if any).

  5. ping around to make sure you can ping the net, the other VMs (if any), and the host (via its external IP AND the nat-network IP (usually 10.0.2.1)).

Done!

“VM <-> Host”, “VM1 <-> VM2” and “VM -> Internet” on one interface, done the right way.


#17

Thanks for your suggestion! But according to the documentation at https://www.virtualbox.org/manual/ch06.html using “NAT Network” mode we do not have the communication “VM <-> Host”. This does not meet our need. Also, apparently, we need to configure “Port Forwarding”. For these reasons, I still do not see problems in the approach presented, because it meets our need. Thanks amigo! :grin:

IMPORTANT: I would have no problem using your approach if it attended to what we needed!


#18

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.