Re: iptables, virtualbox and port forwarding
On 28.05.2014 00:13, Joe wrote:
On Tue, 27 May 2014 18:24:41 +0200
berenger.morel@neutralite.org wrote:
Hello list.
I am trying to build a virtual network exposing servers accessible from the LAN.
I have done a lot of searches on the web and it worked last week, but since then, I have restarted my computer and had the nice surprise to learn that the iptables command does not save its configuration.
I tried to retrieve my configuration, but am failing (I tried to understand what I did with the history command, but sadly I am always working with tons of terminals and so, I suspect that it is not the correct history...), and same to find anew the articles which actually made things work.
I had some network knowledge in the past, but never really practiced it, so I have lost almost everything. I already have used some firewalls, but those were some Windows ones (I was not a linux user at that time) and so I have never played with iptables.
So I ask for 2 things:
_ help on this particular problem
_ if someone knows about resources to learn and understand how exactly iptables work, this would help me a lot in the future
Google will provide you with many thousands. The usual question arises as to which of them are up to date; there have been a few small changes in iptables, and some may rely on the sysv init system, which is fast disappearing.
Yes, and this is exactly the problem. I have spent a lot of time on search engines, which allowed me to have port forwarding working from 172.20.14.XX:80 to 10.10.10.30:80.
Problem is, rules vanished since then, and my memory about the exact configuration or search keywords too.
And to add to the fun, I remember having discovered after several hours last week that the port forwarding rules I built did not allow the host computer to access the VM, at least, not when asking on the host's IP (aka 172.20.14.XX).
So, maybe it did work before I discovered that particular point.
Debian also has the package iptables-persistent, which does just this.
Thanks for the hints, they will be useful.
For my particular problem.
Sorry about this, routing to VMs can offer unexpected challenges, and I haven't used any with any routing complexity for a few years, so I can't help much. The only VM I currently use does NAT.
As I recall, broadly, to avoid NAT, the VM must use a bridging network connection (virtualbox does either easily) and the VMs must therefore have IP addresses compatible with the TCP/IP settings of the real NIC, in other words they must be set up as if they are real machines on the same network as the host. I vaguely recall setting up the real NIC as a br0 interface rather than eth0, plus a bit more tweaking. I think. It is some time since I did this, and there is no remaining evidence. [Further disclaimers as required]. It is also possible that the virtualbox system does more to help now.
In fact, I used the package vlan and some configuration inside /etc/network/interface of the host to have the host having a virtual second ethernet connection, on which the VMs are connected.
In practice, there are 2 LANs, with the host computer being the router.
Oh, yes, if IPv6 is allowed into your network, there is also an ip6tables, which is completely independent of the v4 system, and by default allows anything anywhere. I currently have no use for v6, so I've just added drop policies to my main ruleset, and that seems to work.
--
Joe
I do not think I need ipv6 for now. I'll start with the probably easier ipv4, and maybe someday I'll experiment with the v6, if I have the opportunity to work in a v6 LAN.
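As an added example that is not from this thread (nor from Debian's iptables-persistent package), here is a small POSIX shell script that generates the port-forwarding rules discussed above in iptables-restore format: LAN clients reaching the host's address are sent to the VM, the host connecting to its own address (the case that did not work) is handled in the nat OUTPUT chain, and the result can be loaded and then saved where iptables-persistent picks it up at boot. The addresses, port and interface name are placeholder arguments, and the FORWARD policy is deliberately restrictive, so any other traffic the host routes between its two LANs needs its own rule.

```shell
#!/bin/sh
# Added example, not code from the thread: build an iptables-restore rule set that
# forwards HOST_IP:PORT on the LAN side to VM_IP:PORT, covers the host connecting
# to its own LAN address (such packets never pass PREROUTING), and can be kept
# across reboots with iptables-persistent.
# The addresses and interface name passed in are placeholders, not from the thread.

gen_forward_rules() {
    host_ip="$1"; vm_ip="$2"; port="$3"; lan_if="$4"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# LAN clients: rewrite the destination, but only for this port arriving on the LAN NIC
-A PREROUTING -i $lan_if -p tcp -d $host_ip --dport $port -j DNAT --to-destination $vm_ip:$port
# Host itself: locally generated packets skip PREROUTING, so DNAT them in OUTPUT
-A OUTPUT -p tcp -d $host_ip --dport $port -j DNAT --to-destination $vm_ip:$port
# Hairpin: host-originated connections get the host's VM-side address as source,
# so the VM's replies come back through the host and the DNAT is reversed
-A POSTROUTING -s $host_ip -d $vm_ip -p tcp --dport $port -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Least privilege on the router: only the forwarded service and reply traffic
# may cross between the two LANs; any other VM traffic needs its own rule here
-A FORWARD -p tcp -d $vm_ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Load the rules and save them where iptables-persistent reloads them at boot.
# Must run as root, e.g.: apply_forward_rules 172.20.14.XX 10.10.10.30 80 eth0
apply_forward_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    gen_forward_rules "$@" | iptables-restore
    iptables-save > /etc/iptables/rules.v4
}
```

Run `gen_forward_rules` alone first to review the generated file before applying it; `iptables-save` after `apply_forward_rules` is what the saved rules.v4 will contain.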