VirtualBox - "host-only" with internet


INTRODUCTION

This is a complete guide to getting the accesses "VM <-> Host", "VM1 <-> VM2" and "VM -> Internet" on the guests using a single network interface ("host-only") on VirtualBox.

IMPORTANT: Run all the commands as "root".

EXECUTE ON HOST

NOTE: We use a Manjaro (Arch based) host as a template. You may need adjustments and changes to other distros.

You need to copy the iptables template configuration file...

$ cp /etc/iptables/empty.rules /etc/iptables/iptables.rules

... so you can start the "iptables.service".

Enable and start "iptables.service"...

$ systemctl enable --now iptables.service

Enable IP forwarding...

$ sysctl -w net.ipv4.ip_forward=1
$ printf "net.ipv4.ip_forward=1\n" >> /etc/sysctl.d/30-ipforward.conf

Add the following iptables rules. This will forward packets through the host ("vboxnet0") and to the internet...

TEMPLATE I
$ iptables -t filter -I FORWARD --in-interface vboxnet0 --out-interface <HOST_INTERFACE_WITH_INTERNET> --source 192.168.56.0/24 -j ACCEPT
$ iptables -t filter -I FORWARD --in-interface <HOST_INTERFACE_WITH_INTERNET> --out-interface vboxnet0 --destination 192.168.56.0/24 -j ACCEPT
$ iptables -t nat -I POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE

... OR add the following iptables rules...

TEMPLATE II
$ iptables -t nat -I POSTROUTING -s 192.168.56.0/24 -j MASQUERADE
$ iptables -P FORWARD ACCEPT
$ iptables -t nat -P POSTROUTING ACCEPT

NOTE: With "TEMPLATE II" you do not need to give the name of the host interface (<HOST_INTERFACE_WITH_INTERNET>) or the name of the VirtualBox interface (vboxnet0). That way any host interface that has internet will work, that is, I do not have to adjust the name of the interface that has internet whenever it changes. An example of this is when we change from the wired interface (e.g. enp4s0f2) to the wireless interface (e.g. wlp3s0) and vice versa.

FURTHER QUESTION: I presented two ways to configure "iptables" because I do not know if there is any advantage in using the "TEMPLATE I". Any comment?

TIP: To find out the name of the network interface (<HOST_INTERFACE_WITH_INTERNET>) that has internet, use the "ip a" command.

Save rules to iptables configuration and restart the service...

$ iptables-save > /etc/iptables/iptables.rules
$ systemctl restart iptables.service

Enable and start "dnsmasq" in host...

$ systemctl enable --now dnsmasq.service

NOTE: "dnsmasq" is a small caching DNS proxy and DHCP/TFTP server.

EXECUTE ON GUEST

NOTE: We use a CentOS 7 guest as a template. You may need adjustments and changes to other distros.

Configure the network interface according to the model...

NOTE: The network configuration file is in the "/etc/sysconfig/network-scripts/" folder.

BOOTPROTO=static
DEVICE=<NETWORK_INTERFACE_NAME>
DNS1=<HOST-ONLY_HOST_IP>
GATEWAY=<HOST-ONLY_HOST_IP>
IPADDR=<HOST-ONLY_GUEST_IP>
IPV6INIT=NO
NETMASK=255.255.255.0
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
USERCTL=NO
ZONE=

E.g.:

BOOTPROTO=static
DEVICE=eno16777736
DNS1=192.168.56.1
GATEWAY=192.168.56.1
IPADDR=192.168.56.101
IPV6INIT=NO
NETMASK=255.255.255.0
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
USERCTL=NO
ZONE=

Restart the network service...

$ systemctl restart network.service

To test...

$ curl http://www.google.com
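
Added example, not part of the answer above: a small POSIX shell script that applies the same host-side forwarding and NAT as TEMPLATE I, but with a default-DROP FORWARD policy and connection tracking, so the host forwards only connections that guests on 192.168.56.0/24 open and masquerades only that subnet. It assumes vboxnet0 as the host-only interface, takes the uplink name (e.g. wlp3s0) as the argument of apply_rules, and prints the commands instead of running them when DRY_RUN=1.

```shell
#!/bin/sh
# Added example, not the answer's own commands. Assumptions: the VirtualBox
# host-only interface is vboxnet0 on 192.168.56.0/24; the uplink interface
# name (e.g. wlp3s0) is passed as the first argument of apply_rules.
# With DRY_RUN=1 the commands are printed instead of executed.

VBOX_IF="${VBOX_IF:-vboxnet0}"
VBOX_NET="${VBOX_NET:-192.168.56.0/24}"

# run CMD...: execute, or print when DRY_RUN=1 (lets you review before applying).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_ifname NAME: accept only plausible Linux interface names (at most
# 15 characters, no shell metacharacters), since NAME lands on a command line.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# apply_rules UPLINK: enable forwarding and add stateful forward + NAT rules.
apply_rules() {
    uplink="$1"
    if ! valid_ifname "$uplink"; then
        echo "apply_rules: bad interface name: $uplink" >&2
        return 1
    fi
    run sysctl -w net.ipv4.ip_forward=1
    # Default deny: the host forwards nothing unless a rule below allows it
    # (TEMPLATE II's "-P FORWARD ACCEPT" would forward between all interfaces).
    run iptables -P FORWARD DROP
    # Return traffic for connections the guests opened.
    run iptables -A FORWARD -i "$uplink" -o "$VBOX_IF" -d "$VBOX_NET" \
        -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only the host-only subnet may open connections out through the uplink.
    run iptables -A FORWARD -i "$VBOX_IF" -o "$uplink" -s "$VBOX_NET" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    # Masquerade only guest traffic leaving on the uplink, not every flow.
    run iptables -t nat -A POSTROUTING -s "$VBOX_NET" -o "$uplink" -j MASQUERADE
}
```

Source the file and run `DRY_RUN=1 apply_rules wlp3s0` first to review the rules, then `apply_rules wlp3s0` as root; persist them with `iptables-save` as in the guide.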

REFERENCE

Author: Eduardo Lucio

I am a GENERALIST IN IT and ENTHUSIAST of all the technologies that involve OPEN LICENSE/CODE SOFTWARE AND LOW/ZERO COST as this is a VIABLE, PROFITABLE AND CREDIBLE BUSINESS MODEL. I have approximately 10 years of career and special interest in the development of new products.

Updated on September 18, 2022

Comments

  • Eduardo Lucio (over 1 year)

    Okay friends! I would really appreciate some help this time! =|

    I'm using VirtualBox virtualizer and I'm trying to make my guest machines have access to the internet using ONLY a "host-only" network interface (VirtualBox).

    According to the official documentation at https://www.virtualbox.org/manual/ch06.html, using a "host-only" network interface I have the following "network modes" (accesses)...

    VM  <-> Host     | YES
    VM1 <-> VM2      | YES
    VM   -> Internet | NO
    

    However, there is A LOT of documentation on the internet informing you that you can access the internet (using only the "host-only" interface) from a guest machine using the following "trick"/"workaround" (example) on the host machine...

    sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
    sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A POSTROUTING -t nat -j MASQUERADE
    sudo sysctl -w net.ipv4.ip_forward=1
    

    I tested many, many examples. The iptables.service is running correctly on my host machine. WHAT AM I DOING WRONG?

    My host is a Linux Manjaro (Linux Arch based).

    Thanks a lot!

    Below are some sources with information about the "trick"/"workaround" I mentioned...

    http://archlinux.org.ru/forum/topic/2219/
    http://nerdbynature.de/s9y/2015/06/09/VirtualBox-switching-to-Host-only-networking
    https://askubuntu.com/questions/293816/in-virtualbox-how-do-i-set-up-host-only-virtual-machines-that-can-access-the-in
    https://cuckoo.sh/docs/installation/host/routing.html
    https://downloads.cuckoosandbox.org/docs/installation/guest/network.html
    https://github.com/cuckoosandbox/cuckoo/issues/1376
    https://jackal777.wordpress.com/2012/02/13/internet-access-in-virtualbox-host-only-networking/
    https://kyrofa.com/posts/virtualbox-internet-access-with-host-only-network
    https://precisionsec.com/virtualbox-host-only-network-cuckoo-sandbox-0-4-2/
    Virtualbox NAT and host-only connection
    https://unix.stackexchange.com/questions/74663/virtualbox-nat-host-only-adapter
    https://www.howtogeek.com/howto/4922/week-in-geek-the-fixing-slow-internet-in-virtualbox-xp-guest-edition/
    https://www.rffuste.com/tag/cuckoo/
    https://www.virtualbox.org/manual/ch06.html

    Below are some of the MANY examples I tested...

     > --------------------------------------------
    sudo iptables -t nat -I POSTROUTING -s 192.168.56.0/24 -j MASQUERADE
    sudo sysctl net.ipv4.ip_forward=1
    sudo iptables -P FORWARD ACCEPT
    sudo iptables -t nat -P POSTROUTING ACCEPT
     < --------------------------------------------
     > --------------------------------------------
    sudo iptables -A FORWARD -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
    sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A POSTROUTING -t nat -j MASQUERADE
    sudo sysctl -w net.ipv4.ip_forward=1
     < --------------------------------------------
     > --------------------------------------------
    sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
    sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A POSTROUTING -t nat -j MASQUERADE
    sudo sysctl -w net.ipv4.ip_forward=1
     < --------------------------------------------
     > --------------------------------------------
    sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
    sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -t nat -F POSTROUTING
    sudo iptables -t nat -A POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
    sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
     < --------------------------------------------
     > --------------------------------------------
    sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
    sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A POSTROUTING -t nat -j MASQUERADE
    sudo sysctl -w net.ipv4.ip_forward=1
    sudo sysctl -w net.ipv4.conf.all.proxy_arp=1
     < --------------------------------------------
     > --------------------------------------------
    sudo sysctl -w net.ipv4.ip_forward=1
    sudo iptables -F
    sudo iptables -t nat -A POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
    sudo iptables -A FORWARD -i <HOST_INTERFACE_WITH_INTERNET> -o vboxnet0 -j ACCEPT
    sudo iptables -A FORWARD -i vboxnet0 -o <HOST_INTERFACE_WITH_INTERNET> -j ACCEPT
     < --------------------------------------------
     > --------------------------------------------
    sudo iptables -A FORWARD -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
    sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A POSTROUTING -t nat -j MASQUERADE
    sudo sysctl -w net.ipv4.ip_forward=1
     < --------------------------------------------
     > --------------------------------------------
    sudo bash -c "printf \"net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.proxy_arp = 1\n\" >> /etc/sysctl.conf"
    sudo sysctl -p
    sudo iptables -t filter -I FORWARD --in-interface vboxnet0 --out-interface <HOST_INTERFACE_WITH_INTERNET> --source 192.168.56.0/24 -j ACCEPT
    sudo iptables -t filter -I FORWARD --in-interface <HOST_INTERFACE_WITH_INTERNET> --out-interface vboxnet0 --destination 192.168.56.0/24 -j ACCEPT
    sudo iptables -t nat -I POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
     < --------------------------------------------
     > --------------------------------------------
    sudo iptables -A POSTROUTING -o enp+ -t nat -j MASQUERADE
    sudo iptables -A POSTROUTING -o wlp+ -t nat -j MASQUERADE
     < --------------------------------------------
     > --------------------------------------------
    sudo iptables -A PREROUTING -t mangle -i vboxnet+ -j MARK --set-mark 1
    sudo iptables -A POSTROUTING -o enp+ -t nat -m mark --mark 1 -j MASQUERADE
    sudo iptables -A POSTROUTING -o wlp+ -t nat -m mark --mark 1 -j MASQUERADE
     < --------------------------------------------
     > --------------------------------------------
    sudo iptables -t nat -A POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -s 192.168.56.0/24 -j MASQUERADE
    sudo iptables -P FORWARD DROP
    sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
    sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT
     < --------------------------------------------
     > --------------------------------------------
    sudo sysctl -w net.ipv4.ip_forward=1
    sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
    sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -t nat -A POSTROUTING -s 192.168.56.0/24 -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
    sudo iptables -I INPUT 1 -i vboxnet0 -j ACCEPT
     < --------------------------------------------
     > --------------------------------------------
    echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
    sudo sysctl -p /etc/sysctl.conf
    sudo iptables -I FORWARD -i vboxnet0 -d 192.168.56.0/255.255.255.0 -j DROP
    sudo iptables -A FORWARD -i vboxnet0 -s 192.168.56.0/255.255.255.0 -j ACCEPT
    sudo iptables -A FORWARD -i <HOST_INTERFACE_WITH_INTERNET> -d 192.168.56.0/255.255.255.0 -j ACCEPT
    sudo iptables -t nat -A POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
     < --------------------------------------------
    
    • Darius (over 6 years)
      askubuntu.com/questions/293816/… has the clue - 2 Network Interfaces. 1 Host-Only, and 1 NAT. NAT allows you internet access, and the Host-Only... well do what you want with it. Or you mean to have a purely host-only networking and still have internet access?
    • Eduardo Lucio (over 6 years)
      @Darius "Or you mean to have a purely host-only networking and still have internet access?" -> Yes! Exactly! Thanks!