3

I would like to create the following network:

Internet ---- Host machine ---- VM1 ---(local network)-- VM2

with VM1 acting as a NAT router. VM1 and VM2 run Ubuntu via VirtualBox.

To achieve this, I created a local network 192.168.46.x for VM1 (192.168.46.101) & VM2 (192.168.46.102). I also set the value in /proc/sys/net/ipv4/ip_forward to 1 (for VM1). In addition to that, I attached VM1 to NAT.

With this configuration, I can ping VM1 from VM2 and vice versa, and I can also ping google.com from VM1.

I thought that to be able to ping google.com from VM2, I would just have to add the following entry to VM2's routing table:

Dest      Gateway         Netmask        Iface
0.0.0.0   192.168.46.101  255.255.255.0  enp0s3

(where enp0s3 is the only network interface of VM2).

But still, VM2 gets "unknown host google.com" when pinging.

Could you help me figure out why?

ifconfig for VM1, ifconfig for VM2, route -n for VM1, route -n for VM2

  • can you ping 8.8.8.8? What nameserver(s) is/are VM2 using? – Gansheim Dec 21 '17 at 20:53
  • @hamiheim I am not able to ping 8.8.8.8 (network unreachable). To solve this, I added the same nameserver for VM2 as for VM1 (127.0.1.1), and now I get "Destination host unreachable". Is the problem in my routing tables? – manuch100 Dec 22 '17 at 09:19
  • Possibly. Run traceroute 8.8.8.8 from VM2 and see where the packets are dropping. – Gansheim Dec 22 '17 at 13:22
  • They are indeed dropping after reaching 192.68.46.101 (VM1's interface to the Internal network). To resolve this, I tried to run the following commands: – manuch100 Dec 22 '17 at 15:34
  • Sounds like you don't have routing set up correctly on VM1. Can you post the iptables nat and security configs for VM1? sudo iptables -t nat -L and sudo iptables -t security -L respectively. – Gansheim Dec 22 '17 at 16:08
  • My iptables were empty. Now I understand the problem, thanks! I will post the answer below. – manuch100 Dec 22 '17 at 16:19

1 Answer

4

I was actually missing some entries to iptables, added as follows:

# iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
# iptables -A FORWARD -i enp0s8 -o enp0s3 -m state --state RELATED,ESTABLISHED -j ACCEPT
# iptables -A FORWARD -i enp0s8 -o enp0s3 -j ACCEPT

with enp0s8 the interface to the outer world, and enp0s3 the interface to the Internal network.

Requests to the Internet from VM2 are now working... :)

  • I have one question: what is this rule for: iptables -A FORWARD -i enp0s8 -o enp0s3 -m state --state RELATED,ESTABLISHED -j ACCEPT

    if in the next rule: iptables -A FORWARD -i enp0s8 -o enp0s3 -j ACCEPT you are forwarding everything :)

    – dominbdg Dec 20 '20 at 19:05
  • @DominikKonczewski You're probably right, I wrote that a few years ago and probably didn't realise at the time that one rule overlapped the other. – manuch100 Jan 01 '21 at 02:25
  • Your second rule should be -i enp0s3 -o enp0s8 to accept return packets for established flows. You should also switch to the conntrack extension instead: iptables -A FORWARD -i enp0s3 -o enp0s8 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT – Greg Bray May 31 '23 at 19:12
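
The points raised in the comments above (the stateful rule overlapping the unconditional ACCEPT, the missing rule for the return direction, and the legacy state match) can be checked mechanically against the output of iptables -S FORWARD. The following is an added example, not code from the original posts; the sample dump is constructed from the answer's three commands, and the default FORWARD policy of ACCEPT in it is an assumption.

```python
import shlex

# Constructed sample: what `iptables -S FORWARD` would print on VM1 after the
# three commands in the answer (default policy ACCEPT is an assumption).
SAMPLE = """\
-P FORWARD ACCEPT
-A FORWARD -i enp0s8 -o enp0s3 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i enp0s8 -o enp0s3 -j ACCEPT
"""

def parse(dump):
    """Return (policy, rules) parsed from `iptables -S FORWARD` text."""
    policy, rules = None, []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if tok[:2] == ["-P", "FORWARD"]:
            policy = tok[2]
        elif tok[:2] == ["-A", "FORWARD"]:
            opt = dict(zip(tok[2::2], tok[3::2]))  # assumes every option takes one value
            states = opt.get("--state") or opt.get("--ctstate")
            rules.append({"in": opt.get("-i", "any"), "out": opt.get("-o", "any"),
                          "target": opt.get("-j"), "match": opt.get("-m"),
                          "states": set(states.split(",")) if states else None})
    return policy, rules

def audit(dump):
    """Flag the problems raised in the comments; returns a list of findings."""
    policy, rules = parse(dump)
    accepts = [r for r in rules if r["target"] == "ACCEPT"]
    open_dirs = {(r["in"], r["out"]) for r in accepts if r["states"] is None}
    findings = []
    for r in accepts:
        d = (r["in"], r["out"])
        if r["states"] and d in open_dirs:
            findings.append(f"redundant: stateful rule {d[0]}->{d[1]} is covered by an unconditional ACCEPT")
        if r["match"] == "state":
            findings.append("legacy: '-m state' used; prefer '-m conntrack --ctstate'")
    for src, dst in sorted(open_dirs):
        back = [r for r in accepts if (r["in"], r["out"]) == (dst, src)]
        if not back:
            findings.append(f"no-return-rule: replies {dst}->{src} pass only if policy is ACCEPT (policy={policy})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a live router, pass the output of sudo iptables -S FORWARD to audit() instead of the constructed sample.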