
Okay friends! I would really appreciate some help this time! =|

I'm using the VirtualBox virtualizer and I'm trying to give my guest machines access to the internet using ONLY a "host-only" network interface (VirtualBox).

According to the official documentation at https://www.virtualbox.org/manual/ch06.html, using a "host-only" network interface I have the following "network modes" (accesses)...

VM  <-> Host     | YES
VM1 <-> VM2      | YES
VM   -> Internet | NO

However, there is A LOT of documentation on the internet informing you that you can access the internet (using only the "host-only" interface) from a guest machine using the following "trick"/"workaround" (example) on the host machine...

sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1

I tested many, many examples. The iptables.service is running correctly on my host machine. WHAT AM I DOING WRONG?

My host is Manjaro Linux (Arch Linux based).

Thanks a lot!

Below are some sources with information about the "trick"/"workaround" I mentioned...

http://archlinux.org.ru/forum/topic/2219/
http://nerdbynature.de/s9y/2015/06/09/VirtualBox-switching-to-Host-only-networking
https://askubuntu.com/questions/293816/in-virtualbox-how-do-i-set-up-host-only-virtual-machines-that-can-access-the-in
https://cuckoo.sh/docs/installation/host/routing.html
https://downloads.cuckoosandbox.org/docs/installation/guest/network.html
https://github.com/cuckoosandbox/cuckoo/issues/1376
https://jackal777.wordpress.com/2012/02/13/internet-access-in-virtualbox-host-only-networking/
https://kyrofa.com/posts/virtualbox-internet-access-with-host-only-network
https://precisionsec.com/virtualbox-host-only-network-cuckoo-sandbox-0-4-2/
Virtualbox NAT and host-only connection
https://unix.stackexchange.com/questions/74663/virtualbox-nat-host-only-adapter
https://www.howtogeek.com/howto/4922/week-in-geek-the-fixing-slow-internet-in-virtualbox-xp-guest-edition/
https://www.rffuste.com/tag/cuckoo/
https://www.virtualbox.org/manual/ch06.html

Below are some of the MANY examples I tested...

 > --------------------------------------------
sudo iptables -t nat -I POSTROUTING -s 192.168.56.0/24 -j MASQUERADE
sudo sysctl net.ipv4.ip_forward=1
sudo iptables -P FORWARD ACCEPT
sudo iptables -t nat -P POSTROUTING ACCEPT
 < --------------------------------------------
 > --------------------------------------------
sudo iptables -A FORWARD -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
 < --------------------------------------------
 > --------------------------------------------
sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
 < --------------------------------------------
 > --------------------------------------------
sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
sudo sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
 < --------------------------------------------
 > --------------------------------------------
sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv4.conf.all.proxy_arp=1
 < --------------------------------------------
 > --------------------------------------------
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -F
sudo iptables -t nat -A POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
sudo iptables -A FORWARD -i <HOST_INTERFACE_WITH_INTERNET> -o vboxnet0 -j ACCEPT
sudo iptables -A FORWARD -i vboxnet0 -o <HOST_INTERFACE_WITH_INTERNET> -j ACCEPT
 < --------------------------------------------
 > --------------------------------------------
sudo iptables -A FORWARD -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A POSTROUTING -t nat -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
 < --------------------------------------------
 > --------------------------------------------
sudo bash -c "printf \"net.ipv4.ip_forward = 1\nnet.ipv4.conf.all.proxy_arp = 1\n\" >> /etc/sysctl.conf"
sudo sysctl -p
sudo iptables -t filter -I FORWARD --in-interface vboxnet0 --out-interface <HOST_INTERFACE_WITH_INTERNET> --source 192.168.56.0/24 -j ACCEPT
sudo iptables -t filter -I FORWARD --in-interface <HOST_INTERFACE_WITH_INTERNET> --out-interface vboxnet0 --destination 192.168.56.0/24 -j ACCEPT
sudo iptables -t nat -I POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
 < --------------------------------------------
 > --------------------------------------------
sudo iptables -A POSTROUTING -o enp+ -t nat -j MASQUERADE
sudo iptables -A POSTROUTING -o wlp+ -t nat -j MASQUERADE
 < --------------------------------------------
 > --------------------------------------------
sudo iptables -A PREROUTING -t mangle -i vboxnet+ -j MARK --set-mark 1
sudo iptables -A POSTROUTING -o enp+ -t nat -m mark --mark 1 -j MASQUERADE
sudo iptables -A POSTROUTING -o wlp+ -t nat -m mark --mark 1 -j MASQUERADE
 < --------------------------------------------
 > --------------------------------------------
sudo iptables -t nat -A POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -s 192.168.56.0/24 -j MASQUERADE
sudo iptables -P FORWARD DROP
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -s 192.168.56.0/24 -j ACCEPT
sudo iptables -A FORWARD -s 192.168.56.0/24 -d 192.168.56.0/24 -j ACCEPT
 < --------------------------------------------
 > --------------------------------------------
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -A FORWARD -o <HOST_INTERFACE_WITH_INTERNET> -i vboxnet0 -s 192.168.56.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.168.56.0/24 -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
sudo iptables -I INPUT 1 -i vboxnet0 -j ACCEPT
 < --------------------------------------------
 > --------------------------------------------
echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo sysctl -p /etc/sysctl.conf
sudo iptables -I FORWARD -i vboxnet0 -d 192.168.56.0/255.255.255.0 -j DROP
sudo iptables -A FORWARD -i vboxnet0 -s 192.168.56.0/255.255.255.0 -j ACCEPT
sudo iptables -A FORWARD -i <HOST_INTERFACE_WITH_INTERNET> -d 192.168.56.0/255.255.255.0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o <HOST_INTERFACE_WITH_INTERNET> -j MASQUERADE
 < --------------------------------------------

1 Answer

INTRODUCTION

This is a complete guide to getting the accesses "Guest-A <-> Host", "Guest-A <-> Guest-B" and "Guest-A -> Internet" on the guests using a single network interface ("host-only" network mode/"vboxnet0" host network interface) on VirtualBox.

IMPORTANT: Run all the commands as "root".

EXECUTE ON HOST

NOTE: We use a Manjaro (Arch based) host as a template. You may need adjustments and changes for other distros.

You need to copy the iptables template configuration file...

cp /etc/iptables/empty.rules /etc/iptables/iptables.rules

... so you can start the "iptables.service".

Enable and start "iptables.service"...

systemctl enable --now iptables.service

Enable IP forwarding...

sysctl -w net.ipv4.ip_forward=1
printf "net.ipv4.ip_forward=1\n" >> /etc/sysctl.d/30-ipforward.conf

Add the following iptables rules. This will forward packets through the host ("vboxnet0" host network interface) and to the internet...

iptables -t nat -I POSTROUTING -s 192.168.56.0/24 -j MASQUERADE
iptables -P FORWARD ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

IMPORTANT: The VirtualBox's "vboxnet0" host network interface should have IP (IPv4) "192.168.56.1" and subnet mask "255.255.255.0".

Save rules to iptables configuration and restart the service...

iptables-save > /etc/iptables/iptables.rules
systemctl restart iptables.service

Enable and start "dnsmasq" in host...

systemctl enable --now dnsmasq.service

NOTE: "dnsmasq" is a small caching DNS proxy and DHCP/TFTP server.

PLUS: Configure "dnsmasq" as a DHCP server

Since the DHCP server available in VirtualBox's "host-only" ("vboxnet0" host network interface) network mode does not provide the DNS and gateway settings to the guests, we have to use "dnsmasq" as the DHCP server.

The presented scheme will start the "dnsmasq" service whenever the "vboxnet0" interface appears and stop it when the interface disappears. It also allows a custom "dnsmasq" service instance for the "vboxnet0" network interface to run separately from the standard "dnsmasq" service instance.

Create dnsmasq-vboxnet0.service systemd service

TIP: The code below is a set of BASH commands that creates the file "/etc/systemd/system/dnsmasq-vboxnet0.service". The content of the cited file is contained between the delimiters "BEGIN" and "END".

read -r -d '' FILE_CONTENT << 'HEREDOC'
BEGIN
[Unit]
Description=dnsmasq for vboxnet0 - A lightweight DHCP and DNS server for VirtualBox host-only network
Documentation=man:dnsmasq(8)
After=network.target
Before=network-online.target nss-lookup.target
Wants=nss-lookup.target

[Service]
Type=simple
ExecStartPre=/usr/bin/dnsmasq --test --conf-file=/etc/dnsmasq-vboxnet0.conf
ExecStart=/usr/bin/dnsmasq -k --user=dnsmasq --pid-file --conf-file=/etc/dnsmasq-vboxnet0.conf
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
PrivateDevices=true
ProtectSystem=full

[Install]
WantedBy=multi-user.target

END
HEREDOC
echo -n "${FILE_CONTENT:6:-3}" > "/etc/systemd/system/dnsmasq-vboxnet0.service"

Configure dnsmasq-vboxnet0.service systemd service

read -r -d '' FILE_CONTENT << 'HEREDOC'
BEGIN
# DHCP - VirtualBox Host-only Network
interface=vboxnet0
bind-interfaces
# DHCP range for the guests
dhcp-range=192.168.56.10,192.168.56.100,12h
# Gateway option
dhcp-option=3,192.168.56.1
# DNS option
dhcp-option=6,192.168.56.1

END
HEREDOC
echo -n "${FILE_CONTENT:6:-3}" > "/etc/dnsmasq-vboxnet0.conf"

Adjusting the AppArmor

If AppArmor is active (sudo aa-status), you will need to modify its profile to allow dnsmasq access to the custom configuration file.

To adjust the AppArmor profile for "dnsmasq" to allow it access to the new configuration file...

sed -i '/\/etc\/dnsmasq\.conf r,/i \  /etc/dnsmasq-vboxnet0.conf r,' /etc/apparmor.d/usr.sbin.dnsmasq

To reload the AppArmor profile to apply the new rules...

apparmor_parser -r /etc/apparmor.d/usr.sbin.dnsmasq

Create dnsmasq_check_vboxnet0.sh to check the vboxnet0 interface

The script below checks whether the "vboxnet0" interface is available and ready for the custom "dnsmasq" service instance to bind to.

read -r -d '' FILE_CONTENT << 'HEREDOC'
BEGIN
#!/bin/bash

# Start the custom dnsmasq instance while vboxnet0 is up, stop it otherwise
if ip link show vboxnet0 | grep -q "state UP"; then
    systemctl start dnsmasq-vboxnet0.service
else
    systemctl stop dnsmasq-vboxnet0.service
fi

END
HEREDOC
echo -n "${FILE_CONTENT:6:-3}" > "/usr/local/bin/dnsmasq_check_vboxnet0.sh"

Make the script executable...

chmod +x /usr/local/bin/dnsmasq_check_vboxnet0.sh

Create the dnsmasq-check-vboxnet0.service systemd service

The service below just runs the "dnsmasq_check_vboxnet0.sh" script.

read -r -d '' FILE_CONTENT << 'HEREDOC'
BEGIN
[Unit]
Description=Check vboxnet0 interface state and start/stop dnsmasq

[Service]
Type=oneshot
ExecStart=/usr/local/bin/dnsmasq_check_vboxnet0.sh

END
HEREDOC
echo -n "${FILE_CONTENT:6:-3}" > "/etc/systemd/system/dnsmasq-check-vboxnet0.service"

Create the dnsmasq-check-vboxnet0.timer systemd timer

The "dnsmasq-check-vboxnet0.timer" systemd timer runs the "dnsmasq-check-vboxnet0.service" systemd service every 20 seconds ("OnUnitActiveSec"), starting after 30 seconds ("OnBootSec") of the OS boot.

read -r -d '' FILE_CONTENT << 'HEREDOC'
BEGIN
[Unit]
Description=Periodically check if vboxnet0 interface is up and start/stop dnsmasq

[Timer]
OnBootSec=30s
OnUnitActiveSec=20s

[Install]
WantedBy=timers.target

END
HEREDOC
echo -n "${FILE_CONTENT:6:-3}" > "/etc/systemd/system/dnsmasq-check-vboxnet0.timer"

Stop and disable "dnsmasq.service"...

systemctl disable --now dnsmasq.service

NOTE: As already mentioned, the configuration created allows the "dnsmasq-vboxnet0.service" service to run alongside the standard "dnsmasq.service". However, for practical reasons we are disabling the standard "dnsmasq.service".

IMPORTANT: Disable the VirtualBox's DHCP server for the "vboxnet0" host network interface.

Enable and start "dnsmasq-check-vboxnet0.timer"...

systemctl enable --now dnsmasq-check-vboxnet0.timer

EXECUTE ON GUEST

NOTE: We use a CentOS 7 guest as a template. You may need adjustments and changes for other distros.

Configure the network interface according to the model...

NOTE: The network configuration file is in the "/etc/sysconfig/network-scripts/" folder path.

BOOTPROTO=static
DEVICE=<NETWORK_INTERFACE_NAME>
DNS1=<HOST-ONLY_HOST_IP>
GATEWAY=<HOST-ONLY_HOST_IP>
IPADDR=<HOST-ONLY_GUEST_IP>
IPV6INIT=NO
NETMASK=255.255.255.0
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
USERCTL=NO
ZONE=

Eg.:

BOOTPROTO=static
DEVICE=eno16777736
DNS1=192.168.56.1
GATEWAY=192.168.56.1
IPADDR=192.168.56.101
IPV6INIT=NO
NETMASK=255.255.255.0
NM_CONTROLLED=yes
ONBOOT=yes
TYPE=Ethernet
USERCTL=NO
ZONE=

Restart the network service...

systemctl restart network.service

To test...

curl http://www.google.com

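The script below is an added example; it is not code from the question or from the answer above. It addresses two things in this thread at once: the "quick fix" snippets the question collects (several of them masquerade without restricting the source address, or set the FORWARD policy to ACCEPT) and the ruleset in the answer, which also relies on "-P FORWARD ACCEPT". Once net.ipv4.ip_forward=1 is set, the host routes between every interface it has, so the FORWARD chain is what decides who may go where. The generator keeps that chain default-deny and lets only the guest subnet open new flows towards the uplink; the audit function flags the two weak settings in any iptables-save style ruleset (a saved file or the live output of iptables-save); the apply function loads the generated ruleset through iptables-restore. Assumed: iptables with the conntrack match, the 192.168.56.0/24 host-only subnet and the /etc/iptables/iptables.rules path used in the answer; "enp3s0" in the usage lines is a placeholder for the host's real uplink interface.

```shell
#!/bin/sh
# Added example, not part of the question or the answer above.
# Emits the host-side NAT ruleset for a VirtualBox host-only network in
# iptables-save syntax with a default-deny FORWARD chain and a MASQUERADE rule
# scoped to the guest subnet, audits any such ruleset for the two weak settings
# shared by most "quick fix" snippets, and applies the generated ruleset only
# when run as root. Interface names and the subnet are arguments; "enp3s0" in
# the usage lines is a placeholder for the host's real uplink.
set -eu

# gen_rules UPLINK HOSTONLY_IF GUEST_SUBNET
#   Print a complete filter + nat ruleset to stdout. The filter table matches
#   Arch's /etc/iptables/empty.rules except for FORWARD; if INPUT/OUTPUT already
#   carry rules on your host, merge by hand instead of overwriting them.
gen_rules() {
    local uplink="$1" hostonly="$2" subnet="$3"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# replies to flows the guests opened may come back in through the uplink
-A FORWARD -i ${uplink} -o ${hostonly} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# guests may not pivot into private networks behind the uplink; drop these
# three lines if the guests are meant to reach the host's LAN
-A FORWARD -i ${hostonly} -o ${uplink} -s ${subnet} -d 10.0.0.0/8 -j DROP
-A FORWARD -i ${hostonly} -o ${uplink} -s ${subnet} -d 172.16.0.0/12 -j DROP
-A FORWARD -i ${hostonly} -o ${uplink} -s ${subnet} -d 192.168.0.0/16 -j DROP
# only the guest subnet may open new flows, and only towards the uplink
-A FORWARD -i ${hostonly} -o ${uplink} -s ${subnet} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
# source NAT only for the guests and only on the uplink
-A POSTROUTING -s ${subnet} -o ${uplink} -j MASQUERADE
COMMIT
EOF
}

# audit_rules < RULESET
#   Read an iptables-save style ruleset on stdin and report an ACCEPT policy on
#   FORWARD and any MASQUERADE rule that is not limited to a source subnet (-s).
#   Returns 1 if either is present, 0 otherwise.
audit_rules() {
    local rc=0 line
    while IFS= read -r line; do
        case "$line" in
            ':FORWARD ACCEPT'*)
                echo "weak: FORWARD policy is ACCEPT, the host forwards between all its interfaces" >&2
                rc=1 ;;
            '-A POSTROUTING '*'-j MASQUERADE'*)
                case "$line" in
                    *' -s '*) ;;
                    *) echo "weak: MASQUERADE not limited to the guest subnet: $line" >&2
                       rc=1 ;;
                esac ;;
        esac
    done
    return "$rc"
}

# apply_rules UPLINK HOSTONLY_IF GUEST_SUBNET
#   Parse-check, then load the ruleset (iptables-restore replaces the filter
#   and nat tables) and turn on forwarding. To persist across reboots with
#   Arch's iptables.service: gen_rules ... > /etc/iptables/iptables.rules
apply_rules() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_rules: run as root" >&2
        return 1
    fi
    gen_rules "$@" | iptables-restore --test
    gen_rules "$@" | iptables-restore
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# usage (as root):        sh nat-hostonly.sh enp3s0 vboxnet0 192.168.56.0/24
# audit a saved file:     sh nat-hostonly.sh --audit < /etc/iptables/iptables.rules
# audit the live ruleset: iptables-save | sh nat-hostonly.sh --audit
if [ "$#" -gt 0 ]; then
    if [ "$1" = "--audit" ]; then
        audit_rules
    else
        apply_rules "$@"
    fi
fi
```

Guest-to-host traffic (DHCP and DNS served by dnsmasq on 192.168.56.1) goes through INPUT, not FORWARD, and guest-to-guest traffic on the same host-only network never reaches the host's netfilter at all, so the DROP policy changes neither of the two accesses the answer preserves. Docker, libvirt and firewalld also manage the FORWARD chain; look at "iptables -S FORWARD" before replacing the table with this one.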