7

My Ubuntu 12.04 (precise) laptop has three network interfaces:

  1. eth0: wired interface sometimes connected to the Internet
  2. wlan0: wireless interface sometimes connected to the Internet
  3. vboxnet0: wired interface (actually a VirtualBox virtual interface) connected to another computer (actually a VirtualBox virtual machine with networking in host-only mode)

I'd like to use iptables to set up NAT/IP masquerading to share whichever Internet connection is up (preferring the wired if both are up) with the other computer.

The following works when eth0 is plugged in:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward &&
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE &&
sudo iptables -A FORWARD -i eth0 -o vboxnet0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT &&
sudo iptables -A FORWARD -i vboxnet0 -o eth0 -j ACCEPT

If I switch from wired to wireless, this obviously stops working.

I tried:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward &&
sudo iptables -t nat -A POSTROUTING -o '!vboxnet0' -j MASQUERADE &&
sudo iptables -A FORWARD -i '!vboxnet0' -o vboxnet0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT &&
sudo iptables -A FORWARD -i vboxnet0 -o '!vboxnet0' -j ACCEPT

but it did not work. I could try to do some Network Manager scripts to change the iptables rules whenever an interfaces goes up or down, but I figured it would be possible without jumping through such hoops.

Any suggestions?

Improve this question

1 Answer 1

Reset to default
4

Simple

Here's a very simple iptables ruleset that masquerades everything. This one works for many simpler setups. It won't work if the box is working as a full-blown router — it has a potentially nasty habit of NATting all traffic that leaves your computer.

iptables -A POSTROUTING -o eth+ -t nat -j MASQUERADE
iptables -A POSTROUTING -o wlan+ -t nat -j MASQUERADE

Full

If the simple solution fails to work, or if your configuration is more complex, this ruleset might help:

NATIF='vboxnet+'
MARK=1
iptables -A PREROUTING -t mangle -i $NATIF -j MARK --set-mark $MARK
iptables -A POSTROUTING -o eth+ -t nat -m mark --mark $MARK -j MASQUERADE
iptables -A POSTROUTING -o wlan+ -t nat -m mark --mark $MARK -j MASQUERADE

It marks packets coming in through any vboxnet* interface, then, later, masquerades (SNAT) any packets going out of eth* or wlan* with the mark set.

Also…

In addition to the iptables rules, you'll need to turn your host computer into a router by enabling packet forwarding. Put:

net.ipv4.ip_forward=1

in /etc/sysctl.conf, then say

sudo sysctl -p /etc/sysctl.conf.

Alternatively:

echo 1 | sudo tee /proc/sys/net/ipv4_ip_forward

The guest must also have a default route that gateways packets through the host's external interfaces (and for this, chances are host-only mode just won't work). Check its routing table (this depends on the guest OS).

Also, install wireshark or tshark and use them to examine packets. There's no better way to solve generic networking issues like this one.

Personally, I'd suggest changing the guest to use bridged mode networking and making available to it both of the host's interfaces. Then it can connect on its own, using the DHCP service on your router to get a local address on its own. No NAT needed.

Improve this answer
2
  • I'll update it with the simpler solution, but I'd rather keep both if you don't mind. The mark-less (sic) method works fine for many simple configurations, but fails insidiously in more complex cases. This is how I first started using it, after all. :) Commented May 22, 2012 at 21:10
  • 1
    shouldn't $MASK be $MARK? Commented May 23, 2012 at 17:55

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.