| 1 | <?xml version='1.0' encoding='UTF-8'?>
|
|---|
| 2 | <!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd">
|
|---|
| 3 | <topic xml:lang="en-us" id="natforward">
|
|---|
| 4 | <title>Configuring Port Forwarding with NAT</title>
|
|---|
| 5 |
|
|---|
| 6 | <body>
|
|---|
| 7 | <p>
|
|---|
| 8 | As the virtual machine is connected to a private network
|
|---|
| 9 | internal to <ph conkeyref="vbox-conkeyref-phrases/product-name"/> and invisible to the host, network
|
|---|
| 10 | services on the guest are not accessible to the host machine or
|
|---|
| 11 | to other computers on the same network. However, like a physical
|
|---|
| 12 | router, <ph conkeyref="vbox-conkeyref-phrases/product-name"/> can make selected services available to
|
|---|
| 13 | the world outside the guest through <i>port
|
|---|
| 14 | forwarding</i>. This means that <ph conkeyref="vbox-conkeyref-phrases/product-name"/> listens to
|
|---|
| 15 | certain ports on the host and resends all packets which arrive
|
|---|
| 16 | there to the guest, on the same or a different port.
|
|---|
| 17 | </p>
|
|---|
| 18 | <p>
|
|---|
| 19 | To an application on the host or other physical or virtual
|
|---|
| 20 | machines on the network, it looks as though the service being
|
|---|
| 21 | proxied is actually running on the host. This also means that
|
|---|
| 22 | you cannot run the same service on the same ports on the host.
|
|---|
| 23 | However, you still gain the advantages of running the service in
|
|---|
| 24 | a virtual machine. For example, services on the host machine or
|
|---|
| 25 | on other virtual machines cannot be compromised or crashed by a
|
|---|
| 26 | vulnerability or a bug in the service, and the service can run
|
|---|
| 27 | in a different operating system than the host system.
|
|---|
| 28 | </p>
|
|---|
| 29 | <p>
|
|---|
| 30 | To configure port forwarding you can use the graphical
|
|---|
| 31 | <b outputclass="bold">Port Forwarding</b> editor which
|
|---|
| 32 | can be found in the <b outputclass="bold">Network</b>
|
|---|
| 33 | settings dialog for network adaptors configured to use NAT.
|
|---|
| 34 | Here, you can map host ports to guest ports to allow network
|
|---|
| 35 | traffic to be routed to a specific port in the guest.
|
|---|
| 36 | </p>
|
|---|
| 37 | <p>
|
|---|
| 38 | Alternatively, the command line tool <userinput>VBoxManage</userinput> can be used. See
|
|---|
| 39 | <xref href="vboxmanage-modifyvm.dita"/>.
|
|---|
| 40 | </p>
|
|---|
| 41 | <p>
|
|---|
| 42 | You will need to know which ports on the guest the service uses
|
|---|
| 43 | and to decide which ports to use on the host. You may want to
|
|---|
| 44 | use the same ports on the guest and on the host. You can use any
|
|---|
| 45 | ports on the host which are not already in use by a service. For
|
|---|
| 46 | example, to set up incoming NAT connections to an
|
|---|
| 47 | <userinput>ssh</userinput> server in the guest, use the following
|
|---|
| 48 | command:
|
|---|
| 49 | </p>
|
|---|
| 50 | <pre xml:space="preserve">VBoxManage modifyvm "VM name" --nat-pf1 "guestssh,tcp,,2222,,22"</pre>
|
|---|
| 51 | <p>
|
|---|
| 52 | In the above example, all TCP traffic arriving on port 2222 on
|
|---|
| 53 | any host interface will be forwarded to port 22 in the guest.
|
|---|
| 54 | The protocol name <codeph>tcp</codeph> is a mandatory
|
|---|
| 55 | attribute defining which protocol should be used for forwarding,
|
|---|
| 56 | <codeph>udp</codeph> could also be used. The name
|
|---|
| 57 | <codeph>guestssh</codeph> is purely descriptive and will be
|
|---|
| 58 | auto-generated if omitted. The number after
|
|---|
| 59 | <codeph>--nat-pf</codeph> denotes the network card, as with
|
|---|
| 60 | other <userinput>VBoxManage</userinput> commands.
|
|---|
| 61 | </p>
|
|---|
| 62 | <p>
|
|---|
| 63 | To remove this forwarding rule, use the following command:
|
|---|
| 64 | </p>
|
|---|
| 65 | <pre xml:space="preserve">VBoxManage modifyvm "VM name" --natpf1 delete "guestssh"</pre>
|
|---|
| 66 | <p>
|
|---|
| 67 | If for some reason the guest uses a static assigned IP address
|
|---|
| 68 | not leased from the built-in DHCP server, it is required to
|
|---|
| 69 | specify the guest IP when registering the forwarding rule, as
|
|---|
| 70 | follows:
|
|---|
| 71 | </p>
|
|---|
| 72 | <pre xml:space="preserve">VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,,2222,10.0.2.19,22"</pre>
|
|---|
| 73 | <p>
|
|---|
| 74 | This example is identical to the previous one, except that the
|
|---|
| 75 | NAT engine is being told that the guest can be found at the
|
|---|
| 76 | 10.0.2.19 address.
|
|---|
| 77 | </p>
|
|---|
| 78 | <p>
|
|---|
| 79 | To forward <i>all</i> incoming traffic from a
|
|---|
| 80 | specific host interface to the guest, specify the IP of that
|
|---|
| 81 | host interface as follows:
|
|---|
| 82 | </p>
|
|---|
| 83 | <pre xml:space="preserve">VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,127.0.0.1,2222,,22"</pre>
|
|---|
| 84 | <p>
|
|---|
| 85 | This example forwards all TCP traffic arriving on the localhost
|
|---|
| 86 | interface at 127.0.0.1 through port 2222 to port 22 in the
|
|---|
| 87 | guest.
|
|---|
| 88 | </p>
|
|---|
| 89 | <p>
|
|---|
| 90 | It is possible to configure incoming NAT connections while the VM is running, see <xref
|
|---|
| 91 | href="vboxmanage-controlvm.dita"/>.
|
|---|
| 92 | </p>
|
|---|
| 93 | </body>
|
|---|
| 94 |
|
|---|
| 95 | </topic>
|
|---|
