| 1 | <?xml version='1.0' encoding='UTF-8'?>
|
|---|
| 2 | <!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd">
|
|---|
| 3 | <topic xml:lang="en-us" id="natforward">
|
|---|
| 4 | <title>Configuring Port Forwarding with NAT</title>
|
|---|
| 5 |
|
|---|
| 6 | <body>
|
|---|
| 7 | <p>As the virtual machine is connected to a private network internal to <ph
|
|---|
| 8 | conkeyref="vbox-conkeyref-phrases/product-name"/> and invisible to the host, network services on the guest are
|
|---|
| 9 | not accessible to the host machine or to other computers on the same network. However, like a physical router, <ph
|
|---|
| 10 | conkeyref="vbox-conkeyref-phrases/product-name"/> can make selected services available to the world outside the
|
|---|
| 11 | guest through <i>port forwarding</i>. This means that <ph conkeyref="vbox-conkeyref-phrases/product-name"/>
|
|---|
| 12 | listens to certain ports on the host and resends all packets which arrive there to the guest, on the same or a
|
|---|
| 13 | different port. </p>
|
|---|
| 14 | <p>To an application on the host or other physical or virtual machines on the network, it looks as though the
|
|---|
| 15 | service being proxied is actually running on the host. This also means that you cannot run the same service on the
|
|---|
| 16 | same ports on the host. However, you still gain the advantages of running the service in a virtual machine. For
|
|---|
| 17 | example, services on the host machine or on other virtual machines cannot be compromised or crashed by a
|
|---|
| 18 | vulnerability or a bug in the service, and the service can run in a different operating system than the host
|
|---|
| 19 | system. </p>
|
|---|
| 20 | <p>To configure port forwarding you can use the graphical <b outputclass="bold">Port Forwarding</b> editor which can
|
|---|
| 21 | be found in the <b outputclass="bold">Network</b> settings dialog for network adaptors configured to use NAT.
|
|---|
| 22 | Here, you can map host ports to guest ports to allow network traffic to be routed to a specific port in the guest. </p>
|
|---|
| 23 | <p>Alternatively, the command line tool <userinput>VBoxManage</userinput> can be used. See <xref
|
|---|
| 24 | href="vboxmanage-modifyvm.dita"/>. </p>
|
|---|
| 25 | <p>You will need to know which ports on the guest the service uses and to decide which ports to use on the host. You
|
|---|
| 26 | may want to use the same ports on the guest and on the host. You can use any ports on the host which are not
|
|---|
| 27 | already in use by a service. For example, to set up incoming NAT connections to an <userinput>ssh</userinput>
|
|---|
| 28 | server in the guest, use the following command: </p>
|
|---|
| 29 | <pre xml:space="preserve">VBoxManage modifyvm "VM name" --nat-pf1 "guestssh,tcp,,2222,,22"</pre>
|
|---|
| 30 | <p>In the above example, all TCP traffic arriving on port 2222 on any host interface will be forwarded to port 22 in
|
|---|
| 31 | the guest. The protocol name <codeph>tcp</codeph> is a mandatory attribute defining which protocol should be used
|
|---|
| 32 | for forwarding, <codeph>udp</codeph> could also be used. The name <codeph>guestssh</codeph> is purely descriptive
|
|---|
| 33 | and will be auto-generated if omitted. The number after <codeph>--nat-pf</codeph> denotes the network card, as
|
|---|
| 34 | with other <userinput>VBoxManage</userinput> commands. </p>
|
|---|
| 35 | <p>To remove this forwarding rule, use the following command: </p>
|
|---|
| 36 | <pre xml:space="preserve">VBoxManage modifyvm "VM name" --natpf1 delete "guestssh"</pre>
|
|---|
| 37 | <p>If for some reason the guest uses a static assigned IP address not leased from the built-in DHCP server, it is
|
|---|
| 38 | required to specify the guest IP when registering the forwarding rule, as follows: </p>
|
|---|
| 39 | <pre xml:space="preserve">VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,,2222,10.0.2.19,22"</pre>
|
|---|
| 40 | <p>This example is identical to the previous one, except that the NAT engine is being told that the guest can be
|
|---|
| 41 | found at the 10.0.2.19 address. </p>
|
|---|
| 42 | <p>To forward <i>all</i> incoming traffic from a specific host interface to the guest, specify the IP of that host
|
|---|
| 43 | interface as follows: </p>
|
|---|
| 44 | <pre xml:space="preserve">VBoxManage modifyvm "VM name" --natpf1 "guestssh,tcp,127.0.0.1,2222,,22"</pre>
|
|---|
| 45 | <p>This example forwards all TCP traffic arriving on the localhost interface at 127.0.0.1 through port 2222 to port
|
|---|
| 46 | 22 in the guest. </p>
|
|---|
| 47 | <p>It is possible to configure incoming NAT connections while the VM is running, see <xref
|
|---|
| 48 | href="vboxmanage-controlvm.dita"/>. </p>
|
|---|
| 49 | </body>
|
|---|
| 50 |
|
|---|
| 51 | </topic>
|
|---|
