[ale] DNAT/SNAT for VMware WinXP Guest?

Jeff Hubbs hbbs at comcast.net
Tue Jan 8 10:32:45 EST 2008


Jim -

It occurs to me that the host OS shouldn't also be trying to talk over 
its eth2.  Would I deal with that by removing its routes from the 
routing table, and if so, how would I institutionalize that at boot time 
when eth2 is brought up with DHCP?

By the way - is there any reason why I couldn't just use eth0, or is 
SNAT/DNAT not "special" enough to avoid the switch-config problem I'm 
having?



James P. Kinney III wrote:
> iptables -A POSTROUTING -t nat -s <vmnet1 IP> -j SNAT --to-source <NIC2 IP>
>
> iptables -A PREROUTING -t nat -d <NIC2 IP> -j DNAT --to-destination <vmnet1 IP>
>
> iptables -A FORWARD -i <nic2> -j ACCEPT
> iptables -A FORWARD -o <nic2> -j ACCEPT
>
> NOTE: no security AT ALL in this setup. Add specific ports for tighter
> access control and make default policy to DROP.
>
> NIC2 has an externally viewable IP (for the hosted environment). Local
> machine handles routing transparently. Set default route for NIC2 to
> that provided.
> On Tue, 2008-01-08 at 10:03 -0500, Jeff Hubbs wrote:
>   
>> I'm in a network environment where the Ethernet switch won't accept 
>> having more than one MAC address appearing on a single drop.  This means 
>> that putting an Ethernet switch on a drop in order to hook up more than 
>> one machine per drop won't work.
>>
>> This also breaks VMware guests when bridged networking is used for the 
>> VMware guest.  NAT for the VMware guest *does* work, but if you need 
>> Windows networking stuff (shares, logins, etc) like a WinXP guest would, 
>> it won't work through NAT. 
>>
>> I've been told that if I use host-only networking on the VMware guest - 
>> and I've gotten it to work such that the host's VMware-generated 
>> "vmnet1" interface and the WinXP guest can see each other - I could use 
>> DNAT and possibly also SNAT to pass traffic from vmnet1 to an extra NIC 
>> in the host, eth2, and cable eth2 to a separate drop.  Windows 
>> authentication, network browsing, etc. should then work.  I understand 
>> that I would have to remove anything from the routing table that would 
>> involve eth2, basically "disconnecting" it from the host OS. 
>>
>> Is this at all possible?  If so, what would the iptables invocation look 
>> like?
>>
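The rule set Kinney sketches above, written out with the tightening he recommends (default policy DROP, only specific ports forwarded). This is an added example, not code from the thread; the guest and NIC2 addresses are constructed, and it assumes the guest only needs the SMB/NetBIOS ports (tcp 445 and 139, udp 137 and 138).

```shell
#!/bin/sh
# Added example: SNAT/DNAT from a host-only VMware guest (vmnet1) to a
# second NIC, restricted to Windows-networking ports, FORWARD policy DROP.
# Assumed/constructed values: guest 192.168.100.10, eth2 address 10.0.0.50.
# Run with IPT=echo to print the commands instead of applying them.
IPT="${IPT:-iptables}"
VMNET_IP="${VMNET_IP:-192.168.100.10}"
NIC2="${NIC2:-eth2}"
NIC2_IP="${NIC2_IP:-10.0.0.50}"
TCP_PORTS="445 139"   # SMB over TCP, NetBIOS session
UDP_PORTS="137 138"   # NetBIOS name service and datagram

build_rules() {
    # Traffic the guest sends out eth2 leaves with eth2's address.
    $IPT -t nat -A POSTROUTING -s "$VMNET_IP" -o "$NIC2" -j SNAT --to-source "$NIC2_IP"
    # Forward nothing unless a rule below admits it.
    $IPT -P FORWARD DROP
    # Packets belonging to an already-admitted flow pass in both directions.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Inbound: rewrite eth2's address to the guest, but only on the listed ports.
    for p in $TCP_PORTS; do
        $IPT -t nat -A PREROUTING -i "$NIC2" -d "$NIC2_IP" -p tcp --dport "$p" -j DNAT --to-destination "$VMNET_IP"
        $IPT -A FORWARD -i "$NIC2" -d "$VMNET_IP" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    for p in $UDP_PORTS; do
        $IPT -t nat -A PREROUTING -i "$NIC2" -d "$NIC2_IP" -p udp --dport "$p" -j DNAT --to-destination "$VMNET_IP"
        $IPT -A FORWARD -i "$NIC2" -d "$VMNET_IP" -p udp --dport "$p" -j ACCEPT
    done
    # Outbound: the guest may initiate its own connections (logins, browsing).
    $IPT -A FORWARD -s "$VMNET_IP" -o "$NIC2" -j ACCEPT
}

# Dry-run helpers: count generated DNAT rules and check the DROP policy line.
count_dnat() { ( IPT=echo; build_rules ) | grep -c -- '-j DNAT'; }
has_drop_policy() { ( IPT=echo; build_rules ) | grep -c 'FORWARD DROP'; }
```

Running `IPT=echo sh thisfile.sh` followed by `build_rules` in the same shell prints the rules for review before any of them is applied.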


