[ale] DNAT/SNAT for VMware WinXP Guest?

James P. Kinney III jkinney at localnetsolutions.com
Tue Jan 8 11:04:37 EST 2008


On Tue, 2008-01-08 at 10:32 -0500, Jeff Hubbs wrote:
> Jim -
> 
> It occurs to me that the host OS shouldn't also be trying to talk over 
> its eth2.  Would I deal with that by removing its routes from the 
> routing table, and if so, how would I institutionalize that at boot time 
> when eth2 is brought up with DHCP?
Set the default gateway to be on NIC1.

You will need to discover the IP address of nic2 to make this work. DNAT
and SNAT work on IP only.

You may want to use a few static routes for the vmware stuff to force
the traffic down nic2.
> 
> By the way - is there any reason why I couldn't just use eth0, or is 
> SNAT/DNAT not "special" enough to avoid the switch-config problem I'm 
> having?

I think it would be easiest to use a virtual interface (eth0:1) and a
switch between NIC1 and the hosting ports. Then you can have rules of:

iptables -A FORWARD -i vmnet1 ! -d <network>/<netmask> -j ACCEPT
iptables -A POSTROUTING -t nat -s <vmnetIP> -j SNAT --to-source <eth0:1-IP>

I'm not sure on the vmware vmnetX process, i.e. if there is a virtual
interface that "receives" the connection on the Linux side or is that
the vmnet interface. Haven't looked at it in a while.
> 
> 
> 
> James P. Kinney III wrote:
> > iptables -A POSTROUTING -t nat -s <vmnet1 IP> -j SNAT --to-source <NIC2 IP>
> >
> > iptables -A PREROUTING -t nat -d <NIC2 IP> -j DNAT --to-destination <vmnet1 IP>
> >
> > iptables -A FORWARD -i <nic2> -j ACCEPT
> > iptables -A FORWARD -o <nic2> -j ACCEPT
> >
> > NOTE: no security AT ALL in this setup. Add specific ports for tighter
> > access control and make default policy to DROP.
> >
> > NIC2 has an externally viewable IP (for the hosted environment). Local
> > machine handles routing transparently. Set default route for NIC2 to
> > that provided.
> > On Tue, 2008-01-08 at 10:03 -0500, Jeff Hubbs wrote:
> >   
> >> I'm in a network environment where the Ethernet switch won't accept 
> >> having more than one MAC address appearing on a single drop.  This means 
> >> that putting an Ethernet switch on a drop in order to hook up more than 
> >> one machine per drop won't work.
> >>
> >> This also breaks VMware guests when bridged networking is used for the 
> >> VMware guest.  NAT for the VMware guest *does* work, but if you need 
> >> Windows networking stuff (shares, logins, etc) like a WinXP guest would, 
> >> it won't work through NAT. 
> >>
> >> I've been told that if I use host-only networking on the VMware guest - 
> >> and I've gotten it to work such that the host's VMware-generated 
> >> "vmnet1" interface and the WinXP guest can see each other - I could use 
> >> DNAT and possibly also SNAT to pass traffic from vmnet1 to an extra NIC 
> >> in the host, eth2, and cable eth2 to a separate drop.  Windows 
> >> authentication, network browsing, etc. should then work.  I understand 
> >> that I would have to remove anything from the routing table that would 
> >> involve eth2, basically "disconnecting" it from the host OS. 
> >>
> >> Is this at all possible?  If so, what would the iptables invocation look 
> >> like?
> >>
> >> _______________________________________________
> >> Ale mailing list
> >> Ale at ale.org
> >> http://www.ale.org/mailman/listinfo/ale
-- 
James P. Kinney III          
CEO & Director of Engineering 
Local Net Solutions,LLC        
770-493-8244                    
http://www.localnetsolutions.com

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney at localnetsolutions.com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7
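As an added example (not code from the thread), the SNAT/DNAT setup above written out with the tightening the reply calls for: FORWARD policy DROP and only named ports DNATed to the guest. Interface names follow the thread; the guest address, eth2's address and the Windows port list are constructed placeholders for the real values, and the script only prints the rules unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the thread. Host-side NAT for a host-only
# VMware guest, with the tightened policy the reply recommends (default DROP,
# only named ports). Interface names follow the thread; the addresses and the
# port list are constructed placeholders to adjust for the real setup.
VMNET_IF=${VMNET_IF:-vmnet1}          # host-only interface the guest sits on
GUEST_IP=${GUEST_IP:-192.168.47.10}   # WinXP guest on the vmnet1 subnet (constructed)
EXT_IF=${EXT_IF:-eth2}                # spare host NIC cabled to its own drop
EXT_IP=${EXT_IP:-203.0.113.25}        # eth2's DHCP address; SNAT/DNAT need the IP, not the name
TCP_PORTS=${TCP_PORTS:-"135 139 445"} # assumed Windows networking ports (RPC, NetBIOS, SMB)
UDP_PORTS=${UDP_PORTS:-"137 138"}     # assumed NetBIOS name/datagram ports

# Emit the rule set one rule per line so it can be reviewed before it is applied.
build_rules() {
    # Nothing is forwarded unless a rule below allows it.
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Guest-originated traffic leaves eth2 wearing eth2's address.
    echo "iptables -t nat -A POSTROUTING -s $GUEST_IP -o $EXT_IF -j SNAT --to-source $EXT_IP"
    echo "iptables -A FORWARD -i $VMNET_IF -o $EXT_IF -s $GUEST_IP -j ACCEPT"
    # Inbound: only the listed ports are DNATed to the guest, and only those
    # new connections may be forwarded onto vmnet1.
    for proto in tcp udp; do
        if [ "$proto" = tcp ]; then ports=$TCP_PORTS; else ports=$UDP_PORTS; fi
        for p in $ports; do
            echo "iptables -t nat -A PREROUTING -i $EXT_IF -d $EXT_IP -p $proto --dport $p -j DNAT --to-destination $GUEST_IP"
            echo "iptables -A FORWARD -i $EXT_IF -o $VMNET_IF -d $GUEST_IP -p $proto --dport $p -m state --state NEW -j ACCEPT"
        done
    done
}

# Number of rules generated, for a quick sanity check.
count_rules() { build_rules | wc -l | tr -d ' '; }

# Install the rules (needs root). Forwarding must be on for FORWARD to see packets.
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    build_rules | while IFS= read -r rule; do eval "$rule"; done
}

# Dry run by default; APPLY=1 actually installs the rules.
if [ "${APPLY:-0}" = 1 ]; then apply_rules; else build_rules; fi
```

Review the printed rules first, then run with APPLY=1 as root; the default gateway stays on NIC1 as the reply says, so only DNATed and guest-originated traffic touches eth2.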

