No, the host acts as a NAT router and none of the VM ports are
accessible from "outside".
Also, seen from the outside, all network traffic appear to be from/to
the host.
To provide services in that setup, you'll need to set up "DNAT"
forwarding incoming packets for the service ports. I.e., let the host
forward traffic incoming on the selected ports to the VM, for it to
service it. E.g. to forward incoming tcp port 80 to the VM (assuming
it's at 10.0.2.2)::
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
-j DNAT --to-destination 10.0.2.2
By that rule, incoming tcp packets destined for port 80 are forwarded
to the VM. The remote computer should thus connect using the host IP
(assuming that's reachable from outside) and it will forward the
traffic to the VM and its port 80 service. Return packets from the VM
will be NAT-ed like before, so the remote computer is unaware of the
internal forwarding.
If your host can have a second IP, you can also use the DNAT setup for
all that traffic, and then the remote computer will "see" the VM as
any another host.
Ralph.
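An added example, not part of the list message above or of the rest of the thread: the complete host-side setup the thread arrives at, written as an nftables ruleset (the tool Mario's first attempts used) together with the interface steps. Assumed names: the outside interface is mlan0, the host holds tap0 at 10.0.2.1/24, the VM is at 10.0.2.2, and the forwarded service is tcp/80. It adds two things a practitioner wants that the iptables one-liner leaves implicit: every table carries its family ("ip"; a table added without one is what produced the "No such file or directory" errors earlier in the thread), and the forward chain has explicit rules, because a host whose forward policy is drop will rewrite the destination in prerouting and then discard the packet at the forward hook. The ruleset is built by a function so it can be reviewed (or checked with nft -c -f -) before it is applied.

```shell
#!/bin/sh
# Added example, not from the list thread. Host-side NAT for a VM behind tap0
# with one inbound DNAT'ed service, in nftables form. Assumptions: outside
# interface mlan0, tap0 at 10.0.2.1/24, VM at 10.0.2.2, service tcp/80.
set -eu

# Emit an nftables ruleset for: outside interface $1, VM address $2, tcp port $3.
build_ruleset() {
    wan="$1"; vm="$2"; port="$3"
    cat <<EOF
flush ruleset
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound VM traffic leaves with the host's own address.
        oifname "$wan" masquerade
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Inbound tcp/$port arriving on the outside interface goes to the VM.
        iifname "$wan" tcp dport $port dnat to $vm:$port
    }
}
table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies in either direction are matched by conntrack state.
        ct state established,related accept
        # The VM may open new connections outbound ...
        iifname "tap0" oifname "$wan" accept
        # ... and the outside may reach it only through the DNAT above.
        iifname "$wan" oifname "tap0" ct status dnat accept
    }
}
EOF
}

# Create the tap, address it, bring it up (the step that was missing in the
# thread: a tap left down is not listed by plain "ifconfig"), enable
# forwarding, then load the ruleset. Needs root; run as "$0 apply".
setup() {
    ip tuntap add dev tap0 mode tap
    ip address add 10.0.2.1/24 dev tap0
    ip link set dev tap0 up
    sysctl -w net.ipv4.ip_forward=1
    build_ruleset mlan0 10.0.2.2 80 | nft -f -
    nft list ruleset
}

case "${1:-}" in
    apply) setup ;;
    *)     build_ruleset mlan0 10.0.2.2 80 ;;   # print the ruleset for review
esac
```

Running the script without arguments only prints the generated ruleset; `sh script.sh apply` performs the setup. A remote machine then connects to the host's mlan0 address on port 80 and is answered by the VM, while the VM's own outbound traffic appears to come from the host, as the message above describes.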
On Sun, Aug 20, 2023 at 12:59:14PM +0200, Mario Marietto wrote:
> Ok. It worked. Can I ask you if using this method,freebsd is reachable from
> outside its network ? If for example I want to start a web server inside
> FreeBSD,can I reach the web page that it hosts if I try to connect to it
> from my workstation ? I have some doubts that I can because the IP assigned
> to it seems to be private (10.0.2.1) :
>
> tap0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
> inet 10.0.2.1 netmask 255.255.255.0 broadcast 0.0.0.0
> ether 2a:00:9d:a5:77:07 txqueuelen 1000 (Ethernet)
> RX packets 0 bytes 0 (0.0 B)
> RX errors 0 dropped 0 overruns 0 frame 0
> TX packets 0 bytes 0 (0.0 B)
> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
>
>
> On Sun, Aug 20, 2023 at 12:51 PM Ralph Ronnquist <rrq@???> wrote:
>
> > Should be "tap0" not "eth0" (of course). Sorry about that.
> >
> > On Sun, Aug 20, 2023 at 08:47:48PM +1000, Ralph Ronnquist wrote:
> > > Ah, I forgot the "bring it up" command; you could verify this with
> > >
> > > # ifconfig -a
> > >
> > > That will present all interfaces; those that are down as well as those
> > > that are up.
> > >
> > > The additional command is:
> > >
> > > # ip link set dev eth0 up
> > >
> > > .. usually to be done after adding it and setting its IP address, but
> > > can be done after IP configuration as well.
> > >
> > > Ralph.
> > >
> > > You could verify beforehand with
> > >
> > > On Sun, Aug 20, 2023 at 12:27:30PM +0200, Mario Marietto wrote:
> > > > Finally, after a lot of kernel recompilations, I've been able to issue all
> > > > the commands suggested some time ago by @Ralph Ronnquist without getting
> > > > errors :
> > > >
> > > > # ip tuntap add tap0 mode tap
> > > > ok
> > > >
> > > > # ip address add 10.0.2.1/24 dev tap0
> > > > ok
> > > >
> > > > # sysctl net.ipv4.ip_forward=1
> > > > ok
> > > >
> > > > # net.ipv4.ip_forward = 1
> > > > ok
> > > >
> > > > # iptables -t nat -A POSTROUTING -o mlan0 -j MASQUERADE
> > > > ok
> > > >
> > > > Now,the problem is that I don't see any tap0 interface :
> > > >
> > > > # ifconfig
> > > >
> > > > docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
> > > > inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
> > > > ether 02:42:c9:04:eb:64 txqueuelen 0 (Ethernet)
> > > > RX packets 0 bytes 0 (0.0 B)
> > > > RX errors 0 dropped 0 overruns 0 frame 0
> > > > TX packets 0 bytes 0 (0.0 B)
> > > > TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
> > > >
> > > > lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
> > > > inet 127.0.0.1 netmask 255.0.0.0
> > > > inet6 ::1 prefixlen 128 scopeid 0x10<host>
> > > > loop txqueuelen 1000 (Local Loopback)
> > > > RX packets 49 bytes 5414 (5.2 KiB)
> > > > RX errors 0 dropped 0 overruns 0 frame 0
> > > > TX packets 49 bytes 5414 (5.2 KiB)
> > > > TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
> > > >
> > > > mlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> > > > inet 192.168.1.6 netmask 255.255.255.0 broadcast 192.168.1.255
> > > > inet6 fe80::a200:9c1a:7783:969f prefixlen 64 scopeid 0x20<link>
> > > > ether 60:21:c0:e9:44:63 txqueuelen 1000 (Ethernet)
> > > > RX packets 264 bytes 31934 (31.1 KiB)
> > > > RX errors 0 dropped 0 overruns 0 frame 0
> > > > TX packets 237 bytes 33545 (32.7 KiB)
> > > > TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
> > > >
> > > > Is this normal ?
> > > >
> > > > On Thu, Aug 17, 2023 at 3:15 PM Mario Marietto <marietto2008@???> wrote:
> > > >
> > > > > Can someone help me,please,to understand how to fix it ?
> > > > >
> > > > > loziomario <https://www.reddit.com/user/loziomario/> :
> > > > >
> > > > > root@devuan:~# nft add table nat
> > > > >
> > > > > root@devuan:~# nft 'add chain nat postrouting { type nat hook postrouting priority 100 ; }'
> > > > >
> > > > > Error: Could not process rule: No such file or directory
> > > > >
> > > > > deeseearr <https://www.reddit.com/user/deeseearr/> :
> > > > >
> > > > > Your table has no family.
> > > > >
> > > > > You are also trying to add a chain to a table called "postrouting" in the
> > > > > "nat" family, which does not exist.
> > > > >
> > > > > All of your other rules are part of the "ip" family so this one should be
> > > > > too.
> > > > >
> > > > > On Wed, Aug 16, 2023 at 9:33 PM Mario Marietto <marietto2008@???> wrote:
> > > > >
> > > > >> I've created a post on Reddit :
> > > > >>
> > > > >> https://www.reddit.com/r/devuan/comments/15swwij/neither_iptables_nor_nftable_are_working_for_me/
> > > > >>
> > > > >> where I tried to explain what my problem is. Unfortunately no one
> > > > >> replied right now.
> > > > >>
> > > > >>
> > > > >> On Wed, Aug 16, 2023 at 7:13 PM Mario Marietto <marietto2008@???> wrote:
> > > > >>
> > > > >>> They also suggest to check these kernel parameters :
> > > > >>>
> > > > >>> root@devuan:~# grep CONFIG_NF_TABLES_INET= /boot/config-`uname -r`
> > > > >>> CONFIG_NF_TABLES_INET=y
> > > > >>>
> > > > >>> root@devuan:~# grep CONFIG_NFT_COUNTER= /boot/config-`uname -r`
> > > > >>> CONFIG_NFT_COUNTER=y
> > > > >>>
> > > > >>> root@devuan:~# grep CONFIG_NFT_OBJREF= /boot/config-`uname -r`
> > > > >>> CONFIG_NFT_OBJREF=y
> > > > >>>
> > > > >>> but they seem correct,right ?
> > > > >>>
> > > > >>>
> > > > >>> On Wed, Aug 16, 2023 at 7:04 PM Mario Marietto <marietto2008@???> wrote:
> > > > >>>
> > > > >>>> Reading from here :
> > > > >>>> https://unix.stackexchange.com/questions/537912/nftables-rule-no-such-file-or-directory-error
> > > > >>>>
> > > > >>>> I tried to do the following :
> > > > >>>>
> > > > >>>> root@devuan:~# nft add table ip filter
> > > > >>>>
> > > > >>>> root@devuan:~# nft add chain ip filter INPUT { type filter hook input priority 0 \; } # create chain
> > > > >>>> root@devuan:~# nft add rule ip nat POSTROUTING oifname "mlan0" counter masquerade
> > > > >>>> Error: Could not process rule: No such file or directory
> > > > >>>> add rule ip nat POSTROUTING oifname mlan0 counter masquerade
> > > > >>>> ^^^
> > > > >>>>
> > > > >>>> root@devuan:~# nft list ruleset
> > > > >>>> table ip filter {
> > > > >>>> chain INPUT {
> > > > >>>> type filter hook input priority filter; policy accept;
> > > > >>>> }
> > > > >>>> }
> > > > >>>>
> > > > >>>>
> > > > >>>>
> > > > >>>> On Wed, Aug 16, 2023 at 6:58 PM Mario Marietto <marietto2008@???> wrote:
> > > > >>>>
> > > > >>>>> root@devuan:~# iptables-translate -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > > > >>>>> nft add rule ip nat POSTROUTING oifname "eth0" counter masquerade
> > > > >>>>>
> > > > >>>>> root@devuan:~# ifconfig
> > > > >>>>>
> > > > >>>>> lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
> > > > >>>>> inet 127.0.0.1 netmask 255.0.0.0
> > > > >>>>> inet6 ::1 prefixlen 128 scopeid 0x10<host>
> > > > >>>>> loop txqueuelen 1000 (Local Loopback)
> > > > >>>>> RX packets 28 bytes 3449 (3.3 KiB)
> > > > >>>>> RX errors 0 dropped 0 overruns 0 frame 0
> > > > >>>>> TX packets 28 bytes 3449 (3.3 KiB)
> > > > >>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
> > > > >>>>>
> > > > >>>>> mlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
> > > > >>>>> inet 192.168.1.6 netmask 255.255.255.0 broadcast
> > > > >>>>> 192.168.1.255
> > > > >>>>> inet6 fe80::47b1:6a1e:c9a8:5e73 prefixlen 64 scopeid
> > > > >>>>> 0x20<link>
> > > > >>>>> ether 50:22:c1:e9:44:63 txqueuelen 1000 (Ethernet)
> > > > >>>>> RX packets 656 bytes 59350 (57.9 KiB)
> > > > >>>>> RX errors 0 dropped 0 overruns 0 frame 0
> > > > >>>>> TX packets 351 bytes 35970 (35.1 KiB)
> > > > >>>>> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
> > > > >>>>>
> > > > >>>>> root@devuan:~# nft add rule ip nat POSTROUTING oifname "mlan0" counter masquerade
> > > > >>>>>
> > > > >>>>> Error: Could not process rule: No such file or directory
> > > > >>>>> add rule ip nat POSTROUTING oifname mlan0 counter masquerade
> > > > >>>>> ^^^
> > > > >>>>>
> > > > >>>>>
> > > > >>>>>
> > > > >>>>> On Wed, Aug 16, 2023 at 1:03 PM wirelessduck--- via Dng <dng@???> wrote:
> > > > >>>>>
> > > > >>>>>>
> > > > >>>>>>
> > > > >>>>>> > On 16 Aug 2023, at 20:13, Mario Marietto <marietto2008@???> wrote:
> > > > >>>>>> >
> > > > >>>>>> >
> > > > >>>>>> > It's too much out of my knowledge. I'm not able to understand
> > > > >>>>>> > what's the correct syntax to use.
> > > > >>>>>>
> > > > >>>>>> The manpage for iptables-translate says it takes the same arguments
> > > > >>>>>> as iptables. You can try:
> > > > >>>>>>
> > > > >>>>>> iptables-translate -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> > > > >>>>>>
> > > > >>>>>> and that should output the equivalent nftables command. I don’t have
> > > > >>>>>> a terminal here to try that myself right now.
> > > > >>>>>>
> > > > >>>>>> Tom
> > > > >>>>>> _______________________________________________
> > > > >>>>>> Dng mailing list
> > > > >>>>>> Dng@???
> > > > >>>>>> https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
> > > > >>>>>>
> > > > >>>>>
> > > > >>>>>
> > > > >>>>> --
> > > > >>>>> Mario.
> > > > >>>>>
> > > > >>>>
> > > > >>>>
> > > > >>>> --
> > > > >>>> Mario.
> > > > >>>>
> > > > >>>
> > > > >>>
> > > > >>> --
> > > > >>> Mario.
> > > > >>>
> > > > >>
> > > > >>
> > > > >> --
> > > > >> Mario.
> > > > >>
> > > > >
> > > > >
> > > > > --
> > > > > Mario.
> > > > >
> > > >
> > > >
> > > > --
> > > > Mario.
>
>
> --
> Mario.