In my recent experiments, and while preparing for my next post, I stumbled on problems when trying to forward ports of my CentOS guest VM to my Mac OS based browser. For some reason, even though port forwarding was properly configured, like so:
…my host system browser could not connect to services on my VM, with the exception of SSH. The cause was simple: CentOS ships with a default set of netfilter rules built in, and these rules allow outgoing traffic and incoming SSH requests only. The firewall configuration needed to be changed. The simplest way to do so is to disable the firewall completely:
# Run as root!
# Flush (discard) all rules
iptables -F
# Save configuration permanently
/sbin/service iptables save
While this may be fine for VM usage, I don't like to disable a whole firewall (I feel unclean afterwards when I do). Here is a more sensible solution, which could be the starting point for a more solid security setup:
# Again... as root!
# See current config
iptables -L
# Save config to a file
iptables-save > /root/iptables-save.txt
# Edit config (see below for an example)
vim /root/iptables-save.txt
# Flush + load the edited config
iptables-restore < /root/iptables-save.txt
# Validate
iptables -L
# Save for good
/sbin/service iptables save
For reference, here is my iptables-save.txt file:
# Generated by iptables-save v1.4.7 on Thu Jul 24 08:28:03 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [471:1082248]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8777 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Jul 24 08:28:03 2014
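When editing the saved file by hand, the easy mistake is to append a new ACCEPT line after the catch-all REJECT, where it can never match. The following audit script is an added example (not from the original post): it parses an iptables-save text, lists the TCP ports the INPUT chain actually accepts, and reports rules shadowed by a terminal catch-all. The sample ruleset is the one above, plus a constructed port 9000 rule placed after the REJECT to show the pitfall.

```python
import re

# The post's ruleset, plus one constructed rule (port 9000) appended after the
# catch-all REJECT so the unreachable-rule check has something to find.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [471:1082248]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8777 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def chain_rules(text: str, chain: str) -> list[str]:
    """The -A rules of one chain, in the order iptables-restore loads them."""
    return [ln for ln in text.splitlines() if ln.startswith(f"-A {chain} ")]

def is_terminal_catch_all(rule: str) -> bool:
    """True when the rule has no match criteria and a terminating target."""
    body = rule.split(" ", 2)[2]  # drop the leading "-A CHAIN "
    return re.match(r"-j (REJECT|DROP|ACCEPT)\b", body) is not None

def reachable_rules(text: str, chain: str = "INPUT") -> list[str]:
    """Rules up to and including the first catch-all; later ones never run."""
    out = []
    for rule in chain_rules(text, chain):
        out.append(rule)
        if is_terminal_catch_all(rule):
            break
    return out

def unreachable_rules(text: str, chain: str = "INPUT") -> list[str]:
    """Rules shadowed by an earlier catch-all, a classic hand-edit mistake."""
    return chain_rules(text, chain)[len(reachable_rules(text, chain)):]

def open_tcp_ports(text: str, chain: str = "INPUT") -> list[int]:
    """TCP destination ports accepted by rules that are actually reachable."""
    ports = []
    for rule in reachable_rules(text, chain):
        m = re.search(r"-p tcp\b.*--dport (\d+).*-j ACCEPT$", rule)
        if m:
            ports.append(int(m.group(1)))
    return ports
```

Run it against the real file with `open_tcp_ports(open("/root/iptables-save.txt").read())` before calling iptables-restore; any rule listed by `unreachable_rules` needs to move above the REJECT line.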
The new rules take effect immediately, but to verify that the saved configuration is restored at startup, you should reboot and check again.
Main references:
https://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-iptables-saving.html
http://wiki.centos.org/HowTos/Network/IPTables