NixOS / nixops

NixOps is a tool for deploying to NixOS machines in a network or cloud.
https://nixos.org/nixops
GNU Lesser General Public License v3.0

Forwarding traffic to a VirtualBox logical machine #734

Open dsferruzza opened 7 years ago

dsferruzza commented 7 years ago

Hi!

I have created a NixOps network that contains a single logical machine. The network is deployed using the VirtualBox backend and the logical machine runs a web server. If I get the logical machine's IP from nixops info (let's say 192.168.56.101) and do curl -v 192.168.56.101 from the host machine, the web server responds as expected.

Because I only have 1 public IP address (which is used by the host; let's say 1.2.3.4) I want to be able to forward traffic from a given port of my host to another port of my logical machine.

I am struggling with 2 problems here:

  1. I guess the IP address of the logical machine is variable. But the only way I know to find it is to run nixops info and read it... I might need something more computer-friendly if I want to set up some firewall rules to send traffic to it.
  2. I don't know how to actually forward the traffic from (let's say) 1.2.3.4:80 to 192.168.56.101:80. I tried to use networking.nat.forwardPorts with no success...
    • If I start a Python simple web server on the host, I can reach it from the Internet
    • I can reach my web server in the logical machine from the host machine
    • But I can't reach my web server in the logical machine from the Internet

Do you have any idea on how to solve this?

Bsami commented 5 years ago

In case someone is still looking for a way to achieve this, Nixops supports passing extra VBoxManage modifyvm commands via the vmFlags parameter (defined here and here) which can be used to define the port forwarding rules.

According to the VirtualBox manual, the Vbox machines are by default created with a network interface of type NAT attached to the network interface controller number 1 nic1 and it will by default get assigned the ip address 10.0.2.15 if the Vbox NAT engine default configuration wasn't altered. So you can directly define your port forwarding rules without having to create and to configure a new networking interface of type NAT.

I was able to configure port forwarding and to NAT some ports from the host physical machine to the guest logical VirtualBox machine by updating my deployment's nix expression as follows:

deployment.virtualbox = {
  headless = true;
  vcpu = 2;
  memorySize = 2048;
  disks.disk1.size = 40000;
  # Extra arguments handed to `VBoxManage modifyvm`.
  # --natpf1 adds a port-forwarding rule on NIC 1 (the default NAT interface):
  #   name,protocol,host IP,host port,guest IP,guest port
  # The guest IP is left empty so VirtualBox resolves the NAT address itself.
  vmFlags = [
    "--natpf1" "ssh,tcp,1.2.3.4,3322,,22"
    "--natpf1" "http,tcp,1.2.3.4,3380,,80"
    "--natpf1" "https,tcp,1.2.3.4,33443,,443"
  ];
};

In the above example, in the rule named ssh, all TCP traffic arriving on port 3322 on the host interface with IP address 1.2.3.4 will be forwarded to port 22 in the guest (the guest IP address is not mandatory here, and it wasn't mentioned in the rule to allow the VBoxManage utility to dynamically adjust it).

There are some limitations in using NAT interfaces and port forwarding, such as the impossibility to forward host ports below 1024 (check section 6.3.3 in the VirtualBox user manual), so for example the rule "forward-ssh,1.2.3.4,22,,22", which is supposed to make the host accept all TCP traffic on port 22 and forward it to the guest on port 22, will not work!

Also, you may want to enable the host ports you used in your port forwarding rules in your firewall in case you are using a firewall.
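As an added example (not from this issue or from NixOps itself), a small Python checker for a vmFlags list like the one above: it parses each --natpf rule in the name,protocol,hostip,hostport,guestip,guestport layout used in the answer, flags host ports below 1024 (the limitation described above) and duplicate host bindings, and lists the host ports the host firewall has to allow. The function and class names are my own, and EXAMPLE_FLAGS is a constructed copy of the rules in the answer.

```python
import re
from dataclasses import dataclass

# Rule layout as passed to `VBoxManage modifyvm --natpf<N>`:
#   name,protocol,hostip,hostport,guestip,guestport   (IPs may be empty)
RULE_RE = re.compile(r"^([^,]+),(tcp|udp),([^,]*),(\d+),([^,]*),(\d+)$")

# Constructed sample: the vmFlags list from the answer above.
EXAMPLE_FLAGS = [
    "--natpf1", "ssh,tcp,1.2.3.4,3322,,22",
    "--natpf1", "http,tcp,1.2.3.4,3380,,80",
    "--natpf1", "https,tcp,1.2.3.4,33443,,443",
]

@dataclass(frozen=True)
class NatRule:
    name: str
    proto: str
    host_ip: str
    host_port: int
    guest_ip: str
    guest_port: int

def parse_rule(rule: str) -> NatRule:
    """Parse one natpf rule string; raise ValueError if it is malformed."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"malformed natpf rule: {rule!r}")
    name, proto, hip, hport, gip, gport = m.groups()
    return NatRule(name, proto, hip, int(hport), gip, int(gport))

def rules_from_vm_flags(vm_flags: list) -> list:
    """Collect the rules that follow every --natpf<N> entry in a vmFlags list."""
    rules, it = [], iter(vm_flags)
    for flag in it:
        if flag.startswith("--natpf"):
            value = next(it, None)
            if value is None:
                raise ValueError(f"{flag} has no rule after it")
            rules.append(parse_rule(value))
    return rules

def check_rules(rules: list) -> list:
    """Report host ports below 1024 and host bindings claimed by two rules."""
    problems, seen = [], set()
    for r in rules:
        if r.host_port < 1024:
            problems.append(f"{r.name}: host port {r.host_port} is below 1024")
        bind = (r.proto, r.host_ip, r.host_port)
        if bind in seen:
            problems.append(f"{r.name}: {r.proto} {r.host_ip}:{r.host_port} already used")
        seen.add(bind)
    return problems

def firewall_ports(rules: list) -> list:
    """Sorted (protocol, host port) pairs the host firewall must allow."""
    return sorted({(r.proto, r.host_port) for r in rules})
```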

nixos-discourse commented 3 years ago

This issue has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nixops-how-to-configure-network/11947/2