vagrant-landrush / landrush

A Vagrant plugin that provides a simple DNS server for Vagrant guests
MIT License

Windows: guest_redirect_dns checking for iptables #278

Open proteansec opened 7 years ago

proteansec commented 7 years ago

The corresponding Vagrantfile is as follows, where config.landrush.guest_redirect_dns has been set to true, which uses iptables to redirect traffic in the VM. However, iptables is specific to the Unix world and is not used in Windows guests, which is why the functionality should be modified for Windows guest VMs.

```ruby
# create a private network
config.vm.network :private_network, ip: "172.28.128.5"
config.vm.communicator = "winrm"
config.winrm.username = 'vagrant'
config.winrm.password = 'vagrant'
config.vm.guest = :windows

# enable landrush DNS
if Vagrant.has_plugin?("landrush")
  config.landrush.enabled = true
  config.landrush.guest_redirect_dns = true
  config.landrush.host_redirect_dns = false
  config.landrush.host 'win8x86-enterprise', '172.28.128.5'
end
```

The error I get when running vagrant up is the following, which clearly states the Windows guest doesn't have the iptables_installed functionality.

```
==> vagrant-win8x86-enterprise: Running 'pre-boot' VM customizations...
==> vagrant-win8x86-enterprise: Booting VM...
==> vagrant-win8x86-enterprise: Waiting for machine to boot. This may take a few minutes...
    vagrant-win8x86-enterprise: WinRM address: 127.0.0.1:5985
    vagrant-win8x86-enterprise: WinRM username: vagrant
    vagrant-win8x86-enterprise: WinRM execution_time_limit: PT2H
    vagrant-win8x86-enterprise: WinRM transport: negotiate

==> vagrant-win8x86-enterprise: Machine booted and ready!
Vagrant attempted to execute the capability 'iptables_installed'
on the detect guest OS 'windows', but the guest doesn't
support that capability. This capability is required for your
configuration of Vagrant. Please either reconfigure Vagrant to
avoid this capability or fix the issue by creating the capability.
```

This can be avoided by setting the following option; however, we then have to manually set the DNS settings inside the VM (for the appropriate network interface).

config.landrush.guest_redirect_dns = false

We should add an appropriate CMD (by using the ssh communicator) or PowerShell (by using the winrm communicator) command which sets up the appropriate DNS settings in the Windows guest.

hferentschik commented 7 years ago

Right, Windows guests are not really supported. At the very least the guest DNS configuration won't work, due to the use of iptables. I am not familiar with winrm. Does it have support for changing DNS settings? Or is it just a way to communicate with the VM in order to execute administration tasks?

My experience is that DNS configuration on Windows is not trivial. Do you have any concrete steps in mind?

proteansec commented 7 years ago

WinRM is a way to communicate with the VM in order to execute arbitrary commands - there is basically a WinRM service which is scheduled to come up when Windows boots, which is why vagrant is waiting for WinRM to come up prior to executing those commands (it shouldn't take long into the booting process).

Once the WinRM is up and accessible, vagrant can execute any number of commands. We should execute the following commands (just an example - haven't tried it):

To obtain the interfaces:

> # netsh interface show interface

Then we need to parse the output of that command to obtain the names of the interfaces (when not set to default values) and set the DNS address with the following.

> # netsh interface ipv4 add dnsserver "Ethernet" address=172.28.128.1 index=1

Can you pinpoint the place in the code where the commands are run in order to try to change the DNS settings (for Windows that is)? I'm not that familiar with Ruby, so a little help is needed!

hferentschik commented 7 years ago

> Can you pinpoint the place in the code where the commands are run in order to try to change the DNS settings

There are several. Supporting Windows guests means adding OS type checks at various places. The first thing you ran into was the capability to check whether iptables is installed - install_prerequisites.rb. This should not happen for Windows. Then there are various other guest capabilities which deal with installing and configuring iptables - guest capability folder.

Most importantly one would need a Windows redirect_dns guest capability which then is called in RedirectDns.

So definitely possible, just needs some work. Something you are interested in? I am happy to give some guidance ;-)
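The parsing and command-building step discussed in this thread, as an added Ruby example that is not landrush code and was not posted by either commenter: it reads `netsh interface show interface` output, picks the enabled and connected interfaces, and builds the `netsh interface ipv4 add dnsserver` command only for names and addresses that pass validation, since the name is interpolated into a command line sent to the guest. It assumes English-locale netsh output and simplifies by targeting every connected interface; the method names, the allowlist and the sample output are constructed for illustration.

```ruby
require 'ipaddr'

# Constructed sample of `netsh interface show interface` output (English locale).
SAMPLE_NETSH_OUTPUT = <<~OUT

  Admin State    State          Type             Interface Name
  -------------------------------------------------------------------------
  Enabled        Connected      Dedicated        Ethernet
  Enabled        Connected      Dedicated        Ethernet 2
  Disabled       Disconnected   Dedicated        Local Area Connection
  Enabled        Connected      Dedicated        Lab "net"

OUT

# Hypothetical allowlist: the name ends up inside double quotes on a command
# line, so quotes, backticks, '$', '&' and control characters are refused.
SAFE_NAME = /\A[\w .()-]+\z/

# Names of interfaces that are administratively enabled and connected.
def connected_interfaces(netsh_output)
  # Data rows start after the dashed separator line.
  rows = netsh_output.lines.drop_while { |l| l !~ /\A-{3,}/ }.drop(1)
  rows.filter_map do |line|
    # The first three columns are single words; the name may contain spaces.
    admin, state, _type, name = line.split(' ', 4)
    next if name.nil?
    name.strip if admin == 'Enabled' && state == 'Connected'
  end
end

# Builds the command from the thread for one interface, refusing unsafe input.
def dns_command(interface, dns_server, index: 1)
  unless interface.match?(SAFE_NAME)
    raise ArgumentError, "unsafe interface name: #{interface.inspect}"
  end
  ip = IPAddr.new(dns_server) # raises on malformed addresses
  unless ip.ipv4? && ip.to_s == dns_server # rejects prefixes such as /24
    raise ArgumentError, "not a plain IPv4 address: #{dns_server}"
  end
  %(netsh interface ipv4 add dnsserver "#{interface}" address=#{ip} index=#{Integer(index)})
end

# Commands for every connected interface; names failing the allowlist are skipped.
def dns_commands(netsh_output, dns_server)
  connected_interfaces(netsh_output)
    .select { |name| name.match?(SAFE_NAME) }
    .map { |name| dns_command(name, dns_server) }
end

puts dns_commands(SAMPLE_NETSH_OUTPUT, '172.28.128.1') if $PROGRAM_NAME == __FILE__
```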