- 12-19-2011 #1Just Joined!
- Join Date
- Dec 2010
- Posts
- 4
NAT loopback with virtualbox not working
Hi,
I have a problem with my server & virtual server setup.
I have one linux server with 2 IPs from my provider, the provider does not allow different MAC addresses on the switch, so I have to use NAT.
On my server there's virtualbox running with an Ubuntu virtual machine inside.
This machine is connected via a host-only network to the host.
So the host looks like this:
eth0 inet addr:81.169.xxx.xxx
eth0:1 inet addr:85.214.xxx.xxx
vboxnet0 inet addr:192.168.56.1
On the virtual client like this:
eth0 inet addr:192.168.56.101
On my host I have the following iptables setup:
Code:
EXTIF="eth0" #External
INTIP="192.168.56.101" #Internal VM
EXTIP2="85.214.xxx.xxx" # External IP 2
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
iptables -t nat -A PREROUTING -d $EXTIP2 -j DNAT --to $INTIP
iptables -t nat -A OUTPUT -d $EXTIP2 -j DNAT --to $INTIP
This is working okay, the VM client can reach the internet and I can reach the services via the second IP of the host.
One thing isn't working though: The client cannot reach itself via the internet IP.
This is quite annoying, because some services try to lookup themselves through the internet IP and of course fail.
What can I do to make this work?
I've read in many tutorials that for this "nat loopback" you need to modify the source address to the external interface, so I tried this:
iptables -t nat -A POSTROUTING -s $INTIP -d $INTIP -j SNAT --to $EXTIP2
but this is not working either.
Any help would be greatly appreciated!
- 12-23-2011 #2
I believe the problem lies in the fact that you're using a "HOST ONLY" connection, instead of doing NAT. The "host-only adapter" is probably unseen as a network interface by iptables and the kernel, and thus packets won't be routed.
- 12-23-2011 #3Just Joined!
- Join Date
- Dec 2010
- Posts
- 4
But the routing is working fine, just the loopback is not.
- 12-23-2011 #4
I'm quite unsure what a "nat loopback" should be. I believe you want to access your virtual host by applying net address translation to incoming packets on your host computer to your virtual host (and back). This said, your hosting computer behaves like a router with NATed connections: it translates requests from the outside (internet) to a host within its immediate subnet.
Since "nat loopback" is not a term that makes sense to me (unless you are trying to apply NAT to a loopback device - which does not make sense at all), please correct me if I'm wrong and point me to your resources?
Last edited by Kloschüssel; 12-23-2011 at 11:25 AM. Reason: typo
- 12-23-2011 #5Just Joined!
- Join Date
- Dec 2010
- Posts
- 4
It can also be called "nat reflection".
It is like I said: You can reach your NATed host from itself via the NATed IP.
- 12-28-2011 #6
I was afraid you want to do this. My advice is short and simple:
Work around the problem by accessing the host/s by hostnames (domain names) and make the dns more intelligent.
I.e.:
If the virtual should be accessible from the public through "virtual.host.com", the dns resolution from outside should yield the public IP, the dns resolution from the virtual host yields something like 127.0.0.1 and finally the dns resolution from "neighboured" virtual hosts should yield an IP that enables the most direct connection.
I have already wrapped my head around that problem in the past more than twice and couldn't get it to work because the firewall configuration is far away from being trivial. If you're able to do it, share your wisdom with the world!
Last edited by Kloschüssel; 12-28-2011 at 07:19 AM.
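The split-horizon DNS described in the reply above could be set up with BIND views, as in this added example (not part of the original thread). It assumes the host runs an authoritative BIND 9 server for host.com that the VMs query at 192.168.56.1; the zone file paths are hypothetical, and the addresses are the ones used in the thread.

```conf
// named.conf fragment (added example; file paths are hypothetical).
// Views are tried in order and the first match-clients hit wins,
// so the most specific client set has to come first.

// The VM itself: virtual.host.com resolves to loopback.
view "self" {
    match-clients { 192.168.56.101; };
    zone "host.com" {
        type master;
        file "/etc/bind/views/db.host.com.self";      // virtual IN A 127.0.0.1
    };
};

// Neighbouring VMs on the host-only network: the direct internal address.
view "neighbours" {
    match-clients { 192.168.56.0/24; };
    zone "host.com" {
        type master;
        file "/etc/bind/views/db.host.com.internal";  // virtual IN A 192.168.56.101
    };
};

// Everyone else: the public address that the host DNATs to the VM.
view "public" {
    match-clients { any; };
    recursion no;                                     // authoritative answers only
    zone "host.com" {
        type master;
        file "/etc/bind/views/db.host.com.public";    // virtual IN A 85.214.xxx.xxx
    };
};
```

Once any view is defined, every zone statement in named.conf has to live inside a view. The three zone files differ only in the A record for "virtual".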