Opened 15 years ago
Last modified 11 years ago
#6403 closed defect
BindIP does not work for inbound NAT port-forwarded connections — at Initial Version
Reported by: | Jason Roysdon | Owned by: | |
---|---|---|---|
Component: | network/NAT | Version: | VirtualBox 3.1.4 |
Keywords: | bindip | Cc: | vbox.20100320@… |
Guest type: | other | Host type: | other |
Description
Linux HostOS with multiple secondary IPs bound.
1.1.1.x are public/outside addresses in this example.
eth0 - primary hostos IP 1.1.1.1
eth0:2 - secondary hostos IP 1.1.1.2
eth0:3 - secondary hostos IP 1.1.1.3
Hostos has tcp/22 bound specifically to 1.1.1.1 with sshd using the "ListenAddress 1.1.1.1" directive in sshd_config.
Now setting the guestos to bind to 1.1.1.2:
VBoxManage setextradata "guest os" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/BindIP" "1.1.1.2"
VBoxManage setextradata "guest os" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/Protocol" TCP
VBoxManage setextradata "guest os" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/GuestPort" 22
VBoxManage setextradata "guest os" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/HostPort" 22
Then, when trying to connect with ssh -p 22 1.1.1.2, the connection is refused, and a Wireshark dump on the hostos shows it is being reset.
Testing this by binding to tcp/23 for the guestos on the outside of the NAT:
VBoxManage setextradata "guest os" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/Protocol" TCP
VBoxManage setextradata "guest os" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/GuestPort" 22
VBoxManage setextradata "guest os" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/guestssh/HostPort" 23
Now, ssh -p 23 1.1.1.2 works. However, ssh -p 23 1.1.1.1 is also being forwarded to the guestos, which is not what is expected due to the BindIP of 1.1.1.2.
Hostos netstat reports guestos is binding ALL (0.0.0.0) tcp/23 connections. This should not be.
For instance, should I want to bind 1.1.1.2:80 to guestosA and 1.1.1.3:80 to guestosB, you cannot, as the first guestos that starts will bind to all 0.0.0.0:80. The BindIP should limit what IP address the NATs are bound to.
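A host-side check for the binding behaviour described in this ticket, as an added example that is not part of the original report or of VirtualBox: it reads `ss -H -ltn` style listener lines and reports whether a forwarded port is bound only to the intended address or exposed on every host address. The function name `audit_forward` and both sample listener tables are constructed for illustration.

```shell
#!/bin/sh
# audit_forward EXPECTED_IP PORT   (hypothetical helper, not a VirtualBox tool)
# Reads listener lines in `ss -H -ltn` layout on stdin:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# Exit status: 0 = port bound only to EXPECTED_IP
#              1 = wildcard listener, port reachable on every host address
#              2 = nothing listening on EXPECTED_IP:PORT
audit_forward() {
    awk -v ip="$1" -v port="$2" '
        $1 == "LISTEN" {
            la = $4
            n = split(la, parts, ":")
            if (parts[n] != port) next            # other ports are irrelevant
            # Everything before the final ":port" is the bound address.
            addr = substr(la, 1, length(la) - length(parts[n]) - 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") wild = 1
            else if (addr == ip) exact = 1
        }
        END {
            if (wild)  { print "EXPOSED: port " port " listens on all addresses"; exit 1 }
            if (exact) { print "OK: port " port " bound only to " ip; exit 0 }
            print "MISSING: nothing listening on " ip ":" port; exit 2
        }'
}

# Constructed sample: the state the ticket reports (sshd on 1.1.1.1:22,
# the guest forward bound to 0.0.0.0:23 despite BindIP 1.1.1.2).
SAMPLE_REPORTED='LISTEN 0 128 1.1.1.1:22 0.0.0.0:*
LISTEN 0 10 0.0.0.0:23 0.0.0.0:*'

# Constructed sample: the state the reporter expected from BindIP.
SAMPLE_EXPECTED='LISTEN 0 128 1.1.1.1:22 0.0.0.0:*
LISTEN 0 10 1.1.1.2:23 0.0.0.0:*'

printf '%s\n' "$SAMPLE_REPORTED" | audit_forward 1.1.1.2 23 || true
printf '%s\n' "$SAMPLE_EXPECTED" | audit_forward 1.1.1.2 23 || true
```

On a live host the same function can be fed from `ss -H -ltn | audit_forward 1.1.1.2 23`.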