the nice:

NAT is nice, as it provides some form of protection/shielding of VMs from the internet by placing the host in between (doing all the firewalling).

the problem:

the server is exposed to regular dovecot and exim password brute-force attempts that try to guess a valid mail address & password.

without the real IP of the offending client in the logs, that IP cannot be blocked by iptables / firewall.

how can VirtualBox be configured to log the actual IP address of the client that is trying to guess a password?

==> /var/log/exim/main.log <== 
2020-06-26 19:34:48 dovecot_login authenticator failed for (User) [10.0.2.2]: 535 Incorrect authentication data (set_id=phpthumbdebug@domain.com) 
2020-06-26 19:34:48 dovecot_login authenticator failed for (User) [10.0.2.2]: 535 Incorrect authentication da

# shutdown / poweroff vm
VBoxManage modifyvm "vmname" --nataliasmode1 proxyonly

# power on the vm again and monitor the logs
# to see whether the real client ip addresses are now being passed on to the vm or not
--nataliasmode<1-N>
default|[log],[proxyonly],[sameports]

: Defines behaviour of the NAT engine core:

  • log – enables logging
  • proxyonly – switches off aliasing mode and makes NAT transparent
  • sameports – enforces the NAT engine to send packets through the same port as they originated on
  • default – disable all aliasing modes. See Section 9.8.7, “Configuring Aliasing of the NAT Engine”.
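
One way to do the log monitoring mentioned above, as an added example that is not part of the original post: it tallies failed dovecot_login attempts per source address and reports whether they all still come from the NAT gateway 10.0.2.2. The function names, the threshold and the sample lines (with documentation addresses) are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.
NAT_GW="10.0.2.2"   # NAT gateway address as it appears in the post's log

# Constructed sample: every failure appears to come from the NAT gateway.
sample_masked() {
cat <<'EOF'
2020-06-26 19:34:48 dovecot_login authenticator failed for (User) [10.0.2.2]: 535 Incorrect authentication data (set_id=a@domain.com)
2020-06-26 19:34:49 dovecot_login authenticator failed for (User) [10.0.2.2]: 535 Incorrect authentication data (set_id=b@domain.com)
EOF
}

# Constructed sample: the log as it would look once real client addresses
# reach the VM (203.0.113.7 and 198.51.100.9 are documentation addresses).
sample_visible() {
cat <<'EOF'
2020-06-26 20:01:10 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=a@domain.com)
2020-06-26 20:01:11 dovecot_login authenticator failed for ([10.0.2.2]) [203.0.113.7]: 535 Incorrect authentication data (set_id=b@domain.com)
2020-06-26 20:01:12 dovecot_login authenticator failed for (User) [203.0.113.7]: 535 Incorrect authentication data (set_id=c@domain.com)
2020-06-26 20:01:13 dovecot_login authenticator failed for (User) [198.51.100.9]: 535 Incorrect authentication data (set_id=a@domain.com)
2020-06-26 20:01:14 dovecot_login authenticator failed for (User) [10.0.2.2]: 535 Incorrect authentication data (set_id=a@domain.com)
EOF
}

# Reads exim main.log lines on stdin, prints "count ip" per peer address.
# Only the bracket directly before ": 535" is taken, so a bracketed HELO
# literal (client-supplied) is not mistaken for the peer.
failed_by_ip() {
  awk '/dovecot_login authenticator failed/ &&
       match($0, /\[[0-9a-fA-F.:]+\]: 535/) {
         rest = substr($0, RSTART + 1)
         n[substr(rest, 1, index(rest, "]") - 1)]++
       }
       END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Prints "masked" (only the gateway is seen), "visible" or "no-data".
nat_status() {
  failed_by_ip | awk -v gw="$NAT_GW" '{ all += $1; if ($2 != gw) real += $1 }
    END { print (!all ? "no-data" : (!real ? "masked" : "visible")) }'
}

# Prints addresses with at least $1 failures (default 3). The gateway is
# never listed: blocking it would cut off every client behind the NAT.
block_candidates() {
  failed_by_ip | awk -v gw="$NAT_GW" -v min="${1:-3}" '$2 != gw && $1 >= min { print $2 }'
}
```

On the VM, run `nat_status < /var/log/exim/main.log` after powering it on again; as long as it prints `masked`, no per-client firewall rule can be derived from the log.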

Links:

https://forums.virtualbox.org/viewtopic.php?f=7&t=98804

admin