
I have a Linux guest VM running under a Windows host. If I set the networking mode to NAT, the guest can get internet access (which I want), but can also access the host's LAN (which I don't).

For various reasons, I cannot set up a separate network just to provide internet access to the guest.

Can I use Windows Firewall, or some routing software to allow me to give internet access to the guest, but block all other access?

EDIT - I got the solution from the VirtualBox forums: use NAT with Windows Firewall to block the guest.

My mistake was trying to set up the rule on the host as (program = all, local IP = guest IP range). The rule should actually be (local IP = all, program = virtualbox.exe), since the NAT already happens before the traffic hits the firewall.

Francis Appa

6 Answers


Solution - add a firewall rule to the host: block (local IP = all, program=virtualbox.exe, remote IP = {range you want to block})

Francis Appa
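The accepted answer's rule written out in PowerShell, as an added example that is not part of the original post. The VirtualBox install paths, the process names for newer VirtualBox versions, and the use of the `LocalSubnet` keyword in place of a hard-coded LAN range are assumptions; run it from an elevated prompt on the Windows host.

```powershell
# Block the VirtualBox VM process from reaching the host's LAN while NAT
# still gives the guest internet access (the accepted answer's rule).
# Assumption: VirtualBox 6.0+ runs each VM as VirtualBoxVM.exe (or
# VBoxHeadless.exe for headless VMs); older versions used VirtualBox.exe,
# which is the name the accepted answer gives. Adjust paths to your install.
$VmProcesses = @(
    "C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe",
    "C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe",
    "C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"
)

# 'LocalSubnet' is a Windows Firewall keyword for the host's own subnet(s),
# so the rule follows the host if its LAN range changes. Replace it with
# explicit ranges (e.g. "192.168.1.0/24", "10.0.0.0/8") to block more.
$BlockedRemote = @("LocalSubnet")

foreach ($exe in $VmProcesses) {
    if (-not (Test-Path $exe)) { continue }   # skip binaries not installed here
    $name = "VirtualBox guest - no LAN ($([IO.Path]::GetFileName($exe)))"
    # Block rules take precedence over allow rules in Windows Firewall, so an
    # existing allow rule for VirtualBox cannot re-open the LAN.
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
        -Program $exe -RemoteAddress $BlockedRemote -Profile Any -Enabled True |
        Out-Null
}

# Verify: show each rule with the program and remote addresses it blocks.
Get-NetFirewallRule -DisplayName "VirtualBox guest - no LAN*" |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        $app  = ($_ | Get-NetFirewallApplicationFilter).Program
        "{0}: {1} -> blocked to {2}" -f $_.DisplayName, $app, ($addr -join ", ")
    }
```

If the host's DNS server sits on the LAN, this rule blocks the guest's DNS lookups too: either point the guest at a public resolver or enable VirtualBox's host-resolver mode (`VBoxManage modifyvm "<vm name>" --natdnshostresolver1 on`), which resolves through the host's own DNS client rather than from the VM process.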

You say Linux so I'm assuming you have iptables installed. You can only allow inbound/outbound traffic on port 80 (HTTP), port 443 (HTTPS) and outbound DNS. Use at your own risk as I have not tested these rules. Also, make sure you are at the physical machine when you do it. If you are remotely connecting you may disconnect yourself and not be able to get back to the machine.

#delete all rules
iptables -F

#change default policy to drop everything
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

#add rules for port 80 and 443 to only allow this traffic
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

#allow outbound DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT

#allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

List Rules:

iptables -L
Travis
  • The guest is running Linux, the host is running windows, but I assume this routing is for the host? – Francis Appa Jun 21 '13 at 13:40
  • No, this is for the guest. In all honesty it would be a bad policy to put this type of routing on a host level simply because if you ever put other virtual machines on it, they will be limited to internet only. It would cause a world of hurt if you put a domain controller or something like that on there. – Travis Jun 21 '13 at 15:16

To provide internet access to an untrusted guest virtual machine without granting access to the local network, I would set up a second, trusted guest virtual machine running Linux and configure it as a router and traffic filter.

The original guest VM would have a single network adapter attached to an internal network. The router guest VM would have two network adapters, where the first one would be attached to the same internal network and the second one would be attached to the host network as usual, via bridge or NAT.

The router VM would run dnsmasq to provide network connectivity to the original guest VM. To ensure that packets from the untrusted machine will not reach the LAN interface independently of the network protocol, I would manipulate the routing policy database and create a dedicated routing table:

[root@trustedRouter]# echo '100 nolan' >> /etc/iproute2/rt_tables   # format is "<id> <name>"; 100 is any unused table id

[root@trustedRouter]# ip rule add iif ${intIF} table nolan

[root@trustedRouter]# ip route show table main | grep -F " dev ${intIF} " | \
    while read L; do ip route add table nolan ${L}; done

[root@trustedRouter]# ip route show table main | grep -E "^default " | \
    while read L; do ip route add table nolan ${L}; done

${intIF} in the above example would be the network card connected to the untrusted guest machine.

For peace of mind, network filtering via nftables would also be in place:

[root@trustedRouter]# nft add table inet filter
[root@trustedRouter]# nft add chain inet filter forward \
    '{ type filter hook forward priority 0; policy accept; }'

[root@trustedRouter]# nft add rule inet filter forward \
    meta iifname ${intIF} ip daddr ${lanADDR4} counter drop

[root@trustedRouter]# nft add rule inet filter forward \
    meta iifname ${intIF} ip6 daddr ${lanADDR6} counter drop
  • It's sad that it requires creating an additional VM and cannot be achieved easily. I think it's easier for me to pass through a USB wireless dongle and connect to my guest wifi. But I will give you the bounty if no-one else answers. – zomega Feb 26 '23 at 10:35
  • @zomega I agree that it does not sound easy. From the host perspective, the bridge mode directly connects the guest NIC to the physical network, the NAT mode is a user process creating sockets and the host-only mode is a NIC generating packets to be forwarded to another NIC. I couldn't find a way to grant internet access to the guest while blocking access to the VLAN without a sophisticated packet filter running somewhere; either in the host or in another guest VM. Passing through dedicated NIC hardware is an easier solution (which may require the Oracle VM Extension Pack to be installed). – Anderson Medeiros Gomes Feb 27 '23 at 15:58
  • @zomega Another sophisticated solution for your Debian host would be configuring the guest network in NAT mode, running VirtualBox under a [dedicated network namespace](https://man7.org/linux/man-pages/man8/ip-netns.8.html) and setting up a network firewall on that namespace. Such solution modifies host configuration, though. – Anderson Medeiros Gomes Feb 27 '23 at 16:04
  • Do you know if VMware Player is better about this particular topic (easier to setup)? – zomega Feb 27 '23 at 17:31
  • @zomega I don't know. I reckon that alternative hypervisors such as VMware Player, VMware Workstation, qemu-kvm or Hyper-V will present a similar challenge. The hypervisor's role is the presentation of a virtual network card to the guest VM; if selective connectivity based on characteristics of network packets is required, that is up to a packet filter. – Anderson Medeiros Gomes Mar 02 '23 at 18:51

It's tricky to give advice because you haven't specified what virtualisation platform you are using. If you are using VirtualBox, you can set the network type to Host-only adapter, which will allow internet access, and access to the host you are running VirtualBox on, but not the rest of the network.

GeoSword
  • If I go with host-only adapter, can I still block access to the host itself? – Francis Appa Jun 21 '13 at 13:43
  • Actually I tried this, but my guest doesn't get internet access - only access to the host. Did you do something special (like setting up routing rules) to enable this? – Francis Appa Jun 21 '13 at 14:19

I had bridged my connection. This still didn't work, but checking the "Cable Connected" box (circled in the image below) fixed my network connection. I don't fully understand why.


scottysseus
  • The "Cable Connected" box controls whether the virtual CAT5/5e/6 network cable (or equivalent ability to communicate, in the case of wireless) is plugged or unplugged. (Sometimes, it's useful to virtualize a system which has a network adapter installed but nothing to talk to.) – ssokolow Jul 24 '16 at 21:19
  • This answer is not related to the question in any way. – zomega Feb 25 '23 at 15:09

I am facing the same issue (a few years later). I have found a very simple iptables rule:

sudo iptables -I OUTPUT -d 192.168.1.0/24 -j DROP

(Assuming the local network is 192.168.1.x.) It must be set in the guest machine.

But unfortunately, it also limits all the connections. So, not very useful, I guess

Peret