2

I run QEMU to emulate Windows KVM. I currently use `-net nic` with `-net user` to access the WAN from the guest, and this works like a plain tunnel with no possibility to control connections, add a whitelist or restrictions.

It is also a dangerous setup due to the IP-level packet forwarding, e.g. ports are open and all low-level connections on the guest are possible. Say I am running malware: it can function in a nearly real networking environment.

Say I have a proxy running at `socks5://127.0.0.1:9050/` on the host and my host Internet connection is `wlan0`. How can I force QEMU to use such a proxy as a networking adapter? Is there any solution? That way, at least, I will use Tor for my guests for privacy.

I've managed to set up a TAP networking adapter `virbr0` for my guest and enable it with the command line `-netdev bridge,br=virbr0,id=net0 -device virtio-net-pci,netdev=net0` (and allowed `virbr0` in `/etc/qemu/bridge.conf`). However, I don't have internet access with such a bridge and don't actually understand how I can use iptables to restrict outgoing/incoming connections for my VM.

Previous title: Is there a way to convert SOCKS proxy to a network bridge interface?

Croll

1 Answer

1

This won't work. SOCKS is an application-level protocol, not a generic networking mechanism. If you desire to use a SOCKS proxy with an application, you'll need to ensure that the application supports using a proxy, and is configured to do so.

EEAA
  • Seems theoretically real to write an application that will emulate a networking interface using a SOCKS proxy (cutting any lower-level, unsupported traffic except DNS, TCP, UDP); I thought maybe someone did this... – Croll Oct 08 '16 at 18:05
  • Sure, it's possible, but doing so would require a server-side component on the other side of the proxy to "un-wrap" and convert to the actual protocols. – EEAA Oct 08 '16 at 18:07
  • OK then. So the question is what's the problem with my `virbr0` not giving internet access, and can I control it with iptables. – Croll Oct 08 '16 at 18:11
  • That's a different question altogether. – EEAA Oct 08 '16 at 18:12
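
The answer's point in code form, as an added example that is not part of the original post or its comments: a SOCKS5 request (RFC 1928) can only name a command plus a destination address and port, so a guest's TCP or UDP packet has to be terminated and re-originated by the proxy, and other IP protocols (ICMP here) have no mapping at all. The packet bytes, addresses and function names are constructed for illustration.

```python
import ipaddress
import struct

# SOCKS5 (RFC 1928) request commands: the only operations a client can ask for.
CMD_CONNECT, CMD_UDP_ASSOCIATE = 0x01, 0x03
ATYP_IPV4 = 0x01
IPPROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def socks5_request(cmd, dst_ip, dst_port):
    """Encode a SOCKS5 request: VER, CMD, RSV, ATYP, DST.ADDR, DST.PORT."""
    return struct.pack("!BBBB4sH", 5, cmd, 0, ATYP_IPV4,
                       ipaddress.IPv4Address(dst_ip).packed, dst_port)

def map_packet(packet):
    """Return (verdict, socks5_request_or_None) for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop: not an IPv4 packet", None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = packet[9]
    dst_ip = str(ipaddress.IPv4Address(packet[16:20]))
    if proto not in (6, 17):
        name = IPPROTO_NAMES.get(proto, f"protocol {proto}")
        return f"drop: {name} has no SOCKS5 equivalent", None
    if len(packet) < ihl + 4:
        return "drop: truncated transport header", None
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    if proto == 6:
        # The TCP segment itself is never forwarded; the proxy opens its own stream.
        return "tcp: CONNECT", socks5_request(CMD_CONNECT, dst_ip, dst_port)
    # UDP ASSOCIATE carries the client's sending address; all zeros means "unknown".
    return "udp: UDP ASSOCIATE", socks5_request(CMD_UDP_ASSOCIATE, "0.0.0.0", 0)

def ipv4(proto, dst_ip, payload):
    """Build a minimal constructed IPv4 packet (checksum left at zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address("10.0.2.15").packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    return hdr + payload

# Constructed sample traffic from a guest at 10.0.2.15 (not captured data).
SAMPLES = [
    ipv4(6, "192.0.2.10", struct.pack("!HH", 49152, 443) + bytes(16)),  # TCP header
    ipv4(17, "198.51.100.53", struct.pack("!HHHH", 40000, 53, 8, 0)),   # UDP to port 53
    ipv4(1, "198.51.100.53", bytes([8, 0, 0, 0, 0, 1, 0, 1])),          # ICMP echo
]

if __name__ == "__main__":
    for verdict, req in map(map_packet, SAMPLES):
        print(verdict, req.hex() if req else "-")
```
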