Discussion:
How to block all network traffic for host but allow for guest?
Thinker Rix
2014-03-10 13:05:58 UTC
Hi all,

I am wondering if the following is possible with Linux and Virtualbox:

1. Block all network traffic whatsoever for the virtual host
2. Allow certain network traffic for some virtual machines (guests)

The idea behind that is to have a totally secured host, e.g. a laptop or
workstation, that connects physically to a LAN or WLAN, but that itself
can NOT receive or send any traffic. Then on top of this host I want to
install some "insecure internet VM" which should be allowed to e.g.
browse the internet or read mail.

Is this scenario possible with Virtualbox on a Linux host and Linux and
Windows VMs?

Thank you

Thinker Rix
Tom Grace
2014-03-10 13:52:33 UTC
Post by Thinker Rix
Hi all,
1. Block all network traffic whatsoever for the virtual host
2. Allow certain network traffic for some virtual machines (guests)
Maybe. I've not tested this, but you might have some luck with a bridged
connection and a firewall on the host machine set to block all traffic.

Personally though, I would probably try to invert your plan and have a
VM with no network access, as that would be easier to configure.
Thinker Rix
2014-03-10 15:24:24 UTC
Hi Tom,

Thank you for your time!
Post by Tom Grace
Post by Thinker Rix
Hi all,
1. Block all network traffic whatsoever for the virtual host
2. Allow certain network traffic for some virtual machines (guests)
Maybe. I've not tested this, but you might have some luck with a bridged
connection and a firewall on the host machine set to block all traffic.
Is there any information or scheme/map of the network concept of
VirtualBox so that I could figure how things work in general?
I have not understood yet how the traffic flows and which devices it
passes through.
Post by Tom Grace
Personally though, I would probably try to invert your plan and have a
VM with no network access, as that would be easier to configure.
Yes, this is surely the easiest way, but it is not satisfactory
concerning security.
Yes, the VM would be isolated concerning networking. But the host would
remain exposed to the network.
Should the host get infected by malware, the security of the VM would be
at stake, too! Say my host were infected with spyware or a trojan. This way
my keyboard entries could be key-logged and my screens could be
monitored. When I worked with the VM via the host (since it is a
desktop machine I would directly use the VM via Virtualbox), all
passwords, etc. that I entered into the VM would be logged, too. And
finally the intruder could enter my VM via the host, having all power
over the host.
As a final result, an intruder could enter my host AND my VMs.

For this reason I am interested in turning things upside down, having
the host secured and the isolated VM connected to the network. Should
the VM be infected/infiltrated, the intruder could not get out of the
box of the VM.

Regards
Thinker Rix
Giles Coochey
2014-03-10 17:27:32 UTC
Post by Thinker Rix
For this reason I am interested in turning things upside down, having
the host secured and the isolated VM connected to the network. Should
the VM be infected/infiltrated, the intruder could not get out of the
box of the VM.
Yes, just do this under Linux and have iptables installed with a default
policy of deny for INPUT and OUTPUT rules. iptables will not affect
guests using bridged networking.
You can add exceptions to your firewall to allow ssh / management of some
sort from a secured IP address.
--
Regards,

Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles-***@public.gmane.org
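The host lockdown Giles describes, as an added example that is not from this thread: a POSIX sh function that emits an iptables-restore ruleset with DROP policies on INPUT, OUTPUT and FORWARD and a single SSH exception from one trusted address, plus a small audit function that rejects any ACCEPT rule not pinned to loopback or an explicit peer. The management address 192.0.2.10 and the interface name eth0 are assumptions; VirtualBox bridged guests are unaffected by these chains, as Giles notes, because bridged mode does not route guest frames through the host's filter table.

```shell
#!/bin/sh
# Added example (not from the original thread). Generates a ruleset for
# `iptables-restore`; it does not touch the running firewall by itself.
# Usage on the host, as root:  host_lockdown_rules 192.0.2.10 eth0 | iptables-restore

# $1 = trusted management IP (assumed: 192.0.2.10)
# $2 = physical interface shared by the host and the bridged guests (assumed: eth0)
host_lockdown_rules() {
    mgmt_ip="$1"
    iface="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback stays open so local services on the host keep working
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# management: only SSH, only from the trusted address, only on the LAN interface
-A INPUT -i $iface -p tcp -s $mgmt_ip --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o $iface -p tcp -d $mgmt_ip --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Audit a ruleset text: every chain policy must be DROP, and every ACCEPT rule
# must be scoped to loopback or carry an explicit -s/-d peer address.
# Returns 0 when the ruleset passes, 1 otherwise.
audit_rules() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            :*)
                # chain policy line, e.g. ":INPUT DROP [0:0]"
                case "$line" in *DROP*) ;; *) exit 1 ;; esac ;;
            *"-j ACCEPT"*)
                case "$line" in
                    *"-i lo"*|*"-o lo"*|*"-s "*|*"-d "*) ;;
                    *) exit 1 ;;
                esac ;;
        esac
    done
}
```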
Thinker Rix
2014-03-10 18:49:27 UTC
Hi Giles,

Thank you for your time!
Post by Giles Coochey
Post by Thinker Rix
For this reason I am interested in turning things upside down, having
the host secured and the isolated VM connected to the network. Should
the VM be infected/infiltrated, the intruder could not get out of the
box of the VM.
Yes, just do this under Linux and have iptables installed with a
default policy of deny for INPUT and OUTPUT rules. iptables will not
affect guests using bridged networking.
You can add exceptions to your firewall to allow ssh / management of
some sort from a secured IP address.
I see, so the physical interface of the host stands "beside" (i.e. on
the same level as) the virtual bridge that virtualbox creates as a
virtual interface for the VMs?
This would be great, I would just lock up the host with iptables "drop
all" in all directions and be done?! Great!

Thank you very much!

Cheers
Thinker Rix