LinuxQuestions.org
#1  jiml8, Senior Member, 03-21-2010 06:09 PM
How to block a virtual machine from connecting with a website, from outside the VM


A couple of weeks ago, I completed a system upgrade that was motivated because I have to deploy Windows 7. I have to deploy it because my Windows development environment is getting very long in the tooth, and I have to become current again for a project of mine that is underway.

So, yesterday, I deployed Windows 7 Professional in VMware 7 hosted on Mandriva 2010. With my new upgrade, I have a very capable quad-core athlon system with an NVidia 240GT video card, and it runs Aero quite nicely in the virtual machine. I do have to say that Windows 7 looks nice and isn't too annoying to use, except - of course - when I need to dig into it to change some setting or another.

Now, on Windows, for many years I have used Zone Alarm firewall rather than the Windows firewall, because ZA monitors and controls outgoing connections. I have used this on both my Win2K development system (virtual machine) AND my Win XP laptop to keep microsoft applications (notably media player) from calling the mother ship when I didn't think they should. It has worked well.

So one of my first actions was to download the newest copy of ZA free firewall and deploy it on Windows 7, after disabling the Windows firewall.

Well guess what. ZA doesn't stop Windows from calling the mother ship. I have all settings on ZA set to "ask" before allowing anything to contact the net, but I've been playing with some multimedia things and the microsoft software has been talking on the internet as happy as you please, and ZA hasn't asked me a single time if it could do so.

Of course, when I ran a few tests with ping and tracert, ZA asked me. Also, I had to fiddle with ZA settings a bit to get Windows 7 to talk successfully to my LAN.

But when Windows 7 wants to talk to microsoft, it talks regardless of what ZA says.

Well, when you get down to it, this is one reason I have Windows running in a VM...I WILL be in control, regardless of what microsoft wants.

Does anyone know of a tool that I could use from Mandriva to prevent a VMware client from talking to a website? I'd like to be able to easily enable/disable it so that I can let Win 7 talk to microsoft when I need for it to do so, but no other time.

I'm using bridged networking in VMware so all my virtual machines have their own IP addresses, but of course all of them (as well as my host Linux system) go through the same network adapter.

It seems to me that iptables would have to work for this, but I'm not at all sure how to set it up to do it given the bridge.

Last edited by jiml8; 03-21-2010 at 07:06 PM.
 
#2  kbp, Senior Member, 03-22-2010 12:32 AM
Why don't you just switch the vNIC type from 'Bridged' to 'Host only'? You can do it while the VM is running, then 'ipconfig /release' and 'ipconfig /renew'.
 
#3  jiml8 (original poster), Senior Member, 03-22-2010 01:35 PM
If I do that then I can't use this Windows 7 installation on my LAN and can't access it from outside without circumlocutions.

Easier (I think) to just get control of it. I've been investigating ebtables and the linux bridging utilities. There is probably a solution there, though it looks like I have the opportunity to really hose my installation while I sort it out...
 
#4  jiml8 (original poster), Senior Member, 03-22-2010 01:40 PM
Oh wait a minute...

If I set up a host only network, I can then set my routing table so that I can find it from outside, and the availability of the virtual network interface will let iptables work on it.

Hmmm...
 
#5  jiml8 (original poster), Senior Member, 03-23-2010 12:08 PM
OK, I now have my VM networking happening through a "host only" network that VMware provides. I had to make a static routing entry in each vm routing table to provide a gateway, I had to manually specify DNS in each VM, and I had to use NAT in iptables to bind the virtual ethernet interface (vmnet1) to the physical device.

I tried for a while to get shorewall to do it, but I didn't get that sorted out so I just used an iptables command:

iptables -t nat -A POSTROUTING -s 172.16.187.0/24 -p all -j MASQUERADE

My LAN is now subnetted; there is a virtual machine subnet and a real machine subnet. The vm subnet is 172.16.187.0/24 and the real machine subnet is 192.168.0.0/24. SMB is working OK except that there appears to be some firewalling issue involving machines that are not physically part of my workstation; they aren't announcing properly. I'll sort that out eventually and for now lmhosts works fine for those machines.

I've been playing with blocking microsoft using iptables, and I have managed to do so...for my workstation but not for the virtual machines on my workstation. I realize that iptables is far from the best way to block a website, but one step at a time...one step at a time.

Commands like this:

iptables -I INPUT -s 207.46.0.0/16 -j DROP

have killed the address ranges that I have identified at this time as being microsoft's. However, I seem to be missing something; I have not managed to come up with a command that successfully blocks microsoft.com, coming from the 172 subnet. In fact, at this time, I have the curious condition where my Linux workstation can't connect to microsoft.com, and my Windows VMs do it without issue.

Can anyone tell me what I am missing, and how to do this? My topology is what you would expect: a physical machine connected through eth2 to a router (there is no eth0 or eth1 on this machine). The internal virtual connection to the 172 subnet is vmnet1. The system is using shorewall.
 
#6  jiml8 (original poster), Senior Member, 03-24-2010 07:13 PM
D'uh.

I was tired when I wrote that last post.

iptables -I FORWARD -s 172.16.187.0/24 -d 207.46.0.0/16 -p all -j DROP

kills most of microsoft.com. There are some other URLs and I will change the rules to block specific portions of the microsoft website, rather than this blanket "kill" policy. I'm now trying to find where the microsoft genuine advantage validation URL is. My copy is authentic - I purchased it at Fry's, and I validated it. But Win7 calls the mothership periodically and I just won't let it do that.
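The host-only plumbing from #5 and the FORWARD rule from #6, put together as one script with the enable/disable switch asked for in #1. This is an added example, not code from the thread or from jiml8. It assumes the values the posts give (vmnet1, eth2, 172.16.187.0/24, 207.46.0.0/16); the chain name VMBLOCK, the sub-commands and the DRYRUN switch are this example's own choices. The reason #5 failed is built into the comments: the nat table never drops anything, INPUT only sees packets addressed to the host itself, and traffic routed through the host from vmnet1 to eth2 only passes FORWARD. Two caveats a practitioner would want: a hostname given to -d is resolved once, when the rule is inserted, so blocking by address range as the posts do is the right approach; and on a box where shorewall already owns the firewall, these rules would normally be expressed in shorewall's own configuration rather than inserted beside it.

```shell
#!/bin/sh
# Added example, not code from the thread: filter a VMware host-only subnet at
# the Linux host with iptables, keeping the block list in its own chain so it
# can be emptied (let Windows phone home) and reloaded without touching NAT.
#
# Assumed values, taken from the thread; override via the environment:
#   VM_NET  172.16.187.0/24  the host-only VM subnet
#   VM_IF   vmnet1           VMware's host-only interface on the host
#   WAN_IF  eth2             the physical uplink
# The chain name VMBLOCK and the sub-commands are this example's own choices.
# Set DRYRUN=1 to print the commands instead of executing them (no root needed).

VM_NET=${VM_NET:-172.16.187.0/24}
VM_IF=${VM_IF:-vmnet1}
WAN_IF=${WAN_IF:-eth2}
CHAIN=VMBLOCK

# Execute a command, or in dry-run mode print it, one command per line.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time plumbing. Note the split of responsibilities:
#  - the nat table only rewrites addresses, it never drops anything;
#  - INPUT only sees packets addressed to the host itself, so an INPUT rule
#    cuts off the host and leaves the VMs alone (the symptom in post #5);
#  - traffic routed *through* the host from vmnet1 to eth2 passes FORWARD,
#    which is where the block list has to be hooked in.
setup() {
    run sysctl -w net.ipv4.ip_forward=1
    # NAT only what leaves on the uplink; VM-to-host traffic stays unrewritten.
    run iptables -t nat -A POSTROUTING -s "$VM_NET" -o "$WAN_IF" -j MASQUERADE
    run iptables -N "$CHAIN"
    # Consult the block list before any other FORWARD rule (e.g. shorewall's).
    run iptables -I FORWARD 1 -i "$VM_IF" -s "$VM_NET" -j "$CHAIN"
}

# Block one destination CIDR for the whole VM subnet. LOG first so the kernel
# log shows which ranges a guest actually tries; REJECT rather than DROP so the
# guest fails fast instead of retrying until a timeout.
block() {
    run iptables -A "$CHAIN" -d "$1" -j LOG --log-prefix "vmblock:" --log-level 4
    run iptables -A "$CHAIN" -d "$1" -j REJECT --reject-with icmp-admin-prohibited
}

# Empty the chain: the VMs may reach everything (e.g. while validation runs).
allow_all() {
    run iptables -F "$CHAIN"
}

# Replace the block list with the given CIDRs: one flush, then a LOG/REJECT
# pair per destination.
reload() {
    run iptables -F "$CHAIN"
    for cidr in "$@"; do
        block "$cidr"
    done
}

# Show the list with packet counters; a rule with zero hits is not seeing
# the guest traffic you think it is.
status() {
    run iptables -L "$CHAIN" -n -v --line-numbers
}

usage() {
    echo "usage: $0 setup | block CIDR | allow-all | reload CIDR... | status" >&2
}

# Command-line entry point. With no arguments nothing happens, so the file can
# also be sourced for its functions.
if [ $# -gt 0 ]; then
    case "$1" in
        setup)     setup ;;
        block)     [ -n "${2:-}" ] || { usage; exit 2; }; block "$2" ;;
        allow-all) allow_all ;;
        reload)    shift; reload "$@" ;;
        status)    status ;;
        *)         usage; exit 2 ;;
    esac
fi
```

Run `setup` once after the VMs are on the host-only network, then `reload 207.46.0.0/16` (plus whatever other ranges you identify), `allow-all` before letting validation or Windows Update run, and `reload` again afterwards. `status` shows the chain with hit counters, so whether guest traffic is actually reaching the rules is visible at a glance; with `DRYRUN=1` every sub-command just prints what it would execute, which is a cheap way to review the rule set before touching a live firewall.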
 