A couple of weeks ago, I completed a system upgrade that was motivated because I have to deploy Windows 7. I have to deploy it because my Windows development environment is getting very long in the tooth, and I have to become current again for a project of mine that is underway.

So, yesterday, I deployed Windows 7 Professional in VMware 7 hosted on Mandriva 2010. With my new upgrade, I have a very capable quad-core athlon system with an NVidia 240GT video card, and it runs Aero quite nicely in the virtual machine. I do have to say that Windows 7 looks nice and isn't too annoying to use, except - of course - when I need to dig into it to change some setting or another.

Now, on Windows, for many years I have used Zone Alarm firewall rather than the Windows firewall, because ZA monitors and controls outgoing connections. I have used this on both my Win2K development system (virtual machine) AND my Win XP laptop to keep microsoft applications (notably media player) from calling the mother ship when I didn't think they should. It has worked well.

So one of my first actions was to download the newest copy of ZA free firewall and deploy it on Windows 7, after disabling the Windows firewall.

Well guess what. ZA doesn't stop Windows from calling the mother ship. I have all settings on ZA set to "ask" before allowing anything to contact the net, but I've been playing with some multimedia things and the microsoft software has been talking on the internet as happy as you please, and ZA hasn't asked me a single time if it could do so.

Of course, when I ran a few tests with ping and tracert, ZA asked me. Also, I had to fiddle with ZA settings a bit to get the Windows 7 to successfully talk to my LAN.

But when Windows 7 wants to talk to microsoft, it talks regardless of what ZA says.

Well, when you get down to it, this is one reason I have Windows running in a VM...I WILL be in control, regardless of what microsoft wants.

Does anyone know of a tool that I could use from Mandriva to prevent a VMware client from talking to a website? I'd like to be able to easily enable/disable it so that I can let Win 7 talk to microsoft when I need for it to do so, but no other time.

I'm using bridged networking in VMware so all my virtual machines have their own IP addresses, but of course all of them (as well as my host Linux system) go through the same network adapter.

It seems to me that iptables would have to work for this, but I'm not at all sure how to set it up to do it given the bridge.

Why don't you just switch the vnic type from 'Bridged' to 'Host only' ? .. you can do it while the vm is running then 'ipconfig /release + /renew'

If I do that then I can't use this Windows 7 installation on my lan and can't access it from outside without circumlocutions.

Easier (I think) to just get control of it. I've been investigating ebtables and the linux bridging utilities. There is probably a solution there, though it looks like I have the opportunity to really hose my installation while I sort it out...

Oh wait a minute...

If I set up a host only network, I can then set my routing table so that I can find it from outside, and the availability of the virtual network interface will let iptables work on it.

Hmmm...

OK, I now have my VM networking happening through a "host only" network that VMware provides. I had to make a static routing entry in each vm routing table to provide a gateway, I had to manually specify DNS in each VM, and I had to use NAT in iptables to bind the virtual ethernet interface (vmnet1) to the physical device.

I tried for awhile to get shorewall to do it, but I didn't get that sorted out so I just used an iptables command:

iptables -t nat -A POSTROUTING -s 172.16.187.0/24 -p all -j MASQUERADE

My LAN is now subnetted; there is a virtual machine subnet and a real machine subnet. The vm subnet is 172.16.187.0/24 and the real machine subnet is 192.168.0.0/24. SMB is working OK except that there appears to be some firewalling issue involving machines that are not physically part of my workstation; they aren't announcing properly. I'll sort that out eventually and for now lmhosts works fine for those machines.

I've been playing with blocking microsoft using iptables, and I have managed to do so...for my workstation but not for the virtual machines on my workstation. I realize that iptables is far from the best way to block a website, but one step at a time...one step at a time.

Commands like this:

iptables -I INPUT -s 207.46.0.0/16 -j DROP

have killed the address ranges that I have identified at this time as being microsoft's. However, I seem to be missing something; I have not managed to come up with a command that successfully blocks microsoft.com, coming from the 172 subnet. In fact, at this time, I have the curious condition where my Linux workstation can't connect to microsoft.com, and my Windows VMs do it without issue.

Can anyone tell me what I am missing, and how to do this? My topology is what you would expect; a physical machine connected through eth2 to a router (there is no eth0 or eth1 on this machine). The internal virtual connection to the 172 subnet is vmnet1. The system is using shorewall.

D'uh.

I was tired when I wrote that last post.

iptables -I FORWARD -s 172.16.187.0/24 -d 207.46.0.0/16 -p all -j DROP

kills most of microsoft.com. There's some other URLs and I will change the rules to block specific portions of the microsoft website, rather than this blanket "kill" policy. I'm now trying to find where the microsoft genuine advantage validation URL is. My copy is authentic - I purchased it at Fry's, and I validated it. But Win7 calls the mothership periodically and I just won't let it do that.