Linux Firewall to Reject Outgoing Nonlocal Traffic
Hi,
I'm pretty new to using Linux firewall settings and I was wondering if anyone here knew how to set up a Linux firewall to block outgoing traffic to nonlocal IP addresses? Specifically, I'm looking to set it up such that all traffic coming from the host OS to a VirtualBox VM running Linux is blocked for security reasons. Any help is greatly appreciated. |
Quote:
You could use iptables to say drop all packets from the source (your computer) to some destination subnet. It would look something like this:
Code:
iptables -A INPUT -i <interface> -s <host ip> -m iprange --dst-range <first guest ip>-<last guest ip> -j REJECT
(The --dst-range match belongs to the iprange module, so it needs -m iprange, and the range is written as first-last with a hyphen.)
For example: if you were to block all traffic in one direction, for say SSH, you wouldn't be able to talk to either computer inbound or outbound, as neither of them can establish a socket with the other. If you can talk to a machine, but it can't talk back to you, you can't establish a connection, because your computer would have no idea if the other computer got the messages you are sending, as the other computer wouldn't be able to reply. |
Thanks for the detailed answer. What I'm trying to do is to keep Internet access to the guest VM, but not allow the guest VM to see or interact with the host or any machine that's part of the LAN. I thought if I could restrict the traffic on the host NAT server to deny any outgoing traffic to nonlocal IP addresses, I can keep the guest VM from seeing the host or LAN (for example, pinging the host IP or reaching the router's web interface). I'm hoping to use Linux firewall commands to set this up. Do you happen to know if this would work or is even possible? If so, what would I need to do to set it up? Thanks.
|
Yes, it is possible, except the router's gateway address is the same as the web interface address. So, that might be a problem.
|
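The setup asked about above (guest keeps Internet access, but cannot reach the host or anything on the LAN), as an added example that is not from any poster in this thread. It assumes the "host NAT server" arrangement the question describes: the guest sits on a VirtualBox host-only adapter (assumed name vboxnet0, subnet 192.168.56.0/24) and the host routes and masquerades for it out its LAN interface (assumed eth0). It goes a little beyond the question by refusing every RFC 1918 and link-local destination rather than just the one LAN subnet, which also covers the router's web interface mentioned in the last reply. The script prints the rule set by default so it can be reviewed, and only applies it when run with --apply as root.

```shell
#!/bin/bash
# Added example (not from the original thread): isolate a VirtualBox guest on a
# host-only network from the host and LAN while still NATing it to the Internet.
# All interface names and addresses below are assumptions; override via env vars.
set -eu

GUEST_IF="${GUEST_IF:-vboxnet0}"            # host-only adapter on the host (assumed)
GUEST_NET="${GUEST_NET:-192.168.56.0/24}"   # host-only subnet the guest lives on (assumed)
WAN_IF="${WAN_IF:-eth0}"                    # host interface towards the LAN/router (assumed)
# Private and link-local ranges the guest must never reach: the host's own LAN,
# the router (gateway address == web interface address), any other private nets.
LOCAL_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16"

# Emit the rule set, one iptables command per line, in the order it must be
# applied. Order matters: the REJECTs for private destinations are appended
# before the general ACCEPT towards the Internet so they are matched first.
vm_isolation_rules() {
  net=""
  # Guest -> host itself: allow only DHCP (VirtualBox's DHCP server for the
  # host-only network runs on the host), refuse everything else (ping, SSH, ...).
  echo "iptables -A INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT"
  echo "iptables -A INPUT -i $GUEST_IF -j REJECT --reject-with icmp-admin-prohibited"
  # Guest -> any private address routed through the host: refuse. Traffic that
  # merely transits the router keeps a public IP destination, so it is unaffected.
  for net in $LOCAL_NETS; do
    echo "iptables -A FORWARD -i $GUEST_IF -d $net -j REJECT --reject-with icmp-admin-prohibited"
  done
  # Guest -> Internet: allow outbound, and allow only replies back in.
  echo "iptables -A FORWARD -i $GUEST_IF -o $WAN_IF -s $GUEST_NET -j ACCEPT"
  echo "iptables -A FORWARD -i $WAN_IF -o $GUEST_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $GUEST_IF -j REJECT --reject-with icmp-admin-prohibited"
  # Hide the guest subnet behind the host's LAN address.
  echo "iptables -t nat -A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE"
}

# Apply the rules (needs root). Forwarding must be enabled for the FORWARD
# chain to see guest traffic at all.
apply_rules() {
  sysctl -w net.ipv4.ip_forward=1
  vm_isolation_rules | while IFS= read -r cmd; do
    eval "$cmd"
  done
}

if [ "${1:-}" = "--apply" ]; then
  apply_rules
else
  vm_isolation_rules
fi
```

Two caveats a practitioner would check. First, this only works when the guest's packets actually traverse the host's netfilter, which is the case for a host-only or internal network with the host routing; in VirtualBox's default "NAT" attachment the guest traffic is handled by VirtualBox's own userspace NAT engine and leaves the host as the host's own traffic, so the FORWARD rules never see it. Second, because the router's address is refused, the guest can no longer use the router as its DNS server; give it a public resolver instead, or add a narrow ACCEPT for udp/tcp 53 to the router ahead of the REJECTs if that is acceptable.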