What is the simplest way to deny a virtual machine access to the internet, that is, outside a LAN subnet?

I'm guessing this has been covered previously, but I found no obvious threads.

I'd like to isolate a virtual machine from the internet but not a local network. I'm using VirtualBox and the Host Interface mode to allow access to the LAN.

IP addresses are static.

Unless I'm missing the big picture, Internal mode would not succeed as that mode is internal to the virtual machines and excludes the actual physical LAN.

From what I have read, perhaps a iptables firewall rule on the host machine will suffice, but I haven't found a good example of that.

I get the idea that another possibility is to block access at the router, which is a Linksys WRT54GL 1.1 with DD-WRT, but I don't know how to do that.

Thanks much.

This will allow anyone to get to it. But, it will not be able to get to anything else except the 192.168.0/26 network.

Are these rules for the host machine?

My host is a Linux based system, but the VMs might be other OSs too.

don't put a gateway address in the VM and set it to bridged.

Thanks for the suggestions. Hopefully I remember to update this thread with my final solution.

for preventing the VM from accessing the net I agree with this.

For preventing the net from sending packets to the VM you shouldn't need to do anything, unless the VM is on the same IP as a former server and you haven't removed the firewall/NAT port forwarding to that IP yet.