LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-18-2018, 08:33 AM   #1
quantumxaos
LQ Newbie
 
Registered: Oct 2017
Posts: 3

Rep: Reputation: Disabled
Linux Firewall to Reject Outgoing Nonlocal Traffic


Hi,

I'm pretty new to using Linux firewall settings and I was wondering if anyone here knew how to setup a Linux firewall to block outgoing traffic to nonlocal IP addresses? Specifically, I'm looking to set it up such that all traffic coming from the host OS to a Virtualbox VM running Linux is blocked for security reasons. Any help is greatly appreciated.
 
Old 05-18-2018, 12:49 PM   #2
/dev/random
Member
 
Registered: Aug 2012
Location: Ontario, Canada
Distribution: Slackware 14.1, LFS-current, NetBSD 6.1.3
Posts: 278

Rep: Reputation: 104Reputation: 104
Quote:
Originally Posted by quantumxaos View Post
Hi,

I'm pretty new to using Linux firewall settings and I was wondering if anyone here knew how to setup a Linux firewall to block outgoing traffic to nonlocal IP addresses? Specifically, I'm looking to set it up such that all traffic coming from the host OS to a Virtualbox VM running Linux is blocked for security reasons. Any help is greatly appreciated.
If you block all traffic from the host OS, then how will you connect to the VM?

You could use an iptables to say drop all packets from the source (your computer) to this some destination subnet.
Would look like something like this:

Code:
iptables -A INPUT -i <interface> -s <host ip> --dst-range <first guest ip> <last guest ip> -j REJECT
iptables -A OUTPUT -o <interface>  -d <host ip> --src-range <first guest ip> <last guest ip> -j REJECT
This will block all outgoing and incoming traffic to your guests from your host, you can't block only outgoing, because of way sockets and connections work.

For example:
If you were to block all traffic in one direction, for say SSH, you wouldn't be able to talk to either computer inbound or outbound as neither them can establish a socket with each other, If you can talk to a machine, but it can't talk back to you, you can't establish a connection, because your computer would have no idea if the other computer got the messages you are sending, as the other computer wouldn't be able to reply.
 
Old 05-18-2018, 06:01 PM   #3
quantumxaos
LQ Newbie
 
Registered: Oct 2017
Posts: 3

Original Poster
Rep: Reputation: Disabled
Thanks for the detailed answer. What I'm trying to do is to keep Internet access to the guest VM, but not allow the guest VM to see or interact with the host or any machine that's part of the LAN. I thought if I could restrict the traffic on the host NAT server to deny any outgoing traffic to nonlocal IP addresses, I can keep the guest VM from seeing the host or LAN (for example, pinging the host IP or reaching the router's web interface). I'm hoping to use Linux firewall commands to set this up. Do you happen to know if this would work or is even possible? If so, what would I need to do to set it up? Thanks.
 
Old Today, 12:10 AM   #4
AwesomeMachine
Senior Member
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 4,549

Rep: Reputation: 844Reputation: 844Reputation: 844Reputation: 844Reputation: 844Reputation: 844Reputation: 844
Yes, it is possible, except the router's gateway address is the same as the web interface address. So, that might be a problem.
 
  


Reply

Tags
firewall, iptables, iptables firewall block, virtual box


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
How Linux pick the default IP for outgoing traffic z_haseeb Red Hat 5 05-25-2016 11:15 AM
Traffic shaping (limiting outgoing bandwidth of all TCP-traffic except FTP/HTTP) ffkodd Linux - Networking 3 10-25-2008 12:09 AM
Intercept outgoing traffic through a firewall???? macburton Linux - Security 1 10-17-2004 01:10 PM
Linux firewall, cant get on my machine (stupid me) set reject to any TCP protocol AlexW Linux - Security 3 06-10-2004 04:07 PM
I need to inhibit outgoing web traffic on the firewall, and leave only Squid, How? mfeoli Linux - Networking 2 02-06-2004 09:54 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:35 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration