How to setup firewall for VM to make host destination unreachable?

Discussions related to using VirtualBox on Windows hosts.
wuming79
Posts: 5
Joined: 18. Jul 2017, 04:32

How to setup firewall for VM to make host destination unreachable?

Post by wuming79 »

Hi All,

I have set up 2 VirtualBox guest VMs as below.
Guest1: Win 7 natNetwork 10.0.2.4.
Guest2: Win 7 natNetwork 10.0.2.15.

My Host IP: 192.168.188.1

I have set the following rules in the windows firewall.
Host: Inbound/outbound block 10.0.2.4-10.0.2.15. (remote and local)
Guest1: Outbound block 192.168.188.1 (remote and local)
Guest2: Outbound block 192.168.188.1 (remote and local)

My ping results are as follows:
Host to Guest1/Guest2: Request timeout.
Guest1/Guest2 to host: ping returns results.

How should I set up my firewall so that the ping from guest to host will return destination unreachable?
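The rule set described in this post, as an added example that is not part of the original thread: the same host-side and guest-side Windows Firewall rules created with the NetSecurity cmdlets instead of the GUI, followed by a check of what each rule matches. The addresses (host 192.168.188.1, guests 10.0.2.4 and 10.0.2.15) are taken from the post; the rule display names are assumptions. One caveat a practitioner would want before chasing the "destination unreachable" result: a Windows Firewall Block rule silently drops packets and never sends ICMP destination unreachable, so a remote block shows up as a timeout and a local outbound block commonly shows up as "General failure". Only a router reply or a missing route produces "destination unreachable".

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell.
# Addresses come from the post; the rule display names are assumptions.
$HostIp     = '192.168.188.1'        # host's LAN address as given in the post
$GuestRange = '10.0.2.4-10.0.2.15'   # the two NAT Network guests

# --- On the HOST: block both directions to/from the guest address range ---
New-NetFirewallRule -DisplayName 'Block VM guests (in)'  -Direction Inbound  `
    -RemoteAddress $GuestRange -Action Block -Profile Any -Enabled True
New-NetFirewallRule -DisplayName 'Block VM guests (out)' -Direction Outbound `
    -RemoteAddress $GuestRange -Action Block -Profile Any -Enabled True

# --- On EACH GUEST: block both directions to/from the host's LAN address ---
New-NetFirewallRule -DisplayName 'Block host (out)' -Direction Outbound `
    -RemoteAddress $HostIp -Action Block -Profile Any -Enabled True
New-NetFirewallRule -DisplayName 'Block host (in)'  -Direction Inbound  `
    -RemoteAddress $HostIp -Action Block -Profile Any -Enabled True

# Verify which remote addresses the guest-side rules actually match
Get-NetFirewallRule -DisplayName 'Block host*' |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Check from the guest. A Block rule drops silently: expect PingSucceeded=False,
# not an ICMP "destination unreachable" reply (that only comes from a router
# or from a missing route, never from a host firewall drop).
Test-NetConnection -ComputerName $HostIp -InformationLevel Detailed
```

The `-RemoteAddress` range form matches both the host rules (a range of guest addresses) and the guest rules (a single host address); the same rules can be inspected afterwards with `Get-NetFirewallRule | Get-NetFirewallAddressFilter`, which is the quickest way to confirm that a GUI-entered "remote and local" scope ended up where you intended.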
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: How to setup firewall for VM to make host destination unreachable?

Post by socratis »

If you want your two VMs to be isolated from the host, yet talk to each other, you need the "Internal Network" option. For more details, see Ch. 6 of the User Manual.
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
BillG
Volunteer
Posts: 5104
Joined: 19. Sep 2009, 04:44
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10,7 and earlier
Location: Sydney, Australia

Re: How to setup firewall for VM to make host destination unreachable?

Post by BillG »

And firewall rules have nothing to do with VirtualBox. It makes no difference whether the machines and networks are physical or virtual, the firewall rules do not change.
Bill
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: How to setup firewall for VM to make host destination unreachable?

Post by scottgus1 »

Do you want internet in the guests while blocking access to the host? If so, see viewtopic.php?f=1&t=76667#p356720
wuming79
Posts: 5
Joined: 18. Jul 2017, 04:32

Re: How to setup firewall for VM to make host destination unreachable?

Post by wuming79 »

Hi,

I have made some changes.

Guest1: Added Inbound block 192.168.188.1 (remote and local)
Guest2: Added Inbound block 192.168.188.1 (remote and local)

My ping results are as follows:
Host to Guest1/Guest2: General Failure
Guest1/Guest2 to Host: General Failure
Guest1/Guest2 to host: ping returns results.

Currently Guest1/2 can access internet.

What does General Failure mean?

socratis: Internal Network is "NAT Network", right? I think it is working for Guest1 to Guest2 and vice versa.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: How to setup firewall for VM to make host destination unreachable?

Post by socratis »

wuming79 wrote:socratis: Internal Network is "nat Network" right? I think it is working for Guest 1 to Guest 2 and vice versa.
Not quite. NATService (aka "NAT Network") is a form of Internal network, with added internet access. Here is a quick summary of what's going on in the different modes:

+------------+-------------+-------------+----------------+----------------+
|            | VM <-> Host | VM1 <-> VM2 | VM -> Internet | VM <- Internet |
+------------+-------------+-------------+----------------+----------------+
| HostOnly   | Yes         | Yes         | No             | No             |
| Internal   | No          | Yes         | No             | No             |
| Bridged    | Yes         | Yes         | Yes            | Yes            |
| NAT        | No          | No          | Yes            | Port forward   |
| NATService | No          | Yes         | Yes            | Port forward   |
+------------+-------------+-------------+----------------+----------------+

For more details, please read in full ch. 6. Virtual networking.
wuming79
Posts: 5
Joined: 18. Jul 2017, 04:32

Re: How to setup firewall for VM to make host destination unreachable?

Post by wuming79 »

I mean now that I can ping VM1 to VM2 using NAT Network and they are able to surf the net, I assumed I am in an internal network. My concern now is the general failure. Is it still safe to say the host is cut off from the 2 guests?
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: How to setup firewall for VM to make host destination unreachable?

Post by socratis »

To tell you the truth, I personally haven't quite figured this out 100%. Theoretically, you're supposed to be isolated. Theoretically, if you're using NAT or NATService there is no communication between host and guest. However...

I can still ping my host from VM(s) when I use the NAT or NATService options. And up to a point it makes sense, the host is the one that traffic has to go through. So for example, if my NATService is in the 192.168.40.0/24 range, and my host is 10.0.0.101 and my home network's gateway is 10.0.0.1, I can still ping everything from the guest. But that's as far as it will go, nothing more than a ping.
wuming79
Posts: 5
Joined: 18. Jul 2017, 04:32

Re: How to setup firewall for VM to make host destination unreachable?

Post by wuming79 »

But then how do the folks testing malware do it? If it's a worm, there has got to be a way to block it, right? I just hope General Failure means there is no connection...
scottgus1
Site Moderator
Posts: 20945
Joined: 30. Dec 2009, 20:14
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux

Re: How to setup firewall for VM to make host destination unreachable?

Post by scottgus1 »

wuming79 wrote:Internal Network is "nat Network" right?
wuming79 wrote:using natnetwork ... I assumed I am in internal network
Negative. Two different animals. Virtualbox has an Internal, and a NAT, and a NAT Network. You'll need to keep the terminology straight to be understood at first read on the forum. You are using NAT Network. Internal does not allow any network activity outside of the Virtualbox processing space within your host PC. No host LAN, no host anything, no internet, on any guests connected to that internal network. NAT Network is a different beast.

NAT and NAT Network are like house routers. They connect attached guests to the host's LAN just like a house router connects your house PCs to the internet. Anything on the internet can be accessed from your house PCs, but the house PCs cannot be accessed from the internet except through ports opened in the router's firewall. So also with NAT and NAT Network. You can access any host and physical LAN shared folders and services by IP address from a NATted (or possibly NAT-Networked) guest. The physical LAN can't access the guests except through opened ports in NAT / NAT Network.

The difference between NAT and NAT Network is simple. See Socratis' table. NAT is a "router" with only one LAN port for only one guest. That guest can communicate with the internet and with host services via IP address, but can't talk to any other guests on other NATs or NAT Networks.

NAT Network is a "router" with as many LAN ports as guests you attach to it. The attached guests can communicate freely between themselves and the host's services via IP address, and the internet, but not with guests on other NATs or NAT Networks.

Virtualbox NAT (and I assume NAT network) doesn't isolate the host. See my earlier linked post on how to isolate the host LAN completely while allowing internet into the NAT network.
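The mode switch recommended in this thread (socratis's table and scottgus1's explanation of why NAT and NAT Network do not isolate the host), as an added example that is not part of the original thread or of VirtualBox's own documentation: the two guests moved from NAT Network to an Internal Network with VBoxManage, a DHCP server added so they still get addresses, and the attachment verified. The VM names "Guest1" and "Guest2", the internal network name "isolated", the 10.10.10.0/24 range and the default install path are assumptions; the VBoxManage option spelling is the one current at the time of the thread (VirtualBox 5.x/6.x), and newer releases accept it as the legacy form.

```powershell
# Added example, not from the original thread. VM names, network name, address
# range and install path are assumptions. Run while the guests are powered off.
$VBoxManage = Join-Path $env:ProgramFiles 'Oracle\VirtualBox\VBoxManage.exe'
$Vms        = 'Guest1', 'Guest2'
$NetName    = 'isolated'   # any string; guests with the same name see each other

# 1. Internal Network: VM1 <-> VM2 only. No host, no host LAN, no internet.
#    This is the row "Internal" in the table above.
foreach ($vm in $Vms) {
    & $VBoxManage modifyvm $vm --nic1 intnet --intnet1 $NetName
}

# An internal network has no DHCP unless you add one, so either give the
# guests static addresses or let VirtualBox serve them (the server lives
# inside VirtualBox's own process space; it is not a host network interface).
& $VBoxManage dhcpserver add --netname $NetName --ip 10.10.10.1 `
    --netmask 255.255.255.0 --lowerip 10.10.10.100 --upperip 10.10.10.200 --enable

# 2. For contrast, the "NATService" row: guests see each other and the
#    internet, but can still reach the host's LAN address through the NAT
#    engine, which is why the poster's pings to the host kept working.
#    (Commented out; it is the configuration the thread is moving away from.)
# & $VBoxManage natnetwork add --netname 'natnet1' --network '10.0.2.0/24' --enable --dhcp on
# foreach ($vm in $Vms) { & $VBoxManage modifyvm $vm --nic1 natnetwork --nat-network1 'natnet1' }

# 3. Verify: each NIC 1 line should now read "Attachment: Internal Network 'isolated'".
foreach ($vm in $Vms) {
    & $VBoxManage showvminfo $vm | Select-String -Pattern '^NIC 1:'
}
```

Once both guests sit on the internal network, no host firewall rule is needed to keep them off the host: there is simply no path, and that is a stronger guarantee than a Block rule whose scope can be typed wrong. The trade-off is exactly the one in the table: an Internal Network has no internet, so a sample that needs a command-and-control channel will not show that behaviour; for that case the earlier linked post on filtering a NAT Network on the host is the route, not the host firewall alone.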