How to completely block/disable internet access on the host but still allow it on a guest

One way would be to connect a wifi usb dongle to the VM. Then the guest would be able to access the internet even if networking were disabled in the host.
Can the same or similar be achieved with a regular ethernet interface? Ideally using something better than just iptables rules?
Re: How to completely block/disable internet access on the host but still allow it on a guest
Use bridged Network for the VM and remove the gateway in the nic settings from the host.
Re: How to completely block/disable internet access on the host but still allow it on a guest
Also would like the guest to have no network access to the host, even if the guest becomes malicious.
Re: How to completely block/disable internet access on the host but still allow it on a guest
Give the VM its own USB WiFi dongle. Otherwise physical network I/O must go via the host, either NAT or Bridged.
In the NAT case the guest can't access the host, but the host must be able to access the internet.
In the bridged network case the VM is part of the same Ethernet LAN as the host.
Re: How to completely block/disable internet access on the host but still allow it on a guest
> mpack wrote: In the NAT case the guest can't access the host

I'm afraid that this is not true. It's the reason that I had to modify the Overview of Networking Modes Table from its first revision and add specifically the VM<->Net/LAN columns, after it was pointed out to me some time ago, that using NAT/NATservice a guest could access the host/host's LAN resources (IP printers, other computers, everything)...
Using NAT/NATservice, the guest can always access the host and the LAN, even if only by IP. The host->guest on the other hand, has to have some sort of port forwarding set specifically for that purpose. It's actually the guest that's protected by default, not the host...
To sum it up, if the guest has any sort of networking that it's NOT of the "Internal" networking option, there can be no complete isolation. But then the guest is isolated, and not going to have access to anything, except its own Internal network. Even if using a USB WiFi adapter, the guest will still be part of the LAN and will be able to access anything inside the router.
The only solution I can think of would be to have a separate router, with a different public IP, i.e. a 2nd line from your ISP, and using a USB to WiFi/Ethernet to connect to the 2nd router...
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
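One practical check that follows from the post above: with VirtualBox, only a NIC in "Internal" mode (or one with no attachment / disconnected cable) gives the guest no path to the host or its LAN. The script below is an added example, not from this thread or from VirtualBox; it parses the key="value" lines that `VBoxManage showvminfo <vm> --machinereadable` prints and lists every NIC that could still expose the host or LAN. The sample output is constructed to mirror the 4-NIC layout (HostOnly, Internal, NAT, Bridged, only NAT cable-connected) described later in the thread.

```python
"""Audit a VirtualBox VM's NIC attachments for host/LAN isolation."""
import re
import subprocess

# Constructed sample of `VBoxManage showvminfo --machinereadable` output.
SAMPLE = """\
name="Win7-32"
nic1="hostonly"
cableconnected1="off"
nic2="intnet"
cableconnected2="on"
intnet2="isolated"
nic3="nat"
cableconnected3="on"
nic4="bridged"
cableconnected4="off"
bridgeadapter4="en0"
nic5="none"
"""

# Attachment modes that give the guest no route to the host or the LAN.
# NAT, NAT network, bridged, host-only and generic all do (per the thread).
ISOLATED = {"intnet", "none", "null"}
LINE_RE = re.compile(r'^(\w+)="?(.*?)"?$')

def parse(text):
    """Turn machinereadable key="value" lines into a dict."""
    return {m.group(1): m.group(2)
            for m in map(LINE_RE.match, text.splitlines()) if m}

def exposed_nics(info):
    """Return sorted (index, mode) pairs for NICs that can reach host/LAN.

    A disconnected cable is treated as not currently exposed, but note the
    cable can be reconnected at runtime, so the attachment mode is what
    ultimately matters for isolation.
    """
    found = []
    for key, mode in info.items():
        m = re.fullmatch(r"nic(\d+)", key)
        if not m or mode in ISOLATED:
            continue
        if info.get(f"cableconnected{m.group(1)}", "on") == "on":
            found.append((int(m.group(1)), mode))
    return sorted(found)

def audit_vm(name):
    """Live audit of a real VM; assumes VBoxManage is on PATH."""
    out = subprocess.run(["VBoxManage", "showvminfo", name, "--machinereadable"],
                         capture_output=True, text=True, check=True).stdout
    return exposed_nics(parse(out))

if __name__ == "__main__":
    for idx, mode in exposed_nics(parse(SAMPLE)):
        print(f"NIC {idx} ({mode}): guest can reach the host or LAN")
```

Run `audit_vm("<vm name>")` against a real VM to get the same list for it; an empty list means every NIC is internal, absent, or cable-disconnected.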
Re: How to completely block/disable internet access on the host but still allow it on a guest
There maybe(*) is another solution, which only needs one router and ISP, and involves VLANs:
Virtual LANs are a somewhat complicated topic, where even network professionals sometimes shoot themselves in the foot. The core idea is to have network traffic from multiple users transmitted on a common physical cabling infrastructure, separated only logically by VLAN tags. On the Wi-Fi side this is accomplished with multiple SSIDs (Wi-Fi networks).
VLANs are not only available in all professional switches, wifi access points and routers, but nowadays also in consumer devices: A common search term is guest wifi network.
(*) The maybe is owed to the fact that I do not know how the different VirtualBox networking concepts deal with VLAN tags ...
Re: How to completely block/disable internet access on the host but still allow it on a guest
> fth0 wrote: The maybe is owed to the fact that I do not know how the different VirtualBox networking concepts deal with VLAN tags ...

I could be wrong here, but I don't remember VirtualBox being able to cope with VLAN tags. A quick search shows that I might be right.
Re: How to completely block/disable internet access on the host but still allow it on a guest
> socratis wrote:
> > mpack wrote: In the NAT case the guest can't access the host
> I'm afraid that this is not true. It's the reason that I had to modify the Overview of Networking Modes Table from its first revision and add specifically the VM<->Net/LAN columns, after it was pointed out to me some time ago, that using NAT/NATservice a guest could access the host/host's LAN resources (IP printers, other computers, everything)...

Really? I was under the impression that NAT only does port forwarding for TCP transactions, so you can't access the full network functionality that way. It's one of the principle reasons for using Bridged or HostOnly.
So let's see. I just ran up a Win7-Pro 64bit VM (which uses NAT), and ran "arp -a" inside an administrator command console. My home network has a NAS, a printer that I know is visible to networked devices, Win10 tablet, Android tablet, Android phone, two smart TVs, etc etc. I'm not seeing those resources here.
Re: How to completely block/disable internet access on the host but still allow it on a guest
> mpack wrote: Really? I was under the impression that NAT only does port forwarding for TCP transactions, so you can't access the full network functionality that way. It's one of the principle reasons for using Bridged or HostOnly.

I know, I know... I was under the same impression too! But, alas no. See comment 5 in ticket #16912, where I originally brought the idea of the Overview table, but I had to backpedal...

> mpack wrote: My home network has a NAS, a printer that I know is visible to networked devices, Win10 tablet, Android tablet, Android phone, two smart TVs, etc etc. I'm not seeing those resources here.

I think I have the answer for that (but I could be wrong). When the discovery takes place, the packets from the LAN have to reach the VM, but they can't. Nothing externally originated can reach the VM when initiated from the LAN, it's not translatable, it hits the "NAT router". So you don't get to browse/"name resolute" your host's LAN resources. As I mentioned, only by knowing the IP will you get access.
Here's my Win7-32 VM's "arp -a" output. Note that the NAT address is 10.0.4.15, because it's the 3rd NIC in my config. #1 is HostOnly, #2 is Internal, #3 is NAT, and #4 is Bridged. Everything but #3 NAT is cable-disconnected. My LAN is in the 10.0.0.x range, for which "arp -a" has absolutely nothing:

    C:\Windows\system32>arp -a

    Interface: 10.0.4.15 --- 0xb
      Internet Address      Physical Address      Type
      10.0.4.2              52-54-00-12-35-02     dynamic
      10.0.4.255            ff-ff-ff-ff-ff-ff     static
      224.0.0.22            01-00-5e-00-00-16     static
      224.0.0.252           01-00-5e-00-00-fc     static
      239.255.255.250       01-00-5e-7f-ff-fa     static
      255.255.255.255       ff-ff-ff-ff-ff-ff     static

But if I try manually to ping/connect, it works just fine:

    C:\Users\Socratis>ping 10.0.0.129    <-- That's my 2nd host's IP

    Pinging 10.0.0.129 with 32 bytes of data:
    Reply from 10.0.0.129: bytes=32 time<1ms TTL=127
    Reply from 10.0.0.129: bytes=32 time<1ms TTL=127
    Reply from 10.0.0.129: bytes=32 time<1ms TTL=127
    Reply from 10.0.0.129: bytes=32 time<1ms TTL=127

    C:\Users\Socratis>ping 10.0.0.254    <-- That's my Router's IP

    Pinging 10.0.0.254 with 32 bytes of data:
    Reply from 10.0.0.254: bytes=32 time=1ms TTL=127
    Reply from 10.0.0.254: bytes=32 time=1ms TTL=127
    Reply from 10.0.0.254: bytes=32 time=1ms TTL=127
    Reply from 10.0.0.254: bytes=32 time=1ms TTL=127

    C:\Users\Socratis>net use * \\10.0.0.254\Shared1TB /persistent:no
    Enter the user name for '10.0.0.254': socratis
    Enter the password for 10.0.0.254:
    Drive Z: is now connected to \\10.0.0.254\Shared1TB.

    The command completed successfully.

Just try to connect to your NAS or your printer, strictly via their IP. You'll be going
Damn, I wasn't expecting that...