How to completely block/disable internet access on the host but still allow it on a guest

Discussions related to using VirtualBox on Linux hosts.
Jon20002000
Posts: 3
Joined: 19. Jul 2019, 12:40

How to completely block/disable internet access on the host but still allow it on a guest

Post by Jon20002000 »

One way would be to connect a WiFi USB dongle to the VM. Then the guest would be able to access the internet even if networking were disabled in the host.

Can the same or similar be achieved with a regular ethernet interface? Ideally using something better than just iptables rules?
towo2099
Volunteer
Posts: 362
Joined: 18. Aug 2014, 21:53
Primary OS: Debian Sid
VBox Version: PUEL
Guest OSses: Android, Linux

Re: How to completely block/disable internet access on the host but still allow it on a guest

Post by towo2099 »

Use bridged Network for the VM and remove the gateway in the nic settings from the host.
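A way to confirm the host side of this advice actually took effect, as an example added here (not VirtualBox code and not from any poster): the script parses the text of `ip -4 route show` from a Linux host and reports any remaining default route, which is what gives the host its internet path. The routing-table text below is constructed; pipe the real output in to audit a live host.

```python
#!/usr/bin/env python3
"""Audit a Linux host's IPv4 routing table for internet (default) routes.

Added example for this thread; not VirtualBox code. Parses the plain-text
output of `ip -4 route show`. Pipe real output in, or run with no stdin to
use the constructed sample below.
"""
import sys

# Constructed sample: a host whose DHCP client still installed a gateway.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50 metric 100
169.254.0.0/16 dev eth0 scope link metric 1000
"""


def parse_routes(text):
    """Return a list of dicts: destination, gateway ('via', or None), device."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        route = {"dst": fields[0], "via": None, "dev": None}
        # Walk adjacent token pairs so "via X" and "dev Y" are picked up wherever they sit.
        for key, value in zip(fields[1:], fields[2:]):
            if key == "via":
                route["via"] = value
            elif key == "dev":
                route["dev"] = value
        routes.append(route)
    return routes


def default_routes(routes):
    """Routes that give the host a path to the internet (with or without a gateway)."""
    return [r for r in routes if r["dst"] in ("default", "0.0.0.0/0")]


def audit(text):
    """Return (host_has_internet_route, list of offending route dicts)."""
    offenders = default_routes(parse_routes(text))
    return (bool(offenders), offenders)


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ROUTES
    has_route, offenders = audit(text)
    if has_route:
        for r in offenders:
            print(f"default route via {r['via']} on {r['dev']}: host still has internet access")
        # Remove it by hand with `ip route del default`; with NetworkManager, make the
        # removal persistent via `nmcli connection modify <name> ipv4.never-default yes`.
        sys.exit(1)
    print("no default route: host cannot reach the internet via routing")
```

Note that a bridged guest does not depend on the host's routing table at all: its frames go out on the physical NIC through the VirtualBox bridge driver, so the guest keeps its own gateway while the host has none.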
Jon20002000
Posts: 3
Joined: 19. Jul 2019, 12:40

Re: How to completely block/disable internet access on the host but still allow it on a guest

Post by Jon20002000 »

Also would like the guest to have no network access to the host, even if the guest becomes malicious.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: How to completely block/disable internet access on the host but still allow it on a guest

Post by mpack »

Give the VM its own USB WiFi dongle. Otherwise physical network I/O must go via the host, either NAT or Bridged.

In the NAT case the guest can't access the host, but the host must be able to access the internet.

In the bridged network case the VM is part of the same Ethernet LAN as the host.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: How to completely block/disable internet access on the host but still allow it on a guest

Post by socratis »

mpack wrote:In the NAT case the guest can't access the host
I'm afraid that this is not true. It's the reason that I had to modify the Overview of Networking Modes Table from its first revision and add specifically the VM<->Net/LAN columns, after it was pointed out to me some time ago, that using NAT/NATservice a guest could access the host/host's LAN resources (IP printers, other computers, everything)...

Using NAT/NATservice, the guest can always access the host and the LAN, even if only by IP. The host->guest on the other hand, has to have some sort of port forwarding set specifically for that purpose. It's actually the guest that's protected by default, not the host... ;)

To sum it up, if the guest has any sort of networking that is NOT the "Internal" networking option, there can be no complete isolation. But then the guest is isolated, and not going to have access to anything, except its own Internal network. Even if using a USB WiFi adapter, the guest will still be part of the LAN and will be able to access anything inside the router.

The only solution I can think of would be to have a separate router, with a different public IP, i.e. a 2nd line from your ISP, and using a USB to WiFi/Ethernet to connect to the 2nd router...
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
fth0
Volunteer
Posts: 5677
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Re: How to completely block/disable internet access on the host but still allow it on a guest

Post by fth0 »

There maybe(*) is another solution, which only needs one router and ISP, and involves VLANs:

Virtual LANs are a somewhat complicated topic, where even network professionals sometimes shoot themselves in the foot. The core idea is to have network traffic from multiple users transmitted on a common physical cabling infrastructure, separated only logically by VLAN tags. On the Wi-Fi side this is accomplished with multiple SSIDs (Wi-Fi networks).

VLANs are not only available in all professional switches, Wi-Fi access points and routers, but nowadays also in consumer devices: A common search term is guest wifi network.

(*) The maybe is owed to the fact that I do not know how the different VirtualBox networking concepts deal with VLAN tags ...
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: How to completely block/disable internet access on the host but still allow it on a guest

Post by socratis »

fth0 wrote:The maybe is owed to the fact that I do not know how the different VirtualBox networking concepts deal with VLAN tags ...
I could be wrong here, but I don't remember VirtualBox being able to cope with VLAN tags. A quick search shows that I might be right.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: How to completely block/disable internet access on the host but still allow it on a guest

Post by mpack »

socratis wrote:
mpack wrote:In the NAT case the guest can't access the host
I'm afraid that this is not true. It's the reason that I had to modify the Overview of Networking Modes Table from its first revision and add specifically the VM<->Net/LAN columns, after it was pointed out to me some time ago, that using NAT/NATservice a guest could access the host/host's LAN resources (IP printers, other computers, everything)...
Really? I was under the impression that NAT only does port forwarding for TCP transactions, so you can't access the full network functionality that way. It's one of the principal reasons for using Bridged or HostOnly.

So let's see. I just ran up a Win7-Pro 64bit VM (which uses NAT), and ran "arp -a" inside an administrator command console.
[Attachment: Win7ProArp.PNG, the "arp -a" output from the Win7 Pro VM]
My home network has a NAS, a printer that I know is visible to networked devices, Win10 tablet, Android tablet, Android phone, two smart TVs, etc etc. I'm not seeing those resources here.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: How to completely block/disable internet access on the host but still allow it on a guest

Post by socratis »

mpack wrote:Really? I was under the impression that NAT only does port forwarding for TCP transactions, so you can't access the full network functionality that way. It's one of the principle reasons for using Bridged or HostOnly.
I know, I know... I was under the same impression too! But, alas no. See comment 5 in ticket #16912, where I originally brought the idea of the Overview table, but I had to backpedal... :)
mpack wrote:My home network has a NAS, a printer that I know is visible to networked devices, Win10 tablet, Android tablet, Android phone, two smart TVs, etc etc. I'm not seeing those resources here.
I think I have the answer for that (but I could be wrong). When the discovery takes place, the packets from the LAN have to reach the VM, but they can't. Nothing externally originated can reach the VM when initiated from the LAN, it's not translatable, it hits the "NAT router". So you don't get to browse/"name resolute" your host's LAN resources. As I mentioned, only by knowing the IP will you get access.

Here's my Win7-32 VM's "arp -a" output. Note that the NAT address is 10.0.4.15, because it's the 3rd NIC in my config. #1 is HostOnly, #2 is Internal, #3 is NAT, and #4 is Bridged. Everything but #3 NAT is cable-disconnected. My LAN is in the 10.0.0.x range, for which "arp -a" has absolutely nothing:
C:\Windows\system32>arp -a
Interface: 10.0.4.15 --- 0xb
  Internet Address      Physical Address      Type
  10.0.4.2              52-54-00-12-35-02     dynamic
  10.0.4.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
But if I try manually to ping/connect, it works just fine:
C:\Users\Socratis>ping 10.0.0.129          <-- That's my 2nd host's IP
Pinging 10.0.0.129 with 32 bytes of data:
Reply from 10.0.0.129: bytes=32 time<1ms TTL=127
Reply from 10.0.0.129: bytes=32 time<1ms TTL=127
Reply from 10.0.0.129: bytes=32 time<1ms TTL=127
Reply from 10.0.0.129: bytes=32 time<1ms TTL=127

C:\Users\Socratis>ping 10.0.0.254          <-- That's my Router's IP
Pinging 10.0.0.254 with 32 bytes of data:
Reply from 10.0.0.254: bytes=32 time=1ms TTL=127
Reply from 10.0.0.254: bytes=32 time=1ms TTL=127
Reply from 10.0.0.254: bytes=32 time=1ms TTL=127
Reply from 10.0.0.254: bytes=32 time=1ms TTL=127

C:\Users\Socratis>net use * \\10.0.0.254\Shared1TB /persistent:no
Enter the user name for '10.0.0.254': socratis
Enter the password for 10.0.0.254:
Drive Z: is now connected to \\10.0.0.254\Shared1TB.

The command completed successfully.
Just try to connect to your NAS or your printer, strictly via their IP. You'll be going "Damn, I wasn't expecting that... :o" ;)
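The "arp -a" reading in this post, and the earlier point that a NAT guest can reach the host's LAN by IP, both come down to the same check, so here it is as a repeatable script (an example added here, not from any poster or from VirtualBox). It parses the Windows `arp -a` text format quoted above and sorts each neighbor into the guest's own NAT subnet, the host's LAN prefix (10.0.0.0/24 as in the post), multicast or broadcast. The sample table is a constructed copy of the posted output. The conclusion it prints is socratis's: an empty LAN column proves nothing, because a NAT guest only ever gets ARP entries for its NAT subnet, while guest-initiated connections to LAN addresses are still forwarded.

```python
#!/usr/bin/env python3
"""Classify ARP neighbors seen from a VirtualBox NAT guest.

Added example for this thread (not VirtualBox code). Parses the Windows
`arp -a` text format quoted in the post above. Pipe real `arp -a` output
in, optionally followed by the host LAN prefix as the first argument.
"""
import ipaddress
import re
import sys

# Constructed sample: the guest's NAT interface from the post (10.0.4.15).
SAMPLE_ARP = """\
Interface: 10.0.4.15 --- 0xb
  Internet Address      Physical Address      Type
  10.0.4.2              52-54-00-12-35-02     dynamic
  10.0.4.255            ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
"""

IFACE_RE = re.compile(r"^Interface:\s+(\S+)")
ENTRY_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f-]{17})\s+(\w+)", re.I)


def parse_arp(text):
    """Return (interface_ip, [(ip, mac, type), ...]) from Windows `arp -a` text."""
    iface = None
    entries = []
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = ipaddress.ip_address(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((ipaddress.ip_address(m.group(1)), m.group(2).lower(), m.group(3)))
    return iface, entries


def classify(text, lan_prefix, guest_prefixlen=24):
    """Bucket ARP entries into 'nat', 'lan', 'multicast', 'broadcast' and 'other'."""
    lan = ipaddress.ip_network(lan_prefix)
    iface, entries = parse_arp(text)
    # Assumption: the NAT subnet is the /24 around the guest's own address. VirtualBox NAT
    # defaults to 10.0.2.0/24 for the first adapter and counts up, hence 10.0.4.15 on NIC #3.
    nat_net = ipaddress.ip_network(f"{iface}/{guest_prefixlen}", strict=False)
    buckets = {"nat": [], "lan": [], "multicast": [], "broadcast": [], "other": []}
    for ip, _mac, _kind in entries:
        if ip == ipaddress.ip_address("255.255.255.255") or ip == nat_net.broadcast_address:
            buckets["broadcast"].append(str(ip))
        elif ip.is_multicast:
            buckets["multicast"].append(str(ip))
        elif ip in nat_net:          # checked before the LAN so a wide LAN prefix cannot swallow it
            buckets["nat"].append(str(ip))
        elif ip in lan:
            buckets["lan"].append(str(ip))
        else:
            buckets["other"].append(str(ip))
    return buckets


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ARP
    lan_prefix = sys.argv[1] if len(sys.argv) > 1 else "10.0.0.0/24"
    result = classify(text, lan_prefix)
    for name, ips in result.items():
        print(f"{name:10s} {', '.join(ips) or '-'}")
    if not result["lan"]:
        print("no LAN neighbors in the ARP cache; this does NOT show the LAN is unreachable:")
        print("NAT forwards guest-initiated connections and only hides the guest from LAN-initiated ones")
```

The only neighbor with a real MAC is 10.0.4.2, the VirtualBox NAT gateway; everything the guest sends to a LAN address goes through it and is translated to the host's own address, which is why the pings and the share mapping in the post succeed without a single LAN entry in the table.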