Firewall and virtual machine. How to temporally disable FW?

[abcuser]

Hi,
I have Ubuntu 8.04 as virtual host. On this host I have installed VirtualBox. I have installed Windows XP as virtual machine and installed HTTP server.

I would like temporally disable all network connections to host and virtual machine.
So on Ubuntu host I have set firewall settings:

Code: Select all

sudo iptables -F  (to flush - delete all firewall settings)
sudo iptables -P INPUT DROP (to disable all input traffic)
sudo iptables -P FORWARD DROP (to disable all forward traffic)
sudo iptables -P OUTPUT DROP (to disable all output traffic

List firewall settings:

Code: Select all

sudo iptables -L -n -v

outputs:

Code: Select all

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

I see I can't connect to internet from Ubuntu host, sample "sudo apt-get update" returns error.

But I can still connect to my HTTP server witch is running in virtual machine. This is strange. Why isn't this traffic prevented? What should I do to prevent all of the traffic to virtual machine and host?

I have two network adapters (ifconfig command): lo (local) and eth0 (ethernet). VirtualBox is using eth0 to communicate to internet.

P.S. There is no other firewall installed on Ubuntu like ufw.
Regards

[Perryg]

Humm,
It might be easier if we knew exactly what you are trying to accomplish.
Are you wanting the (2) guest to be able to communicate and not to the host or Internet?
Also it may be that the host/guests are in different segments is why the firewall is not working, not really sure at this point.

[abcuser]

It might be easier if we knew exactly what you are trying to accomplish.

I would like temporally disable all network connections to host and virtual machine.

Are you wanting the (2) guest to be able to communicate and not to the host or Internet?

Ones per month I need to do some administration work in virtual machines and I would like to temporally disable network connection. I would like to disable all traffic from end users to host and guest. I don't need any connection between host and guests or between guests. I just need to do some admin work inside each virtual machine and I would like to disable network connection in firewall.

Also it may be that the host/guests are in different segments is why the firewall is not working, not really sure at this point.

Can you explain more? What do you mean by different segments?

[Perryg]

Segments like Bridged 192.168.1.X and 10.0.1.x, or the Windows replacement address for no network connection.
Say the host is in the first segment 192.168.1.X and the hosts are in the 10.0.1.x and are simply using the host nic it may not be possible to actually use firewall filtering to achieve this.
Unless you can convince the firewall to join the other segment as well.
You also may be using vrdp and in the case you would have no problem with this on the host only, but if you have a different way to connect like I indicate above it may not work.
I guess you could firewall the guests too and run a script on them to shut them down too, but what about using VBoxManage to disconnect the network?
Would this work for you as well?

8.7.2. Networking settings
The following networking settings are available through VBoxManage modifyvm:

--cableconnected<1-N> on|off: This allows you to temporarily disconnect a virtual network interface, as if a network cable had been pulled from a real network card. This might be useful for resetting certain software components in the VM.