I'm running an untrustworthy guest on a host and wonder how I can prevent access to services on the host from the guest when I'm running in NAT network mode.
The guest seems to have full access to my host, going straight through the firewall.
There is no vbox interface on my host. I want the guest to have access to the internet through the host, but not access to services on the host itself.
Is this possible to achieve?
Preventing access to services from guest to host in NAT mode
-
Perryg
- Site Moderator
- Posts: 34369
- Joined: 6. Sep 2008, 22:55
- Primary OS: Linux other
- VBox Version: OSE self-compiled
- Guest OSses: *NIX
Re: Preventing access to services from guest to host in NAT mode
Quote: "The guest seems to have full access to my host, going straight through the firewall."
Can you explain why you think this, excluding the firewall that is, since the host's firewall should not affect the guest's network connection?
-
Sasquatch
- Volunteer
- Posts: 17798
- Joined: 17. Mar 2008, 13:41
- Primary OS: Debian other
- VBox Version: VirtualBox+Oracle ExtPack
- Guest OSses: Windows XP, Windows 7, Linux
- Location: /dev/random
Re: Preventing access to services from guest to host in NAT mode
I'm guessing that with NAT networking, all traffic from the Guest to the Host is seen as originating from localhost. This does not trigger the firewall rules. To get the Guest to go through the firewall first means changing the network settings. This can either be through Bridged, making the VM appear as a separate machine on the network, or set up a NAT environment on the Host using the Host-Only adapter and routing software of some kind. Built-in Internet Sharing can be used, but the VB DHCP has to be turned off for it to work properly.
You then set up the firewall accordingly. Since you use Windows XP as Host, I suggest using a third party firewall to have better control and more options. The default Windows one is quite limited in functionality.
Read the Forum Posting Guide before opening a topic.
VirtualBox FAQ: Check this before asking questions.
Online User Manual: A must read if you want to know what we're talking about.
Howto: Install Linux Guest Additions
Howto: Use Shared Folders on Linux Guest
See the Tutorials and FAQ section at the top of the Forum for more guides.
Try searching the forums first with Google and add the site filter for this forum.
E.g. install guest additions site:forums.virtualbox.org
Retired from this Forum since OSSO introduction.
-
utvikl
- Posts: 7
- Joined: 29. Dec 2010, 23:19
- Primary OS: Ubuntu other
- VBox Version: OSE Debian
- Guest OSses: linux
Re: Preventing access to services from guest to host in NAT mode
Sasquatch wrote: I'm guessing that with NAT networking, all traffic from the Guest to the Host is seen as originating from localhost. This does not trigger the firewall rules. To get the Guest to go through the firewall first means changing the network settings. This can either be through Bridged, making the VM appear as a separate machine on the network, or set up a NAT environment on the Host using the Host-Only adapter and routing software of some kind. Built-in Internet Sharing can be used, but the VB DHCP has to be turned off for it to work properly....
I guess this is the case and the NAT masquerading seems to be done in software and not by configuring a separate interface. It's not possible to init connections from host to guest as VB doesn't configure the route from the host to guest. The opposite way is, as you say, probably viewed as inited from the host by the host (which I didn't expect).
Will do as you suggest, using a host-only adapter and configure the routing manually unless someone knows how I can configure NAT routing over a separate vb network interface on the host. Thank you!
By the way, not using Win XP host, but using Linux host (updated my profile
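The setup the thread ends on (host-only adapter plus manual routing on a Linux host, so guest traffic arrives on a real interface the host firewall can filter), as an added example that is not part of the original posts. The interface names `vboxnet0` and `eth0`, the subnet `192.168.56.0/24` and the function name `emit_rules` are assumptions; substitute your own values.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: vboxnet0 = host-only
# adapter, eth0 = host uplink, 192.168.56.0/24 = host-only subnet.
# emit_rules only prints commands, so they can be reviewed before use:
#   sh this-script.sh vboxnet0 eth0 192.168.56.0/24 | sudo sh

emit_rules() {
    guest_if=$1 uplink_if=$2 guest_net=$3

    # Refuse to emit anything when an argument is missing.
    if [ -z "$guest_if" ] || [ -z "$uplink_if" ] || [ -z "$guest_net" ]; then
        echo "usage: emit_rules GUEST_IF UPLINK_IF GUEST_NET" >&2
        return 1
    fi
    # The values end up inside commands piped to a root shell:
    # accept only characters that can appear in interface names and CIDRs.
    case "$guest_if$uplink_if" in
        *[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    case "$guest_net" in
        *[!0-9./]*) echo "bad network" >&2; return 1 ;;
    esac

    # INPUT: packets from the guest addressed to ANY host address (the
    #   vboxnet0 address and the LAN address alike) arrive on guest_if.
    #   Replies to host-initiated connections pass; everything else drops.
    # FORWARD: the guest may only go out through the uplink.
    # POSTROUTING: masquerade so internet replies find their way back.
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -I INPUT 1 -i $guest_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT 2 -i $guest_if -j DROP
iptables -I FORWARD 1 -i $uplink_if -o $guest_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -i $guest_if -o $uplink_if -s $guest_net -j ACCEPT
iptables -I FORWARD 3 -i $guest_if -j DROP
iptables -t nat -A POSTROUTING -s $guest_net -o $uplink_if -j MASQUERADE
EOF
}

# Run as a script only when all three arguments are given.
if [ "$#" -eq 3 ]; then
    emit_rules "$@"
fi
```

Inside the guest, the default gateway has to be the host's address on the host-only network, and DNS has to point at a resolver that is not the host, since host services are now blocked.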