Preventing access to services from guest to host in NAT mode
Posted: 18. Jun 2011, 22:59
by utvikl
I'm running an untrustworthy guest on a host and wonder how I can prevent access to services on the host from the guest when I'm running in NAT network mode.
The guest seems to have full access to my host, going straight through the firewall.
There is no vbox interface on my host. I want the guest to have access to the internet through the host, but not access to services on the host itself.
Is this possible to achieve?
Re: Preventing access to services from guest to host in NAT mode
Posted: 18. Jun 2011, 23:12
by Perryg
The guest seems to have full access to my host, going straight through the firewall.
Can you explain why you think this, excluding the firewall, that is, since the host's firewall should not affect the guest's network connection?
Re: Preventing access to services from guest to host in NAT mode
Posted: 18. Jun 2011, 23:40
by Sasquatch
I'm guessing that with NAT networking, all traffic from the Guest to the Host is seen as originating from localhost. This does not trigger the firewall rules. To get the Guest to go through the firewall first means changing the network settings. This can either be through Bridged, making the VM appear as a separate machine on the network, or set up a NAT environment on the Host using the Host-Only adapter and routing software of some kind. Built-in Internet Sharing can be used, but the VB DHCP has to be turned off for it to work properly.
You then set up the firewall accordingly. Since you use Windows XP as Host, I suggest using a third party firewall to have better control and more options. The default Windows one is quite limited in functionality.
Re: Preventing access to services from guest to host in NAT mode
Posted: 19. Jun 2011, 01:20
by utvikl
Sasquatch wrote: I'm guessing that with NAT networking, all traffic from the Guest to the Host is seen as originating from localhost. This does not trigger the firewall rules. To get the Guest to go through the firewall first means changing the network settings. This can either be through Bridged, making the VM appear as a separate machine on the network, or set up a NAT environment on the Host using the Host-Only adapter and routing software of some kind. Built-in Internet Sharing can be used, but the VB DHCP has to be turned off for it to work properly....
I guess this is the case, and the NAT masquerading seems to be done in software and not by configuring a separate interface. It's not possible to initiate connections from host to guest as VB doesn't configure the route from the host to the guest. The opposite way is, as you say, probably viewed as initiated from the host by the host (which I didn't expect).
Will do as you suggest, using a host-only adapter and configuring the routing manually, unless someone knows how I can configure NAT routing over a separate VB network interface on the host. Thank you!
By the way, not using a Win XP host, but using a Linux host (updated my profile).
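The host-only-plus-manual-routing setup the thread settles on, worked through for a Linux host as an added example (this is not code from the thread or from VirtualBox): the guest sits on the host-only adapter, the host forwards and masquerades its traffic out to the internet, and the host's own INPUT chain rejects everything the guest sends to the host itself. The interface names vboxnet0 and eth0 and the subnet 192.168.56.0/24 are assumptions (192.168.56.0/24 is VirtualBox's usual default for the first host-only adapter); the guest is assumed to use a static address in that subnet so no host-side DHCP or DNS service needs to be reachable.

```shell
#!/bin/sh
# Added example, not part of the thread or of VirtualBox.
# Assumed names (check `ip addr` on your host and adjust):
#   GUEST_IF  - VirtualBox host-only interface the guest is attached to
#   GUEST_NET - the host-only subnet the guest lives in
#   WAN_IF    - the host's uplink to the internet
GUEST_IF="${GUEST_IF:-vboxnet0}"
GUEST_NET="${GUEST_NET:-192.168.56.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Print the rule set one command per line without applying it, so it can be
# reviewed (or diffed against the running config) before it touches the host.
guest_nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE
iptables -A FORWARD -i $GUEST_IF -o $WAN_IF -s $GUEST_NET -j ACCEPT
iptables -A FORWARD -i $WAN_IF -o $GUEST_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $GUEST_IF -j DROP
iptables -I INPUT 1 -i $GUEST_IF -j REJECT --reject-with icmp-port-unreachable
EOF
}
# Notes on ordering: the INPUT rule is inserted at position 1 so it is evaluated
# before any broad ACCEPT the host firewall may already have; the FORWARD DROP
# closes the path from the guest to anything the ACCEPT above did not name.
# If the host's LAN should also be off-limits to the guest, add DROP rules for
# those destination ranges before the FORWARD ACCEPT line.

# Apply the rules on the host (needs root).
apply_guest_nat_rules() {
    guest_nat_rules | sudo sh -e
}

# Number of commands in the generated rule set; handy for a quick self-check.
guest_nat_rule_count() {
    guest_nat_rules | grep -c ''
}

if [ "${1:-}" = "apply" ]; then
    apply_guest_nat_rules
else
    guest_nat_rules
fi
```

Run the script with no arguments to see the rule set, and with `apply` to install it. To check the result from inside the guest, a connection to a service on the host's host-only address (for example port 22 on 192.168.56.1) should be refused immediately, while an outbound fetch to an internet site should still succeed.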
