I need to block some ports (in/out) on the GUEST.

Posted: 14. Jun 2014, 14:22
by flako
Hello
I'm using HOST: VirtualBox 4.3.12 and SLES11SP3. GUEST: OpenServer 5.0.7
I need to block some ports (in/out) on the GUEST.
A firewall is not available in OpenServer; the only option is to do it from the HOST.

What is the simplest way to block ports to a guest? With VBoxManage, what can I do?

I am now using a direct bridge to the HOST NIC (eth0). But I'm not sure if iptables is useful in this scheme; should I define a virtual NIC and bridge it with brctl?

Re: I need to block some ports (in/out) on the GUEST.

Posted: 14. Jun 2014, 14:43
by noteirak
That depends on the network mode chosen:
- Internal (for the sake of completeness): Only the guest can block.
- NAT: VirtualBox only forwards defined ports, so by default everything is blocked.
- NAT Network: Same as NAT.
- Host-Only: VirtualBox cannot block; you need to use the firewall of the host.
- Bridged: Only the guest can block. The host or VirtualBox do not even see the traffic.

After that, you can always hack around with bridges on the host and so on, but that's not a VirtualBox issue then.

Re: I need to block some ports (in/out) on the GUEST.

Posted: 14. Jun 2014, 16:31
by flako
noteirak wrote: That depends on the network mode chosen:
- Internal (for the sake of completeness): Only the guest can block.
- NAT: VirtualBox only forwards defined ports, so by default everything is blocked.
- NAT Network: Same as NAT.
- Host-Only: VirtualBox cannot block; you need to use the firewall of the host.
- Bridged: Only the guest can block. The host or VirtualBox do not even see the traffic.

After that, you can always hack around with bridges on the host and so on, but that's not a VirtualBox issue then.

Thanks.
I'll try native NAT or bridges.

Re: I need to block some ports (in/out) on the GUEST.

Posted: 27. Jun 2014, 17:24
by flako
Thanks noteirak.
Solved it with a TAP interface (I did not like using NAT).
For further reading, we solved it with:

# brctl show
bridge name    bridge id            STP enabled    interfaces
br0            8000.ca6887baa995    no             eth0
                                                   tap0

# Start from an empty FORWARD chain that accepts by default
iptables -F FORWARD
iptables -P FORWARD ACCEPT
# Drop packets the connection tracker cannot classify, keep existing flows
iptables -A FORWARD -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block TCP/22 and UDP/488 in both directions for the guest (IP redacted)
iptables -A FORWARD -p tcp -s 0/0 -d xx.1x.1x.1xx --dport 22 -j DROP
iptables -A FORWARD -p tcp -s xx.1x.1x.1xx -d 0/0 --dport 22 -j DROP
iptables -A FORWARD -p udp -s 0/0 -d xx.1x.1x.1xx --dport 488 -j DROP
iptables -A FORWARD -p udp -s xx.1x.1x.1xx -d 0/0 --dport 488 -j DROP
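The rules in the last post only take effect if bridged frames are handed to iptables at all: the Linux bridge passes traffic through the FORWARD chain only when net.bridge.bridge-nf-call-iptables is enabled (provided by the br_netfilter module on kernels 3.18 and later, and built into the bridge module on older kernels such as the one in SLES11SP3). The script below is an added example, not code from the thread or from VirtualBox; it wraps the same host-side approach (tap0 bridged into br0, per-port DROP rules in both directions) into an idempotent helper. The guest address 192.0.2.10, the bridge name br0 and the DRY_RUN switch are assumptions made for the example; ports 22 and 488 are the ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent host-side port blocking
# for a bridged VirtualBox guest, following the FORWARD-chain approach above.
# Assumptions: br0 already contains the host NIC and the guest's tap0,
# the guest IP is the placeholder 192.0.2.10, and DRY_RUN=1 prints the
# commands instead of executing them (useful for review and for testing).
set -eu

DRY_RUN="${DRY_RUN:-0}"
GUEST_IP="${GUEST_IP:-192.0.2.10}"   # placeholder, TEST-NET-1 address

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Bridged frames traverse the iptables FORWARD chain only when this hook is
# on; without it the DROP rules below never match. br_netfilter is a separate
# module on kernels >= 3.18 and part of the bridge module before that, so a
# failed modprobe is tolerated.
enable_bridge_netfilter() {
    run modprobe br_netfilter 2>/dev/null || true
    run sysctl -w net.bridge.bridge-nf-call-iptables=1
}

# Emit the two rule specifications for one protocol/port: traffic towards the
# guest and traffic from the guest, one per line, without the iptables prefix.
rule_specs() {
    guest="$1"; proto="$2"; port="$3"
    printf 'FORWARD -p %s -d %s --dport %s -j DROP\n' "$proto" "$guest" "$port"
    printf 'FORWARD -p %s -s %s --dport %s -j DROP\n' "$proto" "$guest" "$port"
}

# Append a rule only if an identical one is not already present
# (iptables -C exits 0 when the rule exists), so re-running the script
# does not stack duplicate rules. $spec is intentionally unquoted so the
# shell splits it back into arguments.
add_rule_once() {
    spec="$1"
    if [ "$DRY_RUN" = "1" ] || ! iptables -C $spec 2>/dev/null; then
        run iptables -A $spec
    fi
}

# Block one protocol/port for the guest in both directions.
block_guest_port() {
    rule_specs "$1" "$2" "$3" | while IFS= read -r spec; do
        add_rule_once "$spec"
    done
}

# Baseline from the thread: drop untrackable packets, keep established flows.
install_baseline() {
    add_rule_once "FORWARD -m state --state INVALID -j DROP"
    add_rule_once "FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

apply_all() {
    enable_bridge_netfilter
    install_baseline
    block_guest_port "$GUEST_IP" tcp 22
    block_guest_port "$GUEST_IP" udp 488
}

# Only act when explicitly asked: ./block-guest.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_all
fi
```

Run with DRY_RUN=1 ./block-guest.sh apply first to review the exact iptables invocations; verify the hook with sysctl net.bridge.bridge-nf-call-iptables and the resulting chain with iptables -L FORWARD -n -v, where the packet counters on the DROP lines confirm that bridged traffic is actually reaching the chain.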