QEMU: How to disable guests access to public internet but preserve their access to local (samba) network drive?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












I'm using QEMU/KVM for virtualization of various machines. For sharing files between the guest systems and the host system I run a Samba-server on the host which provides a network drive for the guest machines.



All guests receive their network via QEMU standard bridge virbr0.




My question now is:



How can I disable access to public internet for all guests without blocking their access to the Samba network drive?







share|improve this question






















  • Have you thought of a firewall rule?
    – Raman Sailopal
    Jan 22 at 14:44






  • 1




    I think you're asking to do with QEMU/KVM? I don't work with this, I only have virtual machines in Virtualbox, in this software I configure two network interfaces for each virtual machine, one for the network where I configure the gateway (you can only have one gateway per machine) and the other network where I'm posting the repos (without a gateway). If you don't configure a gateway you don't have a way to reach the "public internet" and still you have access to the Samba shared files. In this way you don't have to break your head with firewall rules.
    – k.Cyborg
    Jan 22 at 14:55






  • 1




    For attention of other queue reviewers: I'm voting to keep this question open as this is clearly not a request for learning materials. See unix.meta.stackexchange.com/q/3892/22812
    – Anthony Geoghegan
    Jan 22 at 23:53











  • @k.Cyborg: Thank you very much for this great advice! I will have a try with a second network interface!
    – Dave
    Jan 24 at 16:29










  • Don't worry about, only let me know if you solve your problem and if you want some ideas...Greetings and thanks for the feedback!
    – k.Cyborg
    Jan 24 at 16:33














up vote
0
down vote

favorite












I'm using QEMU/KVM for virtualization of various machines. For sharing files between the guest systems and the host system I run a Samba-server on the host which provides a network drive for the guest machines.



All guests receive their network via QEMU standard bridge virbr0.




My question now is:



How can I disable access to public internet for all guests without blocking their access to the Samba network drive?







share|improve this question






















  • Have you thought of a firewall rule?
    – Raman Sailopal
    Jan 22 at 14:44






  • 1




    I think you're asking to do with QEMU/KVM? I don't work with this, I only have virtual machines in Virtualbox, in this software I configure two network interfaces for each virtual machine, one for the network where I configure the gateway (you can only have one gateway per machine) and the other network where I'm posting the repos (without a gateway). If you don't configure a gateway you don't have a way to reach the "public internet" and still you have access to the Samba shared files. In this way you don't have to break your head with firewall rules.
    – k.Cyborg
    Jan 22 at 14:55






  • 1




    For attention of other queue reviewers: I'm voting to keep this question open as this is clearly not a request for learning materials. See unix.meta.stackexchange.com/q/3892/22812
    – Anthony Geoghegan
    Jan 22 at 23:53











  • @k.Cyborg: Thank you very much for this great advice! I will have a try with a second network interface!
    – Dave
    Jan 24 at 16:29










  • Don't worry about, only let me know if you solve your problem and if you want some ideas...Greetings and thanks for the feedback!
    – k.Cyborg
    Jan 24 at 16:33












up vote
0
down vote

favorite









up vote
0
down vote

favorite











I'm using QEMU/KVM for virtualization of various machines. For sharing files between the guest systems and the host system I run a Samba-server on the host which provides a network drive for the guest machines.



All guests receive their network via QEMU standard bridge virbr0.




My question now is:



How can I disable access to public internet for all guests without blocking their access to the Samba network drive?







share|improve this question














I'm using QEMU/KVM for virtualization of various machines. For sharing files between the guest systems and the host system I run a Samba-server on the host which provides a network drive for the guest machines.



All guests receive their network via QEMU standard bridge virbr0.




My question now is:



How can I disable access to public internet for all guests without blocking their access to the Samba network drive?









share|improve this question













share|improve this question




share|improve this question








edited Apr 29 at 7:04

























asked Jan 22 at 14:25









Dave

300113




300113











  • Have you thought of a firewall rule?
    – Raman Sailopal
    Jan 22 at 14:44






  • 1




    I think you're asking to do with QEMU/KVM? I don't work with this, I only have virtual machines in Virtualbox, in this software I configure two network interfaces for each virtual machine, one for the network where I configure the gateway (you can only have one gateway per machine) and the other network where I'm posting the repos (without a gateway). If you don't configure a gateway you don't have a way to reach the "public internet" and still you have access to the Samba shared files. In this way you don't have to break your head with firewall rules.
    – k.Cyborg
    Jan 22 at 14:55






  • 1




    For attention of other queue reviewers: I'm voting to keep this question open as this is clearly not a request for learning materials. See unix.meta.stackexchange.com/q/3892/22812
    – Anthony Geoghegan
    Jan 22 at 23:53











  • @k.Cyborg: Thank you very much for this great advice! I will have a try with a second network interface!
    – Dave
    Jan 24 at 16:29










  • Don't worry about, only let me know if you solve your problem and if you want some ideas...Greetings and thanks for the feedback!
    – k.Cyborg
    Jan 24 at 16:33
















  • Have you thought of a firewall rule?
    – Raman Sailopal
    Jan 22 at 14:44






  • 1




    I think you're asking to do with QEMU/KVM? I don't work with this, I only have virtual machines in Virtualbox, in this software I configure two network interfaces for each virtual machine, one for the network where I configure the gateway (you can only have one gateway per machine) and the other network where I'm posting the repos (without a gateway). If you don't configure a gateway you don't have a way to reach the "public internet" and still you have access to the Samba shared files. In this way you don't have to break your head with firewall rules.
    – k.Cyborg
    Jan 22 at 14:55






  • 1




    For attention of other queue reviewers: I'm voting to keep this question open as this is clearly not a request for learning materials. See unix.meta.stackexchange.com/q/3892/22812
    – Anthony Geoghegan
    Jan 22 at 23:53











  • @k.Cyborg: Thank you very much for this great advice! I will have a try with a second network interface!
    – Dave
    Jan 24 at 16:29










  • Don't worry about, only let me know if you solve your problem and if you want some ideas...Greetings and thanks for the feedback!
    – k.Cyborg
    Jan 24 at 16:33















Have you thought of a firewall rule?
– Raman Sailopal
Jan 22 at 14:44




Have you thought of a firewall rule?
– Raman Sailopal
Jan 22 at 14:44




1




1




I think you're asking to do with QEMU/KVM? I don't work with this, I only have virtual machines in Virtualbox, in this software I configure two network interfaces for each virtual machine, one for the network where I configure the gateway (you can only have one gateway per machine) and the other network where I'm posting the repos (without a gateway). If you don't configure a gateway you don't have a way to reach the "public internet" and still you have access to the Samba shared files. In this way you don't have to break your head with firewall rules.
– k.Cyborg
Jan 22 at 14:55




I think you're asking to do with QEMU/KVM? I don't work with this, I only have virtual machines in Virtualbox, in this software I configure two network interfaces for each virtual machine, one for the network where I configure the gateway (you can only have one gateway per machine) and the other network where I'm posting the repos (without a gateway). If you don't configure a gateway you don't have a way to reach the "public internet" and still you have access to the Samba shared files. In this way you don't have to break your head with firewall rules.
– k.Cyborg
Jan 22 at 14:55




1




1




For attention of other queue reviewers: I'm voting to keep this question open as this is clearly not a request for learning materials. See unix.meta.stackexchange.com/q/3892/22812
– Anthony Geoghegan
Jan 22 at 23:53





For attention of other queue reviewers: I'm voting to keep this question open as this is clearly not a request for learning materials. See unix.meta.stackexchange.com/q/3892/22812
– Anthony Geoghegan
Jan 22 at 23:53













@k.Cyborg: Thank you very much for this great advice! I will have a try with a second network interface!
– Dave
Jan 24 at 16:29




@k.Cyborg: Thank you very much for this great advice! I will have a try with a second network interface!
– Dave
Jan 24 at 16:29












Don't worry about, only let me know if you solve your problem and if you want some ideas...Greetings and thanks for the feedback!
– k.Cyborg
Jan 24 at 16:33




Don't worry about, only let me know if you solve your problem and if you want some ideas...Greetings and thanks for the feedback!
– k.Cyborg
Jan 24 at 16:33










1 Answer
1






active

oldest

votes

















up vote
1
down vote



accepted










I've recently needed to block internet access to a virtual machine (kvm-qemu + virt-manager).



When you launch the virtual machine you'll find yourself with the following iptables rules on your host (if you don't already have some):




$ iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT



This configuration allows the virtual machine to access internet (FORWARD rules).
So what you want to do is delete the FORWARD rules:



$ iptables -L --list-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:domain
2 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
3 ACCEPT udp -- anywhere anywhere udp dpt:bootps
4 ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
2 ACCEPT all -- 192.168.122.0/24 anywhere
3 ACCEPT all -- anywhere anywhere
4 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
5 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:bootpc

$ iptables -D FORWARD 1
$ iptables -D FORWARD 2
$ iptables -D FORWARD 3
$ iptables -P FORWARD DROP


This should actually suffice to block internet access to the virtual machine.
If you're paranoid you can block the samba port directly from the router (with the router interface, or if you have a shell access to it with the command line firewall).



Hope this helps.






share|improve this answer




















    Your Answer







    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: false,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );








     

    draft saved


    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f418871%2fqemu-how-to-disable-guests-access-to-public-internet-but-preserve-their-access%23new-answer', 'question_page');

    );

    Post as a guest






























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    1
    down vote



    accepted










    I've recently needed to block internet access to a virtual machine (kvm-qemu + virt-manager).



    When you launch the virtual machine you'll find yourself with the following iptables rules on your host (if you don't already have some):




    $ iptables -S
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
    -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
    -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
    -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
    -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
    -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT



    This configuration allows the virtual machine to access internet (FORWARD rules).
    So what you want to do is delete the FORWARD rules:



    $ iptables -L --list-numbers
    Chain INPUT (policy ACCEPT)
    num target prot opt source destination
    1 ACCEPT udp -- anywhere anywhere udp dpt:domain
    2 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
    3 ACCEPT udp -- anywhere anywhere udp dpt:bootps
    4 ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

    Chain FORWARD (policy ACCEPT)
    num target prot opt source destination
    1 ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
    2 ACCEPT all -- 192.168.122.0/24 anywhere
    3 ACCEPT all -- anywhere anywhere
    4 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
    5 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

    Chain OUTPUT (policy ACCEPT)
    num target prot opt source destination
    1 ACCEPT udp -- anywhere anywhere udp dpt:bootpc

    $ iptables -D FORWARD 1
    $ iptables -D FORWARD 2
    $ iptables -D FORWARD 3
    $ iptables -P FORWARD DROP


    This should actually suffice to block internet access to the virtual machine.
    If you're paranoid you can block the samba port directly from the router (with the router interface, or if you have a shell access to it with the command line firewall).



    Hope this helps.






    share|improve this answer
























      up vote
      1
      down vote



      accepted










      I've recently needed to block internet access to a virtual machine (kvm-qemu + virt-manager).



      When you launch the virtual machine you'll find yourself with the following iptables rules on your host (if you don't already have some):




      $ iptables -S
      -P INPUT ACCEPT
      -P FORWARD ACCEPT
      -P OUTPUT ACCEPT
      -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
      -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
      -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
      -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
      -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
      -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
      -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
      -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
      -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
      -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT



      This configuration allows the virtual machine to access internet (FORWARD rules).
      So what you want to do is delete the FORWARD rules:



      $ iptables -L --list-numbers
      Chain INPUT (policy ACCEPT)
      num target prot opt source destination
      1 ACCEPT udp -- anywhere anywhere udp dpt:domain
      2 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
      3 ACCEPT udp -- anywhere anywhere udp dpt:bootps
      4 ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

      Chain FORWARD (policy ACCEPT)
      num target prot opt source destination
      1 ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
      2 ACCEPT all -- 192.168.122.0/24 anywhere
      3 ACCEPT all -- anywhere anywhere
      4 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
      5 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

      Chain OUTPUT (policy ACCEPT)
      num target prot opt source destination
      1 ACCEPT udp -- anywhere anywhere udp dpt:bootpc

      $ iptables -D FORWARD 1
      $ iptables -D FORWARD 2
      $ iptables -D FORWARD 3
      $ iptables -P FORWARD DROP


      This should actually suffice to block internet access to the virtual machine.
      If you're paranoid you can block the samba port directly from the router (with the router interface, or if you have a shell access to it with the command line firewall).



      Hope this helps.






      share|improve this answer






















        up vote
        1
        down vote



        accepted







        up vote
        1
        down vote



        accepted






        I've recently needed to block internet access to a virtual machine (kvm-qemu + virt-manager).



        When you launch the virtual machine you'll find yourself with the following iptables rules on your host (if you don't already have some):




        $ iptables -S
        -P INPUT ACCEPT
        -P FORWARD ACCEPT
        -P OUTPUT ACCEPT
        -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
        -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
        -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
        -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
        -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
        -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
        -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
        -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
        -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT



        This configuration allows the virtual machine to access internet (FORWARD rules).
        So what you want to do is delete the FORWARD rules:



        $ iptables -L --list-numbers
        Chain INPUT (policy ACCEPT)
        num target prot opt source destination
        1 ACCEPT udp -- anywhere anywhere udp dpt:domain
        2 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
        3 ACCEPT udp -- anywhere anywhere udp dpt:bootps
        4 ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

        Chain FORWARD (policy ACCEPT)
        num target prot opt source destination
        1 ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
        2 ACCEPT all -- 192.168.122.0/24 anywhere
        3 ACCEPT all -- anywhere anywhere
        4 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
        5 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

        Chain OUTPUT (policy ACCEPT)
        num target prot opt source destination
        1 ACCEPT udp -- anywhere anywhere udp dpt:bootpc

        $ iptables -D FORWARD 1
        $ iptables -D FORWARD 2
        $ iptables -D FORWARD 3
        $ iptables -P FORWARD DROP


        This should actually suffice to block internet access to the virtual machine.
        If you're paranoid you can block the samba port directly from the router (with the router interface, or if you have a shell access to it with the command line firewall).



        Hope this helps.






        share|improve this answer












        I've recently needed to block internet access to a virtual machine (kvm-qemu + virt-manager).



        When you launch the virtual machine you'll find yourself with the following iptables rules on your host (if you don't already have some):




        $ iptables -S
        -P INPUT ACCEPT
        -P FORWARD ACCEPT
        -P OUTPUT ACCEPT
        -A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
        -A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
        -A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
        -A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
        -A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
        -A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
        -A FORWARD -i virbr0 -o virbr0 -j ACCEPT
        -A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
        -A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
        -A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT



        This configuration allows the virtual machine to access internet (FORWARD rules).
        So what you want to do is delete the FORWARD rules:



        $ iptables -L --list-numbers
        Chain INPUT (policy ACCEPT)
        num target prot opt source destination
        1 ACCEPT udp -- anywhere anywhere udp dpt:domain
        2 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
        3 ACCEPT udp -- anywhere anywhere udp dpt:bootps
        4 ACCEPT tcp -- anywhere anywhere tcp dpt:bootps

        Chain FORWARD (policy ACCEPT)
        num target prot opt source destination
        1 ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
        2 ACCEPT all -- 192.168.122.0/24 anywhere
        3 ACCEPT all -- anywhere anywhere
        4 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
        5 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

        Chain OUTPUT (policy ACCEPT)
        num target prot opt source destination
        1 ACCEPT udp -- anywhere anywhere udp dpt:bootpc

        $ iptables -D FORWARD 1
        $ iptables -D FORWARD 2
        $ iptables -D FORWARD 3
        $ iptables -P FORWARD DROP


        This should actually suffice to block internet access to the virtual machine.
        If you're paranoid you can block the samba port directly from the router (with the router interface, or if you have a shell access to it with the command line firewall).



        Hope this helps.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Feb 12 at 18:27









        LotoLo

        383113




        383113






















             

            draft saved


            draft discarded


























             


            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f418871%2fqemu-how-to-disable-guests-access-to-public-internet-but-preserve-their-access%23new-answer', 'question_page');

            );

            Post as a guest













































































            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?