QEMU: How to disable guests access to public internet but preserve their access to local (samba) network drive?

I'm using QEMU/KVM for virtualization of various machines. For sharing files between the guest systems and the host system I run a Samba server on the host which provides a network drive for the guest machines.

All guests receive their network via the QEMU standard bridge virbr0.

My question now is:

How can I disable access to the public internet for all guests without blocking their access to the Samba network drive?
edited Apr 29 at 7:04
asked Jan 22 at 14:25
Dave
  • Have you thought of a firewall rule?
    – Raman Sailopal
    Jan 22 at 14:44

  • I think you're asking to do with QEMU/KVM? I don't work with this, I only have virtual machines in VirtualBox; in this software I configure two network interfaces for each virtual machine, one for the network where I configure the gateway (you can only have one gateway per machine) and the other network where I'm posting the repos (without a gateway). If you don't configure a gateway you don't have a way to reach the "public internet" and still you have access to the Samba shared files. In this way you don't have to break your head with firewall rules.
    – k.Cyborg
    Jan 22 at 14:55

  • For attention of other queue reviewers: I'm voting to keep this question open as this is clearly not a request for learning materials. See unix.meta.stackexchange.com/q/3892/22812
    – Anthony Geoghegan
    Jan 22 at 23:53

  • @k.Cyborg: Thank you very much for this great advice! I will have a try with a second network interface!
    – Dave
    Jan 24 at 16:29

  • Don't worry about it, only let me know if you solve your problem and if you want some ideas... Greetings and thanks for the feedback!
    – k.Cyborg
    Jan 24 at 16:33
1 Answer

accepted

I've recently needed to block internet access to a virtual machine (kvm-qemu + virt-manager).

When you launch the virtual machine you'll find yourself with the following iptables rules on your host (if you don't already have some):

$ iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT

This configuration allows the virtual machine to access the internet (FORWARD rules).
So what you want to do is delete the FORWARD rules:

$ iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target  prot opt source            destination
1    ACCEPT  udp  --  anywhere          anywhere          udp dpt:domain
2    ACCEPT  tcp  --  anywhere          anywhere          tcp dpt:domain
3    ACCEPT  udp  --  anywhere          anywhere          udp dpt:bootps
4    ACCEPT  tcp  --  anywhere          anywhere          tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
num  target  prot opt source            destination
1    ACCEPT  all  --  anywhere          192.168.122.0/24  ctstate RELATED,ESTABLISHED
2    ACCEPT  all  --  192.168.122.0/24  anywhere
3    ACCEPT  all  --  anywhere          anywhere
4    REJECT  all  --  anywhere          anywhere          reject-with icmp-port-unreachable
5    REJECT  all  --  anywhere          anywhere          reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
num  target  prot opt source            destination
1    ACCEPT  udp  --  anywhere          anywhere          udp dpt:bootpc

$ iptables -D FORWARD 1   # iptables renumbers the chain after each delete,
$ iptables -D FORWARD 1   # so deleting rule 1 three times removes the three
$ iptables -D FORWARD 1   # ACCEPT rules (numbered 1, 2 and 3 above)
$ iptables -P FORWARD DROP

This should actually suffice to block internet access to the virtual machine.
If you're paranoid you can block the Samba port directly from the router (with the router interface, or, if you have shell access to it, with the command-line firewall).

Hope this helps.
        answered Feb 12 at 18:27
        LotoLo
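Added example (my own Python, not code from the answer, from libvirt or from any of the posters; the rule dump is the one printed in the answer, embedded as a constructed sample): it turns the three ACCEPT forwarding rules into delete-by-spec commands plus `-P FORWARD DROP`, simulates what `-D FORWARD 1`, `2`, `3` actually removes once iptables renumbers after each delete, and checks that the guest-to-host path a Samba share on the host depends on (the INPUT chain, not FORWARD) stays open. Note that libvirt reinstalls its rules whenever the virbr0 network is restarted, so the clean-up has to be reapplied then.

```python
# Constructed sample: the `iptables -S` dump shown in the accepted answer
# (libvirt's default rules for the virbr0 NAT network).
SAMPLE_DUMP = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
"""


def chain_rules(dump, chain):
    """Return the '-A <chain> ...' lines of an `iptables -S` dump, in order."""
    return [ln for ln in dump.splitlines() if ln.startswith(f"-A {chain} ")]


def chain_policy(dump, chain):
    """Return the default policy ('ACCEPT', 'DROP', ...) of a chain."""
    for ln in dump.splitlines():
        if ln.startswith(f"-P {chain} "):
            return ln.split()[2]
    return None


def target_of(rule):
    """Return the -j target of one rule line ('ACCEPT', 'REJECT', ...)."""
    tokens = rule.split()
    return tokens[tokens.index("-j") + 1] if "-j" in tokens else None


def forward_cleanup_commands(dump, iface="virbr0"):
    """Delete every ACCEPT rule in FORWARD that touches iface, then set the
    FORWARD policy to DROP. Deleting by full rule spec does not depend on
    rule numbers, so the order of the commands does not matter."""
    cmds = []
    for rule in chain_rules(dump, "FORWARD"):
        if f" {iface} " in rule and target_of(rule) == "ACCEPT":
            cmds.append("iptables " + rule.replace("-A FORWARD", "-D FORWARD", 1))
    cmds.append("iptables -P FORWARD DROP")
    return cmds


def simulate_index_deletes(dump, indexes, chain="FORWARD"):
    """Apply `iptables -D <chain> n` for each n in order and return the rules
    that survive. iptables renumbers the chain after every delete, which is
    why `-D FORWARD 1`, `2`, `3` does not remove rules 1, 2 and 3."""
    rules = chain_rules(dump, chain)
    for n in indexes:
        del rules[n - 1]
    return rules


def host_reachable_from(dump, iface="virbr0"):
    """True if packets from iface to the host itself are not rejected. A Samba
    server on the host is reached through INPUT, not FORWARD, so the FORWARD
    clean-up above leaves it untouched as long as INPUT stays open."""
    if chain_policy(dump, "INPUT") != "ACCEPT":
        return False
    return not any(f"-i {iface}" in r and target_of(r) in ("REJECT", "DROP")
                   for r in chain_rules(dump, "INPUT"))


if __name__ == "__main__":
    for cmd in forward_cleanup_commands(SAMPLE_DUMP):
        print(cmd)
    print("host still reachable from virbr0:", host_reachable_from(SAMPLE_DUMP))
```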