qemu guest is bypassing host's firewall

I've got an Ubuntu host running several virtual machines using qemu-kvm.

Every guest should use our local DNS server, so I blocked outgoing DNS requests using ufw on the host machine:

sudo ufw deny out dns

It's working fine on the host, and something like this won't work:

dig stackexchange.com @8.8.4.4

However, from the guests everyone can use any DNS server they like. Actually, I can see the packets going through the host to 8.8.4.4 without being blocked by the host, and the response being received by the guests.

The guests are using NAT as their network configuration, and I'm wondering whether this is how NAT works or whether I'm missing something else here.










dns virtual-machine firewall qemu nat






asked Aug 28 at 17:16









Ravexina

  • 2
    ufw deny applies only to locally originating or terminating traffic, not forwarded traffic such as to your VMs. You probably need a different firewall manager, other than ufw. You also should be using virt-manager instead of manually creating VMs. Libvirt has its own network filter which can block such traffic.
    – Michael Hampton
    Aug 28 at 19:16

  • 1
    Depending on how you configured networking with qemu-kvm, packets may or may not get forwarded by the host, and if they are not forwarded, they won't go through the iptables FORWARD chain and can't be filtered. So make sure you get a tun/tap interface in the host for each VM, set up the host to forward packets (and masquerade if necessary), and then you can add the correct filtering rules (with iptables if ufw can't do that).
    – dirkt
    Aug 29 at 5:42
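As an added example (not code from the question or from either comment), a POSIX sh helper that prints the FORWARD-chain rules both comments point at and checks an iptables -S FORWARD listing for the ordering problem with libvirt's own rules; the guest subnet 192.168.122.0/24 and the resolver address 10.0.0.53 are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or comments). Assumed values: guest
# subnet 192.168.122.0/24 (libvirt's default NAT network) and a hypothetical
# local resolver at 10.0.0.53.

# Print the iptables commands that let guests talk DNS only to the local
# resolver. They go in at position 1 of FORWARD: libvirt inserts its own
# ACCEPT rules at the top of that chain, so rules appended later (ufw's
# hooks included) never see guest traffic.
dns_forward_rules() {
    subnet=$1; resolver=$2
    for proto in udp tcp; do
        # printed bottom-up: each "-I FORWARD 1" lands above the previous one
        echo "iptables -I FORWARD 1 -s $subnet -p $proto --dport 53 -j REJECT"
        echo "iptables -I FORWARD 1 -s $subnet -p $proto --dport 53 -j LOG --log-prefix 'VM-DNS-LEAK '"
        echo "iptables -I FORWARD 1 -s $subnet -d $resolver -p $proto --dport 53 -j ACCEPT"
    done
}

# Read "iptables -S FORWARD" on stdin and print ok, shadowed or missing:
# the DNS REJECT/DROP must sit above libvirt's blanket ACCEPT for the subnet
# (or the jump to LIBVIRT_FWO on newer libvirt) or it is never reached.
check_dns_rule_order() {
    awk -v net="$1" '
        /^-A FORWARD/ { n++ }
        index($0, "-s " net) && /--dport 53( |$)/ && /-j (REJECT|DROP)/ && !deny { deny = n }
        ((index($0, "-s " net) && !/--dport 53( |$)/ && /-j ACCEPT/) || /-j LIBVIRT_FWO/) && !acc { acc = n }
        END {
            if (!deny) print "missing"
            else if (acc && acc < deny) print "shadowed"
            else print "ok"
        }'
}

# Constructed listings in the shape of "iptables -S FORWARD" output: the first
# is what you get when libvirt started after the REJECT was appended.
SAMPLE_SHADOWED='-P FORWARD DROP
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -j ufw-before-forward
-A FORWARD -s 192.168.122.0/24 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable'
SAMPLE_OK='-P FORWARD DROP
-A FORWARD -s 192.168.122.0/24 -p udp -m udp --dport 53 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -j ufw-before-forward'

dns_forward_rules 192.168.122.0/24 10.0.0.53            # commands to run as root
printf '%s\n' "$SAMPLE_SHADOWED" | check_dns_rule_order 192.168.122.0/24   # shadowed
```

Run the printed commands as root on the host, then pipe the live iptables -S FORWARD into check_dns_rule_order; libvirt re-inserts its rules whenever the virtual network is restarted, so repeat the check afterwards.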











