nolehce

Securing Virtual Machines


I thought I would pose this question here as I cannot find a clean answer searching online. I run AirVPN via my Tomato router and it works great. I have a computer on my LAN that serves as a host for a VirtualBox guest VM that runs my torrent client. Both the host computer and guest VM run Windows 7. I would like to allow the guest VM to only have Internet access and have no access at all to either the host computer or the rest of the LAN.

 

Does anyone know how I would do that?

 

Much thanks!


Which virtualization software do you use?




Your question seems ambiguous as to what you mean by "internet access". Is that via the OpenVPN connection to AirVPN, or is that via your ISP?

 

I will make the assumption that you want to limit access via AirVPN because I do something similar. My virtual machine is limited in its ability to connect to the local network (it can only accept connections from certain machines in the network) and it can only access the internet via AirVPN. All of these restrictions are set in place not in the VM, but in the router. If AirVPN drops, the VM has no access to the internet.

 

How? I would use your router that runs Tomato. You will have to divide your network so that the VM has to route everything through your router to get anywhere. Once it can't get anywhere without having its packets routed, then you can use your router to set rules. Allow and block based upon MAC address and IP address and you should be able to isolate your VM to your desires.

 

The whole concept is that your VM is on a network that *has* to have the router make the decisions on what to do with the traffic. That means if your router address is 192.168.1.1 with a netmask of 255.255.255.0, your VM can not have a 192.168.1.X address with a netmask of 255.255.255.0. If this is a new concept for you, start reading on basic routing, subnetting and perhaps 802.11q VLANs. Your Tomato router does VLANs; it could also be helpful.


Yes I already have that setup. Tomato router is locked down to AirVPN using iptables rules. Once the connection to AirVPN terminates so does Internet access. That applies to all the machines on the network since all are behind the router.

 

What I would like to do differently on the VM is prevent the VM from accessing the local network. The VM has Internet access (AirVPN via Tomato router) I just want to prevent the VM from accessing other computers on the LAN. I'm looking for the most secure, expedient way of doing that.



Hello,

 

if the VM is attached to the host in "bridge mode", you can run a firewall in the VM dropping outgoing packets to any local address except your router address and (if you need DHCP) 255.255.255.255.

 

If the VM is attached to the host via NAT, in addition to the above option you can alternatively run a firewall on the host dropping packets from the VM to any local address except the router and the host machine address.

 

Kind regards

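To make the host-side option concrete, here is an added example (not code from the thread, from AirVPN or from VirtualBox) of that same policy written as iptables rules for a Linux host that runs the guest in NAT mode; the thread's host is Windows 7 with Comodo, where the equivalent is an application rule on the VirtualBox process. The user name vmuser, the router address 192.168.1.1 and the chain name VM_EGRESS are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: host-side egress policy for a VirtualBox
# guest attached in NAT mode, as iptables rules for a Linux host.
# Hypothetical values: the VM is started by the dedicated user "vmuser" and
# the router is 192.168.1.1. In NAT mode the guest's packets leave the host
# as packets owned by the VirtualBox process, so the OUTPUT chain with the
# owner match sees every one of them (bridged-mode frames bypass the host
# stack and must be filtered inside the guest instead).
ROUTER="${ROUTER:-192.168.1.1}"
VM_USER="${VM_USER:-vmuser}"
CHAIN="VM_EGRESS"

# Destinations the guest must never reach: RFC 1918, link-local, loopback.
# 127.0.0.0/8 also cuts the guest's path to host services via 10.0.2.2;
# drop that entry if the guest must reach the host.
LOCAL_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 169.254.0.0/16 127.0.0.0/8"

# Print the rule set (dry run). No -p option is given, so the DROP rules
# match every protocol, ICMP included; "-p tcp" and "-p udp" rules alone
# would still let the guest ping the LAN.
gen_rules() {
  echo "iptables -N $CHAIN 2>/dev/null || true"
  echo "iptables -F $CHAIN"
  echo "iptables -A $CHAIN -d $ROUTER -j ACCEPT"
  for net in $LOCAL_NETS; do
    echo "iptables -A $CHAIN -d $net -j DROP"
  done
  echo "iptables -A $CHAIN -j ACCEPT"
  # Hook the chain into OUTPUT for packets owned by the VM user; the -D first
  # keeps re-runs from stacking duplicate hooks.
  echo "iptables -D OUTPUT -m owner --uid-owner $VM_USER -j $CHAIN 2>/dev/null || true"
  echo "iptables -I OUTPUT 1 -m owner --uid-owner $VM_USER -j $CHAIN"
}

# Same first-match logic as the chain above, usable to sanity-check a
# destination before touching the firewall: prints ACCEPT or DROP.
decide() {
  dst="$1"
  if [ "$dst" = "$ROUTER" ]; then
    echo ACCEPT
    return 0
  fi
  case "$dst" in
    10.*|192.168.*|169.254.*|127.*) echo DROP ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo DROP ;;
    *) echo ACCEPT ;;
  esac
}

# APPLY=1 executes the generated commands (run as root); otherwise they are
# only printed for review.
if [ "${APPLY:-0}" = 1 ]; then
  gen_rules | sh -e
else
  gen_rules
fi
```

Run it as root with APPLY=1 to load the rules; without it the commands are only printed. Because no protocol is named, the DROP rules cover ICMP as well as TCP and UDP, which is what stops the guest from pinging LAN hosts. In bridged mode the host's iptables never sees the guest's frames, so the same drop list belongs in the guest's own firewall, with an extra accept for 255.255.255.255 if the guest obtains its address by DHCP.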


Excellent, thank you for the reply! I did not want to control this via a firewall within the VM itself, as the reason why I want to secure the VM from the local network is in case the VM gets hacked. I will be using the VM to test suspect programs, the VM needs Internet access but needs to be barred from accessing either the Host PC or the LAN.

 

So I guess that leaves me with attaching the VM as NAT and using Comodo firewall on the host as you indicated above. I was hoping to somehow do this on the Tomato router with iptables, but this should work just fine. I will muck around with Comodo and figure that part out, and report back once I know it is working or not.



Hello!

 

With the VM attached to the host via NAT, the host machine running Comodo and OpenVPN running on the Tomato router, there's an ultra-fast solution (with a side effect, though).

 

You can just use Application Rules for the virtualization software process (for example virtualbox.exe) to block any packet to devices in your local network (except the router, of course).

 

The side effect is that this block will affect all the VMs you run in the host through the same virtualization software process.

 

Kind regards


That works for me! I only use this one VM anyhow. If I ever needed to use another VM I could disable the rule, as I would never run this VM at the same time anyway.

 

I have set this up as suggested and it works fine, access to the LAN is now denied on the VM and Internet access works normally. The only thing is, the VM can still ping devices on the LAN. It cannot view their file shares, but it can ping them. If I also block the router address, no more pinging machines on the LAN but of course no more Internet access either.

 

Is there some way to also block pings?


Also, before, when I attached the VM in "bridged mode" my AirVPN port forwarding worked fine. But now that I have it attached as "NAT" I get this error when running the AirVPN forwarded port check: "Error : 113 - No route to host". But when I check the active connections in Comodo firewall inside the VM I see connections to Vuze peers on that same forwarded port, so it definitely appears to be working. The VM traffic is across AirVPN, and drops when AirVPN drops per iptables, so I know it is not going to the Internet directly.


Hello!

 

About the ping, probably you have blocked only TCP and/or UDP in the Application Rules. To solve the issue please either block IP, which includes ICMP, or add rules to block ICMP.

 

In order to forward a port to the VM you need to build a DNAT on the router AND forward the port(s) on the host machine virtualization software NAT to the guest. On the host machine just forward the appropriate ports through the relevant virtualization software options, while on Tomato have a look at our guide in the "How-To" section https://airvpn.org/topic/9270-how-to-forward-ports-in-dd-wrt-tomato-with-iptables

 

Kind regards

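Putting the two hops together, as an added example that is not from the thread, from the AirVPN guide or from VirtualBox: a script that prints the router-side DNAT rules and the VirtualBox NAT forward for one port. The port 51413, the OpenVPN client interface tun11, the host address 192.168.1.20, the guest address 10.0.2.15 and the VM name torrentbox are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example, not from the thread: the two forwarding hops a NAT-mode
# VirtualBox guest needs behind a Tomato router running the AirVPN OpenVPN
# client. Hypothetical values: forwarded port 51413, OpenVPN client
# interface tun11 (Tomato's first OpenVPN client), VM host LAN address
# 192.168.1.20, guest address 10.0.2.15 (VirtualBox's default NAT address),
# VM name "torrentbox". Commands are printed, not executed.
FWD_PORT="${FWD_PORT:-51413}"
VPN_IF="${VPN_IF:-tun11}"
HOST_LAN_IP="${HOST_LAN_IP:-192.168.1.20}"
GUEST_IP="${GUEST_IP:-10.0.2.15}"
VM_NAME="${VM_NAME:-torrentbox}"

# Hop 1, on the Tomato router: packets arriving through the tunnel for the
# forwarded port are rewritten to the host's LAN address (DNAT) and allowed
# through FORWARD. The FORWARD rule is inserted at the top of the chain so it
# precedes any kill-switch rules already there. Both TCP and UDP are
# forwarded because torrent clients use both.
router_rules() {
  for proto in tcp udp; do
    echo "iptables -t nat -A PREROUTING -i $VPN_IF -p $proto --dport $FWD_PORT -j DNAT --to-destination $HOST_LAN_IP:$FWD_PORT"
    echo "iptables -I FORWARD -i $VPN_IF -p $proto -d $HOST_LAN_IP --dport $FWD_PORT -j ACCEPT"
  done
}

# Hop 2, on the VM host: VirtualBox's NAT engine listens on the host port and
# relays to the guest. Rule format: name,proto,hostip,hostport,guestip,guestport
# (empty hostip = every host address). "modifyvm" needs the VM powered off;
# "VBoxManage controlvm <vm> natpf1 ..." takes the same rule on a running VM.
host_rules() {
  for proto in tcp udp; do
    echo "VBoxManage modifyvm \"$VM_NAME\" --natpf1 \"vuze-$proto,$proto,,$FWD_PORT,$GUEST_IP,$FWD_PORT\""
  done
}

# Print the full plan, hop by hop.
echo "# on the router ($VPN_IF -> $HOST_LAN_IP:$FWD_PORT)"
router_rules
echo "# on the VM host ($HOST_LAN_IP:$FWD_PORT -> $GUEST_IP:$FWD_PORT)"
host_rules
```

After both hops are in place the torrent client must still be listening on that port inside the guest, and the host firewall (Comodo in this thread) must allow inbound connections on the port to the VirtualBox process; an application rule that only blocks LAN destinations does not grant that.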
