How do I isolate a Windows Virtual Machine in Virtualbox running in Ubuntu
This can be done in VirtualBox.
You must choose a connection which allows use of iptables to control packets. Thus neither NAT nor Bridge will do because they do not create a user-accessible NIC. You should use Host-only Network instead, which creates on the host a user-accessible interface called vboxnet0.
To configure it, File -> Preferences -> Network -> Host only Network -> Plus sign to create it, then Screwdriver -> DHCP Server, enable DHCP Server. Save settings, start the VM.
Now, on the guest you need to set the host as its gateway: default IP for the host is 192.168.56.1. Use Google to find instructions on how to do this on Windows. And, possibly, you may have to set the DNS servers.
On the host, all of these instructions as sudo:
1) Enable IP forwarding:
echo "1" > /proc/sys/net/ipv4/ip_forward
2) Issue the following iptables rules:
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -A FORWARD -m iprange --dst-range 192.168.1.2-192.168.1.254 -j DROP
iptables -I FORWARD -m iprange --src-range 192.168.1.2-192.168.1.254 -j DROP
The first rule allows the VM access to the internet; the second pair bans the VM from accessing the LAN, except of course for your router and broadcast address.
The above rules assume that the host is connected via eth0, that your LAN is 192.168.1.0/24, and that your router and broadcast address are 192.168.1.1 and 192.168.1.255, respectively. If they are not, change them accordingly.
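Added example (not from the answer above): a small Python helper that derives the LAN ranges to block from the subnet and router address, emits the NAT and FORWARD rules, and checks `iptables -S FORWARD` output to confirm the DROPs are in place ahead of any ACCEPT. It assumes the interface names and addresses used in the answer (eth0, vboxnet0, 192.168.1.0/24, router at .1) as defaults, and keys the DROP rules on vboxnet0, which is an added tightening over the answer's rules so they never affect the host's own LAN traffic; the sample `iptables -S` text is constructed.

```python
import ipaddress
import subprocess

def lan_drop_ranges(lan_cidr, router):
    """LAN host ranges to block, skipping only the router (hosts() already
    omits network and broadcast, so .0 and .255 are never included)."""
    net, router = ipaddress.ip_network(lan_cidr, strict=False), ipaddress.ip_address(router)
    ranges, start, prev = [], None, None
    for h in net.hosts():
        if h == router:
            if start is not None:
                ranges.append(f"{start}-{prev}")
            start = None
        else:
            start, prev = (start if start is not None else h), h
    if start is not None:
        ranges.append(f"{start}-{prev}")
    return ranges

def isolation_rules(wan_if="eth0", guest_if="vboxnet0", lan_cidr="192.168.1.0/24",
                    router="192.168.1.1"):
    """NAT the guest out of wan_if; drop forwarded traffic between the host-only
    interface and LAN hosts both ways (keying on guest_if is an added tightening)."""
    rules = [["iptables", "-t", "nat", "-A", "POSTROUTING", "-o", wan_if, "-j", "MASQUERADE"]]
    for r in lan_drop_ranges(lan_cidr, router):
        rules.append(["iptables", "-I", "FORWARD", "-i", guest_if,
                      "-m", "iprange", "--dst-range", r, "-j", "DROP"])
        rules.append(["iptables", "-I", "FORWARD", "-o", guest_if,
                      "-m", "iprange", "--src-range", r, "-j", "DROP"])
    return rules

def apply_rules(rules, dry_run=True):
    """Enable IP forwarding, then load the rules (needs root when dry_run=False)."""
    cmds = [["sysctl", "-w", "net.ipv4.ip_forward=1"]] + rules
    for c in cmds:
        print(" ".join(c)) if dry_run else subprocess.run(c, check=True)
    return len(cmds)

def forward_chain_isolates(iptables_s_output, rules):
    """Check `iptables -S FORWARD` text: every DROP rule present and listed before
    any ACCEPT rule (iptables -S prints rules that were inserted with -I as -A)."""
    lines = [l for l in iptables_s_output.splitlines() if l.startswith("-A")]
    drops = [" ".join(["-A", "FORWARD"] + r[3:]) for r in rules if r[1] == "-I"]
    first_accept = next((i for i, l in enumerate(lines) if l.endswith("ACCEPT")), len(lines))
    return all(d in lines[:first_accept] for d in drops)

# Constructed sample of `iptables -S FORWARD` output on a correctly set up host
SAMPLE_FORWARD = """-A FORWARD -o vboxnet0 -m iprange --src-range 192.168.1.2-192.168.1.254 -j DROP
-A FORWARD -i vboxnet0 -m iprange --dst-range 192.168.1.2-192.168.1.254 -j DROP"""
```

Call `apply_rules(isolation_rules())` to print the commands, and `apply_rules(isolation_rules(), dry_run=False)` as root to load them; because the guest's only path to the LAN is forwarding through the host, the DROPs hold no matter what address the guest assigns itself.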
user277244
Updated on September 18, 2022
Comments
-
user277244 over 1 year
I have searched and searched but not found a way to do this. The answers I found said to get a second nic and dedicate that to the windows guest. My host is linux mint 16.
I see how to specify a network adapter for the guest, but how do I make it so the windows guest has internet access but can't get to any other computer on the host's network.
I want to make sure that even if the guest's ip address is manually changed that it can't access the rest of the network. It should only see itself (and maybe the host).
-
user277244 over 10 years: Ok this did not quite work. I see where you are going with this but for some reason the guest has no internet access. I manually set the IP to 192.168.56.101 because the guest did not receive a gateway with DHCP. Also, for DNS I tried 192.168.1.1, 192.168.56.1, 8.8.8.8 and none worked. I can't ping out to anywhere, not even the vboxnet0 IP. Also, I ran into this problem with your scripts and made the same modification as here: stackoverflow.com/questions/14391035/… Any other ideas?
-
MariusMatutiae over 10 years: If the guest did not receive an IP address, it means you did not enable a DHCP server. What is the routing table on the guest? Can you ping from guest to host? Vice versa?
-
MariusMatutiae over 10 years: @xmrkite With a little modification which I inserted in my answer (thanks for pointing this out to me) this configuration works flawlessly on my system.