QEMU: How to disable guests access to public internet but preserve their access to local (samba) network drive?
I've recently needed to block internet access to a virtual machine (kvm-qemu + virt-manager).
When you launch the virtual machine you'll find yourself with the following iptables rules on your host (if you don't already have some):
$ iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
This configuration allows the virtual machine to access the internet (FORWARD rules). So what you want to do is delete the FORWARD rules:
$ iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:domain
2 ACCEPT tcp -- anywhere anywhere tcp dpt:domain
3 ACCEPT udp -- anywhere anywhere udp dpt:bootps
4 ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
2 ACCEPT all -- 192.168.122.0/24 anywhere
3 ACCEPT all -- anywhere anywhere
4 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
5 REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT udp -- anywhere anywhere udp dpt:bootpc
$ iptables -D FORWARD 1
$ iptables -D FORWARD 2
$ iptables -D FORWARD 3
$ iptables -P FORWARD DROP
This should actually suffice to block internet access to the virtual machine. If you're paranoid you can block the Samba port directly from the router (with the router interface, or, if you have shell access to it, with the command-line firewall).
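An added audit script (not from the answer above or its author) that applies the same change by rule specification rather than by rule number, and then checks the result. It operates on the text of `iptables -S`, so it runs without root; both rulesets embedded in it are constructed samples: `SAMPLE_BEFORE` is the listing shown in the answer, `SAMPLE_AFTER` is the intended end state, not a capture. The reason the Samba share survives is visible in the rules: a guest on virbr0 talking to the host's own address is delivered locally through the INPUT chain (policy ACCEPT here), never through FORWARD, so removing forwarding does not touch it.

```shell
#!/bin/sh
# Added audit helpers, not part of the original answer. They work on the text of
# `iptables -S`; on a real host feed them "$(iptables -S)".

# Constructed sample: the ruleset shown in the answer, before any change.
SAMPLE_BEFORE='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT'

# Constructed sample: the intended end state (ACCEPT forwarding removed, policy DROP).
# INPUT is untouched: guest traffic to the host's own Samba service is delivered
# locally through INPUT, never through FORWARD, so the share stays reachable.
SAMPLE_AFTER='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT'

# Print every FORWARD rule that ACCEPTs traffic; these are what let guests reach
# the internet through the host.
forward_accept_rules() {
    printf '%s\n' "$1" | grep '^-A FORWARD ' | grep -- '-j ACCEPT$'
}

# Turn each "-A FORWARD <spec>" line into "iptables -D FORWARD <spec>".
# -D accepts the same specification as -A, so rules are deleted by their text;
# numeric deletion (-D FORWARD 1) renumbers the remaining rules after each call.
delete_commands() {
    forward_accept_rules "$1" | sed 's/^-A /iptables -D /'
}

# Exit 0 when the ruleset blocks guest forwarding: FORWARD policy is DROP and
# no ACCEPT rule is left in the FORWARD chain.
forward_is_blocked() {
    printf '%s\n' "$1" | grep -q '^-P FORWARD DROP$' || return 1
    [ -z "$(forward_accept_rules "$1")" ]
}

# Stand-alone run: show the commands for the sample, then audit both states.
delete_commands "$SAMPLE_BEFORE"
forward_is_blocked "$SAMPLE_BEFORE" && echo "before: blocked" || echo "before: guests can still be forwarded"
forward_is_blocked "$SAMPLE_AFTER" && echo "after: blocked" || echo "after: guests can still be forwarded"
```

To apply on a host, run `delete_commands "$(iptables -S)" | sh` as root, then `iptables -P FORWARD DROP`, and confirm with `forward_is_blocked "$(iptables -S)"`. libvirt re-creates its rules whenever the default network is started, so rerun the audit after a reboot or a network restart.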
Dave
Updated on September 18, 2022

Comments
- Dave almost 2 years: I'm using QEMU/KVM for virtualization of various machines. For sharing files between the guest systems and the host system I run a Samba server on the host which provides a network drive for the guest machines. All guests receive their network via the QEMU standard bridge virbr0. My question now is: How can I disable access to the public internet for all guests without blocking their access to the Samba network drive?
- Raman Sailopal over 6 years: Have you thought of a firewall rule?
- Anthony Geoghegan over 6 years: For attention of other queue reviewers: I'm voting to keep this question open as this is clearly not a request for learning materials. See unix.meta.stackexchange.com/q/3892/22812
- Dave over 6 years: @k.Cyborg: Thank you very much for this great advice! I will have a try with a second network interface!
- k.Cyborg over 6 years: Don't worry about it, just let me know if you solve your problem and if you want some ideas... Greetings and thanks for the feedback!
- Ciro Santilli Путлер Капут 六四事 almost 4 years: If you can use 9p, that works with -nic none. BTW: askubuntu.com/questions/884534/…