QEMU: How to disable guests access to public internet but preserve their access to local (samba) network drive?


I've recently needed to block internet access to a virtual machine (kvm-qemu + virt-manager).

When you launch the virtual machine you'll find yourself with the following iptables rules on your host (if you don't already have some):

$ iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT

This configuration allows the virtual machine to access the internet (the FORWARD rules). So what you want to do is delete the FORWARD rules:

$ iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
3    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  192.168.122.0/24     anywhere            
3    ACCEPT     all  --  anywhere             anywhere            
4    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
5    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

# rules are renumbered after every delete, so deleting rule 1 three
# times removes the three ACCEPT rules (1, 2 and 3 in the listing above)
$ iptables -D FORWARD 1
$ iptables -D FORWARD 1
$ iptables -D FORWARD 1
$ iptables -P FORWARD DROP

This should actually suffice to block the virtual machine's internet access. If you're paranoid you can block the samba port directly from the router (with the router interface, or if you have shell access to it, with the command line firewall).


Author: Dave

Updated on September 18, 2022

Comments

  • Dave (almost 2 years ago)

    I'm using QEMU/KVM for virtualization of various machines. For sharing files between the guest systems and the host system I run a Samba server on the host which provides a network drive for the guest machines.

    All guests receive their network via the standard QEMU bridge virbr0.

    My question now is:

    How can I disable access to the public internet for all guests without blocking their access to the Samba network drive?

    • Raman Sailopal (over 6 years ago)
      Have you thought of a firewall rule?
    • Anthony Geoghegan (over 6 years ago)
      For attention of other queue reviewers: I'm voting to keep this question open as this is clearly not a request for learning materials. See unix.meta.stackexchange.com/q/3892/22812
    • Dave (over 6 years ago)
      @k.Cyborg: Thank you very much for this great advice! I will have a try with a second network interface!
    • k.Cyborg (over 6 years ago)
      Don't worry about it, just let me know if you solve your problem and if you want some ideas... Greetings and thanks for the feedback!
    • Ciro Santilli Путлер Капут 六四事 (almost 4 years ago)
      If you can use 9p, that works with -nic none BTW: askubuntu.com/questions/884534/…