
I want to ensure that the host cannot access the internet while internet traffic is free to travel to and from the VM guest, and, more importantly, I want to make sure the internet traffic cannot reach the host OS. I'm guessing that the bulk of my question here is what iptables rules are needed to make this happen?

Currently I boot into another partition on the host hard disk whenever I connect to the internet. I unmount my data partition and shut down many services. I would like to do the same thing here instead with a virtual machine for convenience.

Is it possible to completely isolate the host OS from the internet traffic going to and from the VM guest? Or am I better off staying with my current practice of rebooting into the other partition when I need to get online?


Blocking Host from network (or Internet) access:

  1. Enable the Bridged adapter in the configuration of your VM. This will allow your Guest to connect to the network independently of your Host.
  2. Start iptables on Host with the following configuration:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback must be allowed in both directions, otherwise local services break
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT

  3. To block only Internet access while keeping the local network (let's say 192.168.0.0/24), extend the iptables rules with:

# replace {your-adapter} with the bridged interface name; these go in the same filter table, after the loopback rules
-A INPUT -i {your-adapter} -s 192.168.0.0/24 -j ACCEPT
-A OUTPUT -o {your-adapter} -d 192.168.0.0/24 -j ACCEPT

  4. Make sure iptables is enabled as a service on your Host. You can use, for example, the package iptables-persistent to provide you with a service script which can be enabled in systemd / initscripts.

Isolating Host from internet traffic going to the Guest:

With a Bridged adapter the traffic is isolated in userspace; it doesn't pass through the Host's iptables either. However, the Guest still runs INSIDE the Host OS. An attacker with root access will always be able to monitor and spoof the data which the Guest sends or receives. There is no full isolation with VirtualBox.
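To check what the ruleset above actually does before loading it on the host, here is an added example (not from the original post): a small Python simulator that parses the iptables-restore filter table and evaluates one packet the way the kernel does (first matching rule wins, chain policy otherwise). It assumes eth0 as the bridged adapter, 192.168.0.0/24 as the LAN and the TEST-NET address 203.0.113.5 as a stand-in for "the internet"; it covers only the host's own traffic, since bridged guest traffic does not traverse the host's iptables.

```python
import ipaddress

# Constructed ruleset: the answer's host-lockdown policy plus its LAN exception,
# in iptables-restore format. eth0 and 192.168.0.0/24 are assumptions for the example.
RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT
-A OUTPUT -o eth0 -d 192.168.0.0/24 -j ACCEPT
COMMIT
"""

def parse_rules(text):
    """Split a filter table into chain policies and per-chain rules; each rule is a
    dict of its options, e.g. {"-i": "eth0", "-j": "ACCEPT"} (only -i/-o/-s/-d/-j)."""
    policies, rules = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):             # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain], rules[chain] = policy, []
        elif line.startswith("-A "):         # "-A CHAIN <matches> -j TARGET"
            _, chain, *opts = line.split()
            rules[chain].append(dict(zip(opts[::2], opts[1::2])))
    return policies, rules

def verdict(text, chain, iface, src, dst):
    """Target a packet hits in `chain`: first matching rule wins, else the policy.
    `iface` is the interface the packet enters (INPUT) or leaves (OUTPUT) on."""
    policies, rules = parse_rules(text)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    checks = {
        "-i": lambda v: v == iface,
        "-o": lambda v: v == iface,
        "-s": lambda v: src in ipaddress.ip_network(v, strict=False),
        "-d": lambda v: dst in ipaddress.ip_network(v, strict=False),
    }
    for rule in rules[chain]:
        if all(checks[opt](val) for opt, val in rule.items() if opt in checks):
            return rule["-j"]
    return policies[chain]

def host_is_locked_down(text, adapter="eth0", lan_ip="192.168.0.10"):
    """True if LAN traffic passes on `adapter`, internet traffic is dropped both ways, and loopback works."""
    return (verdict(text, "OUTPUT", adapter, lan_ip, "192.168.0.1") == "ACCEPT"
            and verdict(text, "OUTPUT", adapter, lan_ip, "203.0.113.5") == "DROP"
            and verdict(text, "INPUT", adapter, "203.0.113.5", lan_ip) == "DROP"
            and verdict(text, "INPUT", "lo", "127.0.0.1", "127.0.0.1") == "ACCEPT")
```

Dropping the two eth0 lines from RULES gives the stricter first ruleset of the answer, under which even LAN peers are unreachable from the host.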

  • Thank you very much Marek for your thorough answer. I have two follow-up questions. Is there a better tool than VirtualBox that would provide full isolation? Also, "attacker with root access": would this be root access on the guest? If not and you mean the host, it seems you have already lost the battle.
    – nomadicME
    Commented Jun 21, 2017 at 20:12
  • @nomadicME yes, I meant the host, but the battle is naturally lost in both cases. Full separation from the host isn't possible as far as I'm aware. You can, however, fully isolate two guests - for example when running both of the operating systems in a Type 1 hypervisor like Xen or VMware (VirtualBox is type 2). In this case root access on either of them won't allow an attacker to reach the second...
    – Marek Rost
    Commented Jun 21, 2017 at 22:55
