Geekzone: technology news, blogs, forums




79 posts

Master Geek
+1 received by user: 6


# 214423 10-May-2017 20:16

I'm a bit of a techy but not where networks are concerned, so any help would be appreciated as I've searched in vain for an answer, both here and the Net in general.

 

I have a Linux system running in a VM (VirtualBox) and, for testing purposes, I'd like to block access to the Internet but not to the internal network, from that VM. I have an NF4V router. I've tried various firewall and parental control settings but nothing seems to work. The NF4V manual really just lists the actual interface screens with very little extra information, and their FAQs don't cover what I'm trying to do.

 

Any ideas?


Mr Snotty
8726 posts

Uber Geek
+1 received by user: 4626

Moderator
Trusted
Lifetime subscriber

  # 1779303 10-May-2017 20:20
4 people support this post

Remove the gateway from the VM or manually set an IP without specifying a gateway address.





3202 posts

Uber Geek
+1 received by user: 420


  # 1779307 10-May-2017 20:28

^^ Gateway is that

 

'Where do I send packets that aren't from the local subnet so it may be able to see if it can send it to the right destination?'

 

 

 

Consider it a bridge from local to non-local traffic. Remove it, and it'll only know how to handle local traffic.


 
 
 
 




79 posts

Master Geek
+1 received by user: 6


  # 1779691 11-May-2017 15:03

michaelmurfy:

 

Remove the gateway from the VM or manually set an IP without specifying a gateway address.

 

 

Thanks. That did the trick as far as achieving what I wanted to achieve but I'd like to know what router settings would do the same thing. For what I wanted to test, I could set the parental controls to block direct Internet access from another machine (not a VM) but doing the same thing for the VM didn't work. Using the VM is easier for me so at least I have a setting that works for the kind of testing I was doing. Thanks, again.


588 posts

Ultimate Geek
+1 received by user: 188
Inactive user


  # 1779705 11-May-2017 15:33

sofistek:

 

 

 

Thanks. That did the trick as far as achieving what I wanted to achieve but I'd like to know what router settings would do the same thing. For what I wanted to test, I could set the parental controls to block direct Internet access from another machine (not a VM) but doing the same thing for the VM didn't work. Using the VM is easier for me so at least I have a setting that works for the kind of testing I was doing. Thanks, again.

 

 

In what way did it not work?

 

Not sure if this is true for VirtualBox but if it's like VMware Workstation then VMs by default are given a NAT-based network adapter (meaning they don't have their own IP on your LAN but simply share your host IP) in which case router-based rules (based on IP or MAC) would not have the desired result.

 

You should be able to change the VM to a bridged network adapter so it receives a LAN IP and behaves like any other device on your network.


488 posts

Ultimate Geek
+1 received by user: 182

Subscriber

  # 1779743 11-May-2017 16:36
One person supports this post

solutionz:

 

sofistek:

 

 

 

Thanks. That did the trick as far as achieving what I wanted to achieve but I'd like to know what router settings would do the same thing. For what I wanted to test, I could set the parental controls to block direct Internet access from another machine (not a VM) but doing the same thing for the VM didn't work. Using the VM is easier for me so at least I have a setting that works for the kind of testing I was doing. Thanks, again.

 

 

In what way did it not work?

 

Not sure if this is true for VirtualBox but if it's like VMware Workstation then VMs by default are given a NAT-based network adapter (meaning they don't have their own IP on your LAN but simply share your host IP) in which case router-based rules (based on IP or MAC) would not have the desired result.

 

You should be able to change the VM to a bridged network adapter so it receives a LAN IP and behaves like any other device on your network.

 

 

True for VirtualBox

 

By default VirtualBox will use a NAT-based network setup. But it can be changed to Bridged; then the VM will get its IP address from your router, so any rules you set up in your router should work.




79 posts

Master Geek
+1 received by user: 6


  # 1779825 11-May-2017 19:09

Thanks solutionz and djtOtago, though I'd already switched the network adapter to Bridged. Maybe the MAC address isn't getting through to the router for parental control. A firewall rule should work, though, as it's IP based rather than MAC address based. But I've really got little idea how to set this up; I've tried a couple of things without success. So what should the Firewall settings be and what would the rule look like (for the NF4V, I have to add a Firewall and then add rules to the firewall)?


4066 posts

Uber Geek
+1 received by user: 1763

Subscriber

  # 1781763 13-May-2017 20:03

Probably just a rule on the input chain (or your router's equivalent firewall structure) that just says "source address x.x.x.x going to destination y.y.y.y gets dropped"

 

where x is the machine you want to block and y is your router's address.


 
 
 
 




79 posts

Master Geek
+1 received by user: 6


  # 1781802 13-May-2017 22:41

chevrolux:

 

Probably just a rule on the input chain (or your router's equivalent firewall structure) that just says "source address x.x.x.x going to destination y.y.y.y gets dropped"

 

where x is the machine you want to block and y is your router's address.

 

 

Yes, but what is the destination address as I want it to be any address (i.e. no direct Internet access from the source address)? Maybe it's the router's internal address and not a Net address? And why does the firewall setting itself need to be either "permit" or "deny"? Which, and why, if the rule determines whether to reject or drop?


919 posts

Ultimate Geek
+1 received by user: 225

Subscriber

  # 1781842 14-May-2017 09:09

sofistek:

 

Yes, but what is the destination address as I want it to be any address (i.e. no direct Internet access from the source address)? Maybe it's the router's internal address and not a Net address? And why does the firewall setting itself need to be either "permit" or "deny"? Which, and why, if the rule determines whether to reject or drop?

 

 

I don't have an NF4V to find the exact setting for you but if it's iptables based underneath you don't specify a destination address and it will assume you're blocking everything from that source. If the UI wants a destination address you could try "0.0.0.0". Traffic from that VM won't hit the firewall/gateway if it's connecting to other machines on your network so it will still allow internal traffic.


4066 posts

Uber Geek
+1 received by user: 1763

Subscriber

  # 1781852 14-May-2017 10:32
One person supports this post

Well, the destination would be the LAN IP address of the router, as that is what your internal machines will have set as a gateway (and probably for DNS too).

 

Most consumer-grade routers would employ a "drop all" rule of some description at the end of their firewall setups, hence the need for "permit" or "deny". I am a bit too used to Mikrotik (which is iptables based), so you start with a clean slate and build on top of that.

 

Not sure how Netcomm might do it... but with iptables the three main chains you look at are input, forward and output:

 

Input - packets coming from an interface destined for the router
Forward - packets coming from one interface and destined for another interface
Output - packets from the router destined for an interface

 

So in your case a rule on the input chain would be able to stop clients hitting the router, i.e. src 192.168.1.33 > dst 192.168.1.1 gets dropped.




79 posts

Master Geek
+1 received by user: 6


  # 1782717 15-May-2017 18:31

Thanks all but I'm still mystified by the settings. If anyone would like to have a go, here is what the NF4V wants for setting up a firewall:

 

Firstly, a "firewall" needs to be created and this has the following fields:

 

Name
Interface (LAN, WAN, WAN/LAN, ETH WAN/ppp0.1, or various eth<n>.<n> and wln0.<n> settings)
Type (In or Out)
Action (Permit or Drop)

 

Then, after creating a "firewall", rules for the firewall can be created. A rule includes the following fields (too many to list them all):

 

Enabled (set or unset)
Protocol (presumably TCP, though UDP and ICMP are other options)
Action (Permit, Drop or Reject) - for Reject, another field is enabled (various icmp- codes or "tcp-reset")
Various TCP flags, either set or unset: SYN, ACK, FIN, RST, URG, PSH
origIPAddress, origMask/prefixLength, origStartPort, origEndPort
destIPAddress, destMask/prefixLength, destStartPort, destEndPort

 

I've only managed, trying all sorts of values, including those mentioned here, to exclude either all intranet IP addresses from accessing the Internet or none. I just want to exclude one LAN address, 192.168.1.5, for example. What firewall settings are needed and what firewall rule settings are needed? Anyone know?
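An added example, not code from any poster or from the NF4V firmware, that models the three iptables chains listed earlier in the thread together with the origIPAddress/origMask and destIPAddress/destMask fields of the NF4V rule form. It shows that an input-chain rule aimed at the router's own address leaves forwarded LAN-to-WAN traffic untouched, while a forward-chain rule from 192.168.1.5 to destination 0.0.0.0/0 ("any address") blocks that one host's Internet traffic without affecting LAN-to-LAN traffic, which never reaches the router's firewall. The LAN layout, router address and chain-selection logic are assumptions of this model.

```python
"""Added model (not NF4V firmware or any poster's code) of a Linux-style
router firewall. Assumptions: LAN 192.168.1.0/24, router 192.168.1.1,
VM 192.168.1.5; each rule carries the orig/dest address+mask fields of
the NF4V rule form plus the iptables chain it sits on."""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")      # assumed LAN
ROUTER_IP = ipaddress.ip_address("192.168.1.1")   # assumed gateway address


def chain_for(src, dst):
    """Chain a packet from a LAN host traverses on the router (modelled)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst == ROUTER_IP:
        return "INPUT"      # addressed to the router itself (DNS, admin UI)
    if src in LAN and dst in LAN:
        return None         # LAN-to-LAN is switched; it never hits the firewall
    return "FORWARD"        # routed from one interface to another (LAN -> WAN)


def matches(rule, src, dst):
    """True if src/dst fall inside the rule's orig and dest address/mask."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule["orig"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dest"]))


def verdict(rules, src, dst, default="ACCEPT"):
    """First matching rule on the packet's chain wins; unmatched -> default."""
    chain = chain_for(src, dst)
    if chain is None:
        return "ACCEPT"     # never consulted the firewall at all
    for rule in rules:
        if rule["chain"] == chain and matches(rule, src, dst):
            return rule["action"]
    return default


# The input-chain rule from the thread: VM -> router's own address is dropped.
INPUT_ONLY = [{"chain": "INPUT", "orig": "192.168.1.5/32",
               "dest": "192.168.1.1/32", "action": "DROP"}]
# Same, plus a forward-chain rule whose destination 0.0.0.0/0 means "any address".
BLOCK_INTERNET = INPUT_ONLY + [{"chain": "FORWARD", "orig": "192.168.1.5/32",
                                "dest": "0.0.0.0/0", "action": "DROP"}]

if __name__ == "__main__":
    for rules, name in ((INPUT_ONLY, "input only"), (BLOCK_INTERNET, "input+forward")):
        for dst in ("192.168.1.1", "192.168.1.10", "8.8.8.8"):
            print(name, "192.168.1.5 ->", dst, chain_for("192.168.1.5", dst),
                  verdict(rules, "192.168.1.5", dst))
```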

