sofistek
#214423 10-May-2017 20:16

I'm a bit of a techy but not where networks are concerned, so any help would be appreciated as I've searched in vain for an answer, both here and on the Net in general.

I have a Linux system running in a VM (VirtualBox) and, for testing purposes, I'd like to block access to the Internet but not to the internal network, from that VM. I have an NF4V router. I've tried various firewall and parental control settings but nothing seems to work. The NF4V manual really just lists the actual interface screens with very little extra information, and their FAQs don't cover what I'm trying to do.

Any ideas?

Tony

michaelmurfy
#1779303 10-May-2017 20:20

Remove the gateway from the VM or manually set an IP without specifying a gateway address.

Oblivian
#1779307 10-May-2017 20:28

^^ The gateway is that:

'Where do I send packets that aren't from the local subnet so it may be able to see if it can send it to the right destination?'

Consider it a bridge from local to non-local traffic. Remove it, and it'll only know how to handle local traffic.

sofistek
#1779691 11-May-2017 15:03

michaelmurfy:

Remove the gateway from the VM or manually set an IP without specifying a gateway address.

Thanks. That did the trick as far as achieving what I wanted to achieve but I'd like to know what router settings would do the same thing. For what I wanted to test, I could set the parental controls to block direct Internet access from another machine (not a VM) but doing the same thing for the VM didn't work. Using the VM is easier for me so at least I have a setting that works for the kind of testing I was doing. Thanks, again.

Tony

solutionz
#1779705 11-May-2017 15:33

sofistek:

Thanks. That did the trick as far as achieving what I wanted to achieve but I'd like to know what router settings would do the same thing. For what I wanted to test, I could set the parental controls to block direct Internet access from another machine (not a VM) but doing the same thing for the VM didn't work. Using the VM is easier for me so at least I have a setting that works for the kind of testing I was doing. Thanks, again.

In what way did it not work?

Not sure if this is true for VirtualBox but if it's like VMware Workstation then VMs by default are given a NAT-based network adapter (meaning they don't have their own IP on your LAN but simply share your host IP) in which case router-based rules (based on IP or MAC) would not have the desired result.

You should be able to change the VM to a bridged network adapter so it receives a LAN IP and behaves like any other device on your network.

djtOtago
#1779743 11-May-2017 16:36

solutionz:

sofistek:

Thanks. That did the trick as far as achieving what I wanted to achieve but I'd like to know what router settings would do the same thing. For what I wanted to test, I could set the parental controls to block direct Internet access from another machine (not a VM) but doing the same thing for the VM didn't work. Using the VM is easier for me so at least I have a setting that works for the kind of testing I was doing. Thanks, again.

In what way did it not work?

Not sure if this is true for VirtualBox but if it's like VMware Workstation then VMs by default are given a NAT-based network adapter (meaning they don't have their own IP on your LAN but simply share your host IP) in which case router-based rules (based on IP or MAC) would not have the desired result.

You should be able to change the VM to a bridged network adapter so it receives a LAN IP and behaves like any other device on your network.

True for VirtualBox.

By default VirtualBox will use a NAT-based network setup. But it can be changed to Bridged; then the VM will get its IP address from your router, so any rules you set up in your router should work.

sofistek
#1779825 11-May-2017 19:09

Thanks solutionz and djtOtago, though I'd already switched the network adapter to Bridged. Maybe the MAC address isn't getting through to the router for parental control. A firewall rule should work, though, as it's IP based, rather than MAC address based. But I've really got little idea how to set this up; I've tried a couple of things without success. So what should the Firewall settings be and what would the rule look like (for the NF4V, I have to add a Firewall and then add rules to the firewall)?

Tony

chevrolux
#1781763 13-May-2017 20:03

Probably just a rule on the input chain (or your router's equivalent firewall structure) that just says "source address x.x.x.x going to destination y.y.y.y gets dropped", where x is the machine you want to block and y is your router's address.

sofistek
#1781802 13-May-2017 22:41

chevrolux:

Probably just a rule on the input chain (or your router's equivalent firewall structure) that just says "source address x.x.x.x going to destination y.y.y.y gets dropped", where x is the machine you want to block and y is your router's address.

Yes, but what is the destination address as I want it to be any address (i.e. no direct Internet access from the source address)? Maybe it's the router's internal address and not a Net address? And why does the firewall setting itself need to be either "permit" or "deny"? Which, and why, if the rule determines whether to reject or drop?

Tony

meesham
#1781842 14-May-2017 09:09

sofistek:

Yes, but what is the destination address as I want it to be any address (i.e. no direct Internet access from the source address)? Maybe it's the router's internal address and not a Net address? And why does the firewall setting itself need to be either "permit" or "deny"? Which, and why, if the rule determines whether to reject or drop?

I don't have an NF4V to find the exact setting for you but if it's iptables based underneath you don't specify a destination address and it will assume you're blocking everything from that source. If the UI wants a destination address you could try "0.0.0.0". Traffic from that VM won't hit the firewall/gateway if it's connecting to other machines on your network so it will still allow internal traffic.

chevrolux
#1781852 14-May-2017 10:32

Well the destination would be the LAN IP address of the router, as that is what your internal machines will have set as a gateway (and probably for DNS too).

Most consumer-grade routers would employ a "drop all" rule of some description at the end of their firewall setups, hence the need for "permit" or "deny". I am a bit too used to Mikrotik (which is iptables based) so you start with a clean slate and build on top of that.

Not sure how NetComm might do it... but with iptables the three main chains you look at are input, forward and output:

Input - packets coming from an interface destined for the router
Forward - packets coming from one interface and destined for another interface
Output - packets from the router destined for an interface

So in your case a rule on the input chain would be able to stop clients hitting the router, i.e. src 192.168.1.33 > dst 192.168.1.1 gets dropped.

sofistek
#1782717 15-May-2017 18:31

Thanks all but I'm still mystified by the settings. If anyone would like to have a go, here is what the NF4V wants for setting up a firewall:

Firstly, a "firewall" needs to be created and this has the following fields:

Name
Interface (LAN, WAN, WAN/LAN, ETH WAN/ppp0.1, or various eth<n>.<n> and wln0.<n> settings)
Type (In or Out)
Action (Permit or Drop)

Then, after creating a "firewall", rules for the firewall can be created. A rule includes the following fields (too many to list them all):

Enabled (set or unset)
Protocol (presumably TCP, though UDP and ICMP are other options)
Action (Permit, Drop or Reject) - for Reject, another field is enabled (various icmp- codes or "tcp-reset")
Various TCP flags, either set or unset: SYN, ACK, FIN, RST, URG, PSH
origIPAddress, origMask/prefixLength, origStartPort, origEndPort
destIPAddress, destMask/prefixLength, destStartPort, destEndPort

I've only managed, trying all sorts of values, including those mentioned here, to exclude all intranet IP addresses from accessing the Internet or none. I just want to exclude one LAN address, 192.168.1.5, for example. What firewall settings are needed and what firewall rule settings are needed? Anyone know?

Tony
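An added illustration, not code from the thread, the NF4V or iptables: it simulates the input/forward/output chain split chevrolux describes and evaluates rules built from the origIPAddress/origMask, destIPAddress/destMask and Action fields sofistek lists, with the "firewall" Action as the default at the end of the chain. The LAN subnet, both router addresses and the 198.51.100.20 Internet host are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing, assumed for this example (not from the NF4V).
LAN = ip_network("192.168.1.0/24")
ROUTER_LAN_IP = ip_address("192.168.1.1")
ROUTER_WAN_IP = ip_address("203.0.113.7")      # documentation range, assumed


@dataclass
class Rule:
    """One NF4V-style rule: origIPAddress/origMask, destIPAddress/destMask, Action."""
    orig: str      # e.g. "192.168.1.5/32" for a single host
    dest: str      # "0.0.0.0/0" means "any destination"
    action: str    # "Permit", "Drop" or "Reject"


def chain_for(src: str, dst: str):
    """Which iptables chain a packet traverses on the router; None when it stays
    on the LAN switch and never reaches the router's firewall at all."""
    s, d = ip_address(src), ip_address(dst)
    if d in (ROUTER_LAN_IP, ROUTER_WAN_IP):
        return "INPUT"      # destined for the router itself (DNS, admin UI)
    if s in (ROUTER_LAN_IP, ROUTER_WAN_IP):
        return "OUTPUT"     # generated by the router
    if s in LAN and d in LAN:
        return None         # LAN-to-LAN: switched locally, firewall not involved
    return "FORWARD"        # LAN <-> Internet, routed through the box


def evaluate(rules, firewall_action: str, src: str, dst: str) -> str:
    """First matching rule wins; the firewall-level Action is the default."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.orig) and d in ip_network(r.dest):
            return r.action
    return firewall_action


def outcome(rules, firewall_action: str, src: str, dst: str) -> str:
    """Fate of a packet: LAN-local traffic is never seen, router-originated
    traffic is out of scope here, everything else goes through the rules."""
    chain = chain_for(src, dst)
    if chain is None:
        return "lan-local"
    if chain == "OUTPUT":
        return "router-originated"
    return evaluate(rules, firewall_action, src, dst)


# The rule set the thread is after: one LAN host, 192.168.1.5, dropped to anywhere.
BLOCK_ONE_HOST = [Rule("192.168.1.5/32", "0.0.0.0/0", "Drop")]
# A rule whose destination is only the router's LAN address (an INPUT-chain rule).
BLOCK_TO_ROUTER_ONLY = [Rule("192.168.1.5/32", "192.168.1.1/32", "Drop")]
```

Comparing the two rule sets shows why the destination matters: the router-only rule stops 192.168.1.5 reaching the gateway itself, while the 0.0.0.0/0 rule also catches traffic being forwarded out to the Internet.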

