# 214423 10-May-2017 20:16

I'm a bit of a techy but not where networks are concerned, so any help would be appreciated as I've searched in vain for an answer, both here and the Net in general.

I have a Linux system running in a VM (VirtualBox) and, for testing purposes, I'd like to block access to the Internet but not to the internal network, from that VM. I have an NF4V router. I've tried various firewall and parental control settings but nothing seems to work. The NF4V manual really just lists the actual interface screens with very little extra information, and their FAQs don't cover what I'm trying to do.

Any ideas?


Mr Snotty

  # 1779303 10-May-2017 20:20
4 people support this post

Remove the gateway from the VM or manually set an IP without specifying a gateway address.

  # 1779307 10-May-2017 20:28

^^ Gateway is that

'Where do I send packets that aren't from the local Subnet so it may be able to see if it can send it to the right destination?'

Consider it a bridge from local to non local traffic. Remove it, and it'll only know how to handle local.

  # 1779691 11-May-2017 15:03

michaelmurfy:

Remove the gateway from the VM or manually set an IP without specifying a gateway address.

Thanks. That did the trick as far as achieving what I wanted to achieve but I'd like to know what router settings would do the same thing. For what I wanted to test, I could set the parental controls to block direct Internet access from another machine (not a VM) but doing the same thing for the VM didn't work. Using the VM is easier for me so at least I have a setting that works for the kind of testing I was doing. Thanks, again.

  # 1779705 11-May-2017 15:33

sofistek:

Thanks. That did the trick as far as achieving what I wanted to achieve but I'd like to know what router settings would do the same thing. For what I wanted to test, I could set the parental controls to block direct Internet access from another machine (not a VM) but doing the same thing for the VM didn't work. Using the VM is easier for me so at least I have a setting that works for the kind of testing I was doing. Thanks, again.

In what way did it not work?

Not sure if this is true for VirtualBox but if it's like VMware Workstation then VMs by default are given a NAT-based network adapter (meaning they don't have their own IP on your LAN but simply share your host IP) in which case router-based rules (based on IP or MAC) would not have the desired result.

You should be able to change the VM to a bridged network adapter so it receives a LAN IP and behaves like any other device on your network.

  # 1779743 11-May-2017 16:36
One person supports this post

solutionz:

sofistek:

Thanks. That did the trick as far as achieving what I wanted to achieve but I'd like to know what router settings would do the same thing. For what I wanted to test, I could set the parental controls to block direct Internet access from another machine (not a VM) but doing the same thing for the VM didn't work. Using the VM is easier for me so at least I have a setting that works for the kind of testing I was doing. Thanks, again.

In what way did it not work?

Not sure if this is true for VirtualBox but if it's like VMware Workstation then VMs by default are given a NAT-based network adapter (meaning they don't have their own IP on your LAN but simply share your host IP) in which case router-based rules (based on IP or MAC) would not have the desired result.

You should be able to change the VM to a bridged network adapter so it receives a LAN IP and behaves like any other device on your network.

True for VirtualBox

By default VirtualBox will use a NAT based network setup. But it can be changed to Bridge, then the VM will get its IP address from your router, so any rules you set up in your router should work.

  # 1779825 11-May-2017 19:09

Thanks solutionz and djtOtago, though I'd already switched the network adapter to Bridged. Maybe the MAC address isn't getting through to the router for parental control. A firewall rule should work, though, as it's IP based, rather than MAC address based. But I've really got little idea how to set this up; trying a couple of things without success. So what should the Firewall settings be and what would the rule look like (for the NF4V, I have to add a Firewall and then add rules to the firewall)?

  # 1781763 13-May-2017 20:03

Probably just a rule on the input chain (or your router's equivalent firewall structure) that just says "source address x.x.x.x going to destination y.y.y.y gets dropped"

where x is the machine you want to block and y is your router's address.

  # 1781802 13-May-2017 22:41

chevrolux:

Probably just a rule on the input chain (or your router's equivalent firewall structure) that just says "source address x.x.x.x going to destination y.y.y.y gets dropped"

where x is the machine you want to block and y is your router's address.

Yes, but what is the destination address as I want it to be any address (i.e. no direct Internet access from the source address)? Maybe it's the router's internal address and not a Net address? And why does the firewall setting itself need to be either "permit" or "deny"? Which, and why, if the rule determines whether to reject or drop?

  # 1781842 14-May-2017 09:09

sofistek:

Yes, but what is the destination address as I want it to be any address (i.e. no direct Internet access from the source address)? Maybe it's the router's internal address and not a Net address? And why does the firewall setting itself need to be either "permit" or "deny"? Which, and why, if the rule determines whether to reject or drop?

I don't have an NF4V to find the exact setting for you but if it's iptables based underneath you don't specify a destination address and it will assume you're blocking everything from that source. If the UI wants a destination address you could try "0.0.0.0". Traffic from that VM won't hit the firewall/gateway if it's connecting to other machines on your network so it will still allow internal traffic.

  # 1781852 14-May-2017 10:32
One person supports this post

Well the destination would be the LAN IP address of the router. As that is what your internal machines will have set as a gateway (and probably for DNS too).

Most consumer grades would employ a "drop all" rule of some description at the end of their firewall setups hence the need for "permit" or "deny". I am a bit too used to Mikrotik (which is IP tables based) so you start with a clean slate and build on top of that.

Not sure how netcomm might do it... but with IP tables the three main chains you look at are input, forward and output:

Input - packets coming from an interface destined for the router
Forward - packets coming from one interface and destined for another interface
Output - packets from the router destined for an interface

So in your case a rule on the input chain would be able to stop clients hitting the router. i.e. src 192.168.1.33 > dst 192.168.1.1 gets dropped

  # 1782717 15-May-2017 18:31

Thanks all but I'm still mystified by the settings. If anyone would like to have a go, here is what the NF4V wants for setting up a firewall:

Firstly, a "firewall" needs to be created and this has the following fields:

Name
Interface (LAN, WAN, WAN/LAN, ETH WAN/ppp0.1, or various eth<n>.<n> and wln0.<n> settings)
Type (In or Out)
Action (Permit or Drop)

Then, after creating a "firewall", rules for the firewall can be created. A rule includes the following fields (too many to list them all):

Enabled (set or unset)
Protocol (presumably, TCP, though UDP and ICMP are other options)
Action (Permit, Drop or Reject) - for Reject, another field is enabled (various icmp- codes or "tcp-reset")
Various TCP flags, either set or unset: SYN, ACK, FIN, RST, URG, PSH
origIPAddress, origMask/prefixLength, origStartPort, origEndPort
destIPAddress, destMask/prefixLength, destStartPort, destEndPort

I've only managed, trying all sorts of values, including those mentioned here, to exclude all intranet IP addresses from accessing the Internet or none. I just want to exclude one LAN address, 192.168.1.5, for example. What firewall settings are needed and what firewall rule settings are needed? Anyone know?
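The chain definitions in post 1781852 and the NF4V rule fields in the post above, worked through as an added Python model (not code from the thread, NetComm or VirtualBox): it assigns each packet to INPUT, OUTPUT or FORWARD as chevrolux describes, evaluates first-match rules with origIPAddress/destIPAddress-style fields, and shows why a bridged VM is stopped by a FORWARD rule whose destination is left as "any" (0.0.0.0/0), why LAN-to-LAN traffic is untouched, and why a NAT-adapter VM (seen as the host's IP) is not caught. The topology and addresses are constructed for the example.

```python
import ipaddress as ipa

# Constructed topology (example values, not from the thread): a /24 LAN with
# the router at .1, the VirtualBox host at .10 and the bridged VM at .5.
LAN = ipa.ip_network("192.168.1.0/24")
ROUTER_LAN_IP = ipa.ip_address("192.168.1.1")

def chain_for(src, dst):
    """Pick the chain a packet traverses, using the thread's definitions:
    INPUT = destined for the router, OUTPUT = from the router,
    FORWARD = from one interface to another. LAN-to-LAN traffic is switched
    and never reaches the router's firewall, so it gets no chain (None)."""
    s, d = ipa.ip_address(src), ipa.ip_address(dst)
    if d == ROUTER_LAN_IP:
        return "INPUT"
    if s == ROUTER_LAN_IP:
        return "OUTPUT"
    if s in LAN and d in LAN:
        return None
    return "FORWARD"

def verdict(src, dst, rules, default="PERMIT"):
    """First matching rule wins. 'default' models the NF4V firewall object's
    own Permit/Drop action, applied when no rule matches."""
    chain = chain_for(src, dst)
    if chain is None:
        return "LOCAL"  # never inspected by the router at all
    s, d = ipa.ip_address(src), ipa.ip_address(dst)
    for r_chain, orig_ip, dest_ip, action in rules:  # NF4V-style field names
        if r_chain == chain and s in ipa.ip_network(orig_ip) and d in ipa.ip_network(dest_ip):
            return action
    return default

# Blocking one LAN host from the Internet: match it in FORWARD with the
# destination left as "any" (0.0.0.0/0), as post 1781842 suggests for the UI.
BLOCK_VM = [("FORWARD", "192.168.1.5/32", "0.0.0.0/0", "DROP")]
# The input-chain rule from post 1781852 only stops the host reaching the router itself.
BLOCK_VM_INPUT = [("INPUT", "192.168.1.5/32", "192.168.1.1/32", "DROP")]

def demo():
    internet = "203.0.113.10"  # RFC 5737 documentation address, stands in for any Internet host
    return {
        "bridged_vm_to_internet": verdict("192.168.1.5", internet, BLOCK_VM),
        "bridged_vm_to_lan_peer": verdict("192.168.1.5", "192.168.1.20", BLOCK_VM),
        # With a NAT adapter the VM's packets leave with the host's IP (.10),
        # so a rule keyed on the VM's own address never matches them.
        "nat_vm_seen_as_host": verdict("192.168.1.10", internet, BLOCK_VM),
        "input_rule_vm_to_router": verdict("192.168.1.5", "192.168.1.1", BLOCK_VM_INPUT),
        "input_rule_vm_to_internet": verdict("192.168.1.5", internet, BLOCK_VM_INPUT),
    }
```

Running demo() gives DROP, LOCAL, PERMIT, DROP, PERMIT for the five cases in order, which is why the bridged adapter plus a FORWARD rule is the combination that blocks only the one VM.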

