Firewalling VirtualBox: restrict host inbound connections to guests only

-1

I have Windows 7 + Cygwin and VirtualBox. I would like to open a listening port on the host accepting only inbound connections from the VMs.

Note: In many cases the server services running on the host can be restricted to some IPs, and so to those of the VMs (subnet), but some boxes sitting in the same network as the host might spoof their IP, making these restrictions not effective.

antonio

Posted 2014-09-24T11:16:18.580

Reputation: 647

Answers

0

This may take some more resources, but not much.

You can try getting a software firewall, like pfsense, and create an internal "vm network" that will be firewalled by a powerful software-based firewall.

adgelbfish

Posted 2014-09-24T11:16:18.580

Reputation: 554

But pfsense does not run on Windows – antonio – 2014-09-24T14:20:14.257

Run it in a virtual machine. Then tunnel all VM traffic through it using VirtualBox's built-in networking features. – adgelbfish – 2014-09-28T00:47:39.973

0

You could set up a host-only network within VirtualBox. This is a virtual LAN which includes the host and any guests which are attached to it. You would then add a network adapter to each of your guests and attach the adapter to the host-only network. The guests and the host would be able to communicate through the private network.

Once you've done this, processes running on the host could bind specifically to the IP address for the host-only network interface. Only processes running on the host or one of the VMs would be able to contact the host's host-only network address.

The basic process is as follows:

  1. Start VirtualBox Manager and go to File->Preferences->Network->Host-only networks.
  2. Click the "+" icon at right to create a new one.
  3. Click the screwdriver icon to access properties for the new network.
  4. Enable a DHCP server if desired (if you don't do this, you'll have to assign static IPs to each guest).

Kenster

Posted 2014-09-24T11:16:18.580

Reputation: 5 474
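As an added illustration of the binding approach in this answer (example code, not from the answer or from VirtualBox), here is a small TCP listener that binds only to the host-only adapter address instead of 0.0.0.0, and as a second layer drops any accepted connection whose peer address is outside the host-only subnet. It assumes VirtualBox's default host-only range 192.168.56.0/24 with the host's adapter at 192.168.56.1; the `connect_to` helper and the function names are this example's own.

```python
import ipaddress
import socket

# Assumptions (constructed for this example, not from the answer): VirtualBox's
# default host-only network is 192.168.56.0/24 and the host's adapter on it
# is 192.168.56.1.
HOST_ONLY_ADDR = "192.168.56.1"
HOST_ONLY_CIDR = "192.168.56.0/24"
WILDCARDS = ("", "0.0.0.0", "::")


def is_wildcard(addr: str) -> bool:
    """True for bind addresses that would expose the port on every adapter."""
    return addr in WILDCARDS


def make_listener(bind_addr: str = HOST_ONLY_ADDR, port: int = 0) -> socket.socket:
    """Bind a TCP listener to the host-only adapter address (never 0.0.0.0)."""
    if is_wildcard(bind_addr):
        raise ValueError("refusing wildcard bind; use the host-only adapter address")
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))  # reachable only via that adapter
    srv.listen(5)
    return srv


def peer_allowed(peer_ip: str, net_cidr: str = HOST_ONLY_CIDR) -> bool:
    """Second layer: serve only peers whose source address is in the subnet."""
    try:
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(net_cidr)
    except ValueError:
        return False


def accept_filtered(srv: socket.socket, net_cidr: str = HOST_ONLY_CIDR):
    """Accept one connection; returns (conn, peer_ip), conn is None if rejected."""
    conn, (peer_ip, _) = srv.accept()
    if not peer_allowed(peer_ip, net_cidr):
        conn.close()  # off-subnet peer: drop before any application data
        return None, peer_ip
    return conn, peer_ip


def connect_to(srv: socket.socket) -> socket.socket:
    """Test helper: open a client connection to the listener's own address."""
    return socket.create_connection(srv.getsockname())
```

On the real host, `make_listener()` with the defaults only succeeds once the host-only adapter holds 192.168.56.1; the peer check is a defence-in-depth layer, while the bind address is what keeps the port off the host's other interfaces.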

Kenster, the host-only network prevents the guest from talking with the outside world, but not the host, and my question is: "open a listening port on the host accepting only inbound connections from the VMs". – antonio – 2014-09-24T20:26:10.103

I've spelled out a little more clearly what I was getting at. – Kenster – 2014-09-24T20:58:26.227

Sorry, how can we do this by interface and not by IP? Otherwise the last part of the question might apply? – antonio – 2014-09-24T21:38:06.050