How to create a VM with no Local LAN or Host Access, but has Internet ?

Use a virtual nic in the VM with the virtio drivers.  Setup the nic to use virbr0.  See "Configure a Network Bridge" in the wiki here: http://lime-technology.com/wiki/index.php/UnRAID_6/VM_Management#Configure_a_Network_Bridge

It states:

isolated from all other network services except internet access and the host's network file sharing protocols

He writes:

(no SMB, nothing)

 

And it seems to be NAT that "prevents" access from LAN->VM, not a firewall. I do not know the specific configuration, but usually VM->LAN should still work, so the VM could access unraid and other resources on the LAN, just not the other way around (without specific ports forwarded to the VM). Unless the private bridge/kvm has some sort of firewall that can and does block traffic, in which case access to the host maybe could be blocked as well.

 

I guess to be 100% sure, he would need to create a second subnet/VLAN on his router (which is not a normal feature for consumer stuff; custom firmware may be needed) and either use VLANs or a different physical port on the router and unraid.

Or buy a second router/firewall and basically do the same.

 

Or create a second VM, a router/firewall like pfsense, and declare that as the default GW for his vm. He could block all traffic from his vm to his LAN on that gateway.

 

Or, if his router has wifi with a guest SSID, he may try to pass through a (USB/PCI) WiFi card to the VM and use the guest SSID, which should be isolated...

Seems that by using virbr0, I still can see all devices on the LAN... that's not good for what I needed.  The goal is to allow a couple of remote family members to enter via TeamViewer into that VM to host their ARK server and manage it with ARK Server Manager tools (a very big GUI tool).

 

Since I don't want them to mess with my internal resources (other computers, shares on Unraid, etc.), I wanted to block that while still allowing Internet access on the device so they can connect.


 

With unRAID 6.2 you have the possibility to create a second bridge attached to eth1.

 

Next you need to isolate eth1 from the rest of your network, either by connecting it to a separate switch, or if your switch supports VLANs, a logical separation can be made. At this point you have basically created two networks (say 192.168.1.x and 192.168.2.x). Final step is to connect both networks to your router, again either using physical or logical segregation.

 

On your router you can then create different firewall rules and introduce, for example, the rule that the 192.168.2.x network cannot reach the 192.168.1.x network but does have internet access.

 

I am using a similar approach for my guest network, which is behind my router and allows visitors to use internet but it is completely shielded from the rest of my home network.

 


Or, very quick, cheap and probably dirty...

You could use a firewall on the VM (windows fw may already do the trick).

 

Just block all of your internal IP addresses for outgoing and incoming traffic, except your router.

As long as you make sure that your guests cannot alter these firewall rules (no admin!), it should be "safe".

 

You could even consider using RemoteApps instead of a full-blown Remote Desktop.

That is possible even with a normal Windows: RemoteApp Tool

 

Your possibilities depend on your available hardware (router/switch) outside of unraid; if you post them, somebody may help with a more specific answer.

Weird.  When I enable virbr0 I get most of what I thought you wanted with a Windows 7 VM.  I cannot browse the network and I cannot connect a mapped drive to another server on my network but I am able to browse the internet.  So I must not have understood what you wanted or I just don't know how to get around it in Windows like you must.


Like I said, the description of virbr0 suggests that there is no firewall in place, just NAT (Network Address Translation).

So, your VM is placed "behind" your server in a different subnet, like your LAN is placed behind your router. Your router has a firewall, unraid does not. Adding a firewall to the virbr0 could be another solution.

 

There are many things that won't work through NAT, like browsing the network, which relies on broadcasts and NetBIOS.

If you disable the firewall on the other server and try to PING its IP address (not hostname), it should work.

 

But you are still relatively "safe" because unless someone knows your real LAN and its IP addresses, they would not know where to start. Malware however could just scan any private network and would eventually find your LAN and its devices and could do whatever it would do if it was in the same network.

 

 

In fact, I just looked into it, and it seems iptables is already running and active, to provide the docker network with everything it needs... (so the wiki is inaccurate :))

I assume the following rule is in place for the virbr0 network:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere

Which means the private network is allowed to go anywhere and all data that was requested from inside is allowed to go there.

I am very rusty with iptables, but if you add a DENY rule for your LAN in front of the second rule that allows all, everything in your LAN should be "safe"...

To access a VM on virbr0 from the internet (like RDP) would also require adding/modifying iptables rules.

 

If anyone is interested, I would suggest the libvirt-wiki:

Forwarding Incoming Connections

------------------------------------------

By default, guests that are connected via a virtual network with <forward mode='nat'/> can make any outgoing network connection they like. Incoming connections are allowed from the host, and from other guests connected to the same libvirt network, but all other incoming connections are blocked by iptables rules.

 

If you would like to make a service that is on a guest behind a NATed virtual network publicly available, you can setup libvirt's "hook" script for qemu to install the necessary iptables rules to forward incoming connections to the host on any given port HP to port GP on the guest GNAME:

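As an added example (not code from this thread, unRAID or libvirt), here is the rule set the post above sketches, assuming libvirt's default 192.168.122.0/24 on virbr0: it drops guest traffic to the RFC1918 LAN ranges in FORWARD while keeping return traffic and internet access, and it also covers the host itself, which guest traffic reaches through INPUT rather than FORWARD. By default it only prints the iptables commands; set IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example: isolate a libvirt NAT guest network (assumed 192.168.122.0/24
# on virbr0) from the home LAN and from the host, but leave internet access.
IPT="${IPT:-echo iptables}"          # dry run by default; IPT=iptables applies
VM_NET="${VM_NET:-192.168.122.0/24}"
VM_BR="${VM_BR:-virbr0}"
# RFC1918 ranges: any private LAN the guest must not reach lives in one of these.
PRIVATE="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Rules are inserted at position 1, so emit them in reverse of the wanted order.
# Final FORWARD order: ACCEPT return traffic, ACCEPT guest<->guest,
# DROP guest->private, then the existing "guest -> anywhere ACCEPT" rule,
# which now only sees traffic headed for the internet.
isolate_vm_net() {
    for net in $PRIVATE; do
        $IPT -I FORWARD 1 -i "$VM_BR" -s "$VM_NET" -d "$net" -j DROP
    done
    # Guest-to-guest traffic can traverse FORWARD when br_netfilter is loaded
    # (docker loads it); keep it allowed explicitly.
    $IPT -I FORWARD 1 -i "$VM_BR" -s "$VM_NET" -d "$VM_NET" -j ACCEPT
    # Replies to connections the LAN/host opened towards the guest still flow.
    $IPT -I FORWARD 1 -i "$VM_BR" -s "$VM_NET" \
        -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

# Guest -> host packets (e.g. SMB on the unraid box) hit INPUT, not FORWARD.
# Keep only the DHCP/DNS that libvirt's dnsmasq serves on the bridge.
block_host_access() {
    $IPT -I INPUT 1 -i "$VM_BR" -s "$VM_NET" -j DROP
    $IPT -I INPUT 1 -i "$VM_BR" -p udp -m multiport --dports 53,67 -j ACCEPT
    $IPT -I INPUT 1 -i "$VM_BR" -p tcp --dport 53 -j ACCEPT
}

# Helpers for reviewing the generated rule set in dry-run mode.
count_forward_drops() { isolate_vm_net | grep -c -- '-j DROP'; }
count_input_rules()   { block_host_access | grep -c -- '-I INPUT 1'; }

isolate_vm_net
block_host_access
```

unRAID does not persist iptables changes across reboots, so the script has to be re-run at boot (for example from the go script) and re-applied if libvirt recreates the chain.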
