[SOLVED] VirtualBox guest-only internet access

zealot
Posts: 37
Joined: 2014-07-26 01:28

[SOLVED] VirtualBox guest-only internet access

#1 Post by zealot »

Hello Debians of .deb,

Is it at all possible to disable internet access for the Debian host while providing internet access to the VirtualBox guest(s)?

I plan to only hook up the host to the internet for updates, upgrades and installations, although if I can, then I will make a Debian guest to test everything out and download the files from there and install everything on the host without even a single host connection point.

Is this the indomitable approach to intercommunication security? If not, then what haven't I thought of yet?
Last edited by zealot on 2014-08-14 15:06, edited 1 time in total.
This is how Linux should be advertised: Navratna Lite - Kathputli - Hin~40sec

dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: VirtualBox guest-only internet access

#2 Post by dasein »

> zealot wrote: Is it at all possible to disable internet access for the Debian host while providing internet access to the VirtualBox guest(s)?

I'd be happy to help you think the answer through on your own, if you like. Or would you rather wait for someone else to come along who might spoonfeed it to you?

(Just askin')

zealot
Posts: 37
Joined: 2014-07-26 01:28

Re: VirtualBox guest-only internet access

#3 Post by zealot »

> dasein wrote:
> > zealot wrote: Is it at all possible to disable internet access for the Debian host while providing internet access to the VirtualBox guest(s)?
> I'd be happy to help you think the answer through on your own, if you like. Or would you rather wait for someone else to come along who might spoonfeed it to you?
>
> (Just askin')

I would be happy with anything. :)

I have virtualbox installed.

I know how to use iptables to block incoming and outgoing on host, but I'm not sure if that's the most secure method.
Do I just block them with iptables and that's all?

I would prefer to disable the internet for host completely and only give access to the guest.
So the host is completely invisible to the internet.

dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: VirtualBox guest-only internet access

#4 Post by dasein »

> zealot wrote: I would be happy with anything. :)

Ok then. Underneath your kitchen sink is a water shutoff valve. There is a similar valve between your house and the water main.

Is there a way to shut off the water at the main and still have it flow in your kitchen? Is there anything you can do with that valve inside your house that would affect a shutoff at the main?

Now ask yourself the same question about your real and virtual NICs. If you disable the NIC "outside" the VM, is there anything you can do "inside" the VM that involves networking?

zealot
Posts: 37
Joined: 2014-07-26 01:28

Re: VirtualBox guest-only internet access

#5 Post by zealot »

What about port forwarding?

Lay down a new pipe straight to the kitchen.

I don't know what NIC is. Researching it now.

That's hardware, I don't want to remove it.

dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: VirtualBox guest-only internet access

#6 Post by dasein »

Think "inside" and "outside" not "hardware" and "software".

Or maybe ask yourself this. If you disable networking for a given host, would you want there to be a way for a VM guest to do networking anyway?

zealot
Posts: 37
Joined: 2014-07-26 01:28

Re: VirtualBox guest-only internet access

#7 Post by zealot »

> dasein wrote: Think "inside" and "outside" not "hardware" and "software".
>
> Or maybe ask yourself this. If you disable networking for a given host, would you want there to be a way for a VM guest to do networking anyway?

Yes, I want to use the internet via guest but protect host from crackers.

Otherwise I just disconnect the host and problem is solved.

sunrat
Administrator
Posts: 6497
Joined: 2006-08-29 09:12
Location: Melbourne, Australia
Has thanked: 118 times
Been thanked: 476 times

Re: VirtualBox guest-only internet access

#8 Post by sunrat »

> zealot wrote: Otherwise I just disconnect the host and problem is solved.

If that solves your problem, just do it. Of course, as the guest uses the host's networking, it won't be connected.
I suggest locking down the host firewall.
“ computer users can be divided into 2 categories:
Those who have lost data
...and those who have not lost data YET ”
Remember to BACKUP!

dasein
Posts: 7680
Joined: 2011-03-04 01:06
Location: Terra Incantationum

Re: VirtualBox guest-only internet access

#9 Post by dasein »

> zealot wrote:
> > dasein wrote: If you disable networking for a given host, would you want there to be a way for a VM guest to do networking anyway?
> Yes, I want to use the internet via guest but protect host from crackers.

You may find it useful to think about this problem (or read up on virtualization) until it's clear to you that it would have exactly the opposite effect (even if it were feasible, which, back to the water main analogy, it isn't). Host controls guest, not vice-versa.

Tropical_
Posts: 1
Joined: 2014-10-31 21:12

Re: [SOLVED] VirtualBox guest-only internet access

#10 Post by Tropical_ »

Hello. I have been trying to accomplish the same thing.. for when I am on the road and not behind my PFsense router, as VNC can be slow.

I like the water pipe analogy (thanks!!).. just made me think of a possible solution for this..

:idea: ..what if I disable all networking on the host laptop.. insert a USB wifi stick on the Host USB port and give it to VirtualBox? Then connect to the internet only through it from a Guest OS?

Could this be like adding another I/O pipe? Would this "bypass" the Host? Of course all traffic would be going through -->USB wifi stick--> Host --> VM. But as far as I know VirtualBox would have exclusive access to the USB stick(?), could it "leak" to the Host? If so how can you find such leak?

dandwad
Posts: 1
Joined: 2015-04-22 14:29

Re: [SOLVED] VirtualBox guest-only internet access

#11 Post by dandwad »

"Hello. I have been trying to accomplish the same thing.. for when I am on the road and not behind my PFsense router, as VNC can be slow.

I like the water pipe analogy (thanks!!).. just made me think of a possible solution for this..

:idea: ..what if I disable all networking on the host laptop.. insert a USB wifi stick on the Host USB port and give it to VirtualBox? Then connect to the internet only through it from a Guest OS?
"

How do you give it to VirtualBox? You have to use host software.

You miss the point. The host OS has to see the NIC to pass the data to the guest. There has to be software that reads the signals (1's and 0's) then turns them into frames then packets & segments then into streams (each one of these is a separate process) then into the data that is pooled into a memory space. This software runs in the host OS.

Adding the wifi stick is just getting another sewer connection from the city to your house - and to the main plumbing input. You can pull 1000 lines (NICs) to your house, but if they all have to connect to the house main (which is the way the houses are built), then you can't bypass the house plumbing. What has been mentioned that would appear to work is to leave the Host OS having access to the card BUT only at the physical and datalink levels: turn off TCP/IP on the host but turn it on for the guest. This means the host would never ask for the IP/network parameters and be 'invisible' to the network (and probing, DDoS, etc.)

"Could this be like adding another I/O pipe? Would this "bypass" the Host? Of course all traffic would be going through -->USB wifi stick--> Host --> VM. But as far as I know VirtualBox would have exclusive access to the USB stick(?), could it "leak" to the Host? If so how can you find such leak?"

You are thinking like the VB guest is real. It's not. It runs within the host. It can only exist if the host exists. It's a shadow. You can have a person without a shadow, but not a shadow without a person.

People seem to think the HOST-GUEST are more of a Kangaroo mother and child. They both have access to the info coming to the pocket, but have separate processing. It's not, it's more of a pregnant mother. The child only can perceive what the mother passes on in physical motion, chemicals and electrical responses. You are wanting to pass information to the baby without touching the mother at all. Anything you do to the baby has to go through the mother first; the mother can live without the baby, but the baby cannot live without the mother.

Cancer is another analogy that might help. That which is poisonous to the host is poisonous to the cancer. But the reverse is also true. That's why chemotherapy and radiation can kill both the cancer and the host. You want to deliver the chemo without touching the host. But because the guest is parasitic to the host, you can't pass info ONLY to the guest. The only way to get this effect (not the actual event, but the perceived event) includes using chemicals that the host has no reaction to but the cancer does; which is extremely hard because the cancer is made of the same thing as the host.

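Post #10 asks how to find a "leak" to the host, and post #11 describes leaving the host NIC up with TCP/IP turned off. One way to check the host side of that, as an added example that is not part of any post in this thread: parse `ip -o addr show` and `ip route show` output and report any non-loopback address or default route the host still holds. The sample text is constructed and the function names are hypothetical; a host that passes still handles every guest frame in its own kernel and VirtualBox driver, so this verifies IP-level silence only.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Checks whether the host itself still speaks IP on any NIC.

# Constructed sample of `ip -o addr show` (trimmed). Interfaces with no
# address are simply absent from this output.
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
1: lo    inet6 ::1/128 scope host
3: wlan0    inet 192.168.1.23/24 brd 192.168.1.255 scope global wlan0
3: wlan0    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link'

# Constructed sample of `ip route show`.
SAMPLE_ROUTE='default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23'

# stdin: `ip -o addr show` text. Prints "iface family address" for every
# non-loopback address, including the IPv6 link-local ones the kernel
# assigns by itself when an interface comes up.
host_l3_addrs() {
    awk '$2 != "lo" && ($3 == "inet" || $3 == "inet6") { print $2, $3, $4 }'
}

# stdin: `ip route show` text. Prints the interface of each default route.
host_default_routes() {
    awk '$1 == "default" { for (i = 1; i < NF; i++) if ($i == "dev") print $(i + 1) }'
}

# $1 = addr text, $2 = route text. Returns 0 only if the host has no
# non-loopback address and no default route.
host_is_l3_silent() {
    [ -z "$(printf '%s\n' "$1" | host_l3_addrs)" ] &&
        [ -z "$(printf '%s\n' "$2" | host_default_routes)" ]
}

if host_is_l3_silent "$SAMPLE_ADDR" "$SAMPLE_ROUTE"; then
    echo "host holds no IP address and no default route"
else
    echo "host still has a layer-3 presence:"
    printf '%s\n' "$SAMPLE_ADDR" | host_l3_addrs
fi
# On a real host:
#   host_is_l3_silent "$(ip -o addr show)" "$(ip route show; ip -6 route show)"
```

The link-local `inet6` entry is the one most often missed: flushing the IPv4 address leaves it in place unless IPv6 is also disabled on that interface (`net.ipv6.conf.<iface>.disable_ipv6=1`).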