[ale] VMWare and Firewall

David A. De Graaf dad at datix.us
Mon Jun 4 15:47:03 EDT 2007


On Mon, Jun 04, 2007 at 03:13:00PM -0400, Robert L. Harris wrote:
> 
> 
> That's a problem as some of the VM's are windows boxes and we don't want to trust
> them to protect themselves.
> 
> 
> Thus spake Jim Popovitch (yahoo at jimpop.com):
> 
> > On Mon, 2007-06-04 at 15:01 -0400, Robert L. Harris wrote:
> > > 
> > >   It is bridged.  I'm running the firewall on the host OS.  So I would need
> > > to apply it to "vmnet1" or "vmnet8" ?  running tcpdump on these interfaces
> > > doesn't show any traffic.
> > 
> > You need to add iptables rules inside each virtual machine.  The host
> > can not protect the bridged interface.
> > 

You might try 'host-only' networking instead.  This creates a little
two-station virtual network inside the host - only the host and the
virtual guest reside on it, with a separate network number.
Then activate ip forwarding in the host so traffic is forwarded
between the vmnet0 interface and the other network interface: 
In /etc/sysctl.conf set
  # Controls IP packet forwarding
  net.ipv4.ip_forward = 1
Then all traffic from the virtual guest is forwarded by the host (and
passes through the host's iptables rules).

As far as I know, bridged networking doesn't work at all when the host
uses a wireless connection.  Host-only works fine.

For the virtual guest to access the internet through the LAN's connection
(which you may not want to allow), I've found it necessary for the host
to do masquerading for all non-local traffic from the guest, e.g.:

    # Flush the existing filter and nat rules before adding the new ones
    iptables -F
    iptables -t nat -F
    # Masquerade guest traffic bound anywhere except the local LAN; the
    # destination needs a prefix length (assumed /16 here), since a bare
    # 192.168.0.0 matches only that single address
    iptables -t nat -A POSTROUTING -s 192.168.21.0/24 \
      ! -d 192.168.0.0/16 -j MASQUERADE

-- 
	David A. De Graaf    DATIX, Inc.    Hendersonville, NC
	dad at datix.us         www.datix.us
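The host-only setup described in the message above, carried through as a complete host-side rule set. This is an added example, not code from the original post or from VMware: it assumes vmnet1 is the host-only interface (the VMware default for host-only networking), eth0 is the host's uplink, the guest network is 192.168.21.0/24 as in the post, and the physical LAN is 192.168.0.0/16. The FORWARD chain is where the host actually filters the guests, which is the point of running the firewall on the host; the example's policy (DNS, HTTP and HTTPS only, everything else logged and dropped) is illustrative. The cidr_ok check exists because iptables treats an address without a prefix length as a single /32 host, so a "non-local" exclusion written as a bare 192.168.0.0 would masquerade almost all LAN traffic too.

```shell
#!/bin/sh
# Added example, not code from the original post: build (and optionally
# apply) the host-side rules that let a VMware host-only guest reach the
# LAN/Internet only through the host's iptables. Assumptions: vmnet1 is
# the host-only interface, eth0 is the host's uplink, the guest network
# is 192.168.21.0/24 and the physical LAN is 192.168.0.0/16.

# cidr_ok A.B.C.D/N -> exit 0 if the string is a well-formed IPv4 CIDR.
# Every address handed to -s/-d must carry a prefix length: iptables
# treats a bare "192.168.0.0" as a /32, i.e. one host, not the LAN.
cidr_ok() {
  case "$1" in
    *[!0-9./]*|*/|/*|*/*/*|*..*|.*|*.|*./*) return 1 ;;
    */*) ;;
    *) return 1 ;;
  esac
  addr=${1%/*}
  plen=${1##*/}
  [ "$plen" -ge 0 ] 2>/dev/null && [ "$plen" -le 32 ] || return 1
  n=0
  old_ifs=$IFS
  IFS=.
  for o in $addr; do
    n=$((n + 1))
    [ "$o" -le 255 ] 2>/dev/null || { IFS=$old_ifs; return 1; }
  done
  IFS=$old_ifs
  [ "$n" -eq 4 ]
}

# gen_rules GUEST_NET LAN_NET VM_IF LAN_IF -> prints the commands to stdout
# (exit 1 if either network is not a valid CIDR). The FORWARD rules are the
# host's policy for the guests; the nat rule only rewrites the source of
# guest traffic leaving the uplink toward non-LAN destinations.
gen_rules() {
  guest=$1; lan=$2; vm_if=$3; lan_if=$4
  cidr_ok "$guest" || { echo "bad guest network: $guest" >&2; return 1; }
  cidr_ok "$lan"   || { echo "bad LAN network: $lan" >&2; return 1; }
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $vm_if -o $lan_if -s $guest -p udp --dport 53 -j ACCEPT
iptables -A FORWARD -i $vm_if -o $lan_if -s $guest -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A FORWARD -i $vm_if -o $lan_if -s $guest -j LOG --log-prefix "vm-fwd-drop: "
iptables -t nat -A POSTROUTING -s $guest ! -d $lan -o $lan_if -j MASQUERADE
EOF
}

# Dry run by default; APPLY=1 executes the printed commands (run as root).
if [ "${APPLY:-0}" = 1 ]; then
  gen_rules 192.168.21.0/24 192.168.0.0/16 vmnet1 eth0 | sh -e
else
  gen_rules 192.168.21.0/24 192.168.0.0/16 vmnet1 eth0
fi
```

Run it once without APPLY to review the rule set, then with APPLY=1 as root. The guest's default gateway must be the host's vmnet1 address for any of this to see traffic; with bridged networking the frames never traverse the host's IP stack, which is why tcpdump on vmnet1/vmnet8 showed nothing in the thread above.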


