I've created a firewall using a script posted under http://ubuntuforums.org/showthread.php?t=159661
#!/bin/bash
# No spoofing: enable reverse-path filtering on every interface
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
        echo 1 > "$filtre"
    done
fi
# No icmp: ignore echo requests (unicast and broadcast)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# load some modules you may need
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe iptable_filter
modprobe iptable_nat
# Remove all rules and chains
iptables -F
iptables -X
# first set the default behaviour => accept connections
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Create 2 chains, it allows to write a clean script
iptables -N FIREWALL
iptables -N TRUSTED
# Allow ESTABLISHED and RELATED incoming connections
iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FIREWALL -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow loopback traffic
iptables -A FIREWALL -i lo -j ACCEPT
# Send all packets to the TRUSTED chain
iptables -A FIREWALL -j TRUSTED
# DROP all other packets
iptables -A FIREWALL -j DROP
# Send all INPUT packets to the FIREWALL chain
iptables -A INPUT -j FIREWALL
# DROP all forward packets, we don't share internet connection in this example
iptables -A FORWARD -j DROP
# Allow NETBIOS for samba (only eth0)
iptables -A TRUSTED -i eth0 -p udp -m udp --dport 137 -j ACCEPT
iptables -A TRUSTED -i eth0 -p udp -m udp --dport 138 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 139 -j ACCEPT
# Allow https
# Note: replies to outgoing https are already accepted by the ESTABLISHED,RELATED
# rules above; these --sport 443 rules accept any inbound packet with source port
# 443 regardless of connection state, so they are both redundant and weaker.
iptables -A TRUSTED -i eth0 -p udp -m udp --sport 443 -j ACCEPT
iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 443 -j ACCEPT
iptables -A TRUSTED -i eth1 -p udp -m udp --sport 443 -j ACCEPT
iptables -A TRUSTED -i eth1 -p tcp -m tcp --sport 443 -j ACCEPT
# End message
echo " [End iptables rules setting]"
All works fine between host and windows guests, but I can't access other machines via the NETBIOS protocols.
What do I have to add to the script (a virtual device, e.g.) to make it work? If the firewall is disabled everything is ok.
open ports 135 and 445 too
There's NO connection via eth0 or eth1 established. The only network which is available is the 'host only'.
I think it must be something like
# Allow NETBIOS for samba (only vmnet)
iptables -A TRUSTED -i </dev/vmnet?> -p udp -m udp --dport 137 -j ACCEPT
iptables -A TRUSTED -i </dev/vmnet?> -p udp -m udp --dport 138 -j ACCEPT
iptables -A TRUSTED -i </dev/vmnet?> -p tcp -m tcp --dport 139 -j ACCEPT
but </dev/vmnet?> is not a physical network device.
If a cable is plugged in, the guest OS is using a bridged network and everything works fine (with that firewall script).
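Filling in the placeholder rules above, as an added example that is not from this thread: iptables -i matches an interface name as listed by `ip link` (on a Linux VMware host the host-only adapter is normally vmnet1 and the NAT adapter vmnet8), not a /dev path. The script below assumes that naming, discovers the vmnet interfaces present, and emits the TRUSTED-chain rules for them, including ports 135 and 445 from the earlier reply.

```bash
#!/bin/bash
# Added example, not the original poster's script. Assumes VMware's host-only
# adapter appears as vmnet1 (NAT as vmnet8); adjust if your host differs.

# List vmnet interfaces present on this host (empty when none are up).
vmnet_ifaces() {
    for d in /sys/class/net/vmnet*; do
        [ -e "$d" ] || continue
        basename "$d"
    done
    return 0
}

# Print the TRUSTED-chain rules allowing SMB/NETBIOS from guests on one interface:
# 137/138 udp (name service, datagram), 139 tcp (session), plus 135 and 445 tcp
# (RPC endpoint mapper, SMB over TCP) as suggested in the thread.
netbios_rules_for() {
    iface=$1
    case $iface in
        /dev/*) echo "iptables -i takes a name like vmnet1, not $iface" >&2; return 1 ;;
    esac
    for p in 137 138; do
        echo "iptables -A TRUSTED -i $iface -p udp -m udp --dport $p -j ACCEPT"
    done
    for p in 135 139 445; do
        echo "iptables -A TRUSTED -i $iface -p tcp -m tcp --dport $p -j ACCEPT"
    done
}

# Insert the rules for every vmnet interface found, echoing each one first so
# the operator sees exactly what was added to the TRUSTED chain (needs root).
apply_vmnet_rules() {
    for i in $(vmnet_ifaces); do
        netbios_rules_for "$i" | while read -r cmd; do
            echo "+ $cmd"
            $cmd
        done
    done
}

# Dry run by default: only print the rules. Pass --apply to insert them.
if [ "${1-}" = "--apply" ]; then
    apply_vmnet_rules
else
    for i in $(vmnet_ifaces); do netbios_rules_for "$i"; done
fi
```

Run it once with the firewall script loaded so the TRUSTED chain exists; the rules must come before the final DROP in FIREWALL, which the chain jump already guarantees.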
The host-only network is presented to the guest OS as an "eth#" device. The guest has no idea that it's talking on a host-only net...it's just another interface that it's talking Ethernet on.
The host-only network is presented to the guest OS as an "eth#" device.
This is right. For that reason I configured 2 ethernet devices in the virtual windows machines: an ethernet device (bridged) and one ethernet device (host only).
If an ethernet connection is established, I use a hardware profile with the bridged network and the firewall.
If no ethernet connection is established, I use a hardware profile with the host only network to access the host, but the firewall must be deactivated.
Why don't you use NAT instead?
No need for dealing with different profiles and multiple NICs.
What happens with NAT in the case that NO network resource is available on the host system (e.g. no cable plugged in)? Does the 'internal network' between various virtual machines work or not?
It works. Your VMs only can't connect to systems outside of the NAT network.
One of the reasons to use NAT is a host with changing networks
(a laptop with WLAN and "normal" network access is a good example for this).
Until now I only had experience with bridged networks (servers with static IP addresses). For my kind of virtualisation NAT is the best solution.
Thanks a lot for that clue.