Sandbox a VMware Virtual Machine With iptables
Occasionally I need to play with an experimental machine using VMware Workstation on my Linux host. The virtualization already sandboxes my disks, memory, and other resources. However, I only have 3 choices for networking: Bridged, NAT, and host-only.
- Bridged is often unacceptable for experimentation because of its unrestricted nature. It also does not pass through the kernel's standard netfilter interfaces, so it cannot be filtered there.
- NAT is often unacceptable because I cannot control its filtering policies. It runs a separate daemon to handle the address translation, which blocks many of my filtering options in iptables.
- Host-only is almost never acceptable, since I rarely do any experimentation that doesn't require a network interface to the network outside my machine.
My favorite solution is to use the host-only networking option and configure my host machine to NAT and route the traffic. This gives me extreme control over the network policies, addresses, etc., all with a familiar iptables interface.
To accomplish this, a few steps need to happen:
- Configure your virtual machine to use host-only networking.
- Enable IP forwarding on your host:
    echo 1 > /proc/sys/net/ipv4/ip_forward
- Add the address you want your virtual machine to use on your network as an alias to your real interface:
    ifconfig eth0:0 10.49.220.40 netmask 255.255.252.0
- Add a NAT rule with iptables to translate packets from the virtual machine to this new address. The POSTROUTING chain has no input interface (iptables rejects -i there), so match on the host-only subnet with -s instead, substituting the subnet VMware assigned to vmnet1:
    iptables -t nat -A POSTROUTING -s <vmnet1 subnet> -o eth0 -j SNAT --to-source 10.49.220.40
- Add any rules you wish to impose to the FORWARD chain in the default filter table. The example here defaults to DROP all packets, but allows DNS to a DNS server and all traffic to a host for the experiment. The first ACCEPT rule lets the replies to those allowed connections back in; without it the replies are dropped too:
    iptables -P FORWARD DROP
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -d 10.49.1.25 -p udp --dport 53 -j ACCEPT
    iptables -A FORWARD -d 10.49.1.26 -j ACCEPT
Now your experiment will come from your chosen IP, as you would have wanted with bridged mode, but you get the awesome power and flexibility of filtering it via iptables. Great for playing with Windows and its included vulnerabilities.
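The whole procedure above as one script, added here as an example and not the post's own code. It generates the setup commands as text so they can be reviewed before anything is applied, deletes exactly the rules it added on teardown, accepts replies with a conntrack rule, and logs every forwarded packet the VM sends that the policy drops, so the kernel log shows what the experiment tried to reach. The interface names, the vmnet1 subnet 192.168.100.0/24 and the addresses are constructed placeholders; it uses iproute2's ip for the alias address where the post used ifconfig.

```shell
#!/bin/sh
# Added example, not the post's own code: the host-side sandbox as one script.
# Interface names, the vmnet1 subnet and the addresses are constructed
# placeholders; adjust them to your network before running "apply".
set -eu

HOST_IF="eth0"              # real NIC on the Linux host
VM_IF="vmnet1"              # VMware host-only interface on the host
VM_NET="192.168.100.0/24"   # subnet VMware assigned to vmnet1 (assumed)
VM_PUBLIC="10.49.220.40/22" # alias address the VM appears as (255.255.252.0 = /22)
DNS_SERVER="10.49.1.25"
TARGET_HOST="10.49.1.26"

# One rule per line as "<table> <chain> <match and target>", without the
# -A/-D verb, so the same list is appended on setup and deleted on teardown.
# POSTROUTING has no input interface, so the NAT rule matches the VM subnet
# with -s; FORWARD does have one, so its rules can pin -i/-o as well.
rule_specs() {
    cat <<EOF
nat POSTROUTING -s $VM_NET -o $HOST_IF -j SNAT --to-source ${VM_PUBLIC%/*}
filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
filter FORWARD -i $VM_IF -o $HOST_IF -s $VM_NET -d $DNS_SERVER -p udp --dport 53 -j ACCEPT
filter FORWARD -i $VM_IF -o $HOST_IF -s $VM_NET -d $TARGET_HOST -j ACCEPT
filter FORWARD -i $VM_IF -j LOG --log-prefix "vm-sandbox-drop: "
EOF
}

# Turn the spec list into iptables commands; $1 is -A (append) or -D (delete).
emit_rules() {
    rule_specs | while read -r table chain spec; do
        printf 'iptables -t %s %s %s %s\n' "$table" "$1" "$chain" "$spec"
    done
}

# Setup commands, printed rather than run. Forwarding is switched on last so
# no packet is routed before the DROP policy and the rules are in place.
build_setup() {
    echo "ip addr add $VM_PUBLIC dev $HOST_IF label $HOST_IF:0"
    echo "iptables -P FORWARD DROP"
    emit_rules -A
    echo "sysctl -w net.ipv4.ip_forward=1"
}

# Reverse of build_setup: stop forwarding first, then remove exactly the
# rules added above (leaving any unrelated host rules alone) and the alias.
build_teardown() {
    echo "sysctl -w net.ipv4.ip_forward=0"
    emit_rules -D
    echo "iptables -P FORWARD ACCEPT"
    echo "ip addr del $VM_PUBLIC dev $HOST_IF"
}

case "${1:-show}" in
    show)     build_setup ;;              # print what "apply" would run
    apply)    build_setup | sh -e ;;      # needs root
    teardown) build_teardown | sh -e ;;   # needs root
    *) echo "usage: $0 [show|apply|teardown]" >&2; exit 2 ;;
esac
```

Run it with no argument to see the generated commands, with apply as root to install them, and with teardown to remove them again. While the VM runs, lines prefixed "vm-sandbox-drop:" in the kernel log (dmesg or the syslog kernel facility) record each connection attempt the policy refused, which is usually the most informative output of the whole exercise.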
Posted: August 27th, 2007.
Tags: Linux/BSD, Work
Comment from Andy
Time December 8, 2007 at 11:43 am
I tried to add the post routing rule but iptables complained -
“iptables v1.3.6: Can’t use -i with POSTROUTING”
Thought you’d like to know.
Andy