Virtualization and Inverted Firewall

Discussion in 'sandboxing & virtualization' started by jrmhng, Oct 7, 2008.

Thread Status:
Not open for further replies.
  1. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Hi all,

    I was looking at a back episode of security now and came across this

    Source: Security Now Transcript at GRC.com

    Does anyone actually know how to implement this idea? Wouldn't it be awesome to run something like a gateway/firewall distro of Linux and use it as a firewall? You could even find something to do content filtering, VPN, HTTP scanning, etc.
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    Just read it ... sounds interesting ...

    Let's see if this is possible ... How I'd do it?

    Will require 2 NICs:

    First, make Windows use the VMware network (external vmnet driver) ... force the Windows network adapter to use the VMware IP as DNS / DHCP ... may require changing the MAC to the VMware range?

    Then, bridge between a second Windows network adapter and the VMware adapter ... force the bridge to use the ISP DNS / DHCP ... and then disable the second Windows network adapter.

    Could this work?

    Stem?

    If this works, I'll contact Leo ... or you can do this in my stead ...

    Mrk
     
  3. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Too easy :p

    A question on the NICs, do you mean 2 physical or 1 physical and 1 virtual?

    Thanks for the write up.
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    2 physical, 2 virtual - but only use the "external" virtual one.
    Mrk
     
  5. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    huangker,

    You can achieve this with only one physical NIC and 2 virtual NICs.
    Steps to take:
    - Create a virtual PC with two NICs: one bridged (1st) that will connect directly to the internet and one host-only (2nd).

    - On the host machine:
    a) disable the Internet Protocol (TCP/IP) on the physical NIC.
    b) configure the virtual NIC (the one that is used to communicate with the virtual PC) to use the IP of the virtual PC (the 2nd NIC above) as its default gateway.

    Panagiotis
     
  6. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Hi pandlouk

    Thanks for the response, but I'm still a little confused. Would you please explain again? Maybe if we used the following convention:

    V1 for the first virtual NIC
    V2 for the second virtual NIC
    P1 for the physical NIC.

    I currently use VirtualBox and have my computer connect through a wireless connection, and at uni.

    How will this setup work?

    Cheers
    Jeremy
     
  7. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    Hi Jeremy,

    OK, I will divide the info into 2 steps: one for the host machine and one for the virtual machine.
    Step 1 (host machine).
    P1: you must disable TCP/IP.
    V1: you should not do anything. This one will be used by the virtual PC to get a direct connection to the internet.
    V2: this will be used for the private network between the host and the guest. Let's assume that you have the IP 192.168.195.2 for your host machine and 192.168.195.3 for your guest machine. You must use the IP 192.168.195.3 as the default gateway (for the host machine).
    Step 2 (guest machine).
    P1: nothing to configure (you should not see it in the guest).
    V1: it should automatically connect to the internet.
    V2: it should communicate with the host through the private network and, as in the above example, should have the IP 192.168.195.3.

    Now the only thing that you have to do is to bridge V1 and V2 in the guest machine. All the traffic will be filtered by the guest firewall.

    hope it is clear now,
    Panagiotis

    Edit: the above works fine with VMware Server. If it does not work with VirtualBox, it means that you should add a V3 NIC and use it instead of V2 in the guest (in the guest you should see only V1 and V3).
     
    Last edited: Oct 12, 2008
  8. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Thanks for the write-up. How will V1 connect to the internet? Are V1 and P1 bridged on the host machine? My connection to the internet is via wireless. If I turn off TCP/IP etc., the host won't connect to the wireless. Will the wireless have to be configured through V1 in the guest or P1 in the host?
     
  9. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    You're welcome :)
    In VMware they are bridged through the VMware Bridge Protocol. I guess VirtualBox should use something similar too. It happens automatically, but you do not actually see the bridge.
    When V1 gets direct access to the host interface it works as a separate NIC. It gets a different IP from the external DHCP server.
    You will have to configure it on V1 in the guest.

    Panagiotis
     
  10. jrmhng

    jrmhng Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    1,268
    Location:
    Australia
    Thanks again! I'm trialling VMware, so maybe you can give me some specific VMware advice? Also, does this mean that V1 and P1 are actually bridged in the host machine and V1 and V2 are bridged in the guest?
     
  11. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,549
    On VMware you should create a new virtual machine with the following NICs:
    Network Adapter: Bridged
    Network Adapter 2: Host-only

    Then on your host machine you must configure the gateway of the VMware Network Adapter VMnet1. (Check the VMware network editor to find which adapter is used for host-only.)

    And on your guest machine you bridge the 2 adapters.

    Panagiotis
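
    Added example (written for this edit, not code posted by anyone in the thread): once the host is set up the way the steps in posts 7 and 11 describe, the thing worth verifying is that the host has no path to the internet except through the guest. The script below parses Linux-style `ip -4 -o addr` and `ip -4 route` output and reports every bypass: an IPv4 address left on P1 (TCP/IP not actually disabled), a default route that does not go to the guest's address on the host-only adapter (for example one that DHCP on P1 installed), and a guest gateway that is not on the host-only subnet. It assumes a Linux host whose P1 is eth0 and whose host-only adapter is vmnet1 (VMware's default name), with the thread's addresses (host 192.168.195.2, guest 192.168.195.3); the sample outputs embedded in it are constructed. On a Windows host the same three checks apply, but against `ipconfig` and `route print`, which this script does not parse.

```python
"""Audit the host side of the 'inverted firewall' layout discussed above.

Added example, not posted in the thread. Assumes a Linux host whose
host-only adapter is vmnet1 (VMware's default name), whose P1 is eth0, and
the addressing from the thread: host 192.168.195.2, guest 192.168.195.3.
"""
import ipaddress
import re
import subprocess
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HostPlan:
    physical_if: str    # P1: must carry no IPv4 address (TCP/IP disabled)
    hostonly_if: str    # V2 on the host: the host-only adapter
    guest_gateway: str  # the guest's V2 address, the host's only default gateway


@dataclass
class Audit:
    findings: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_addrs(text: str) -> dict:
    """Map interface name -> IPv4 interfaces, from `ip -4 -o addr` output."""
    addrs: dict = {}
    for line in text.splitlines():
        m = re.match(r"\s*\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            addrs.setdefault(m.group(1), []).append(ipaddress.ip_interface(m.group(2)))
    return addrs


def parse_default_routes(text: str) -> list:
    """Return (gateway, device) for every default route in `ip -4 route` output."""
    routes = []
    for line in text.splitlines():
        m = re.match(r"default via (\S+) dev (\S+)", line.strip())
        if m:
            routes.append((m.group(1), m.group(2)))
    return routes


def audit_host(plan: HostPlan, addr_text: str, route_text: str) -> Audit:
    """Check that every host packet must cross the guest before reaching P1."""
    audit = Audit()
    addrs = parse_addrs(addr_text)

    # 1. P1 with an IPv4 address still speaks IP on the ISP side: that is the bypass.
    for iface in addrs.get(plan.physical_if, []):
        audit.findings.append(f"{plan.physical_if} still has {iface}: TCP/IP not disabled on P1")

    # 2. Only one default route is acceptable: via the guest's address, out of V2.
    routes = parse_default_routes(route_text)
    if not routes:
        audit.findings.append("no default route: host has no path to the guest")
    for gw, dev in routes:
        if gw != plan.guest_gateway or dev != plan.hostonly_if:
            audit.findings.append(f"default route via {gw} dev {dev} bypasses the guest firewall")

    # 3. The guest gateway has to be reachable on the host-only subnet.
    hostonly = addrs.get(plan.hostonly_if, [])
    if not hostonly:
        audit.findings.append(f"{plan.hostonly_if} has no IPv4 address: host-only link down")
    elif not any(ipaddress.ip_address(plan.guest_gateway) in i.network for i in hostonly):
        audit.findings.append(f"guest gateway {plan.guest_gateway} is not on {plan.hostonly_if}'s subnet")
    return audit


def audit_live(plan: HostPlan) -> Audit:
    """Run the audit against the running host (needs the Linux `ip` tool)."""
    addr_text = subprocess.run(["ip", "-4", "-o", "addr"], capture_output=True, text=True, check=True).stdout
    route_text = subprocess.run(["ip", "-4", "route"], capture_output=True, text=True, check=True).stdout
    return audit_host(plan, addr_text, route_text)


PLAN = HostPlan(physical_if="eth0", hostonly_if="vmnet1", guest_gateway="192.168.195.3")

# Constructed sample output: the layout from the thread, done correctly.
GOOD_ADDRS = """\
1: lo    inet 127.0.0.1/8 scope host lo
4: vmnet1    inet 192.168.195.2/24 brd 192.168.195.255 scope global vmnet1
"""
GOOD_ROUTES = """\
default via 192.168.195.3 dev vmnet1
192.168.195.0/24 dev vmnet1 proto kernel scope link src 192.168.195.2
"""

# Constructed sample output: TCP/IP left enabled on eth0, and DHCP on eth0
# installed a second default route that skips the guest entirely.
BAD_ADDRS = GOOD_ADDRS + "2: eth0    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0\n"
BAD_ROUTES = "default via 192.168.1.1 dev eth0 proto dhcp metric 100\n" + GOOD_ROUTES

if __name__ == "__main__":
    for label, a, r in (("good", GOOD_ADDRS, GOOD_ROUTES), ("bad", BAD_ADDRS, BAD_ROUTES)):
        result = audit_host(PLAN, a, r)
        print(label, "OK" if result.ok else result.findings)
```

    The second sample is the case that bites in practice: leaving the physical adapter's IP stack enabled lets DHCP hand it an address and a default route, and because that route usually carries a lower metric than the static one to the guest, the host quietly goes straight out through P1 while the VM firewall sees nothing. Run `audit_live(PLAN)` after every reboot or network change, not just once at setup.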
     