casualsnek / cassowary

Run Windows applications on Linux as if they are native. Use Linux applications to launch files located in the Windows VM without needing to install applications on the VM. With an easy-to-use configuration GUI.
GNU General Public License v2.0
2.93k stars 78 forks

Disable internet access for Windows 10 guest #76

Closed artyom-u closed 2 years ago

artyom-u commented 2 years ago

Dear Casualsnek, Dear All, Firstly, thanks for the great software! I'm new to Github and hope you find my question acceptable. I need to disable internet access on the Windows 10 Enterprise guest (without messing Cassowary up - i.e. so that everything would continue working nicely). My laptop is running Ubuntu 22.04. I am not that savvy with programming, but could follow your kind directions (e.g. like in your readme file). Any advice is greatly appreciated. Once again, many thanks for Cassowary. It is great!

casualsnek commented 2 years ago

I think you can restrict internet access to applications with Windows Firewall without causing Cassowary to stop. If you get into problems or firewall, please send a reply here or e-mail me. Sorry if I took long to respond, I am slightly busy in my college works since few weeks!

artyom-u commented 2 years ago

Thanks!

For privacy purposes I would like to block access to the Windows virtual machine completely (applications would not be enough).

I found recommendations to a) delete certain iptables rules and to b) 'block the samba port directly from the router (with the router interface, or if you have a shell access to it with the command line firewall).' (copied these in the details below) (source: https://unix.stackexchange.com/questions/418871/qemu-how-to-disable-guests-access-to-public-internet-but-preserve-their-access)

Would you advise this one (given how Cassowary works), or do you see a better solution? Many thanks! Good luck with your college work. Yes, I have also been quite busy lately.

Details

When you launch the virtual machine you'll find yourself with the following iptables rules on your host (if you don't already have some):

```
$ iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
```

This configuration allows the virtual machine to access internet (FORWARD rules). So what you want to do is delete the FORWARD rules:

```
$ iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
3    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
2    ACCEPT     all  --  192.168.122.0/24     anywhere
3    ACCEPT     all  --  anywhere             anywhere
4    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
5    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc

$ iptables -D FORWARD 1
$ iptables -D FORWARD 2
$ iptables -D FORWARD 3
$ iptables -P FORWARD DROP
```

This should actually suffice to block internet access to the virtual machine.

If you're paranoid you can block the samba port directly from the router (with the router interface, or if you have a shell access to it with the command line firewall).

(source: https://unix.stackexchange.com/questions/418871/qemu-how-to-disable-guests-access-to-public-internet-but-preserve-their-access)

artyom-u commented 2 years ago

Hey! So I have found a solution. Basically, an easy way is to change the type of Virtual network that the machine uses. You need an Isolated network.

To do so, select the Windows virtual machine that you created in the main list of machines in the Virtual Machine Manager window. Select Edit - Connection Details. Then create a new Isolated network. Close this window.

Then go to the Virtual Hardware Details page of your virtual machine, there in the NIC section, select Isolated, instead of default Network Source.

I am testing this configuration, seems to work.
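
A command-line counterpart to the isolated-network steps in the last comment, added here as an example; it is not part of the original thread or of the Cassowary project. The network name `isolated0`, bridge `virbr10` and the 192.168.100.0/24 subnet are assumed values. The script creates the network with `virsh` and then audits which networks a guest's NICs are attached to.

```shell
#!/usr/bin/env bash
# Added example. Assumed names (not from the thread): network "isolated0",
# bridge "virbr10", subnet 192.168.100.0/24.

# Emit libvirt network XML. With no <forward> element libvirt creates an
# isolated network: guests reach the host and each other, nothing is routed out.
isolated_net_xml() {
  cat <<EOF
<network>
  <name>${1:-isolated0}</name>
  <bridge name='${2:-virbr10}'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.100.10' end='192.168.100.100'/>
    </dhcp>
  </ip>
</network>
EOF
}

# Read network XML on stdin; succeed only if it has no <forward> element.
net_is_isolated() {
  ! grep -q '<forward'
}

# Define, start and autostart the isolated network (needs libvirt privileges).
create_isolated_net() {
  local name=${1:-isolated0} xml
  xml=$(mktemp)
  isolated_net_xml "$name" > "$xml"
  virsh net-define "$xml" && virsh net-start "$name" && virsh net-autostart "$name"
  rm -f "$xml"
}

# Check every libvirt network that a domain's NICs are attached to.
# Returns non-zero if any of them forwards traffic (NAT, route, bridge...).
audit_domain() {
  local dom=$1 net rc=0
  for net in $(virsh domiflist "$dom" | awk '$2 == "network" {print $3}'); do
    if virsh net-dumpxml "$net" | net_is_isolated; then
      echo "OK: $net is isolated"
    else
      echo "WARN: $net forwards traffic"; rc=1
    fi
  done
  return $rc
}
```

After `create_isolated_net`, switch the guest's NIC to the new network as described above, then run `audit_domain <vm-name>` to confirm no NIC is still attached to a forwarding network such as `default`.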