How to give a VirtualBox guest access to an external internet port but not the internal network?

I want to install a VirtualBox guest that will host Asterisk. I want it to be able to communicate with the outside world on specific ports (so it can handle calls) but have zero access to the internal network or any other computers or even any other ports to the outside world (and I don’t even want it to have access to the router). I want it locked down and stripped of any rights it doesn’t need. So if it should get hacked, they couldn’t do anything to my network and can’t even send spam or data except through the ports reserved for Asterisk (hopefully limiting damage).

Is this possible? How would I do this?

You can try something that is similar to what is described here

If you have a dedicated firewall in your LAN, you can do what you want. I cannot tell you how to do it precisely with Linux because I don’t use iptables, but I could do it with pf rules on my OpenBSD firewall. I assume that you could write similar rules for iptables. I suggest you learn iptables when you get some time.

Whether you use a virtual (bridged) or a real machine is not relevant. This is not a virtualization but a firewall problem.

  • Didn’t say it’s the only way, but probably the cleanest and safest.


I’m going to learn iptables. After I learn iptables, would you be willing to post more about what you did in OpenBSD so I can translate it to iptables?

On 2013-02-03 02:16, 6tr6tr wrote:
> Is this possible? How would I do this?

Perhaps AppArmor; I believe they wanted to do networking constraints,
but I have no idea how.

Cheers / Saludos,

Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)

The simple solution:
Deploy your VM (and likely the entire virtual network) in a firewall DMZ. The requirements you state are common, so they should actually conform entirely with a typical DMZ configuration (restricted access to the Internet, no default access to the Internal zone).

Although SUSE Firewall meets your currently stated requirements, if you envision more requirements in the future, like stateful packet inspection, content and anti-hacking filtering, you may want to consider a more robust firewall than one based on iptables.


Am I right that you’re suggesting I put the iptables settings on the guest OS? What about locking it down outside the guest OS? What can I do there?

This setting is usually made on your edge firewall. So, for instance, if your VirtualBox host is also the Internet gateway for your network, then you would configure the DMZ using SUSE Firewall on the same host box.

If your VirtualBox host isn’t on the edge, i.e. the box isn’t configured with a public IP address on one of the interfaces, then the possible configurations are enormous and could fill pages, so you’d have to describe specific details of how your host and guest are set up.

As always, configuring iptables (likely using SUSE Firewall) in the guest is optional but only protects the guest itself, so it has nothing to do with firewall zones.


BTW - Assuming you will be using SIP with your Asterisk, you should know that you will likely want to configure a public IP address on that box; special procedures are required to cross NAT and PAT.
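To make the "host as edge firewall" case above concrete, here is an added example (not from any poster in this thread, and not a SUSE Firewall configuration) of the iptables rules such a DMZ would consist of. It assumes the guest is attached to a VirtualBox host-only network rather than a bridged one, so that every packet between the guest and anything else is routed through the host and therefore passes the host's FORWARD chain (on a bridged adapter the guest sits directly on the LAN segment and the host's firewall never sees guest-to-LAN traffic). The interface names (eth0, vboxnet0), the guest address 192.168.56.10, and the RTP port range 10000-20000 (Asterisk's default rtp.conf range) are assumptions; adjust them to your setup. The script only prints the rules so they can be reviewed; `apply_dmz_rules` pipes them to a shell as root.

```shell
#!/bin/sh
# Assumed (hypothetical) topology: the VirtualBox host is the Internet
# gateway, WAN_IF carries the public address, DMZ_IF is the host-only
# adapter the Asterisk guest is attached to, and GUEST_IP is its address.
WAN_IF=eth0
DMZ_IF=vboxnet0
GUEST_IP=192.168.56.10
SIP_PORT=5060            # SIP signalling (UDP)
RTP_RANGE=10000:20000    # assumed to match rtpstart/rtpend in rtp.conf

# Emit one iptables command line; collected output is a reviewable ruleset.
rule() { printf 'iptables %s\n' "$*"; }

dmz_rules() {
    # Replies to connections that were allowed are accepted statefully.
    rule -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Internet -> guest: only SIP signalling and RTP media may come in.
    rule -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$GUEST_IP" -p udp --dport "$SIP_PORT" -j ACCEPT
    rule -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$GUEST_IP" -p udp --dport "$RTP_RANGE" -j ACCEPT

    # guest -> any private range (LAN hosts, the router): dropped before
    # any outbound rule can match, so no "allow" below can leak into the LAN.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        rule -A FORWARD -i "$DMZ_IF" -s "$GUEST_IP" -d "$net" -j DROP
    done

    # guest -> Internet: only SIP (trunk registration) and RTP may go out.
    rule -A FORWARD -i "$DMZ_IF" -s "$GUEST_IP" -o "$WAN_IF" -p udp --dport "$SIP_PORT" -j ACCEPT
    rule -A FORWARD -i "$DMZ_IF" -s "$GUEST_IP" -o "$WAN_IF" -p udp --dport "$RTP_RANGE" -j ACCEPT

    # Everything else the guest tries to send is logged, then dropped.
    rule -A FORWARD -i "$DMZ_IF" -j LOG --log-prefix '"DMZ-GUEST-DROP: "'
    rule -A FORWARD -i "$DMZ_IF" -j DROP

    # The guest may not talk to the host itself either.
    rule -A INPUT -i "$DMZ_IF" -s "$GUEST_IP" -j DROP

    # NAT: hide the guest behind the public address on the way out, and
    # steer inbound SIP/RTP from the public address to the guest.
    rule -t nat -A POSTROUTING -s "$GUEST_IP" -o "$WAN_IF" -j MASQUERADE
    rule -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport "$SIP_PORT" -j DNAT --to-destination "$GUEST_IP"
    rule -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport "$RTP_RANGE" -j DNAT --to-destination "$GUEST_IP"
}

# Number of iptables commands the ruleset contains (handy for a sanity check).
dmz_rule_count() { dmz_rules | grep -c '^iptables'; }

# Apply the ruleset; must run as root on the host.
apply_dmz_rules() { dmz_rules | sh; }

# Review before applying: sh this-script.sh prints the rules only.
dmz_rules
```

Two caveats a practitioner should keep in mind: if the SIP trunk is configured by hostname, the guest also needs DNS (UDP/TCP 53) to the outside, which this ruleset deliberately does not grant, so add an explicit rule for it rather than loosening the default drop; and the RTP range must be kept in sync with rtp.conf, or calls will connect but carry no audio. The DNAT rules are exactly the "NAT and PAT" crossing mentioned above; Asterisk itself still has to be told its public address (externip/localnet in sip.conf) so the addresses it writes into SIP and SDP match what the outside sees.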