# Virtualbox -> firewall (host) -> internet?

## Dheath

I'm trying to get the network traffic of VirtualBox virtual machines going through an iptables firewall. It seems that it is impossible to have a program-based firewall on Linux. So, now I'm trying to have the VM traffic going through a dummy tun/tap interface (vbox0) that is bridged to br0 (192.168.1.130). Also the host computer (eth0) is bridged through br0. So, the VB is set to "Bridged Adapter" with interface vbox0. The VM usually gets the IP 192.168.1.111.

Now that the iptables contains at the top of the chains:

```
-A INPUT -i vbox0 -p all -j DROP
-A OUTPUT -o vbox0 -p all -j DROP
```

These two rules do not get any packets matched when I use the VM, and the VM is freely connected to the Internet. Why?

/etc/conf.d/net

```
bridge_br0="eth0 vbox0"
config_eth0="null"

# VM:
tuntap_vbox0="tap"
tunctl_vbox0="-u dheath"
config_vbox0="null"

config_br0="dhcp"
dhcpcd_br0="-t 10"
rc_need_br0="net.eth0 net.vbox0"
brctl_br0="setfd 0","sethello 1","stp off"
```

I think I'm doing something horribly wrong here. But what exactly is it?

Also, if anyone has any better idea how to do this, I would gladly listen.

Last edited by Dheath on Wed May 26, 2010 2:02 pm; edited 1 time in total

----------

## erik258

I don't use virtualization - not yet anyway - and I'm not very experienced with bridging.  

But I do know that with CONFIG_BRIDGE_NF_EBTABLES, you can turn your ethernet bridge into a bridged firewall, or firewalled bridge, or whatever. 

I don't think it's typically possible to firewall a bridge with iptables, because bridging is a layer II thing and ip is a layer III thing.  But that's why the following exists in the kernel: 

```
networking support->networking options->Network packet filtering framework-> Ethernet Bridge tables (ebtables) support 
```

Using that, and some of the table and filter stuff below it, you should be able to filter out whatever traffic you don't want to get over the bridge.

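The bridge-port filtering erik258 describes, written out as an added example (this is not code from the thread or from VirtualBox). It is worth being explicit about why the INPUT/OUTPUT rules in the first post never match: a frame that enters on vbox0 and leaves on eth0 is switched by the bridge, so it is neither delivered to the host (INPUT) nor generated by it (OUTPUT). The ebtables FORWARD chain is where port-to-port frames are decided, and the rules below use it to stop the VM from spoofing another MAC or IP on the shared segment. The second function shows the iptables route for completeness: with `net.bridge.bridge-nf-call-iptables=1` bridged IPv4 packets do pass the iptables FORWARD chain, but with `-i br0`, so the port has to be matched with `-m physdev`. br0, vbox0 and 192.168.1.111 are taken from the post; the VM MAC and the tcp/25 block are constructed placeholders. Without root (or with `DRY_RUN=1`) the script only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original thread: bridge-port filtering for a VM.
# Assumed names: bridge br0, VM tap port vbox0, VM IP 192.168.1.111 (all from
# the post); VM MAC is a constructed placeholder (VirtualBox uses the 08:00:27 OUI).

BRIDGE=${BRIDGE:-br0}
VM_PORT=${VM_PORT:-vbox0}
VM_IP=${VM_IP:-192.168.1.111}
VM_MAC=${VM_MAC:-08:00:27:00:00:01}   # constructed placeholder
DRY_RUN=${DRY_RUN:-}                  # set to anything to print instead of apply

# Layer-2 policy for frames entering the bridge from the VM port. A bridged
# frame never hits iptables INPUT/OUTPUT; the ebtables FORWARD chain sees it.
# The first three rules pin the port to one MAC and one IP (no spoofing of the
# host or other LAN machines); the tcp/25 rule is a sample policy block.
ebtables_rules() {
    cat <<EOF
ebtables -P FORWARD ACCEPT
ebtables -A FORWARD -i $VM_PORT -s ! $VM_MAC -j DROP
ebtables -A FORWARD -i $VM_PORT -p ARP --arp-ip-src ! $VM_IP -j DROP
ebtables -A FORWARD -i $VM_PORT -p IPv4 --ip-src ! $VM_IP -j DROP
ebtables -A FORWARD -i $VM_PORT -p IPv4 --ip-proto tcp --ip-dport 25 -j DROP
ebtables -A FORWARD -i $VM_PORT -j ACCEPT
EOF
}

# iptables alternative: once bridge-nf-call-iptables is on, bridged IPv4
# packets traverse iptables FORWARD with -i/-o set to the bridge ($BRIDGE),
# so the physical port must be matched with the physdev module, not -i vbox0.
iptables_physdev_rules() {
    cat <<EOF
sysctl -w net.bridge.bridge-nf-call-iptables=1
iptables -A FORWARD -i $BRIDGE -m physdev --physdev-in $VM_PORT ! -s $VM_IP -j DROP
iptables -A FORWARD -i $BRIDGE -m physdev --physdev-in $VM_PORT -p tcp --dport 25 -j DROP
EOF
}

# Execute the generated commands as root; otherwise (or with DRY_RUN set)
# print them one per line for review.
apply_rules() {
    while IFS= read -r cmd; do
        if [ "$(id -u)" -eq 0 ] && [ -z "$DRY_RUN" ]; then
            $cmd || { echo "failed: $cmd" >&2; return 1; }
        else
            echo "[dry-run] $cmd"
        fi
    done <<EOF
$(ebtables_rules; iptables_physdev_rules)
EOF
}

case "${1:-}" in
    apply) apply_rules ;;
esac
```

Run it as `sh bridge-filter.sh apply` as root (or with `DRY_RUN=1` to preview). The MAC and IP pinning is the part worth keeping even if the rest of the policy changes: on a bridged setup the VM shares the host's LAN segment and can otherwise ARP as the gateway or as the host itself.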
----------

## gentoo_ram

You don't need to go through bridging.  Treat your vbox interface the same as another internal network interface and follow the instructions on all those generic "Linux Home Router" webpages out there to set up connection sharing.  You can share your internet connection with as many internal networks as you please.  Tell your VMs to attach to a host-only network on vboxnet0 and set up that interface like you want.  That's another way to get you to your goal.  Put the vboxnet0 interface in a different subnet than your other interfaces.

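The routed alternative gentoo_ram describes, as an added example (not code from the thread or from VirtualBox). With the VMs on a host-only network the host is a router, every VM packet crosses the iptables FORWARD chain as ordinary routed traffic, and plain `-i vboxnet0` rules match. The script also does the check the post asks for: it refuses to configure anything if the host-only subnet overlaps a subnet the host already uses, since an overlap silently sends the VMs' replies out the wrong interface. eth0, vboxnet0 and the 192.168.56.0/24 host-only subnet (VirtualBox's default) are assumptions; 192.168.1.0/24 is the bridge subnet from the original post.

```shell
#!/bin/sh
# Added example, not from the original thread: NAT a host-only VM network.
# Assumed: WAN side eth0, host-only side vboxnet0 on 192.168.56.0/24 (the
# VirtualBox default); 192.168.1.0/24 is the existing LAN from the post.

WAN=${WAN:-eth0}
LAN=${LAN:-vboxnet0}
LAN_NET=${LAN_NET:-192.168.56.0/24}
OTHER_NETS=${OTHER_NETS:-192.168.1.0/24}   # subnets already in use on the host

# Dotted quad -> 32-bit integer (positional parameters are local to a function).
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# cidr_overlap A B: exit 0 if the two CIDR blocks share any address.
# Two blocks overlap exactly when they agree on the bits of the shorter prefix.
cidr_overlap() {
    n1=$(ip2int "${1%/*}"); p1=${1#*/}
    n2=$(ip2int "${2%/*}"); p2=${2#*/}
    p=$p1; [ "$p2" -lt "$p" ] && p=$p2
    if [ "$p" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - p)) & 4294967295 )); fi
    [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# The "different subnet" requirement from the post, enforced before any rule
# is loaded: the host-only network must not collide with anything else routed here.
check_lan_subnet() {
    for net in $OTHER_NETS; do
        if cidr_overlap "$LAN_NET" "$net"; then
            echo "error: $LAN_NET overlaps $net" >&2
            return 1
        fi
    done
    return 0
}

# Router/NAT rules: forward LAN->WAN, allow only replies back in, drop the rest.
# Traffic here is routed, not bridged, so -i/-o name the real interfaces.
nat_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
iptables -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
iptables -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN -j DROP
iptables -A FORWARD -o $LAN -j DROP
EOF
}

# Refuse to touch the system if the subnets collide; as root execute the
# rules, otherwise print them for review.
setup_nat() {
    check_lan_subnet || return 1
    if [ "$(id -u)" -eq 0 ]; then nat_rules | sh -e; else nat_rules; fi
}

case "${1:-}" in
    setup) setup_nat ;;
esac
```

Run as `sh vbox-nat.sh setup`; non-root invocations just print the rule set. The `-s $LAN_NET` on the LAN->WAN accept rule matters: without it a VM that changes its address (or the host-only interface picking up a second subnet) would still be forwarded and masqueraded.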
----------

