Monday, November 24, 2008

Ubuntu, Virtualbox, and Shorewall

If you are running virtual servers under VirtualBox with host-based networking, this post may be helpful for you.

I am running my development servers (Tomcat, Asterisk, Apache, etc.) under VirtualBox, since it lets me consolidate machines and run everything from one dual-core box. Since I also try to practice good security (even at home), I had enabled UFW (Uncomplicated Firewall). While this works great for a basic desktop setup, it breaks networking for my virtual hosts.

To get around this you can use a more sophisticated firewall configuration tool like Shorewall, or you can edit your iptables rules directly. I went with Shorewall since it is easier to work with.

Here is what I did to get everything working...

1.) Installed shorewall,
sudo aptitude install shorewall

2.) Disabled UFW,
sudo ufw disable

3.) Copied the default shorewall configuration files,
cd /usr/share/doc/shorewall-common/examples/one-interface
sudo cp interfaces policy rules zones /etc/shorewall/

4.) Configured the files based on this post on the Ubuntu forums:
http://ubuntuforums.org/showthread.php?t=968278

5.) Validated the configuration,
sudo shorewall check

6.) Turned on shorewall by editing /etc/default/shorewall and changing the startup=0 line to startup=1.

7.) Started shorewall,
sudo /etc/init.d/shorewall start

I followed the post on the Ubuntu forum with the following exceptions...

1.) I have multiple VirtualBox host adapters (tap0, tap1, and tap2), so I have additional lines in the interfaces file for them.

vbx tap0 detect dhcp
vbx tap1 - -
vbx tap2 - -

2.) I didn't start by adding the "all all ACCEPT info" line to the policy file, mostly because I'm lazy and didn't want to have to remove it again a few steps later.

3.) I tweaked my rules file a bit so that I could ping my virtual hosts.

# Reject ping from the bri zone to the firewall, and keep the log from being flooded
Ping/REJECT bri $FW

# Permit all ICMP traffic FROM the firewall TO the bri, net, and vbx zones
ACCEPT $FW bri icmp
ACCEPT $FW net icmp
ACCEPT $FW vbx icmp


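As an added example (not from this post, the forum thread, or the Shorewall project), here is a small POSIX shell script that stages a set of Shorewall config files modelled on the setup above and lints them before "sudo shorewall check" is run. It flags two things a practitioner wants to catch: a zone that is referenced in interfaces, policy, or rules but never declared in zones, and an "all all ACCEPT" policy that was added for debugging and left in place. The zone names net, vbx, and bri and the tap adapters follow the post; the file contents (including leaving bri undeclared on purpose), the staging directory, and the function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the post or the Shorewall project): stage a Shorewall
# config modelled on the setup above and lint it before `sudo shorewall check`.
# Zone names net/vbx/bri and the tap adapters follow the post; the file
# contents and the lint functions are this example's own assumptions.

# Write a constructed sample config into directory $1.
write_sample_config() {
    mkdir -p "$1"
    # zones: ZONE TYPE  (bri is deliberately NOT declared, to trigger the check)
    cat >"$1/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
vbx     ipv4
EOF
    # interfaces: ZONE INTERFACE BROADCAST OPTIONS (one line per tap adapter)
    cat >"$1/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,routefilter
vbx     tap0        detect      dhcp
vbx     tap1        -           -
vbx     tap2        -           -
EOF
    # policy: SOURCE DEST POLICY LOG-LEVEL; the last line is the temporary
    # "let everything through while debugging" policy that must not stay.
    cat >"$1/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG
$FW     all     ACCEPT
vbx     $FW     ACCEPT
net     all     DROP    info
all     all     ACCEPT  info
EOF
    # rules: ACTION SOURCE DEST PROTO (the ICMP rules from the post)
    cat >"$1/rules" <<'EOF'
#ACTION      SOURCE  DEST  PROTO
Ping/REJECT  bri     $FW
ACCEPT       $FW     bri   icmp
ACCEPT       $FW     net   icmp
ACCEPT       $FW     vbx   icmp
EOF
}

# Print a config file with comments and blank lines removed.
active_lines() { sed 's/#.*//' "$1" | awk 'NF'; }

# Print every zone referenced in interfaces/policy/rules that is not declared
# in zones. $FW, all, any and none are Shorewall keywords, not zone names.
undeclared_zones() {
    declared=$(active_lines "$1/zones" | awk '{print $1}')
    {
        active_lines "$1/interfaces" | awk '{print $1}'
        active_lines "$1/policy"     | awk '{print $1; print $2}'
        active_lines "$1/rules"      | awk '{print $2; print $3}'
    } | sed 's/:.*//' | sort -u | while read -r z; do
        case $z in ''|all|any|none|'$FW') continue ;; esac
        printf '%s\n' "$declared" | grep -qxF "$z" || printf '%s\n' "$z"
    done
}

# Print policy lines that accept traffic from every zone to every zone.
open_policies() {
    active_lines "$1/policy" | awk '$1 == "all" && $2 == "all" && toupper($3) == "ACCEPT"'
}

# Run both checks on config directory $1; return 1 if anything was flagged.
lint_config() {
    status=0
    u=$(undeclared_zones "$1")
    if [ -n "$u" ]; then
        echo "zone(s) used but not declared in zones: $(printf '%s' "$u" | tr '\n' ' ')"
        status=1
    fi
    o=$(open_policies "$1")
    if [ -n "$o" ]; then
        echo "wide-open policy still present in policy file:"
        printf '%s\n' "$o"
        status=1
    fi
    return $status
}

# Usage: sh shorewall-lint.sh /etc/shorewall   (or any staging directory)
if [ $# -gt 0 ]; then
    lint_config "$1" && echo "no problems found in $1"
fi
```

Run it against /etc/shorewall before step 5. It is only a pre-check: "shorewall check" remains the authority, since it knows the full file syntax (zone parents, continuation lines, and so on) that this script ignores, but it gives you a quick, readable answer to the two mistakes that are easiest to make when copying a forum configuration.
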
At this point everything should be working fine. That being said, I do not claim to be an expert on Shorewall or Linux network security, so please feel free to leave a comment if you notice something that could be improved.