Network filtering on the host

New year resolution: using KVM instead of VirtualBox!

So far all good, but I was wondering how to achieve an even higher level of security.

For instance if I have KVM running on a debian machine, is it possible to disallow all traffic except for KVM virtual networks (virbr0 and virbr1 with Whonix) with iptables?

1 Like

There is a project that would have done just this called Corridor. It blocks any outbound connections not going to the Tor network. Unfortunately the guy behind it made it for Qubes rather than regular distros. Attempts to make it work on Debian led to nowhere.


Ideally this application would be packaged for Debian to help accomplish this. Too bad another sec distro wrote something similar but never cared to make it available for other distros.

How do you intend to use the host OS for the KVM VMs? If you use it only for Whonix guests and not for anything else which requires networking you might want to think about using bridged networking for the Whonix gateway and set the host firewall to drop everything. You maybe also want to read the discussion linked here on bridged vs nat: Security Guide - Whonix

Thanks for your answers.

I am very beginner with KVM but I figured that thanks to its advanced network configuration capabilities it would be possible to allow only traffic to and from the virbr* interfaces on a debian host system. Maybe it’s much more complicated that it seems.

I intend to run Whonix and other VM’s too. I don’t want to filter out Tor traffic, I let Whonix manage that. I would just some iptables rules that would only allow internet access through the KVM virtual network interfaces. Obviously the real internet interface would have to access the internet, but it would then only be allowed to tunnel its traffic through KVM virtual network interfaces. This way I don’t expose my host to the internet and I reduce the surface attack as well as leaking issues (such as forgetting that I am not on Whonix and opening a link with a regular Firefox browser, etc.).

Basically this is what Qubes achieves with its sys-net/sys-firewall approach but I was wondering if a lighter version could be achieved on a simple debian system with some hardened iptables rules.

I did some tries with iptables but my knowledge is too low to hope achieving something on my own. Couldn’t find anything on the net either.

EDIT: thanks Algernon, I’ll read your link. My setting would need to allow other KVM VM to connect though, not only Whonix VMs.

If you don’t want any internet access on the host at all and other virtual machines still require access to the clearnet you could maybe come up with your own router VM + bridged networking. Your approach should also work generally though for the exact rules a debian forum or maybe some IRC is suited better. You could also take a look at firejail, apparmor, grsecurity’s RBAC each of which allows to some extend to limit the network access of applications.