Avoiding IP Packet Leakage in a Host-Only Network
By design, each host-only network should be confined to the host machine on which it is set up. That is, no packets sent by virtual machines on this network should leak out to a physical network attached to the host. Packet leakage can occur only if a machine actively forwards packets. It is possible for the host machine or any virtual machine running on the host-only network to be configured in a way that permits packet leakage.
Windows Hosts
Systems using server versions of Windows 2000 are capable of forwarding IP packets that are not addressed to them. By default, however, these systems come with IP packet forwarding disabled.
If you find packets leaking out of a host-only network on a Windows 2000 host computer, check to see if forwarding has been enabled on the host machine. If it is enabled, disable it.
Choose Start > Programs > Administrative Tools > Routing and Remote Access. An icon on the left is labeled with the host name. If a green dot appears over the icon, IP forwarding is turned on. To turn it off, right-click the icon and disable Routing and Remote Access. A red dot appears, indicating that IP forwarding is disabled.
Linux Hosts
If you find packets leaking out of a host-only network on a Linux host computer, check to see if forwarding has mistakenly been enabled on the host machine. If it is enabled, disable it.
For many Linux systems, disable forwarding by writing a 0 (zero) to the special file /proc/sys/net/ipv4/ip_forward. As root, enter this command:
echo 0 > /proc/sys/net/ipv4/ip_forward
Other Linux systems have a system configuration option that you can set. The method depends on your Linux distribution. You may use a control panel, specify a setting at the time you compile your kernel or possibly enter a specification when you boot your system. Consult your operating system documentation for details on the method to use with your particular distribution.
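The check described above can be scripted. The following is an added example, not part of the VMware documentation. It assumes the host-only adapter is named vmnet1, and it also reads the per-interface flag conf/<interface>/forwarding, which this page does not mention.

```shell
#!/bin/sh
# Added example: report whether a Linux host can forward packets that
# arrive from a host-only network. Not VMware code.
# Assumptions: the host-only adapter is named vmnet1, and the sysctl tree
# root is passed as an argument so the check can be run on a copy.

# read_flag FILE -> prints the flag value, or "?" if FILE is unreadable.
read_flag() {
    if [ -r "$1" ]; then tr -d ' \n' < "$1"; else printf '?'; fi
}

# check_forwarding [SYSCTL_ROOT] [IFACE]
# Returns 0 = forwarding off, 1 = forwarding on somewhere, 2 = unknown.
check_forwarding() {
    root=${1:-/proc/sys/net/ipv4}
    iface=${2:-vmnet1}
    rc=0
    for f in "$root/ip_forward" "$root/conf/$iface/forwarding"; do
        v=$(read_flag "$f")
        case $v in
            0) echo "OK        $f = 0" ;;
            '?') echo "UNKNOWN   $f is missing or unreadable"
                 [ "$rc" -eq 1 ] || rc=2 ;;
            *) echo "LEAK RISK $f = $v (forwarding enabled)"
               rc=1 ;;
        esac
    done
    return "$rc"
}

# Run against the live system only when asked: sh script.sh --live [IFACE]
if [ "${1:-}" = "--live" ]; then
    check_forwarding /proc/sys/net/ipv4 "${2:-vmnet1}"
fi
```

An exit status of 2 means a flag file could not be read, for example because the host-only adapter does not exist under the assumed name.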
Using Filtering
If the host computer has multiple network adapters, it may be intentionally configured to do IP forwarding. In this case, you do not want to disable forwarding. To avoid packet leakage, you must enable a packet filtering facility and specify that packets from the host-only network should not be sent outside the host computer. Consult your operating system documentation for details on how to configure packet filtering.
Leaks from a Virtual Machine
Virtual machines may leak packets as well. For example, if you use dial-up networking support in a virtual machine and packet forwarding is enabled, host-only network traffic may leak out through the dial-up connection.
To prevent the leakage, be sure packet forwarding is disabled in your guest operating system.

