@UncleTallest
Created April 2, 2022 16:25

https://docs.fedoraproject.org/en-US/quick-docs/samba/#trouble_with_accessing_the_share

https://unix.stackexchange.com/questions/60799/selinux-interfering-with-host-guest-file-sharing-using-kvm

https://unix.stackexchange.com/questions/86071/use-virt-manager-to-share-files-between-linux-host-and-windows-guest

https://unix.stackexchange.com/questions/418871/qemu-how-to-disable-guests-access-to-public-internet-but-preserve-their-acc

https://www.server-world.info/en/note?os=Fedora_35&p=samba&f=3

Install and enable Samba

$ sudo dnf install samba
$ sudo systemctl enable smb --now
$ firewall-cmd --get-active-zones
$ sudo firewall-cmd --permanent --zone=FedoraWorkstation --add-service=samba
$ sudo firewall-cmd --permanent --zone=libvirt --add-service=samba
$ sudo firewall-cmd --reload

SELinux fixes

With the default SELinux policy Samba is blocked from two things this guide needs: serving files from home directories (samba_enable_home_dirs) and reading/writing files regardless of their SELinux label (samba_export_all_rw). Set the two booleans below before continuing.

$ sudo setsebool -P samba_enable_home_dirs 1
$ sudo setsebool -P samba_export_all_rw 1

Creating a Samba Share

In this example you will share a directory inside your home directory, accessible only by your user.

Samba does not use the operating system's password database for authentication, so your user account must also be added to Samba. If your account is tallest on the host, a user tallest must be added to Samba as well. The usernames must match, but the passwords can differ.

Create a user called tallest in Samba:

$ sudo smbpasswd -a tallest

Create a directory to be the share for tallest, and label it samba_share_t. The (/.*)? suffix on the fcontext rule makes the label apply to everything created inside the share later, not just the directory itself:

$ mkdir /home/tallest/Transfer
$ sudo semanage fcontext --add --type samba_share_t "/home/tallest/Transfer(/.*)?"
$ sudo restorecon -Rv /home/tallest/Transfer

Samba configuration lives in the /etc/samba/smb.conf file. Adding the following section at the end of the file instructs Samba to set up a share called "Transfer" at the /home/tallest/Transfer directory just created.

[Transfer]
        comment = network drive share for Myron
        path = /home/tallest/Transfer
        writeable = yes
        browseable = yes
        ; public is a synonym for "guest ok"; it stays off so only an authenticated user can connect
        public = no
        valid users = tallest
        create mask = 0644
        directory mask = 0755
        write list = tallest

Restart Samba for the changes to take effect:

$ sudo systemctl restart smb
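The share stanza above is the point where a mistake silently widens access: "public = yes" is the same as "guest ok = yes" and lets anyone on the network read the share without a password. The script below is an added example, not part of the gist, that audits smb.conf share stanzas for that setting and shows the hardened form of the [Transfer] stanza. The share name, path and user (Transfer, /home/tallest/Transfer, tallest) come from the gist; the two sample config files are constructed here, and the function names (write_weak_conf, write_hardened_conf, audit_smb_conf, syntax_check) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the gist: audit smb.conf share stanzas for
# guest access and compare the weak stanza with its hardened form.
# Share name, path and user are taken from the gist; the files are constructed.

# Weak stanza: "public = yes" means guest ok, and "write list = user" names
# a user that does not exist. Constructed sample file.
write_weak_conf() {
    cat > "$1" <<'EOF'
[Transfer]
        comment = network drive share for Myron
        path = /home/tallest/Transfer
        writeable = yes
        browseable = yes
        public = yes
        create mask = 0644
        directory mask = 0755
        write list = user
EOF
}

# Hardened stanza: no guest access, only tallest may connect or write.
write_hardened_conf() {
    cat > "$1" <<'EOF'
[Transfer]
        comment = network drive share for Myron
        path = /home/tallest/Transfer
        writeable = yes
        browseable = yes
        public = no
        valid users = tallest
        create mask = 0644
        directory mask = 0755
        write list = tallest
EOF
}

# audit_smb_conf FILE
# Prints one line per share: NAME guest=yes|no writable=yes|no valid_users=LIST|-
# Returns 1 if any share allows guest (unauthenticated) access.
audit_smb_conf() {
    awk '
    function is_yes(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
    function flush() {
        if (name != "" && tolower(name) != "global") {
            printf "%s guest=%s writable=%s valid_users=%s\n", name, guest, writable, users
            if (guest == "yes") bad = 1
        }
    }
    BEGIN { bad = 0 }
    /^[ \t]*[;#]/ { next }                      # comment lines
    /^[ \t]*\[.*\][ \t]*$/ {                    # start of a new [section]
        flush()
        name = substr($0, index($0, "[") + 1)
        name = substr(name, 1, index(name, "]") - 1)
        guest = "no"; writable = "no"; users = "-"
        next
    }
    index($0, "=") > 0 {                        # key = value inside a section
        key = $0; sub(/=.*/, "", key)
        val = $0; sub(/^[^=]*=/, "", val)
        gsub(/^[ \t]+|[ \t]+$/, "", key); key = tolower(key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "guest ok" || key == "public")    guest    = is_yes(val) ? "yes" : "no"
        if (key == "writeable" || key == "writable") writable = is_yes(val) ? "yes" : "no"
        if (key == "read only")                      writable = is_yes(val) ? "no" : "yes"
        if (key == "valid users")                    users    = val
    }
    END { flush(); exit bad }
    ' "$1"
}

# Syntax-check a config with Samba's own parser when it is installed.
syntax_check() {
    if command -v testparm >/dev/null 2>&1; then
        testparm -s "$1" >/dev/null
    else
        echo "testparm not installed; skipping syntax check for $1"
    fi
}

tmp=$(mktemp -d)
write_weak_conf "$tmp/weak.conf"
write_hardened_conf "$tmp/hardened.conf"
for f in "$tmp/weak.conf" "$tmp/hardened.conf"; do
    echo "== $f"
    syntax_check "$f"
    audit_smb_conf "$f" || echo "FAIL: a share in $f is reachable without a password"
done
rm -rf "$tmp"
```

Run it against the real file with audit_smb_conf /etc/samba/smb.conf after editing; a non-zero exit means some share is open to guests. The audit also reports valid_users=- for stanzas without a "valid users" line, which is worth a second look on a share meant for one person.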

Optional: Keeping network access to the host but disabling internet access for VMs

libvirt inserts three jumps into the FORWARD chain (LIBVIRT_FWX, LIBVIRT_FWI, LIBVIRT_FWO) that let guests on virbr0 reach other interfaces. Removing those jumps and setting the FORWARD policy to DROP stops guest traffic from being forwarded anywhere, while traffic to the host itself (the INPUT chain, where the Samba share and libvirt's DNS/DHCP are answered) is unaffected. libvirt re-creates these rules whenever the virtual network is started, so the steps have to be repeated after a reboot.

[sara@kallisti ~]$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N LIBVIRT_FWI
-N LIBVIRT_FWO
-N LIBVIRT_FWX
-N LIBVIRT_INP
-N LIBVIRT_OUT
-A INPUT -j LIBVIRT_INP
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
[sara@kallisti ~]$ sudo iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    LIBVIRT_INP  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    LIBVIRT_FWX  all  --  anywhere             anywhere            
2    LIBVIRT_FWI  all  --  anywhere             anywhere            
3    LIBVIRT_FWO  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    LIBVIRT_OUT  all  --  anywhere             anywhere            

Chain LIBVIRT_FWI (1 references)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
2    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain LIBVIRT_FWO (1 references)
num  target     prot opt source               destination         
1    ACCEPT     all  --  192.168.122.0/24     anywhere            
2    REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain LIBVIRT_FWX (1 references)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere            

Chain LIBVIRT_INP (1 references)
num  target     prot opt source               destination         
1    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
3    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps

Chain LIBVIRT_OUT (1 references)
num  target     prot opt source               destination         
1    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
3    ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
4    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootpc
[sara@kallisti ~]$ sudo iptables -D FORWARD 1
[sara@kallisti ~]$ sudo iptables -D FORWARD 1
[sara@kallisti ~]$ sudo iptables -D FORWARD 1
[sara@kallisti ~]$ sudo iptables -P FORWARD DROP
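The forwarding change above, checked and applied from a script. This is an added example, not the gist's own commands: the rule lines are copied from the gist's listings, the "before" state is reconstructed from its iptables -L output, and forward_is_closed, guest_reachable_host_ports and close_forwarding are names chosen here. The check functions parse iptables -S text on stdin, so they run offline; close_forwarding is only invoked when the script is started with the argument apply.

```shell
#!/bin/sh
# Added example, not part of the gist: check whether an `iptables -S` listing
# still forwards guest traffic, list which host ports libvirt's own rules let
# guests reach, and remove the libvirt FORWARD jumps by rule spec rather than
# by position. Rule text is taken from the gist's listings.

# Constructed "before" state, reconstructed from the gist's `iptables -L`
# output: policy ACCEPT and the three libvirt jumps still present.
ruleset_before() {
    cat <<'EOF'
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
EOF
}

# "after" state: what the gist's `iptables -S` shows once the jumps are gone
# and the policy is DROP.
ruleset_after() {
    ruleset_before | sed -e 's/^-P FORWARD ACCEPT$/-P FORWARD DROP/' -e '/^-A FORWARD /d'
}

# forward_is_closed  (reads `iptables -S` output on stdin)
# Prints the FORWARD policy and any rule left in the chain. Returns 0 only if
# the policy is DROP and the chain is empty, i.e. nothing arriving on virbr0
# can be forwarded out through another interface.
forward_is_closed() {
    awk '
    BEGIN { rules = 0; policy = "?" }
    $1 == "-P" && $2 == "FORWARD" { policy = $3 }
    $1 == "-A" && $2 == "FORWARD" { rules++; print "still forwarding:", $0 }
    END {
        printf "FORWARD policy=%s rules=%d\n", policy, rules
        exit !(policy == "DROP" && rules == 0)
    }'
}

# guest_reachable_host_ports  (reads `iptables -S` output on stdin)
# Lists proto/port pairs that LIBVIRT_INP accepts from virbr0. These are the
# host services libvirt itself keeps open for guests (DNS and DHCP); the
# samba service opened earlier in the firewalld "libvirt" zone is managed by
# firewalld and does not appear in this listing.
guest_reachable_host_ports() {
    awk '
    $1 == "-A" && $2 == "LIBVIRT_INP" && $NF == "ACCEPT" {
        proto = "?"; port = "?"
        for (i = 3; i < NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
        }
        print proto "/" port
    }'
}

# close_forwarding: apply the change to the live ruleset (needs root).
# Deleting by rule spec avoids depending on rule numbers, which shift up
# after every deletion.
close_forwarding() {
    for chain in LIBVIRT_FWX LIBVIRT_FWI LIBVIRT_FWO; do
        iptables -D FORWARD -j "$chain" 2>/dev/null || true
    done
    iptables -P FORWARD DROP
}

echo "before:"; ruleset_before | forward_is_closed || echo "  guests can still be forwarded"
echo "after:";  ruleset_after  | forward_is_closed && echo "  guests can only reach the host"
echo "host ports libvirt keeps open for guests:"
ruleset_after | guest_reachable_host_ports
# Only touch the live ruleset when asked explicitly: `sudo sh this.sh apply`
if [ "${1:-}" = apply ]; then
    close_forwarding
fi
```

To verify the live system after applying, pipe the real listing in: sudo iptables -S | forward_is_closed. Because libvirt restores its jumps when the network is restarted, this check is the quick way to confirm the state after a reboot.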