QEMU Windows guest without internet but with a shared folder

firewallnetworkingqemu

I'm setting up a Debian machine running a Windows 7 guest in a qemu/kvm virtualization stack. Since the Windows machine is running out-dated software, I decided to put it into a VM without Internet access. However, I need to get files in and out of the VM.

I heard that it's possible to set up a host-only network and change the firewall rules in order to prohibit all accesses but to the host machine. The host however needs full Internet access.

I have no experience with firewall configuration under Linux. How can I achieve the goal described above?

Best Answer

This should do it:

$ qemu-system-x86_64 -net nic -net user,restrict=on,smb=/path/to/shared/folder ...

From the manpage:

-netdev user,id=id[,option][,option][,...]
-net user[,option][,option][,...]
    Use the user mode network stack which requires no administrator
    privilege to run. Valid options are:
    ...
    restrict=on|off
        If this option is enabled, the guest will be isolated, i.e. it
        will not be able to contact the host and no guest IP packets
        will be routed over the host to the outside. This option does
        not affect any explicitly set forwarding rules.
    ...              
    smb=dir[,smbserver=addr]
        When using the user mode network stack, activate a built-in SMB
        server so that Windows OSes can access to the host files in dir
        transparently. The IP address of the SMB server can be set to
        addr. By default the 4th IP in the guest network is used, i.e.
        x.x.x.4.
        In the guest Windows OS, the line:
                10.0.2.4 smbserver
        must be added in the file C:\WINDOWS\LMHOSTS (for windows
        9x/Me) or C:\WINNT\SYSTEM32\DRIVERS\ETC\LMHOSTS (Windows
        NT/2000).
        Then dir can be accessed in \\smbserver\qemu.
        Note that a SAMBA server must be installed on the host OS.
        QEMU was tested successfully with smbd versions from Red Hat 9,
        Fedora Core 3 and OpenSUSE 11.x.

For this to work, samba must be installed on the host system; it doesn't need to be configured or running, just the smbd binary is needed, which will be run with an ad-hoc configuration and no privileges.

Note

In windows 7, you can connect to the shared folder from Computer -> Add Network Location -> Choose a custom network location -> \\10.0.2.4\qemu.

If windows insists on opening the "Connect to the Internet" wizard, then just close it; the "Add Network Location" wizard is still running, and you can reopen its window by clicking on the taskbar icon.

QEMU's built-in Samba service

The not-functioning -net user,smb option was caused by an incompatibility with newer Samba versions (>= 4). This is fixed in QEMU v2.2.0 and newer with these changes:

b87b8a8 slirp/smb: Move ncalrpc directory to tmp (since v2.1.0)
44d8d2b net/slirp: specify logbase for smbd (since v2.2.0)
7912d04 slirp/smbd: modify/set several parameters in generated smbd.conf (since v2.2.0, disables printer too)

(Debian has backported the latter two patches to 2.1+dfsg-6 which is present in Jessie.)

Usage

You can export one folder as \\10.0.2.4\qemu when using User networking:

qemu-system-x86_64 \
    -net user,smb=/absolute/path/to/folder \
    -net nic,model=virtio \
    ...

When QEMU is successfully started with these options, a new /tmp/qemu-smb.*-*/ directory will be created containing a smb.conf. If you are fast enough, then this file could be modified to make paths read-only or export more folders.

Mode of operation

The samba daemon is executed whenever ports 139 or 445 get accessed over a "user" network. Communication happens via standard input/output/error of the smbd process. This is the reason why newer daemons failed, it would write its error message to the pipe instead of protocol messages.

Due to this method of operation, the daemon will not listen on host ports, and therefore will only be accessible to the guest. So other clients in the network and even local users cannot gain access to folders using this daemon.

Since QEMU v2.2.0 printer sharing is completely disabled through the samba configuration, so another worry is gone here.

The speed depends on the network adapter, so it is recommended to use the virtio netkvm driver under Windows.

Also note that the daemon is executed by its absolute path (typically /usr/sbin/smbd) as specified at compile time (using the --smbd option). Whenever you need to try a new binary or interpose smbd, you will need to modify the file at that path.

Other caveats

Executables (*.exe) must be executable on the host (chmod +x FILE) for the guest to have execute permissions. To allow execution of any file, add the acl allow execute always = True option to a share.

Example read-only smb.conf configuration which allows execution of any file (based on QEMU v2.2.0):

...
[qemu]
path=/home/peter/windows
read only=yes
guest ok=true
force user=peter
acl allow execute always = True

QEMU/KVM Windows 10 Guest won’t copy/paste text or files back to host

I made it work with Debian 10 host, and a Windows 10 guest, in both directions.

install virt-manager install the spice-guest-tools in windows (it has a non-costly license on http://spice-space.org/)

find the details tab for the VM put the video qxl to qxl (other may work but slower) bottom left, click add hardware, add a channel, and put the spicevmc type with the redhat name. This is very important for the clipboard to work.

You must restart virt-manager. It is also important you shut down the OS of the VM.

you can also use the option virt-manager --debug to see logs when you copy paste.

Here can be found more details: https://blogs.nologin.es/rickyepoderi/index.php?/archives/87-Copy-n-Paste-in-KVM.html

thanks to redhat that provided all the drivers

Since my answer was popular, I would like also to share how to share a folder. I don't think it is supported for linux kernel older than 4.19. But it works on 4.19. You need to be careful that you do not share a folder with the whole internet wihtout password. But you need to check this yourself.

Use virt-manager to share files between Linux host and Windows guest?

You set a folder as shared by right clicking on Windows.

linux with Nautilus can connect to the smb://IP_WINDOWS. But it is better to use the shell it is more stable.

enable firmware rules on windows Open Control Panel, click System and Security, and then click Windows Firewall.

In the left pane, click Advanced settings, and in the console tree, click Inbound Rules.

Under Inbound Rules, locate the rules File and Printer Sharing (NB-Session-In) and File and Printer Sharing (SMB-In).

For each rule, right-click the rule, and then click Enable Rule.

find ips using ipconfig and ifconfig

remove password protection for smb https://pureinfotech.com/setup-network-file-sharing-windows-10/

It is important to deactivate authenticate for all networks in the network configuration in windows, accessible from file sharing. then the folder must be created from scratch to make sure it works

See in particular the section "How to share files over the network without needing a password" at the pureinfotech.com link above.

If you make the public network have free access without password, it may be a security risk (do not put your credit card number in the shared folder yet). But it will work. You can expand upon those instructions. I don't think a VM inside linux is easily accessible from the public network, but maybe.

-- And this is how to mount sudo mount -t cifs //192.168.1.123/Users/MrHappy/Desktop/repos /media/vm -o user=externo,password=asd,uid=1000,gid=1000,mfsymlinks

or add this in /etc/fstab //192.168.1.123/Users/MrHappy/Desktop/repos /media/vm cifs user=externo,password=asd,uid=1000,gid=1000,mfsymlinks And then one can mount using sudo mount /media/vm

it is important to replace the gid and uid with the ones of the linux machine, using "id -g user" and "id -u user" the ui adn gid are so taht not only root has access but also the user

the option mfsymlinks enables symlinks to work

before you shut down the host computer, you should run this or the mount point is stuck: sudo umount -a -t cifs -l It is better to do it a few minutes before shutting down the computer.

if you want to make a plug-and play usb microphone (such as audio technica) work in a windows guest, you just need to add a "usb redirection" module in virtmanager, and perhaps set the hardware usb device to usb 3 if the socket is blue for usb 3. lsusb -v can inspect that the host finds the device. Windows device manager should then see the device. Try to unplug and replug. do not add the specific usb name in virt-manager or it crashes. sometimes, you may need in windows to unplug-replug the microphone, and open settings/system/sound to see the microphone appear.

On a working PC, I was using the Intel integrated graphics and not an amd/nvidia card. I had tearing for videos inside the VM. I removed it by activating TearFree in the intel driver. You can check that TearFree is enabled by running "grep -i tear /var/log/Xorg.0.log"

Best Answer

Related Solutions

QEMU File Sharing – Shared Folder Between Windows Guest and Linux Host

QEMU's built-in Samba service

Usage

Mode of operation

Other caveats

QEMU/KVM Windows 10 Guest won’t copy/paste text or files back to host

Related Question