I have a Windows 2008 R2 server with the Hyper-V role enabled, and a number of Hyper-V VMs. One of the VMs is a CentOS SIP server. I want to block all incoming traffic from external
IP addresses on certain ports - 80, 443, etc. Basically I want to be able to manage my SIP server through the web interface only when I'm connected to the VPN.
My setup is as follows:
Hyper-V host has 2 interfaces: 192.168.2.XXX (internal) and 8.8.8.YYY (external)
Hyper-V VM has ONLY internal IP address - 192.168.2.123, and I did set up NAT reservation for it in RRAS, mapping 192.168.2.123 to 8.8.8.123 and allowing incoming sessions.
Everything works great, no issues. But is it possible for the Hyper-V host to block certain traffic to the guest VM? I tried setting up a Windows Firewall rule as follows:
block all incoming traffic to local IP address 192.168.2.123 or 8.8.8.123
but it does not work - I still could access web UI.
The Hyper-V code isn't involved if you're using a NAT. You'll have to apply the policies within the NAT. By using the NAT, you're essentially taking the virtual Ethernet switch out of the picture.
In general, the Hyper-V virtual switch is configurable, in the sense that you can apply policies to virtual network ports in much the same way that you could with a physical switch. Here's a good link for a general overview:
http://technet.microsoft.com/en-us/library/jj679878.aspx
You can also get virtual switch extensions from several vendors that plug into Hyper-V and provide more sophisticated policies.
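As an added illustration of the per-port policies the answer mentions (this is not the answerer's code, and it does not apply to the 2008 R2 host in the question): Hyper-V on Windows Server 2012 R2 and later exposes extended port ACLs through PowerShell, which can allow or deny traffic on a guest's virtual switch port by protocol, port and remote address. The VM name `sip01`, the VPN client range `192.168.2.0/24` and the port list are assumptions chosen for the example. The script denies TCP 80 and 443 to the guest from everywhere and then allows them only from the VPN range; the higher-weight allow rule wins where both match.

```powershell
# Added example, not part of the original question or answer.
# Requires Windows Server 2012 R2 or later Hyper-V (Add-VMNetworkAdapterExtendedAcl);
# Windows Server 2008 R2 has no equivalent cmdlet.
# Assumptions made for the example:
#   - the SIP guest is the VM named "sip01"
#   - VPN clients reach the guest from 192.168.2.0/24
#   - web management runs on TCP 80 and 443
# RRAS NAT rewrites only the destination address on inbound traffic, so the packet
# that reaches the guest's virtual port still carries the real remote source IP,
# which lets a port ACL tell VPN clients apart from Internet hosts.

$VMName    = 'sip01'
$VpnRange  = '192.168.2.0/24'
$MgmtPorts = @(80, 443)

foreach ($port in $MgmtPorts) {
    # Catch-all deny for the management port, lower weight.
    Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Direction Inbound -Action Deny `
        -Protocol TCP -LocalPort $port -Weight 10

    # Allow the same port only from the VPN range, higher weight so it takes precedence.
    # -Stateful lets the return traffic of an allowed connection pass without an outbound rule.
    Add-VMNetworkAdapterExtendedAcl -VMName $VMName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $port -RemoteIPAddress $VpnRange -Weight 20 -Stateful $true
}

# Verify what is now applied to the guest's switch port, highest weight first.
Get-VMNetworkAdapterExtendedAcl -VMName $VMName |
    Sort-Object Weight -Descending |
    Format-Table Direction, Action, Protocol, LocalPort, RemoteIPAddress, Weight, Stateful -AutoSize
```

To back the change out, `Get-VMNetworkAdapterExtendedAcl -VMName sip01 | Remove-VMNetworkAdapterExtendedAcl` removes every rule on that port. After applying the rules, test from a non-VPN address that the web UI no longer answers on 80/443, and from a VPN client that it still does.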