To do this, a host-only network interface must be defined on the host. It can be done via the GUI, or via the command line (sudo is needed because this creates a new network interface on the host):
$ sudo vboxmanage hostonlyif create
This creates a host-only virtual interface on the host, named vboxnetN (N starts at 0 and increments for each new one). The first one gets 192.168.56.1/24 by default, as the output below shows; note the address and prefix, since the Shorewall rule and the guest addresses below depend on them:
$ ip addr list
...
12: vboxnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether ...
    inet 192.168.56.1/24 brd 192.168.56.255 scope global vboxnet0
    inet6 fe80::800:27ff:fe00:0/64 scope link
       valid_lft forever preferred_lft forever
There are three things to do in Shorewall: define a zone, place the host-only interface into that zone, and write a rule.
In /etc/shorewall/zones define the new zone:
#ZONE   TYPE    OPTIONS         IN              OUT
#                               OPTIONS         OPTIONS
vh      ipv4
In /etc/shorewall/interfaces put the host-only interface vboxnet0 in that zone (this is the older layout with a BROADCAST column; if your file is marked ?FORMAT 2, leave that column out). The dhcp option lets DHCP traffic through on that interface, which you need if the guests get their addresses by DHCP:
# /etc/shorewall/interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
vh      vboxnet0        detect          dhcp
And finally, in /etc/shorewall/rules allow traffic from the vh zone to the host itself (the firewall zone, fw, usually written $FW):
# /etc/shorewall/rules
#ACTION SOURCE                  DEST    PROTO
ACCEPT  vh:192.168.56.0/24      fw      all
Two things to keep in mind. First, this rule is wide open: every port the host listens on becomes reachable from any guest on the host-only network, so tighten it to the ports you actually need (for example tcp 22) if the guests are not fully trusted. Second, Shorewall rules are directional: this one covers guest to host only. Host-to-guest traffic, which ssh'ing into the guest needs, is decided by /etc/shorewall/policy; if that file does not already have $FW all ACCEPT (or $FW vh ACCEPT), add a matching ACCEPT $FW vh rule. Guest-to-guest traffic on vboxnet0 is switched by VirtualBox and does not pass through the host's firewall at all.
On the guest VM (powered off), add a second network adapter, attach it to Host-only Adapter and select vboxnet0. Inside the guest, either use DHCP or give the adapter a static address in 192.168.56.0/24 other than 192.168.56.1, which is the host's address. DHCP only works if a VirtualBox DHCP server is enabled on vboxnet0, which hostonlyif create does not necessarily set up; check with vboxmanage list dhcpservers. The adapter can also be configured from the command line:
$ vboxmanage modifyvm myguest --nic2 hostonly --hostonlyadapter2 vboxnet0
Check the configuration and restart Shorewall:
$ sudo shorewall check && sudo shorewall restart
Test it by ssh'ing into the guest from the host (sshd must be listening on the guest's host-only address), and, if the host runs anything the guest should reach, from the guest to the host at 192.168.56.1.
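The whole procedure above, as an added example (not code from the original post, nor from the Shorewall or VirtualBox projects): a POSIX shell script that reads the host-only interface's address out of ip addr show output, derives the subnet, and prints the three Shorewall fragments for it, either in the page's wide-open form or tightened to ssh in both directions. It assumes the zone name vh, the interface vboxnet0 and the firewall zone written as $FW, as on this page; the sample ip output embedded in it is constructed (the MAC address is made up) so the parser runs without VirtualBox present.

```shell
#!/bin/sh
# Added example, not from the original post. Derives the host-only subnet from
# `ip addr show` output and prints matching Shorewall fragments.
# Assumed (as on the page): zone "vh", interface "vboxnet0", firewall zone $FW.

# Constructed sample of `ip addr show vboxnet0` (same shape as the page's output,
# MAC address made up) so the parser can be exercised without VirtualBox.
SAMPLE_IP_ADDR='12: vboxnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 0a:00:27:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.1/24 brd 192.168.56.255 scope global vboxnet0
       valid_lft forever preferred_lft forever
    inet6 fe80::800:27ff:fe00:0/64 scope link
       valid_lft forever preferred_lft forever'

# First IPv4 address (CIDR) of interface $1, parsed from `ip addr show` text on stdin.
iface_cidr_from_text() {
    awk -v ifn="$1" '$1 == "inet" && $NF == ifn { print $2; exit }'
}

# Same, queried from the running host.
iface_cidr() {
    ip -4 addr show "$1" 2>/dev/null | iface_cidr_from_text "$1"
}

# Network address of a CIDR, e.g. 192.168.56.1/24 -> 192.168.56.0/24.
cidr_network() {
    addr=${1%/*}; plen=${1#*/}
    o1=${addr%%.*}; rest=${addr#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
    n=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    net=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$plen"
}

# Print zones/interfaces/rules fragments for zone $1, interface $2, subnet $3.
# $4 = "open": the page's single rule, every host port reachable from the guests.
# $4 = "ssh" (default): only TCP/22, and in both directions. Shorewall rules are
# directional; host -> guest traffic is otherwise left to /etc/shorewall/policy.
shorewall_fragments() {
    zone=$1; iface=$2; subnet=$3; mode=${4:-ssh}
    cat <<EOF
# /etc/shorewall/zones
#ZONE   TYPE    OPTIONS         IN              OUT
#                               OPTIONS         OPTIONS
$zone      ipv4

# /etc/shorewall/interfaces
#ZONE   INTERFACE       BROADCAST       OPTIONS
$zone      $iface        detect          dhcp

# /etc/shorewall/rules
#ACTION SOURCE                  DEST                    PROTO   DPORT
EOF
    case $mode in
    open)
        printf 'ACCEPT\t%s:%s\t$FW\tall\n' "$zone" "$subnet" ;;
    ssh)
        printf 'ACCEPT\t$FW\t%s:%s\ttcp\t22\n' "$zone" "$subnet"
        printf 'ACCEPT\t%s:%s\t$FW\ttcp\t22\n' "$zone" "$subnet" ;;
    *)
        echo "unknown mode: $mode" >&2; return 1 ;;
    esac
}

# Usage (on the host): sh hostonly-shorewall.sh [interface] [open|ssh]
main() {
    iface=${1:-vboxnet0}
    cidr=$(iface_cidr "$iface")
    if [ -z "$cidr" ]; then
        echo "no IPv4 address on $iface; run 'vboxmanage hostonlyif create' first" >&2
        exit 1
    fi
    shorewall_fragments vh "$iface" "$(cidr_network "$cidr")" "${2:-ssh}"
}
[ $# -eq 0 ] || main "$@"
```

Run it as sh hostonly-shorewall.sh vboxnet0 ssh on the host and paste the fragments into the three files, then sudo shorewall check before restarting. The subnet is computed from the live interface rather than hard-coded, so the rule follows whatever address VirtualBox actually assigned; the "open" mode reproduces the page's rule for comparison, the default mode is the one to start from.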