The first and simplest solution that comes to mind is to use the direct
type interface (a.k.a. macvtap).
<interface type='direct'>
<source dev='eth0' mode='private'/>
</interface>
Note: "eth0" is the active interface on the host, with internet connection.
With macvtap, your VM will be in the same subnet as the host. If there is a
DHCP server in this subnet, the VM will get a DHCP address.
With mode set to "private", it cannot access the endpoints (other VMs with the
same setting: direct + eth0 + private).
The VM will have the same internet connectivity as its host, but the VM and
host cannot access each other.
But other devices on the same LAN *can* access the VM and vice versa (like
other hosts in the same subnet as the host). Maybe you can use firewalld
rules to fine-tune it.
And I wonder: if we block the connection from the VM to all the hosts in the
same subnet, how can it access the internet, as it cannot access the
default gateway?
Another solution is to use a virtual network with forward mode "open".
With this mode, libvirt will not add any rules, so users can customize how
it works to their needs; this may be more complicated.
Hope it helps.
BR,
Yalan
On Fri, May 17, 2024 at 11:50 AM <imthenachoman(a)gmail.com> wrote:
> I want to be able to create multiple VMs for testing purposes --
> questionable websites, files that could be infected with a virus, etc.
>
> I want to make sure these VMs should be able to access the internet
> (through the host) but they should not be able to access the host or any
> other device on the LAN.
>
> I tried `NAT` mode but that lets me access the host and other devices on
> the LAN.
>
> I tried `Isolated` mode but that doesn't give me internet access.
>
> I don't want to run a second VM and route traffic through it.
>
> I want to avoid creating FW rules on the host or VMs because I'll be
> creating and destroying VMs all the time.
>
> And I think I need to use some kind of NAT because I don't want my router
> to know/see the VMs as clients.
>
> What do I need to do?
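An added example (not from either message in this thread) of the "open" forward mode Yalan's reply mentions, together with the nftables rules libvirt does not add in that mode, so that guests reach the internet through the host but not the host itself or the LAN. The uplink name eth0, the LAN subnet 192.168.1.0/24, the bridge name virbr1 and the guest subnet 192.168.200.0/24 are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. forward mode 'open' means libvirt adds
# no firewall rules of its own, so we supply them. Assumed (constructed)
# values: uplink eth0, LAN 192.168.1.0/24, bridge virbr1 on 192.168.200.0/24.
UPLINK=${UPLINK:-eth0}; LAN_NET=${LAN_NET:-192.168.1.0/24}
BRIDGE=${BRIDGE:-virbr1}; GUEST_NET=${GUEST_NET:-192.168.200.0/24}
open_net_xml() {
  cat <<EOF
<network>
  <name>vmguard</name>
  <forward mode='open'/>
  <bridge name='$BRIDGE' stp='on' delay='0'/>
  <ip address='192.168.200.1' netmask='255.255.255.0'>
    <dhcp><range start='192.168.200.10' end='192.168.200.100'/></dhcp>
  </ip>
</network>
EOF
}
# Guests may talk only to the host's dnsmasq (DHCP/DNS), never to the LAN, and
# are masqueraded out of the uplink. Their gateway is the host's bridge
# address, so dropping LAN destinations does not break the route to the internet.
guest_rules_nft() {
  cat <<EOF
table inet vmguard {
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "$BRIDGE" udp dport { 67, 53 } accept
    iifname "$BRIDGE" tcp dport 53 accept
    iifname "$BRIDGE" drop
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
    ct state established,related accept
    iifname "$BRIDGE" ip daddr $LAN_NET drop
    iifname "$BRIDGE" oifname "$UPLINK" accept
    iifname "$BRIDGE" drop
  }
}
table ip vmguard_nat {
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    ip saddr $GUEST_NET oifname "$UPLINK" masquerade
  }
}
EOF
}
# Apply on the host (needs root, virsh and nft): sh vmguard.sh apply
apply() {
  f=$(mktemp); open_net_xml >"$f"; virsh net-define "$f"; virsh net-start vmguard
  sysctl -w net.ipv4.ip_forward=1; guest_rules_nft | nft -f -
}
if [ "$1" = apply ]; then apply; fi
```

Guests attached to the vmguard network get their address and DNS from the host's dnsmasq on the bridge, so no VM-side firewall rules are needed when VMs are created and destroyed.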