On Mon, Jun 05, 2017 at 01:58:26PM +0200, Chris wrote:
All,
I'm trying to setup a network with some virtual machines, that can connect to each other and to the internet, but neither to the host nor to other VMs.
Is there any preconfigured network filter or best-practice for this setup? Of course, I could setup iptables rules on the host, but I'd prefer libvirt to handle them.
This can be done with the libvirt nwfilter APIs/commands, which will automate the create/teardown of ebtables rules at vm start/stop. You would have to ensure VMs get fixed IP addresses, and then define some rules that block the VM subnet, except for whitelisted entries, as well as blocking the host IP, but leaving other stuff open (to allow internet access). Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|