Re: [libvirt-users] Isolate VMs' network
On Mon, Jun 05, 2017 at 01:58:26PM +0200, Chris wrote:
All,
I'm trying to setup a network with some virtual machines, that can connect
to each other and to the internet, but neither to the host nor to other
VMs.
Is there any preconfigured network filter or best-practice for this setup?
Of course, I could setup iptables rules on the host, but I'd prefer
libvirt to handle them.
This can be done with the libvirt nwfilter APIs/commands, which will
automate the create/teardown of ebtables rules at vm start/stop. You
would have to ensure VMs get fixed IP addresses, and then define some
rules that block the VM subnet, except for whitelisted entries, as well
as blocking the host IP, but leaving other stuff open (to allow internet
access).
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|