On 07/28/2016 02:55 AM, Erwin Straver wrote:


I want to create a network like this:


Internet -- physical router -- host (network 192.168.178.x)
                                 -- virtual machine dmz -- eth0 (connected to physical router)
                                                        -- eth1 (connected to isolated network 10.0.0.x)
                                 -- virtual machine www -- eth0 (connected to isolated network 10.0.0.x)

network design

I have a virtual host which is connected to my physical router with eth0 and IPv4 address 192.168.178.100. I create a virtual machine dmz which connects 'direct' to my router via my physical device eth0 on the virtual host:

<network connections='1'>
  <name>direct</name>
  <uuid>379d4687-445e-4bc6-8354-b555c7f18b15</uuid>
  <forward dev='eth0' mode='bridge'>
    <interface dev='eth0' connections='1'/>
  </forward>
</network>

On my virtual machine I create a second NIC eth1 which is connected to a virtual network virbr-local:

<network>
  <name>local</name>
  <uuid>d31b2e0d-810b-4ba0-8ac4-02bc53746142</uuid>
  <bridge name='virbr-local' stp='on' delay='0'/>
  <mac address='52:54:00:92:06:5c'/>
  <domain name='local.box'/>
  <dns>
    <forwarder addr='192.168.178.1'/>
  </dns>
  <ip address='10.0.0.1' netmask='255.0.0.0'>
    <dhcp>
      <range start='10.0.0.100' end='10.0.0.255'/>
      <host mac='52:54:00:51:31:86' ip='10.0.0.30'/>
    </dhcp>
  </ip>
  <route address='10.0.0.0' prefix='8' gateway='10.0.0.30'/>
</network>

Now I want to create a second virtual machine which connects to the internet through the virtual machine dmz on the virbr-local subnet. Is there a way to accomplish this kind of setup?


A libvirt "isolated" virtual network is intended for situations where you want communication between guests and the host, but not beyond. It will have iptables rules automatically loaded that prevent any traffic on that network from "escaping" to the outside. That's not what you want though - you want the traffic to get out, but only via the virtual machine named "dmz".

The most straightforward way to do this is to:

1) create a libvirt virtual network with *no IP* address on the host (so that it's impossible for any traffic from this network to get out directly via the host)

then setup your "dmz" guest just as you would a real hardware firewall:

2) manually assign an IP address (probably 10.0.0.1) in the "dmz" guest's network config for eth1

3) enable ip_forwarding on dmz

4) enable the dnsmasq service on dmz's eth1 (rather than relying on a dnsmasq on the host) to provide each additional guest on the "local" network with
   a) an IP address
   b) a DNS proxy listening on dmz's eth1
   c) a default route pointing to 10.0.0.1 (i.e. dmz's eth1)

The libvirt virtual network definition is as simple as it gets:

  <network>
    <name>local</name>
  </network>
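The following script is an added example, not part of the thread and not libvirt's or dnsmasq's own code. It generates the files that steps 2-4 of the reply above describe for the "dmz" guest (a static address on eth1, ip_forward, and a dnsmasq bound to eth1 only), plus a forwarding policy. Assumptions beyond the thread: a Debian-style `/etc/network/interfaces.d` layout, dnsmasq and iptables on the guest, and that the physical router has no route for 10.0.0.0/8, so dmz masquerades outbound traffic on eth0 (the reply does not mention NAT; if your router routes 10/8 to dmz, drop the `nat` table). The addresses reuse the ones in the thread. Files go to a staging directory so they can be reviewed and diffed before being copied into place.

```shell
#!/bin/sh
# Added example, not from the thread: stage the configuration that turns the
# "dmz" guest into the firewall/DHCP/DNS box for the libvirt 'local' network.
# Assumptions: Debian-style /etc/network/interfaces.d, dnsmasq, iptables, and
# that the home router does not route 10.0.0.0/8 (so dmz masquerades on eth0).

LOCAL_IF="${LOCAL_IF:-eth1}"                   # dmz NIC on the 'local' network
LOCAL_IP="${LOCAL_IP:-10.0.0.1}"               # address the reply suggests for eth1
LOCAL_PREFIX="${LOCAL_PREFIX:-8}"              # matches the 255.0.0.0 netmask in the thread
WAN_IF="${WAN_IF:-eth0}"                       # dmz NIC bridged to the physical router
UPSTREAM_DNS="${UPSTREAM_DNS:-192.168.178.1}"  # the physical router, as in the thread

# Step 2: static address on eth1 (the host side of 'local' has no IP at all).
gen_interfaces() {
    printf 'auto %s\niface %s inet static\n    address %s/%s\n' \
        "$LOCAL_IF" "$LOCAL_IF" "$LOCAL_IP" "$LOCAL_PREFIX"
}

# Step 3: let the kernel forward packets between eth1 and eth0.
gen_sysctl() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# Step 4: dnsmasq on eth1 only. bind-interfaces stops it from also answering
# on eth0, i.e. from handing out leases or DNS into the 192.168.178.x LAN.
gen_dnsmasq_conf() {
    cat <<EOF
interface=$LOCAL_IF
bind-interfaces
dhcp-range=10.0.0.100,10.0.0.255,12h
dhcp-option=option:router,$LOCAL_IP
dhcp-option=option:dns-server,$LOCAL_IP
server=$UPSTREAM_DNS
EOF
}

# Forwarding policy (assumption, see above): default-drop FORWARD chain,
# only local -> wan plus replies, and masquerade on the wan side.
gen_iptables() {
    cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -i $LOCAL_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LOCAL_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -j MASQUERADE
COMMIT
EOF
}

# Sanity check on the generated dnsmasq config: exactly one interface line,
# never the WAN side, and bind-interfaces present. Returns 0 when it passes.
check_dnsmasq_conf() {
    conf="$(gen_dnsmasq_conf)"
    n="$(printf '%s\n' "$conf" | grep -c '^interface=')"
    [ "$n" -eq 1 ] || return 1
    printf '%s\n' "$conf" | grep -q "^interface=$WAN_IF\$" && return 1
    printf '%s\n' "$conf" | grep -q '^bind-interfaces$'
}

# Write everything under $1 so it can be diffed against the live system.
stage_all() {
    dir="$1"
    mkdir -p "$dir/etc/network/interfaces.d" "$dir/etc/sysctl.d" \
             "$dir/etc/dnsmasq.d" "$dir/etc/iptables"
    gen_interfaces   > "$dir/etc/network/interfaces.d/$LOCAL_IF"
    gen_sysctl       > "$dir/etc/sysctl.d/90-dmz-forward.conf"
    gen_dnsmasq_conf > "$dir/etc/dnsmasq.d/local.conf"
    gen_iptables     > "$dir/etc/iptables/rules.v4"
    check_dnsmasq_conf
}

# Usage: sh dmz-stage.sh /tmp/dmz-staging ; review, then copy into place.
if [ -n "$1" ]; then
    stage_all "$1" && echo "staged under $1"
fi
```

Run it with a staging directory as the only argument, inspect the four files, then copy them into the dmz guest and restart networking, dnsmasq and iptables. The `bind-interfaces` check is the part worth keeping even if you hand-write the config: a dnsmasq that also listens on eth0 would offer DHCP leases and DNS to the whole home LAN behind the physical router.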