Re: How can I create a VM in virt-manager that can access the internet through the host but can't even see the host or other devices on the LAN?

On 5/17/24 11:16 AM, Michal Prívozník wrote: More specifially, if the macvtap interface (type='direct' in the libvirt domain XML) has   <source dev='ethX' mode='private'/> *then* that guest can only communicate with other guests connected via dev='ethX' if the traffic is hair-pinned back from the bridge that connects device 'ethX' to the physical network. But if it is   <source dev='ethX' mode='bridge'/> then that guest *can* communicate with all other guests connected to ethX. In both cases, the guests cannot communicate with the host. But even mode='private' doesn't provide the level of isolation that's being requested. You might think you could combine macvtap/private with a few iptables/nftables rules on the host that reject any forwarded traffic that has source or destination on the local network, but none of the iptables hooks works with traffic on a macvtap interface. It *is* apparently possible (although I've not tried it) to do nftables filtering of traffic on a macvtap interface by using the "netdev" ingress and egress hooks, as outlined here: https://serverfault.com/questions/1147529/applying-nftables-rules-to-macv... (it even gives an example of implementing this in a libvirt hook script, which would be necessary for you to use it with a libvirt-created macvtap interface). An alternate implementation managed entirely on the host, would be to connect the guest via a libvirt network in nat/bridge/open forward mode (to ensure that a regular tap device is used) and then use libvirt's nwfilter to create a filter that rejects all traffic to the local network, but allows everything else. Basic information about libvirt's nwfilter driver is here:   https://libvirt.org/formatnwfilter.html