How can I create a VM in virt-manager that can access the internet through the host but can't even see the host or other devices on the LAN?

I want to be able to create multiple VMs for testing purposes -- questionable websites, files that could be infected with a virus, etc. I want to make sure these VMs should be able to access the internet (through the host) but they should not be able to access the host or any other device on the LAN. I tried `NAT` mode but that lets me access the host and other devices on the LAN. I tried `Isolated` mode but that doesn't give me internet access. I don't want to run a second VM and route traffic through it. I want to avoid creating FW rules on the host or VMs because I'll be creating and destroying VMs all the time. And I think I need to use some kind of NAT because I don't want my router to know/see the VMs as clients. What do I need to do?

I want to make sure these VMs should be able to access the internet (through the host) but they should not be able to access the host or any other device on the LAN.
The first and simplest solution that comes to my mind is to use the direct type interface (a.k.a. macvtap):

    <interface type='direct'>
      <source dev='eth0' mode='private'/>
    </interface>

Note: "eth0" is the active interface on the host, with internet connection.

With macvtap, your VM will be in the same subnet as the host. If there is a DHCP server in this subnet, the VM will get a DHCP address. With mode "private", it cannot access the endpoints (other VMs with the same setting: direct + eth0 + private). The VM will have the same internet connectivity as its host, but the VM and host cannot access each other. But other devices on the same LAN *can* access the VM and vice versa (like other hosts in the same subnet as the host). Maybe you can use firewalld rules to fine-tune it. And I wonder: if we block the connection from the VM to all the hosts in the same subnet, how can it access the internet, as it cannot access the default gateway?

Another solution is to use a virtual network with forward mode "open". With this mode, libvirt will not add any rules, so users can customize how it works to their needs; this may be more complicated.

Hope it helps.

BR,
Yalan

On Fri, May 17, 2024 at 11:50 AM <imthenachoman@gmail.com> wrote:
I want to be able to create multiple VMs for testing purposes -- questionable websites, files that could be infected with a virus, etc.
I want to make sure these VMs should be able to access the internet (through the host) but they should not be able to access the host or any other device on the LAN.
I tried `NAT` mode but that lets me access the host and other devices on the LAN.
I tried `Isolated` mode but that doesn't give me internet access.
I don't want to run a second VM and route traffic through it.
I want to avoid creating FW rules on the host or VMs because I'll be creating and destroying VMs all the time.
And I think I need to use some kind of NAT because I don't want my router to know/see the VMs as clients.
What do I need to do?

I don't have a router that I can create custom rules to block things. I was hoping there would be a way to do this entirely on the host but it doesn't look like it is possible.

I think such a thing can be done with macvtap. Check about using different VLANs and test macvtap modes that prevent communicating with the host.
I don't have a router that I can create custom rules to block things. I was hoping there would be a way to do this entirely on the host but it doesn't look like it is possible.

I don't have a VLAN aware router. Or do you mean create VLANs on the host? I'm not even sure how to do that.

On 5/17/24 14:21, Anchal Nigam wrote:
I don't have a router that I can create custom rules to block things. I was hoping there would be a way to do this entirely on the host but it doesn't look like it is possible.
macvtap IS purely a host thing. No need to set anything on the router. In fact, you'd need a special switch if you wanted two guests using macvtap on the same host to talk to each other (it's called hairpinning).

Michal

On Fri, May 17, 2024 at 11:25 AM Michal Prívozník <mprivozn@redhat.com> wrote:
On 5/17/24 14:21, Anchal Nigam wrote:
I don't have a router that I can create custom rules to block things. I was hoping there would be a way to do this entirely on the host but it doesn't look like it is possible.
macvtap IS purely a host thing. No need to set anything on the router. In fact, you'd need a special switch if you wanted two guests using macvtap on the same host to talk to each other (it's called hairpinning).
Michal
If it was my setup I would:
- Create an internal network for these test guests
- Connect the network to the router using a VLAN or a specific network/30 with a route definition on the VM server.

Ideally you could then say in said router that any traffic coming from network/30 goes straight outside.

But to use VLANs I would create them on my router, right? Cause I need to block the VM from accessing the host or any other device on my network/LAN.

On Fri, May 17, 2024 at 2:20 PM Anchal Nigam <imthenachoman@gmail.com> wrote:
But to use VLANs I would create them on my router, right?
Cause I need to block the VM from accessing the host or any other device on my network/LAN.
1. I said VLAN OR network.
2. Don't want to touch the router? Fine! Find a VPN that plays nice with OpenVPN. Set up your guest network to go out through the VPN. Profit.

Be mindful of what comes out of your guests, as the VPN provider may shut you down.

On 5/17/24 11:16 AM, Michal Prívozník wrote:
On 5/17/24 14:21, Anchal Nigam wrote:
I don't have a router that I can create custom rules to block things. I was hoping there would be a way to do this entirely on the host but it doesn't look like it is possible.
macvtap IS purely a host thing. No need to set anything on the router. In fact, you'd need a special switch if you wanted two guests using macvtap on the same host to talk to each other (it's called hairpinning).
More specifically, if the macvtap interface (type='direct' in the libvirt domain XML) has <source dev='ethX' mode='private'/> *then* that guest can only communicate with other guests connected via dev='ethX' if the traffic is hair-pinned back from the bridge that connects device 'ethX' to the physical network. But if it is <source dev='ethX' mode='bridge'/> then that guest *can* communicate with all other guests connected to ethX. In both cases, the guests cannot communicate with the host.

But even mode='private' doesn't provide the level of isolation that's being requested. You might think you could combine macvtap/private with a few iptables/nftables rules on the host that reject any forwarded traffic that has source or destination on the local network, but none of the iptables hooks works with traffic on a macvtap interface. It *is* apparently possible (although I've not tried it) to do nftables filtering of traffic on a macvtap interface by using the "netdev" ingress and egress hooks, as outlined here: https://serverfault.com/questions/1147529/applying-nftables-rules-to-macvtap... (it even gives an example of implementing this in a libvirt hook script, which would be necessary for you to use it with a libvirt-created macvtap interface).

An alternate implementation, managed entirely on the host, would be to connect the guest via a libvirt network in nat/bridge/open forward mode (to ensure that a regular tap device is used) and then use libvirt's nwfilter to create a filter that rejects all traffic to the local network, but allows everything else. Basic information about libvirt's nwfilter driver is here: https://libvirt.org/formatnwfilter.html
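A concrete nwfilter along the lines Laine describes, as an added example (not code from the thread or from libvirt's stock filter set); it assumes the guest is attached to libvirt's NAT network 'default' (gateway and dnsmasq at 192.168.122.1) and that the physical LAN uses RFC 1918 addressing, and it generalizes the LAN block to every private and link-local range so it needs no per-guest tuning:

```xml
<!-- isolate-from-lan.xml (added example, not from the thread or libvirt).
     Assumes: guest on libvirt NAT network "default", gateway/dnsmasq at
     192.168.122.1, physical LAN in RFC 1918 space.
     Every rule uses the ebtables-level <ip> element so all rules live in
     one layer and are evaluated strictly in ascending priority order;
     traffic matching no rule is accepted, which is what lets
     internet-bound packets through. -->
<filter name='isolate-from-lan' chain='root'>
  <!-- 1. DHCP to libvirt's dnsmasq, so the guest can get and renew a lease -->
  <rule action='accept' direction='out' priority='100'>
    <ip protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <!-- 2. DNS, but only to the NAT gateway address, nothing else on the host -->
  <rule action='accept' direction='out' priority='200'>
    <ip protocol='udp' dstipaddr='192.168.122.1' dstportstart='53'/>
  </rule>
  <rule action='accept' direction='out' priority='200'>
    <ip protocol='tcp' dstipaddr='192.168.122.1' dstportstart='53'/>
  </rule>
  <!-- 3. Drop everything else aimed at private or link-local space. This
          covers the host side of the NAT subnet (192.168.122.0/24), the
          physical LAN, and any other private network the host can reach.
          Public destinations match none of these and fall through. -->
  <rule action='drop' direction='out' priority='300'>
    <ip dstipaddr='10.0.0.0' dstipmask='8'/>
  </rule>
  <rule action='drop' direction='out' priority='300'>
    <ip dstipaddr='172.16.0.0' dstipmask='12'/>
  </rule>
  <rule action='drop' direction='out' priority='300'>
    <ip dstipaddr='192.168.0.0' dstipmask='16'/>
  </rule>
  <rule action='drop' direction='out' priority='300'>
    <ip dstipaddr='169.254.0.0' dstipmask='16'/>
  </rule>
</filter>
```

Define it once with `virsh nwfilter-define isolate-from-lan.xml` and put `<filterref filter='isolate-from-lan'/>` inside each test guest's `<interface type='network'>`; since the filter is attached by name, freshly created guests pick it up with no per-VM firewall work on the host. If the LAN happens to use a non-private address range, add one more drop rule for that subnet.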

This is helpful. Thank you!
participants (7)
- Anchal Nigam
- imthenachoman@gmail.com
- Laine Stump
- Marc
- Mauricio Tavares
- Michal Prívozník
- Yalan Zhang