Filter Local Network-Access for Libvirt Guest
#############################################
:date: 2014-12-04 13:25
:tags: libvirt, netfilter

My google-fu was not strong enough to find a walkthrough of how to filter
the local network for a libvirt guest instance which is using a nat-ed
interface while keeping the access to the internet working.

Here is what i came up with:

Define nwfilter rule
--------------------
My local network is `192.168.1.0/24` and the internet-gateway is at `192.168.1.1`

.. code-block:: bash
     
    srv$ cat > no-localnet <<EOF
    <filter name='no-localnet' chain='ipv4' priority='-700'>
      <uuid>18d3051a-9115-47eb-85f1-8021173f7bbe</uuid>
      <rule action='accept' direction='out' priority='500'>
        <all dstipaddr='192.168.1.1' dstipmask='32' comment='allow-to-gateway'/>
      </rule>
      <rule action='reject' direction='out' priority='500'>
        <all dstipfrom='192.168.1.0' dstipto='192.168.1.255' comment='reject localnet'/>
      </rule>
    </filter>
    EOF
    srv$ virsh nwfilter-define no-localnet
    # you can edit it live with: 
    #  virsh nwfilter-edit no-localnet

Add filter rule to host
-----------------------

.. code-block:: bash

    srv$ virsh edit my-guest
    # in <interface> add:
      <filterref filter='no-localnet'/>
    # restart guest (not sure if required)
    srv$ ssh my-guest
      my-guest$ ping -c 1 192.168.1.1 && \ 
                ping -c 1 google.de # works
      my-guest$ ping -c 1 192.168.1.11 # does not work anymore

For this rule to be applied the host cannot use macvtap 'direct' interface!

Remarks
-------
I am not sure if it is a hundred percent secure but it works for my use-case.