Filter Local Network Access for Libvirt Guest
#############################################
:date: 2014-04-14 13:25
:tags: libvirt, netfilter

My google-fu was not strong enough to find a walkthrough of how to filter
the local network for a libvirt guest instance that uses a NATed
interface while keeping its access to the internet working.

Here is what I came up with:

Define nwfilter rule
--------------------
My local network is ``192.168.1.0/24`` and the internet gateway is at ``192.168.1.1``.

.. code-block:: bash

    srv$ cat > no-localnet <<EOF
    <filter name='no-localnet' chain='ipv4' priority='-700'>
      <uuid>18d3051a-9115-47eb-85f1-8021173f7bbe</uuid>
      <rule action='accept' direction='out' priority='500'>
        <all dstipaddr='192.168.1.1' dstipmask='32' comment='allow-to-gateway'/>
      </rule>
      <rule action='reject' direction='out' priority='500'>
        <all dstipfrom='192.168.1.0' dstipto='192.168.1.255' comment='reject localnet'/>
      </rule>
    </filter>
    EOF
    srv$ virsh nwfilter-define no-localnet
    # you can edit it live with:
    #   virsh nwfilter-edit no-localnet
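
To check what the filter above lets through before attaching it to a guest, here is a small Python model of how libvirt evaluates it (an added example, not code from the post or from libvirt): rules are evaluated in ascending priority, the first match decides, and an unmatched packet falls through to libvirt's default accept. Two things are assumptions of the model, not libvirt documentation: that rules with equal priority keep document order (the post relies on the gateway accept running before the localnet reject), and the ``<uuid>`` is left out because virsh assigns one.

```python
import ipaddress
import xml.etree.ElementTree as ET
# Constructed copy of the post's filter (the <uuid> is left out; virsh assigns one).
NO_LOCALNET = """
<filter name='no-localnet' chain='ipv4' priority='-700'>
  <rule action='accept' direction='out' priority='500'>
    <all dstipaddr='192.168.1.1' dstipmask='32' comment='allow-to-gateway'/>
  </rule>
  <rule action='reject' direction='out' priority='500'>
    <all dstipfrom='192.168.1.0' dstipto='192.168.1.255' comment='reject localnet'/>
  </rule>
</filter>
"""

def load_rules(xml_text):
    """Return (action, direction, matcher) tuples in evaluation order.
    libvirt evaluates rules in ascending priority; keeping document order for
    equal priorities is an assumption of this model (the post relies on it)."""
    root = ET.fromstring(xml_text)
    ordered = []
    for pos, rule in enumerate(root.findall('rule')):
        attrs = rule.find('all').attrib
        if 'dstipaddr' in attrs:  # single address or CIDR via dstipmask
            net = ipaddress.ip_network(
                f"{attrs['dstipaddr']}/{attrs.get('dstipmask', '32')}", strict=False)
            matcher = lambda ip, net=net: ip in net
        else:                     # inclusive dstipfrom..dstipto range
            lo = ipaddress.ip_address(attrs['dstipfrom'])
            hi = ipaddress.ip_address(attrs['dstipto'])
            matcher = lambda ip, lo=lo, hi=hi: lo <= ip <= hi
        ordered.append((int(rule.get('priority', 500)), pos,
                        rule.get('action'), rule.get('direction'), matcher))
    ordered.sort(key=lambda r: (r[0], r[1]))
    return [(act, direction, m) for _, _, act, direction, m in ordered]

def verdict(rules, dst, direction='out'):
    """First matching rule wins; no match falls through to libvirt's default accept.
    chain='ipv4' never sees IPv6 traffic, so IPv6 destinations are not filtered."""
    ip = ipaddress.ip_address(dst)
    if ip.version != 4:
        return 'accept'
    for action, rule_dir, matcher in rules:
        if rule_dir == direction and matcher(ip):
            return action
    return 'accept'

if __name__ == '__main__':
    rules = load_rules(NO_LOCALNET)
    for dst in ('192.168.1.1', '192.168.1.11', '8.8.8.8', 'fe80::1'):
        print(dst, verdict(rules, dst))
```

The last two probes show the filter's limits: only outgoing IPv4 is covered, so inbound traffic and anything IPv6 (link-local included) pass untouched.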

Add the filter to the guest
---------------------------

.. code-block:: bash

    srv$ virsh edit my-guest
    # inside the guest's <interface> element add:
    #   <filterref filter='no-localnet'/>
    # restart guest (not sure if required)
    srv$ ssh my-guest
      my-guest$ ping -c 1 192.168.1.1 && \
                ping -c 1 google.de         # works
      my-guest$ ping -c 1 192.168.1.11      # does not work anymore

For this filter to be applied, the guest must not use a macvtap ('direct') interface: libvirt's nwfilter rules are enforced on the host-side tap device of a bridged or NATed network, and macvtap traffic bypasses that path.

Remarks
-------
I am not sure if it is a hundred percent secure, but it works for my use case.