| author | makefu <github@syntax-fehler.de> | 2014-12-04 13:44:21 +0100 |
|---|---|---|
| committer | makefu <github@syntax-fehler.de> | 2014-12-04 13:44:21 +0100 |
| commit | 0a6f59e08857c99b087bfc2c5ba0229204598e55 (patch) | |
| tree | daea72f812be723752bd1da2f045c48c9b9d9eba | |
| parent | 1baaa9506ac07a6864b54426572168879c355a7c (diff) | |
add libvirt filter localnet blog post
-rw-r--r-- | content/posts/libvirt-filter-localnet.rst | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/content/posts/libvirt-filter-localnet.rst b/content/posts/libvirt-filter-localnet.rst new file mode 100644 index 0000000..1d2fcea --- /dev/null +++ b/content/posts/libvirt-filter-localnet.rst @@ -0,0 +1,51 @@ +Filter Local Network-Access for Libvirt Guest +################################## +:date: 2014-04-14 13:25 +:tags: libvirt, netfilter + +My google-fu was not strong enough to found a walkthrough of how to filter +the local network for a libvirt guest instance which is using a nat-ed +interface while keeping the access to the internet working. + +Here is what i came up with: + +Define nwfilter rule +-------------------- +My local network is `192.168.1.0/24` and the internet-gateway is at `192.168.1.1` + +.. code-block:: bash + + srv$ cat > no-localnet <<EOF + <filter name='no-localnet' chain='ipv4' priority='-700'> + <uuid>18d3051a-9115-47eb-85f1-8021173f7bbe</uuid> + <rule action='accept' direction='out' priority='500'> + <all dstipaddr='192.168.1.1' dstipmask='32' comment='allow-to-gateway'/> + </rule> + <rule action='reject' direction='out' priority='500'> + <all dstipfrom='192.168.1.0' dstipto='192.168.1.255' comment='reject localnet'/> + </rule> + </filter> + EOF + srv$ virsh nwfilter-define no-localnet + # you can edit it live with: + # virsh nwfilter-edit no-localnet + +Add filter rule to host +----------------------- + +.. code-block:: bash + + srv$ virsh edit my-guest + # in <interface> add: + <filterref filter='no-localnet'/> + # restart guest (not sure if required) + srv$ ssh my-guest + my-guest$ ping -c 1 192.168.1.1 && \ + ping -c 1 google.de # works + my-guest$ ping -c 1 192.168.1.11 # does not work anymore + +For this rule to be applied the host cannot use macvtap 'direct' interface! + +Remarks +------- +I am not sure if it is a hundred percent secure but it works for my use-case. |
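Review bot: the reject rule in the `no-localnet` filter only matches the physical LAN range `192.168.1.0`-`192.168.1.255` on the `ipv4` chain, so the guest keeps full access to its own NAT bridge network (the host's address on that bridge and any other guests attached to it) and to any IPv6 neighbours; if the post's goal is "filter the local network", the Remarks section should say exactly which networks remain reachable, or the filter should gain a second reject rule for the NAT subnet and a matching `ipv6` chain. The accept rule `<all dstipaddr='192.168.1.1' dstipmask='32' comment='allow-to-gateway'/>` is also broader than the text suggests: internet-bound packets leaving the guest carry the remote destination address, not the gateway's, so neither rule touches them and they pass anyway; the accept rule therefore only grants the guest direct, any-protocol access to the gateway host itself, which is needed only if the guest must talk to it (e.g. for DNS) and could otherwise be dropped or narrowed to `<tcp>`/`<udp>` matches on the required ports. Two smaller points: the title underline `##################################` is shorter than the title line, which docutils reports as "Title underline too short", and the intro has `to found` (should be `to find`) and a lowercase `i`.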