-rw-r--r-- | content/pages/about.rst | 2
-rw-r--r-- | content/posts/libvirt-filter-localnet.rst | 51
2 files changed, 52 insertions, 1 deletions
diff --git a/content/pages/about.rst b/content/pages/about.rst index 67db943..833c555 100644 --- a/content/pages/about.rst +++ b/content/pages/about.rst @@ -1,7 +1,7 @@ About ##### -This is the blog of makefu. It documents my path through technoligy, mostly +This is the blog of makefu. It documents my path through technology, mostly describing issues i encountered and quirks to solve these issues. You can reach me via the following channels: diff --git a/content/posts/libvirt-filter-localnet.rst b/content/posts/libvirt-filter-localnet.rst new file mode 100644 index 0000000..1d2fcea --- /dev/null +++ b/content/posts/libvirt-filter-localnet.rst 
@@ -0,0 +1,51 @@ +Filter Local Network-Access for Libvirt Guest +################################## +:date: 2014-04-14 13:25 +:tags: libvirt, netfilter + +My google-fu was not strong enough to found a walkthrough of how to filter +the local network for a libvirt guest instance which is using a nat-ed +interface while keeping the access to the internet working. + +Here is what i came up with: + +Define nwfilter rule +-------------------- +My local network is `192.168.1.0/24` and the internet-gateway is at `192.168.1.1` + +.. code-block:: bash + + srv$ cat > no-localnet <<EOF + <filter name='no-localnet' chain='ipv4' priority='-700'> + <uuid>18d3051a-9115-47eb-85f1-8021173f7bbe</uuid> + <rule action='accept' direction='out' priority='500'> + <all dstipaddr='192.168.1.1' dstipmask='32' comment='allow-to-gateway'/> + </rule> + <rule action='reject' direction='out' priority='500'> + <all dstipfrom='192.168.1.0' dstipto='192.168.1.255' comment='reject localnet'/> + </rule> + </filter> + EOF + srv$ virsh nwfilter-define no-localnet + # you can edit it live with: + # virsh nwfilter-edit no-localnet + +Add filter rule to host +----------------------- + +.. code-block:: bash + + srv$ virsh edit my-guest + # in <interface> add: + <filterref filter='no-localnet'/> + # restart guest (not sure if required) + srv$ ssh my-guest + my-guest$ ping -c 1 192.168.1.1 && \ + ping -c 1 google.de # works + my-guest$ ping -c 1 192.168.1.11 # does not work anymore + +For this rule to be applied the host cannot use macvtap 'direct' interface! + +Remarks +------- +I am not sure if it is a hundred percent secure but it works for my use-case. |
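Review bot: while the about.rst hunk fixes `technoligy`, the unchanged context line `describing issues i encountered and quirks to solve these issues.` keeps a lowercase `i`; capitalising it in the same commit would keep the About page consistent.

Review bot: the filter covers less than the post title suggests, and the Remarks section should state the scope: `chain='ipv4'` with `direction='out'` only matches IPv4 traffic the guest initiates towards `192.168.1.0/24`, so IPv6, link-local addresses, other guests on the same NAT network and the host's own address on the NAT bridge remain reachable. Either adding rules for those ranges or listing them as out of scope would make the "not sure if it is a hundred percent secure" remark concrete. Two smaller points in the same block: the accept and reject rules both carry `priority='500'`, so giving the accept rule a lower value than the reject rule makes the intended ordering explicit instead of relying on listing order; and `# restart guest (not sure if required)` can be firmed up, because `virsh edit` changes the persistent definition and the new `<filterref filter='no-localnet'/>` takes effect when the guest is next started. Finally, the title underline `##################################` is shorter than `Filter Local Network-Access for Libvirt Guest`, which docutils reports as "Title underline too short"; pad it to at least the title length so the post renders cleanly.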