From 0a6f59e08857c99b087bfc2c5ba0229204598e55 Mon Sep 17 00:00:00 2001 From: makefu Date: Thu, 4 Dec 2014 13:44:21 +0100 Subject: add libvirt filter localnet blog post --- content/posts/libvirt-filter-localnet.rst | 51 +++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 content/posts/libvirt-filter-localnet.rst diff --git a/content/posts/libvirt-filter-localnet.rst b/content/posts/libvirt-filter-localnet.rst new file mode 100644 index 0000000..1d2fcea --- /dev/null +++ b/content/posts/libvirt-filter-localnet.rst @@ -0,0 +1,51 @@ +Filter Local Network-Access for Libvirt Guest +################################## +:date: 2014-04-14 13:25 +:tags: libvirt, netfilter + +My google-fu was not strong enough to found a walkthrough of how to filter +the local network for a libvirt guest instance which is using a nat-ed +interface while keeping the access to the internet working. + +Here is what i came up with: + +Define nwfilter rule +-------------------- +My local network is `192.168.1.0/24` and the internet-gateway is at `192.168.1.1` + +.. code-block:: bash + + srv$ cat > no-localnet < + 18d3051a-9115-47eb-85f1-8021173f7bbe + + + + + + + + EOF + srv$ virsh nwfilter-define no-localnet + # you can edit it live with: + # virsh nwfilter-edit no-localnet + +Add filter rule to host +----------------------- + +.. code-block:: bash + + srv$ virsh edit my-guest + # in add: + + # restart guest (not sure if required) + srv$ ssh my-guest + my-guest$ ping -c 1 192.168.1.1 && \ + ping -c 1 google.de # works + my-guest$ ping -c 1 192.168.1.11 # does not work anymore + +For this rule to be applied the host cannot use macvtap 'direct' interface! + +Remarks +------- +I am not sure if it is a hundred percent secure but it works for my use-case. -- cgit v1.2.3
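Review bot: the two parts a reader actually needs are blank in this hunk: the heredoc body between `srv$ cat > no-localnet <` and `EOF` contains only the UUID line, and the line `# in add:` under `virsh edit my-guest` is followed by nothing, so the post shows neither the nwfilter rules (which addresses are dropped, which are accepted, and in what priority order) nor the element that attaches the filter to the guest interface. Please restore that content, since the ordering of the accept rule for the gateway `192.168.1.1` relative to the drop rule for `192.168.1.0/24` is the whole point of the post; in libvirt's nwfilter XML that is a `<filter name='no-localnet'>` holding `<rule action='accept' ...>` and `<rule action='drop' ...>` elements with explicit `priority` attributes, and the guest side is a `<filterref filter='no-localnet'/>` inside the `<interface>` element of the domain XML (note the example text and not the page's own; the exact rules should come from the author). Two smaller points: the `####` underline is shorter than the title "Filter Local Network-Access for Libvirt Guest", which makes docutils emit a "Title underline too short" warning when Pelican builds the page, so extend it to at least the title length; and the comment `# restart guest (not sure if required)` can be made definite, because a `<filterref>` added via `virsh edit` is part of the domain definition and only takes effect when the guest is next started, whereas later `virsh nwfilter-edit` changes to an already-attached filter are applied live. For the "not sure if it is a hundred percent secure" remark, it would help readers to state the known limits: nwfilter rules are enforced only on tap-based (bridged or NAT) interfaces, which is why the macvtap 'direct' caveat applies, and because the gateway itself is accepted, any service listening on 192.168.1.1 (the router's admin interface, local DNS) stays reachable from the guest, so a stricter variant would accept only the ports the guest needs from the gateway.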