add libvirt filter localnet blog post

content/posts/libvirt-filter-localnet.rst

@@ -0,0 +1,51 @@
+Filter Local Network-Access for Libvirt Guest
+##################################
+:date: 2014-04-14 13:25
+:tags: libvirt, netfilter
+
+My google-fu was not strong enough to found a walkthrough of how to filter
+the local network for a libvirt guest instance which is using a nat-ed
+interface while keeping the access to the internet working.
+
+Here is what i came up with:
+
+Define nwfilter rule
+--------------------
+My local network is `192.168.1.0/24` and the internet-gateway is at `192.168.1.1`
+
+.. code-block:: bash
+     
+    srv$ cat > no-localnet <<EOF
+    <filter name='no-localnet' chain='ipv4' priority='-700'>
+      <uuid>18d3051a-9115-47eb-85f1-8021173f7bbe</uuid>
+      <rule action='accept' direction='out' priority='500'>
+        <all dstipaddr='192.168.1.1' dstipmask='32' comment='allow-to-gateway'/>
+      </rule>
+      <rule action='reject' direction='out' priority='500'>
+        <all dstipfrom='192.168.1.0' dstipto='192.168.1.255' comment='reject localnet'/>
+      </rule>
+    </filter>
+    EOF
+    srv$ virsh nwfilter-define no-localnet
+    # you can edit it live with: 
+    #  virsh nwfilter-edit no-localnet
+
+Add filter rule to host
+-----------------------
+
+.. code-block:: bash
+
+    srv$ virsh edit my-guest
+    # in <interface> add:
+      <filterref filter='no-localnet'/>
+    # restart guest (not sure if required)
+    srv$ ssh my-guest
+      my-guest$ ping -c 1 192.168.1.1 && \ 
+                ping -c 1 google.de # works
+      my-guest$ ping -c 1 192.168.1.11 # does not work anymore
+
+For this rule to be applied the host cannot use macvtap 'direct' interface!
+
+Remarks
+-------
+I am not sure if it is a hundred percent secure but it works for my use-case.