All,

I'm trying to set up a network with some virtual machines that can connect to each other and to the internet, but neither to the host nor to other VMs.

Is there any preconfigured network filter or best practice for this setup? Of course, I could set up iptables rules on the host, but I'd prefer libvirt to handle them.

- Chris
Hi there!

I would like to know the same! Currently I am using iptables to do it.

Thanks.

2017-06-05 8:58 GMT-03:00 Chris <chris2014@postbox.xyz>:
> All,
>
> I'm trying to set up a network with some virtual machines that can connect
> to each other and to the internet, but neither to the host nor to other
> VMs.
>
> Is there any preconfigured network filter or best practice for this setup?
> Of course, I could set up iptables rules on the host, but I'd prefer
> libvirt to handle them.
>
> - Chris
>
> _______________________________________________
> libvirt-users mailing list
> libvirt-users@redhat.com
> https://www.redhat.com/mailman/listinfo/libvirt-users
Hi,

Thiago Oliveira <cpv.thiago@gmail.com> writes:
> I would like to know the same! Currently I am using iptables to do it.

I use ebtables.

-Timo
On Mon, Jun 05, 2017 at 01:58:26PM +0200, Chris wrote:
> All,
>
> I'm trying to set up a network with some virtual machines that can connect
> to each other and to the internet, but neither to the host nor to other
> VMs.
>
> Is there any preconfigured network filter or best practice for this setup?
> Of course, I could set up iptables rules on the host, but I'd prefer
> libvirt to handle them.

This can be done with the libvirt nwfilter APIs/commands, which will automate the creation/teardown of ebtables rules at VM start/stop. You would have to ensure VMs get fixed IP addresses, and then define some rules that block the VM subnet, except for whitelisted entries, as well as blocking the host IP, but leaving other stuff open (to allow internet access).

Regards,
Daniel

-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
Hi Chris,

for all kinds of network configuration together with virtual machines and libvirt/QEMU I use openvswitch. libvirt together with openvswitch makes it very easy to handle.

Best regards
Holger

On 05.06.2017 at 13:58, Chris wrote:
> All,
>
> I'm trying to set up a network with some virtual machines that can connect
> to each other and to the internet, but neither to the host nor to other
> VMs.
>
> Is there any preconfigured network filter or best practice for this setup?
> Of course, I could set up iptables rules on the host, but I'd prefer
> libvirt to handle them.
>
> - Chris
Chris wrote:
> I'm trying to set up a network with some virtual machines that can connect
> to each other and to the internet, but neither to the host nor to other
> VMs.

Thank you for your replies. Unfortunately, I didn't mention that I'd like to be able to test malicious software, so my network filtering shouldn't depend on the guests' IP addresses. I think I have to set up a new virtual "virus" interface and configure iptables on the host for this interface. Is this possible?

- Chris
On Tue, Jun 06, 2017 at 08:50:45PM +0200, Chris wrote:
> Chris wrote:
> > I'm trying to set up a network with some virtual machines that can connect
> > to each other and to the internet, but neither to the host nor to other
> > VMs.
>
> Thank you for your replies. Unfortunately, I didn't mention that I'd like
> to be able to test malicious software, so my network filtering shouldn't
> depend on the guests' IP addresses. I think I have to set up a new virtual
> "virus" interface and configure iptables on the host for this interface.
> Is this possible?

You can use the network filters to set up anti-spoofing protection for both IP addresses and MAC addresses. In fact this is what the "clean-traffic" example filter libvirt provides will do for you.

Regards,
Daniel
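The following is an added example, not code from the thread or from the libvirt project, of the nwfilter Daniel sketches in his first reply (fixed guest IPs, drop the VM subnet except whitelisted peers, drop the host, leave everything else open) combined with the `clean-traffic` anti-spoofing reference from his second reply, so that a guest cannot sidestep the address-based rules by changing its MAC or IP. The filter name `isolate-lab`, the parameter name `PEERS`, and the addresses (host/gateway 192.168.122.1, subnet 192.168.122.0/24, guest 192.168.122.10 with peers .11 and .12) are constructed assumptions; `clean-traffic`, the `IP` parameter it expects, and the `<rule>`/`<all>`/`<udp>`/`<tcp>` elements are libvirt's own nwfilter syntax.

```xml
<!-- Added example, not from the thread or the libvirt project: save as isolate-lab.xml
     and load with "virsh nwfilter-define isolate-lab.xml".
     Constructed addresses: host/gateway 192.168.122.1, VM subnet 192.168.122.0/24.
     $IP and $PEERS are supplied per guest from the domain's <interface> (see the
     fragment at the bottom). Rules are evaluated in ascending priority order. -->
<filter name='isolate-lab'>

  <!-- Anti-spoofing first: libvirt's shipped clean-traffic filter pins the guest
       to its interface MAC and to the address given in $IP, so the address-based
       rules below cannot be dodged from inside the guest. -->
  <filterref filter='clean-traffic'/>

  <!-- 1. Whitelisted lab peers. libvirt instantiates one rule per value of
       $PEERS, so several peers can be listed from the interface definition. -->
  <rule action='accept' direction='out' priority='100'>
    <all dstipaddr='$PEERS'/>
  </rule>
  <rule action='accept' direction='in' priority='100'>
    <all srcipaddr='$PEERS'/>
  </rule>

  <!-- 2. Optional: on the default NAT network the host runs dnsmasq, so keep
       DNS to the gateway reachable. Delete both rules if the guests are
       configured with an external resolver instead. -->
  <rule action='accept' direction='out' priority='200'>
    <udp dstipaddr='192.168.122.1' dstportstart='53'/>
  </rule>
  <rule action='accept' direction='out' priority='200'>
    <tcp dstipaddr='192.168.122.1' dstportstart='53'/>
  </rule>

  <!-- 3. Nothing else may reach the host, in either direction. -->
  <rule action='drop' direction='out' priority='300'>
    <all dstipaddr='192.168.122.1'/>
  </rule>
  <rule action='drop' direction='in' priority='300'>
    <all srcipaddr='192.168.122.1'/>
  </rule>

  <!-- 4. Nothing else may reach any other VM on the subnet. -->
  <rule action='drop' direction='out' priority='400'>
    <all dstipaddr='192.168.122.0' dstipmask='24'/>
  </rule>
  <rule action='drop' direction='in' priority='400'>
    <all srcipaddr='192.168.122.0' srcipmask='24'/>
  </rule>

  <!-- No final drop: traffic to addresses outside the subnet (the internet,
       via the host's NAT) is left untouched, as the thread asked for. -->
</filter>

<!-- Per-guest fragment for the domain XML (constructed values). The same
     filter is attached to every lab guest; only IP and PEERS differ:

  <interface type='network'>
    <source network='default'/>
    <mac address='52:54:00:aa:bb:01'/>
    <filterref filter='isolate-lab'>
      <parameter name='IP' value='192.168.122.10'/>
      <parameter name='PEERS' value='192.168.122.11'/>
      <parameter name='PEERS' value='192.168.122.12'/>
    </filterref>
  </interface>
-->
```

After `virsh nwfilter-define isolate-lab.xml` and a guest restart, `virsh nwfilter-list` shows the filter and `virsh nwfilter-dumpxml clean-traffic` shows the anti-spoofing sub-filters that were pulled in. The order matters: the peer accepts (100) and the DNS accepts (200) sit below the host drop (300) and subnet drop (400), so a peer that is itself on the subnet is reachable while the rest of it is not. Because `clean-traffic` enforces `$IP`, a guest that changes its address simply loses all connectivity rather than escaping the whitelist, which is what the follow-up question about not trusting the guests' addresses needs.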