On Tue, Jun 06, 2017 at 08:50:45PM +0200, Chris wrote:
> Chris wrote:
> > I'm trying to set up a network with some virtual machines that can connect
> > to each other and to the internet, but neither to the host nor to other
> > VMs.
>
> Thank you for your replies. Unfortunately, I didn't mention that I'd like
> to be able to test malicious software, so my network filtering shouldn't
> depend on the guests' IP addresses. I think I have to set up a new virtual
> "virus" interface and configure iptables on the host for this interface.
> Is this possible?

You can use the network filters to set up antispoofing protection for both
IP addresses and MAC addresses. In fact this is what the "clean-traffic"
example filter libvirt provides will do for you.

Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

Daniel,

Are you talking about XML? If yes, could you please show us an example?

Thank you.
Thiago

2017-06-06 18:03 GMT-03:00 Daniel P. Berrange <berrange@redhat.com>:
> On Tue, Jun 06, 2017 at 08:50:45PM +0200, Chris wrote:
> > Chris wrote:
> > > I'm trying to set up a network with some virtual machines that can
> > > connect to each other and to the internet, but neither to the host
> > > nor to other VMs.
> >
> > Thank you for your replies. Unfortunately, I didn't mention that I'd
> > like to be able to test malicious software, so my network filtering
> > shouldn't depend on the guests' IP addresses. I think I have to set up
> > a new virtual "virus" interface and configure iptables on the host for
> > this interface. Is this possible?
>
> You can use the network filters to set up antispoofing protection for both
> IP addresses and MAC addresses. In fact this is what the "clean-traffic"
> example filter libvirt provides will do for you.
>
> Regards,
> Daniel

On Tue, Jun 06, 2017 at 11:37:27PM -0300, Thiago Oliveira wrote:
> Daniel,
>
> Are you talking about XML? If yes, could you please show us an example?

  <domain>
    ...
    <devices>
      ....
      <interface type='bridge'>
        <mac address='00:16:3e:5d:c7:9e'/>
        <filterref filter='clean-traffic'/>
      </interface>
      ....
    </devices>
    ...
  </domain>

There is quite a lot more info here:

  http://libvirt.org/formatnwfilter.html
  http://libvirt.org/firewall.html

Regards,
Daniel
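
The check below is an added example, not part of the thread and not libvirt code: it audits a domain XML document for interfaces that lack the filterref shown in the reply above, and reports any IP parameter pinned on the filter (the optional variable described in libvirt's nwfilter documentation). The function names and the sample XML, including its MAC and IP values, are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from the thread): one NIC filtered as in
# the reply above, one with a pinned IP parameter, one with no filter at all.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <devices>
    <interface type='bridge'>
      <mac address='52:54:00:00:00:01'/>
      <filterref filter='clean-traffic'/>
    </interface>
    <interface type='bridge'>
      <mac address='52:54:00:00:00:02'/>
      <filterref filter='clean-traffic'>
        <parameter name='IP' value='192.0.2.10'/>
      </filterref>
    </interface>
    <interface type='network'>
      <mac address='52:54:00:00:00:03'/>
    </interface>
  </devices>
</domain>
"""

def audit_interfaces(domain_xml, required_filter="clean-traffic"):
    """Return one finding dict per <interface> in a libvirt domain XML string."""
    findings = []
    for iface in ET.fromstring(domain_xml).findall("./devices/interface"):
        mac = iface.find("mac")
        ref = iface.find("filterref")
        name = ref.get("filter") if ref is not None else None
        # IP parameters pin the source addresses the filter accepts for this NIC.
        ips = [] if ref is None else [p.get("value") for p in ref.findall("parameter") if p.get("name") == "IP"]
        findings.append({
            "mac": mac.get("address") if mac is not None else None,
            "type": iface.get("type"),
            "filter": name,
            "pinned_ips": ips,
            "ok": name == required_filter,
        })
    return findings

def unfiltered(domain_xml, required_filter="clean-traffic"):
    """MAC addresses of interfaces that do not reference the required filter."""
    return [f["mac"] for f in audit_interfaces(domain_xml, required_filter) if not f["ok"]]

if __name__ == "__main__":
    for finding in audit_interfaces(SAMPLE_DOMAIN_XML):
        print(finding)
```

In practice the input would be the output of `virsh dumpxml` for each guest. An interface that uses a custom filter which itself includes clean-traffic is reported as not ok, since only the direct filterref name is compared.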