On Wed, 28 Dec 2011 10:03:50 -0600 Ian Pilcher wrote:
> What does your existing network look like?

Here's some mail I just tried to send the netfilter mailing list (you never know if it is going to get through though):

In my setup "br0" is the bridge that the physical interface and all my "normal" KVMs are attached to. It uses the 192.168.100.0/24 address range. The "bifrost" bridge is not connected to a physical interface. I have assigned it address 10.10.10.1 and the KVM I want to isolate uses it as a gateway and has static IP 10.10.10.2.

Here are the commands that do indeed seem to set up a working NAT for the KVM.

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
    iptables -A FORWARD -i br0 -o bifrost -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i bifrost -o br0 -j ACCEPT

Bearing in mind that I mostly cut & paste iptables rules and can only partially understand the stuff I read in the iptables man pages and wot-not, is anyone willing to tell me exactly what to change/add to prevent the KVM connected to bifrost from talking to my local LAN and vice versa? (I have a feeling I could understand the rules if someone told me what they should be, but absorbing everything in the man page then deducing what I need to do is beyond my poor brain :-).

Thanks in advance for any help.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
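Added example, not code from the mail above or from any reply on the list: a small rule generator that reproduces the poster's NAT setup and adds the two isolation rules the question asks for. It assumes the names and ranges from the post (br0 on 192.168.100.0/24, bifrost on 10.10.10.0/24 with the guest at 10.10.10.2); everything else, including the function names, is this example's own. The point it demonstrates is rule ordering: iptables stops at the first matching rule in a chain, so the DROPs for LAN addresses have to be appended before the broad "bifrost -> br0" ACCEPT, otherwise that ACCEPT matches first and the DROPs are never reached. Because the blocks are explicit DROP rules rather than a chain policy, they work whether the FORWARD policy is ACCEPT or DROP.

```shell
#!/bin/sh
# Added example (not from the original mail). Interface names and address
# ranges below are assumptions taken from the post; override via environment.
LAN_IF=${LAN_IF:-br0}
ISO_IF=${ISO_IF:-bifrost}
LAN_NET=${LAN_NET:-192.168.100.0/24}
ISO_NET=${ISO_NET:-10.10.10.0/24}

# Print the rules in the order they must be appended (-A). The two DROP rules
# come before the RELATED,ESTABLISHED and catch-all ACCEPTs, so traffic between
# the isolated guest and LAN addresses is discarded in both directions while
# guest -> Internet (via MASQUERADE on br0) and its replies still pass.
# MASQUERADE is limited to -s $ISO_NET so the host's own LAN traffic is not
# rewritten, which the original rule (without -s) would do.
nat_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $ISO_NET -o $LAN_IF -j MASQUERADE
iptables -A FORWARD -i $ISO_IF -o $LAN_IF -d $LAN_NET -j DROP
iptables -A FORWARD -i $LAN_IF -o $ISO_IF -s $LAN_NET -j DROP
iptables -A FORWARD -i $LAN_IF -o $ISO_IF -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $ISO_IF -o $LAN_IF -j ACCEPT
EOF
}

# Sanity check on the generated list: succeed only if the guest -> LAN DROP
# appears on an earlier line than the guest -> br0 ACCEPT. Running this before
# applying catches the classic mistake of appending the DROP after the ACCEPT.
drop_precedes_accept() {
    drop_line=$(nat_rules | grep -n -- "-i $ISO_IF -o $LAN_IF -d $LAN_NET -j DROP" | cut -d: -f1)
    accept_line=$(nat_rules | grep -n -- "-i $ISO_IF -o $LAN_IF -j ACCEPT" | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$accept_line" ] && [ "$drop_line" -lt "$accept_line" ]
}

# Count of explicit DROP rules in the generated list (expected: 2, one per direction).
drop_count() {
    nat_rules | grep -c -- '-j DROP'
}

# Apply for real; needs root on the KVM host. Forwarding is enabled first,
# then each printed rule is executed, stopping at the first failure.
apply_rules() {
    drop_precedes_accept || { echo "rule order wrong, refusing to apply" >&2; return 1; }
    echo 1 > /proc/sys/net/ipv4/ip_forward
    nat_rules | sh -e
}

# Uncomment to apply on the host: apply_rules
nat_rules
```

Two caveats for this setup. First, the DROP rules only cover forwarded traffic: packets from the guest to one of the host's own addresses go through the INPUT chain, not FORWARD, so the guest can still reach services the host itself runs (including on 192.168.100.x); restricting that needs separate `-i bifrost` rules in INPUT. Second, if the guest's DNS server or upstream router lives inside 192.168.100.0/24, the guest -> LAN DROP blocks it too, and a narrow ACCEPT for that one address and port has to be appended ahead of the DROP.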