Re: How can I create a VM in virt-manager that can access the internet through the host but can't even see the host or other devices on the LAN?

On 5/17/24 11:16 AM, Michal Prívozník wrote:
On 5/17/24 14:21, Anchal Nigam wrote:
I don't have a router on which I can create custom rules to block things. I was hoping there would be a way to do this entirely on the host, but it doesn't look like it is possible.

macvtap IS a purely host thing. No need to set anything on the router. In
fact, you'd need a special switch if you wanted two guests using macvtap
on the same host to talk to each other (it's called hairpinning).


More specifically, if the macvtap interface (type='direct' in the libvirt domain XML) has


  <source dev='ethX' mode='private'/>


*then* that guest can only communicate with other guests connected via dev='ethX' if the traffic is hair-pinned back from the bridge that connects device 'ethX' to the physical network. But if it is


  <source dev='ethX' mode='bridge'/>


then that guest *can* communicate with all other guests connected to ethX. In both cases, the guests cannot communicate with the host.


But even mode='private' doesn't provide the level of isolation that's being requested. You might think you could combine macvtap/private with a few iptables/nftables rules on the host that reject any forwarded traffic that has source or destination on the local network, but none of the iptables hooks works with traffic on a macvtap interface. It *is* apparently possible (although I've not tried it) to do nftables filtering of traffic on a macvtap interface by using the "netdev" ingress and egress hooks, as outlined here:


https://serverfault.com/questions/1147529/applying-nftables-rules-to-macvtap-interfaces


(it even gives an example of implementing this in a libvirt hook script, which would be necessary for you to use it with a libvirt-created macvtap interface).


An alternate implementation, managed entirely on the host, would be to connect the guest via a libvirt network in nat/bridge/open forward mode (to ensure that a regular tap device is used) and then use libvirt's nwfilter to create a filter that rejects all traffic to the local network but allows everything else. Basic information about libvirt's nwfilter driver is here:


  https://libvirt.org/formatnwfilter.html
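As an added illustration of the nwfilter approach described above (this is example XML written for this reply, not code from the thread or from libvirt's own documentation), here is one way such a filter could look. It assumes the guest is attached to libvirt's stock 'default' NAT network (192.168.122.0/24, host reachable at 192.168.122.1) and that the physical LAN behind the host is 192.168.1.0/24; both are placeholder values to adjust.

```xml
<!-- Constructed example: drop everything the guest sends toward the host,
     other guests on virbr0, or the physical LAN, but still let it reach the
     internet through NAT.  Only layer-4 elements (udp/tcp/all) are used so
     that every rule lands in the same iptables chain and priority ordering
     holds (lower priority value = evaluated first). -->
<filter name='no-lan-access'>
  <!-- The guest needs DHCP and DNS from dnsmasq on the host's virbr0 address;
       permit only those services toward the host.  Replies to accepted
       outbound flows come back automatically via connection tracking. -->
  <filterref filter='allow-dhcp'/>
  <rule action='accept' direction='out' priority='100'>
    <udp dstipaddr='192.168.122.1' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='out' priority='100'>
    <udp dstipaddr='192.168.122.1' dstportstart='53'/>
  </rule>
  <rule action='accept' direction='out' priority='100'>
    <tcp dstipaddr='192.168.122.1' dstportstart='53'/>
  </rule>

  <!-- Anything else aimed at the NAT network (the host itself and any other
       guest on virbr0) is dropped.  'drop' is used rather than 'reject' so
       the guest gets no ICMP error revealing that something is there. -->
  <rule action='drop' direction='out' priority='200'>
    <all dstipaddr='192.168.122.0' dstipmask='24'/>
  </rule>
  <!-- ... as is anything aimed at the physical LAN behind the host
       (placeholder subnet, adjust to the real one). -->
  <rule action='drop' direction='out' priority='200'>
    <all dstipaddr='192.168.1.0' dstipmask='24'/>
  </rule>

  <!-- Everything remaining is internet-bound and passes.  Unsolicited
       inbound connections from the LAN are already impossible through NAT. -->
  <rule action='accept' direction='inout' priority='500'>
    <all/>
  </rule>
</filter>

<!-- The filter is attached in the guest's domain XML, e.g.:
  <interface type='network'>
    <source network='default'/>
    <model type='virtio'/>
    <filterref filter='no-lan-access'/>
  </interface>
-->
```

Load it with "virsh nwfilter-define no-lan-access.xml" and confirm it is listed by "virsh nwfilter-list"; the rules are instantiated on the guest's tap device when the guest starts.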




