I have a KVM virtual machine I would like to totally isolate from my local LAN. I've told libvirt to use a separate bridge for this KVM and I've set up NAT routing for the separate bridge so the KVM can get to the outside world. That all works. Now I want to figure out how to block any attempt from the KVM to get to my LAN, and my LAN (other than what is required for the NAT forwarding to continue working :-) from getting to the KVM.

In my setup "br0" is the bridge that the physical interface and all my "normal" KVMs are attached to. It uses the 192.168.100.0/24 address range. The "bifrost" bridge is not connected to a physical interface. I have assigned it address 10.10.10.1 and the KVM I want to isolate uses it as a gateway and has static IP 10.10.10.2.

Here are the commands that do indeed seem to set up a working NAT for the KVM:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
    iptables -A FORWARD -i br0 -o bifrost -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i bifrost -o br0 -j ACCEPT

Bearing in mind that I mostly cut & paste iptables rules and can only partially understand the stuff I read in the iptables man pages and wot-not, is anyone willing to tell me exactly what to change/add to prevent the KVM connected to bifrost from talking to my local LAN and vice versa? (I have a feeling I could understand the rules if someone told me what they should be, but absorbing everything in the man page then deducing what I need to do is beyond my poor brain :-).

Thanks in advance for any help.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
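One way to get the isolation the poster is asking for, as an added example that is not part of the original message or any reply on the list. The interface names (br0, bifrost) and address ranges (192.168.100.0/24, 10.10.10.0/24) are taken from the post; the FORWARD policy, the INPUT rules and the use of the conntrack match instead of the older state match are my assumptions about what the poster wants. The important point is that the poster's existing "-A FORWARD -i bifrost -o br0 -j ACCEPT" matches packets bound for LAN hosts as well as the Internet, because the LAN and the default route are both behind br0, so a DROP for the LAN range has to sit before that ACCEPT, and the host itself (which has a leg on both bridges) needs an INPUT rule of its own. The script prints an iptables-restore ruleset by default and only applies it when run as "apply":

```shell
#!/bin/sh
# Added example, not from the original post: isolate the VM on "bifrost" from the
# LAN on "br0" while keeping the masqueraded path to the Internet working.
# Interface names and address ranges come from the post; the rest is assumed.

LAN_IF=br0                 # bridge carrying the physical NIC and the "normal" VMs
ISO_IF=bifrost             # bridge with only the isolated VM on it
LAN_NET=192.168.100.0/24   # LAN address range (from the post)
ISO_NET=10.10.10.0/24      # bifrost address range (from the post)

# Print an iptables-restore ruleset. Rule order matters: the LAN DROP in FORWARD
# must come before the generic ACCEPT that lets the VM out to the Internet.
isolation_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade only the isolated network, and only when it leaves via the LAN bridge.
-A POSTROUTING -s $ISO_NET -o $LAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# The host sits on both bridges, so the VM must not reach the host either,
# apart from replies to connections the host itself opened (ssh from the host to the VM still works).
-A INPUT -i $ISO_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $ISO_IF -j DROP
# VM -> LAN hosts: dropped here, before the Internet ACCEPT below can match.
-A FORWARD -i $ISO_IF -o $LAN_IF -d $LAN_NET -j DROP
# VM -> anything else behind br0 (the Internet): allowed, then masqueraded by the nat table.
-A FORWARD -i $ISO_IF -o $LAN_IF -j ACCEPT
# LAN/Internet -> VM: only replies to what the VM started; the FORWARD policy drops the rest.
-A FORWARD -i $LAN_IF -o $ISO_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Sanity check on the generated text: the LAN DROP must precede the first
# unconditional FORWARD ACCEPT, otherwise the ACCEPT wins and the VM can still
# reach the LAN. Returns 0 when the order is right.
forward_order_ok() {
    isolation_rules | awk -v lan="$LAN_NET" '
        /^-A FORWARD/ && /-j DROP/ && index($0, lan)     { drop = NR }
        /^-A FORWARD/ && /-j ACCEPT/ && !/ctstate/       { if (!acc) acc = NR }
        END { exit !(drop && acc && drop < acc) }'
}

case "${1:-}" in
    apply)
        # Needs root. Replaces the whole nat and filter tables with the ruleset above.
        sysctl -w net.ipv4.ip_forward=1
        forward_order_ok || { echo "rule order broken, refusing to apply" >&2; exit 1; }
        isolation_rules | iptables-restore
        ;;
    *)
        # Default: print the ruleset so it can be reviewed before applying.
        isolation_rules
        ;;
esac
```

Two caveats. iptables-restore without --noflush replaces the nat and filter tables wholesale, so any rules libvirt added for its own networks (or anything else on the host) disappear; if that is not acceptable, keep the existing rules and insert the LAN DROP with "iptables -I FORWARD 1 -i bifrost -o br0 -d 192.168.100.0/24 -j DROP" so it lands ahead of the poster's ACCEPT, and set "iptables -P FORWARD DROP" so new connections from the LAN towards bifrost are refused rather than falling through to an ACCEPT policy. And if the host is ever expected to serve DNS or DHCP to the isolated VM, add explicit INPUT ACCEPT rules for those ports on bifrost above the INPUT DROP; with the static IP described in the post nothing of the sort is required.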