Filter Local Network-Access for Libvirt Guest

Thu 04 December 2014
By makefu

My google-fu was not strong enough to find a walkthrough of how to filter the local network for a libvirt guest instance which is using a NAT-ed interface while keeping the access to the internet working.

Here is what I came up with:

Define nwfilter rule

My local network is and the internet gateway is at

srv$ cat > no-localnet <<EOF
<filter name='no-localnet' chain='ipv4' priority='-700'>
  <rule action='accept' direction='out' priority='500'>
    <all dstipaddr='' dstipmask='32' comment='allow-to-gateway'/>
  </rule>
  <rule action='reject' direction='out' priority='500'>
    <all dstipfrom='' dstipto='' comment='reject localnet'/>
  </rule>
</filter>
EOF
srv$ virsh nwfilter-define no-localnet
# the filter can be edited live (libvirt pushes the change to running guests that use it):
#  virsh nwfilter-edit no-localnet

Add filter reference to the guest

srv$ virsh edit my-guest
# inside the guest's <interface> element add:
  <filterref filter='no-localnet'/>
# virsh edit changes the persistent config only; restart the guest so the filter is attached
srv$ ssh my-guest
  my-guest$ ping -c 1 && \
            ping -c 1 # works (gateway and internet)
  my-guest$ ping -c 1 # does not work anymore (another host on the local network)

nwfilter rules are only applied to interfaces that go through a host bridge (such as the NAT-ed default network); they are not applied to macvtap 'direct' interfaces, so the guest must not use one.
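As an added example (not part of the original post), the same setup as a small POSIX shell script: it generates the filter XML from parameters instead of hard-coded addresses, checks that the gateway exception actually lies inside the rejected range (otherwise the accept rule is a no-op), and can define the filter with virsh. The addresses are RFC 5737 documentation ranges used as placeholders, and the function names and the gen/apply subcommands are my own. It deliberately gives the accept rule a lower priority number (400) than the reject rule (500) so the evaluation order is explicit rather than a matter of XML order.

```shell
#!/bin/sh
# Added example, not from the original post. Generates and installs a
# "no-localnet" nwfilter; addresses are placeholders (RFC 5737 ranges) and
# the function/subcommand names are assumptions of this example.
set -eu

# Convert a dotted-quad IPv4 address to an integer (POSIX sh arithmetic only).
ip2int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Succeed if address $1 lies inside the inclusive range $2..$3.
in_range() {
    ip=$(ip2int "$1"); lo=$(ip2int "$2"); hi=$(ip2int "$3")
    [ "$ip" -ge "$lo" ] && [ "$ip" -le "$hi" ]
}

# The accept rule only matters if the gateway is inside the rejected range;
# warn (and fail) if it is not, so a typo does not silently produce a no-op.
check_no_localnet() {
    gateway=$1; net_from=$2; net_to=$3
    if in_range "$gateway" "$net_from" "$net_to"; then
        return 0
    fi
    echo "warning: gateway $gateway is outside $net_from-$net_to; accept rule is a no-op" >&2
    return 1
}

# Emit the nwfilter XML. Priority 400 < 500 makes the accept rule evaluate
# before the reject rule regardless of the order of the <rule> elements.
gen_no_localnet_xml() {
    name=$1; gateway=$2; net_from=$3; net_to=$4
    cat <<EOF
<filter name='${name}' chain='ipv4' priority='-700'>
  <rule action='accept' direction='out' priority='400'>
    <all dstipaddr='${gateway}' dstipmask='32' comment='allow-to-gateway'/>
  </rule>
  <rule action='reject' direction='out' priority='500'>
    <all dstipfrom='${net_from}' dstipto='${net_to}' comment='reject-localnet'/>
  </rule>
</filter>
EOF
}

# Define (or redefine) the filter in libvirt. Requires virsh; not exercised by
# the self-test. Attaching <filterref filter='NAME'/> to the guest's
# <interface> is still done with 'virsh edit GUEST' plus a guest restart.
apply_no_localnet() {
    name=$1; gateway=$2; net_from=$3; net_to=$4
    check_no_localnet "$gateway" "$net_from" "$net_to" || true
    tmp=$(mktemp)
    gen_no_localnet_xml "$name" "$gateway" "$net_from" "$net_to" > "$tmp"
    virsh nwfilter-define "$tmp"
    rm -f "$tmp"
    virsh nwfilter-dumpxml "$name"
}

# Usage (placeholder addresses):
#   sh no-localnet.sh gen   no-localnet 192.0.2.1 192.0.2.0 192.0.2.255
#   sh no-localnet.sh apply no-localnet 192.0.2.1 192.0.2.0 192.0.2.255
case "${1:-}" in
    gen)   shift; gen_no_localnet_xml "$@" ;;
    apply) shift; apply_no_localnet "$@" ;;
esac
```

Two things worth keeping in mind when reusing this: the rules are direction='out' only, and the gateway exception admits every protocol to the gateway host itself (including, for example, its admin interface), so narrow it to the ports you need if that matters; and chain='ipv4' says nothing about IPv6, which needs its own rules in chain='ipv6' if the guest has IPv6 connectivity. On the host, the installed rules can be inspected in the per-interface iptables chains libvirt creates (FO-vnetN / FI-vnetN) once the guest is running with the filter attached.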


I am not sure if it is a hundred percent secure but it works for my use-case.