Filter Local Network-Access for Libvirt Guest

Thu 04 December 2014
By makefu

My google-fu was not strong enough to find a walkthrough of how to filter the local network for a libvirt guest that uses a NAT-ed interface while keeping its access to the internet working.

Here is what I came up with:

Define nwfilter rule

My local network is 192.168.1.0/24 and the internet gateway is at 192.168.1.1.

srv$ cat > no-localnet <<EOF
<filter name='no-localnet' chain='ipv4' priority='-700'>
  <uuid>18d3051a-9115-47eb-85f1-8021173f7bbe</uuid>
  <!-- traffic from the guest to the gateway is accepted -->
  <rule action='accept' direction='out' priority='500'>
    <all dstipaddr='192.168.1.1' dstipmask='32' comment='allow-to-gateway'/>
  </rule>
  <!-- everything else destined for the local network is rejected;
       traffic that matches no rule (the internet) passes through -->
  <rule action='reject' direction='out' priority='500'>
    <all dstipfrom='192.168.1.0' dstipto='192.168.1.255' comment='reject localnet'/>
  </rule>
</filter>
EOF
srv$ virsh nwfilter-define no-localnet
# you can edit it live with:
#  virsh nwfilter-edit no-localnet

Attach the filter to the guest interface

srv$ virsh edit my-guest
# inside the guest's <interface> element add:
  <filterref filter='no-localnet'/>
# restart guest (not sure if required)
srv$ ssh my-guest
  my-guest$ ping -c 1 192.168.1.1 && \
            ping -c 1 google.de # works: gateway and internet stay reachable
  my-guest$ ping -c 1 192.168.1.11 # does not work anymore: other local hosts are rejected

For this filter to take effect the guest must not use a macvtap 'direct' interface: libvirt's nwfilter rules are only applied to tap-backed interfaces such as those on a bridge or NAT network.
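As an added offline sanity check that is not part of the original post: a small Python simulator that parses the filter XML above and returns the verdict for a destination address, so the intended behaviour (gateway accepted, the rest of 192.168.1.0/24 rejected, internet destinations unmatched and therefore passed through) can be verified before the filter is attached, and rule-ordering mistakes such as a reject rule shadowing the accept rule are caught. It assumes libvirt evaluates rules by ascending priority value with XML order breaking ties, and models only the <all> protocol element with its destination attributes.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed copy of the filter from this post; in practice feed in `virsh nwfilter-dumpxml no-localnet`.
NO_LOCALNET_XML = """<filter name='no-localnet' chain='ipv4' priority='-700'>
  <rule action='accept' direction='out' priority='500'>
    <all dstipaddr='192.168.1.1' dstipmask='32' comment='allow-to-gateway'/>
  </rule>
  <rule action='reject' direction='out' priority='500'>
    <all dstipfrom='192.168.1.0' dstipto='192.168.1.255' comment='reject localnet'/>
  </rule>
</filter>"""

def _dst_matcher(proto):
    if proto.get('dstipaddr') is not None:  # single address with prefix length or dotted mask
        net = ipaddress.ip_network(f"{proto.get('dstipaddr')}/{proto.get('dstipmask', '32')}", strict=False)
        return lambda ip: ip in net
    if proto.get('dstipfrom') is not None:  # inclusive address range
        lo, hi = ipaddress.ip_address(proto.get('dstipfrom')), ipaddress.ip_address(proto.get('dstipto'))
        return lambda ip: lo <= ip <= hi
    return lambda ip: True  # bare <all/> matches every destination

def parse_rules(xml_text):
    """(action, direction, matcher) in evaluation order: priority ascending, XML order on ties (assumed)."""
    rules = []
    for idx, rule in enumerate(ET.fromstring(xml_text).findall('rule')):
        proto = rule.find('all')  # only the <all> protocol element is modelled here
        if proto is not None:
            rules.append((int(rule.get('priority', '500')), idx, rule.get('action'),
                          rule.get('direction', 'inout'), _dst_matcher(proto)))
    return [r[2:] for r in sorted(rules, key=lambda r: (r[0], r[1]))]

def verdict(rules, dst, direction='out'):
    """First matching rule decides; with no match libvirt lets the packet through."""
    ip = ipaddress.ip_address(dst)
    for action, rule_dir, matches in rules:
        if rule_dir in (direction, 'inout') and matches(ip):
            return action
    return 'no-match'

def audit(xml_text, gateway, localnet, probe='8.8.8.8'):
    """Check the post's intent; returns a list of problems (empty means the filter does what it should)."""
    rules, net, problems = parse_rules(xml_text), ipaddress.ip_network(localnet), []
    if verdict(rules, gateway) != 'accept':
        problems.append(f'gateway {gateway} is not accepted')
    problems += [f'local host {h} is not rejected' for h in map(str, net.hosts()) if h != gateway and verdict(rules, h) != 'reject']
    if verdict(rules, probe) != 'no-match':
        problems.append(f'{probe} outside the local net is caught by the filter')
    return problems
```

Running `audit(NO_LOCALNET_XML, '192.168.1.1', '192.168.1.0/24')` returns an empty list for the filter as written; lowering the reject rule's priority value below the accept rule's makes the gateway check fail, which is exactly the ordering mistake this catches.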

Remarks

I am not sure if it is a hundred percent secure but it works for my use-case.
