[fedora-virt] VM with access to outside world, but not LAN?

Tom Horsley horsley1953 at gmail.com
Sun Jan 1 05:34:31 UTC 2012


I've been trying to figure out how to make a virtual machine
that has network access to the outside world, but not to any
machines on my local LAN.

This seems like something that would be an FAQ, but I can't
find anything quite like it in any examples.

This is sort of a continuation of a thread in the
fedora users list where specific details of my
setup can be found:

http://lists.fedoraproject.org/pipermail/users/2011-December/411283.html

Unfortunately, none of the answers I got there actually
seem to work. I can still ping things on my LAN from
inside the virtual machine I'm trying to isolate. I
figured maybe the virt list might have someone who
has done something like this.

I tried making a new bridge, with no physical interface
attached. I can indeed make the virtual machine connect
to it, and it has absolutely no access to any networking
until I set up NAT in iptables, at which point it
has access to both the outside world, and my local LAN
via the magic of NAT.

This seems to prove that the host machine can both
prevent networking from operating in the virtual machine
or allow networking, so you'd think there would be
a middle ground somewhere where I could have NAT
working to get to the outside world, but not working
to get to machines on my LAN.

Unfortunately, nothing I've tried with iptables
or ebtables has worked. My only two alternatives
seem to be full network access, or no network access
at all :-(.

I don't insist on using NAT and a bridge, that was
just what I thought of. If there is another way
to achieve this, feel free to point me in a different
direction.

Thanks for any help you can provide (this seemed
like it ought to be so simple :-).
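The "middle ground" asked about above does exist in the FORWARD
chain: NAT in POSTROUTING decides how packets leave the host, but
FORWARD decides whether they may be routed at all, so a REJECT for
the LAN subnet placed before the ACCEPT for the Internet is what
separates the two. The script below is an added example written for
this reply, not code from the original post or from libvirt. The
interface names (virbr1, eth0) and the subnets (192.168.1.0/24 for
the LAN, 10.99.0.0/24 for the isolated bridge) are placeholder
assumptions; set them in the environment to match the real host.

```shell
#!/bin/sh
# Added example: keep a NAT-ed, physical-interface-less bridge away
# from the local LAN while still letting guests reach the Internet.
# All names below are assumed placeholders, not values from the post.
BR=${BR:-virbr1}                   # bridge the guest is attached to
WAN=${WAN:-eth0}                   # host interface that reaches the Internet (and the LAN)
LAN_NET=${LAN_NET:-192.168.1.0/24} # the LAN the guest must NOT reach
VM_NET=${VM_NET:-10.99.0.0/24}     # subnet used on the isolated bridge

# Emit the rule set, one iptables invocation per line.
# Order matters: the LAN REJECT must be evaluated before the Internet
# ACCEPT, because both the LAN and the Internet are reached through
# $WAN. Rules are inserted (-I) at the top of FORWARD so that a
# blanket ACCEPT added by libvirt or a distro firewall cannot
# short-circuit them.
isolation_rules() {
    cat <<EOF
iptables -t nat -A POSTROUTING -s $VM_NET -o $WAN -j MASQUERADE
iptables -I FORWARD 1 -i $BR -d $LAN_NET -j REJECT --reject-with icmp-net-prohibited
iptables -I FORWARD 2 -i $BR -s $VM_NET -o $WAN -j ACCEPT
iptables -I FORWARD 3 -o $BR -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 4 -i $BR -j DROP
EOF
}

# Print the target of the rule that ends up first in FORWARD, so the
# ordering can be checked before anything is applied.
first_forward_target() {
    isolation_rules | grep -- '-I FORWARD 1 ' | sed 's/.* -j \([A-Z]*\).*/\1/'
}

# Apply the rules (needs root), or just print them when DRYRUN=1.
apply_rules() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        isolation_rules
    else
        isolation_rules | sh -e
    fi
}

# Only act when explicitly asked, so sourcing the file changes nothing.
[ "${1:-}" = apply ] && apply_rules
```

Two caveats worth knowing when checking the result from inside the
guest: a ping to a LAN address should now come back as "Destination
Net Prohibited" rather than simply timing out, which confirms the
REJECT is the rule being hit; and the host itself is not covered by
FORWARD at all, so the guest can still talk to services the host
runs on the bridge address (for example dnsmasq for DHCP/DNS) unless
the INPUT chain is filtered separately.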
