On Sat, May 07, 2011 at 07:04:12PM -0400, Tom Horsley wrote:
> I've currently got all my virtual machines networked
> using the br0 bridge to make them all look like they
> are just other machines on my LAN, all in the same
> subnet, all using the same gateway, DHCP server, etc.
> What I'd like to do (for purposes of paranoia),
> is something like create another bridge, say br1,
> and through the magic of iptables and wot-not
> make any virtual machines I attach to br1 be
> completely isolated from my local LAN, but still
> get their network traffic forwarded so they
> can talk to the outside world.
> I know just enough to imagine this might be possible,
> yet have no idea how to implement any of the
> details. Are there any detailed prescriptions
> out there for doing this kind of thing?

It should be possible using libvirt, without needing to fiddle with
iptables etc (or rather, libvirt will do that for you).
You need to create another virtual network in libvirt and then change
your current guests' <interface><source network='default'/> from
'default' to whatever you decide to call your new network.
This is a good place to start:
http://libvirt.org/formatnetwork.html#examples
and also:
# virsh net-dumpxml default
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
New in Fedora 11: Fedora Windows cross-compiler. Compile Windows
programs, test, and build Windows installers. Over 70 libraries supported
http://fedoraproject.org/wiki/MinGW http://www.annexia.org/fedora_mingw
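As an added example (not part of this thread or of libvirt's own tooling), the script below builds the `<network>` definition Rich refers to and rewrites a guest's `<interface><source network='default'/>` to point at it. The network name `isolated` and the `192.168.200.0/24` range are assumptions; `br1` is the bridge name from the question.

```python
import xml.etree.ElementTree as ET

NETWORK_NAME = "isolated"   # assumed name for the new libvirt network
BRIDGE_NAME = "br1"         # bridge name from the question
SUBNET = "192.168.200"      # assumed private range, distinct from the LAN


def build_network_xml(name=NETWORK_NAME, bridge=BRIDGE_NAME, subnet=SUBNET):
    """Return XML suitable for `virsh net-define` (see formatnetwork.html).

    <forward mode='nat'/> tells libvirt to install the masquerading rules
    itself, and the <dhcp> range makes it start dnsmasq on the bridge.
    """
    net = ET.Element("network")
    ET.SubElement(net, "name").text = name
    ET.SubElement(net, "forward", mode="nat")
    ET.SubElement(net, "bridge", name=bridge, stp="on", delay="0")
    ip = ET.SubElement(net, "ip", address=f"{subnet}.1", netmask="255.255.255.0")
    dhcp = ET.SubElement(ip, "dhcp")
    ET.SubElement(dhcp, "range", start=f"{subnet}.2", end=f"{subnet}.254")
    return ET.tostring(net, encoding="unicode")


def move_guest_to_network(domain_xml, new_network, old_network="default"):
    """Rewrite <interface type='network'><source network=OLD/> to NEW.

    Input is the text of `virsh dumpxml GUEST`; feed the returned text back
    with `virsh define`. Returns (new_xml, number_of_interfaces_changed).
    """
    root = ET.fromstring(domain_xml)
    changed = 0
    for iface in root.iter("interface"):
        if iface.get("type") != "network":
            continue          # bridge/direct interfaces are left alone
        src = iface.find("source")
        if src is not None and src.get("network") == old_network:
            src.set("network", new_network)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


# Constructed guest definition, trimmed to the part that matters.
SAMPLE_DOMAIN = """<domain type='kvm'>
  <name>paranoid-vm</name>
  <devices>
    <interface type='network'>
      <source network='default'/>
    </interface>
  </devices>
</domain>"""

if __name__ == "__main__":
    print(build_network_xml())
    new_xml, n = move_guest_to_network(SAMPLE_DOMAIN, NETWORK_NAME)
    print(f"{n} interface(s) moved:\n{new_xml}")
```

A NAT network by itself still lets guests reach any address the host can route to, the host's own LAN included, so after `virsh net-start` inspect the FORWARD chain libvirt populated (`iptables -L FORWARD -v`) to confirm it matches the isolation you want.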