[fedora-virt] VM with access to outside world, but not LAN?
Emanuel Rietveld
codehotter at gmail.com
Mon Jan 2 10:06:34 UTC 2012
On 01/01/2012 06:34 AM, Tom Horsley wrote:
> I've been trying to figure out how to make a virtual machine
> that has network access to the outside world, but not to any
> machines on my local LAN.
>
> This seems like something that would be an FAQ, but I can't
> find anything quite like it in any examples.
>
> This is sort of a continuation of a thread in the
> fedora users list where specific details of my
> setup can be found:
>
> http://lists.fedoraproject.org/pipermail/users/2011-December/411283.html
>
> Unfortunately, none of the answers I got there actually
> seem to work. I can still ping things on my LAN from
> inside the virtual machine I'm trying to isolate. I
> figured maybe the virt list might have someone who
> has done something like this.
>
I did pretty much what Ian Pilcher wrote you in this message:
http://lists.fedoraproject.org/pipermail/users/2011-December/411335.html
Works for me.
In the default, NAT, setup:
iptables -I FORWARD -d 192.168.2.0/24 -i virbr0 -j REJECT --reject-with icmp-host-prohibited
After that I can connect to the internet but not to the 192.168.2.0/24
subnet.
One reason you may be getting confused, which Ian also already
mentioned, is your unhelpful choice of bridge names. I recommend
'virbr0' for a bridge that has virtual machines in it for a NAT
configuration, and br0 for a direct guest on physical network configuration.
Emanuel
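The rule from the reply, wrapped in a small script as an added example; it is not part of the thread and not Emanuel's or libvirt's code. It assumes the bridge is virbr0, the LAN is 192.168.2.0/24 (the reply's values) and the guests sit on libvirt's default 192.168.122.0/24 network; the function names isolation_rules, apply_rules and isolation_effective are invented for the example, and the two FORWARD listings are constructed to look like what libvirt installs. It goes one step beyond the reply: the emit function takes any number of LAN subnets, and the check function tells you whether the REJECT actually sits in front of libvirt's ACCEPT, which is what decides whether the rule has any effect.

```shell
#!/bin/sh
# Added example, not from the thread. Keeps NAT guests on a libvirt bridge away
# from the physical LAN while their Internet access stays intact.
# Constructed assumptions: bridge virbr0, LAN 192.168.2.0/24 (as in the reply),
# libvirt's default guest network 192.168.122.0/24.

# Emit one iptables command per LAN subnet. -I (insert at the head of FORWARD)
# is deliberate: libvirt's own rules in FORWARD ACCEPT everything arriving on
# virbr0, and iptables stops at the first match, so a rule appended with -A
# would sit behind that ACCEPT and never fire. icmp-host-prohibited gives the
# guest an immediate error instead of a hanging connection.
# Usage: isolation_rules BRIDGE SUBNET...
# List only physical LAN subnets here, never the guest network itself.
isolation_rules() {
    bridge=$1
    shift
    for subnet in "$@"; do
        printf 'iptables -I FORWARD -i %s -d %s -j REJECT --reject-with icmp-host-prohibited\n' \
            "$bridge" "$subnet"
    done
}

# Apply the rules (needs root). iptables -C returns 0 when an identical rule
# already exists, so re-running the script does not stack duplicate rules.
apply_rules() {
    bridge=$1
    shift
    for subnet in "$@"; do
        if ! iptables -C FORWARD -i "$bridge" -d "$subnet" -j REJECT \
                --reject-with icmp-host-prohibited 2>/dev/null; then
            iptables -I FORWARD -i "$bridge" -d "$subnet" -j REJECT \
                --reject-with icmp-host-prohibited
        fi
    done
}

# Verify ordering in a FORWARD listing (`iptables -S FORWARD` on stdin):
# succeed only if the REJECT for SUBNET on BRIDGE precedes the first ACCEPT
# for traffic entering BRIDGE and leaving elsewhere. Since the first matching
# rule wins, a REJECT that comes later is shadowed even though it is present.
# Usage: iptables -S FORWARD | isolation_effective BRIDGE SUBNET
isolation_effective() {
    awk -v br="$1" -v net="$2" '
        /-j ACCEPT/ && index($0, "-i " br " ") && !index($0, "-o " br " ") && !accept { accept = NR }
        /-j REJECT/ && index($0, "-i " br " ") && index($0, "-d " net " ") && !reject { reject = NR }
        END { exit !(reject && (!accept || reject < accept)) }
    '
}

# Constructed listings modelled on what libvirt installs in FORWARD.
# GOOD_CHAIN: the REJECT was inserted with -I, so it sits at the top.
GOOD_CHAIN='-P FORWARD ACCEPT
-A FORWARD -d 192.168.2.0/24 -i virbr0 -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable'
# BAD_CHAIN: the same rule appended with -A; libvirt's ACCEPT matches first.
BAD_CHAIN='-P FORWARD ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -d 192.168.2.0/24 -i virbr0 -j REJECT --reject-with icmp-host-prohibited'

# Stand-alone demo on the constructed listings; no root or live iptables needed.
isolation_rules virbr0 192.168.2.0/24
if printf '%s\n' "$GOOD_CHAIN" | isolation_effective virbr0 192.168.2.0/24; then
    echo "inserted rule: LAN is unreachable from guests"
fi
if ! printf '%s\n' "$BAD_CHAIN" | isolation_effective virbr0 192.168.2.0/24; then
    echo "appended rule: shadowed by libvirt's ACCEPT, guests still reach the LAN"
fi
```

On a live host, `iptables -S FORWARD | isolation_effective virbr0 192.168.2.0/24` is the quick way to find out whether a rule that looks right in `iptables -L` is really in front of libvirt's ACCEPT; a rule that passes that check and still lets guests reach the LAN usually means the guests are not on the bridge named, which is the bridge-naming point made in the reply.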