[fedora-virt] VM with access to outside world, but not LAN?

Tom Horsley horsley1953 at gmail.com
Mon Jan 2 15:09:26 UTC 2012


On Mon, 02 Jan 2012 11:06:34 +0100
Emanuel Rietveld wrote:

> In the default, NAT, setup: iptables -I FORWARD -d 192.168.2.0/24 -i virbr0 -j REJECT --reject-with icmp-host-prohibited
> 
> After that I can connect to the internet but not to the 192.168.2.0/24 
> subnet.

I have no idea why, but this stuff does not work for me at all.
Apparently the only machine it actually prevents me from reaching
is the KVM host. I can't ping it, but other machines on my LAN I
can ping.

> One reason you may be getting confused, which Ian also already 
> mentioned, is your unhelpful choice of bridge names. I recommend 
> 'virbr0' for a bridge that has virtual machines in it for a NAT 
> configuration, and br0 for a direct guest on physical network configuration.

I don't know why people care so much about this. There are so
many things to be confused by with iptables, the name of an interface
seems to be the least of the problems you'd encounter :-).

Anyway, I'm about to try a completely different approach. My
DD-WRT router has support for VLANs. Maybe I can connect my KVM host
to a router port that uses VLAN tagging and set up eth0.1 and eth0.3
VLANs with eth0.1 being my normal LAN subnet and eth0.3 being
a completely different subnet. (Or maybe I can completely wipe
out all my internet access even on the host while trying this :-).
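The REJECT rule quoted above only works if it sits ahead of libvirt's own FORWARD rules, and it only affects routed traffic: packets from a guest to the KVM host itself are delivered locally through INPUT and never traverse FORWARD, so a FORWARD rule cannot block (or fail to block) the host. The script below is an added example, not something posted by Tom or Emanuel; it assumes the NAT bridge is virbr0, the LAN is 192.168.2.0/24, and an iptables with `-C` (1.4.11 or later). The `first_rule_is_lan_reject` check reads `iptables -S FORWARD` from stdin so it can be tried on constructed output without root.

```shell
#!/bin/sh
# Added example for the fedora-virt thread; not the poster's script.
# Assumptions (override in the environment): libvirt's NAT bridge is
# virbr0, the physical LAN is 192.168.2.0/24, iptables >= 1.4.11 (-C).
VIRBR="${VIRBR:-virbr0}"
LAN="${LAN:-192.168.2.0/24}"

# Rule spec without chain or position. Matching on the input interface and
# the destination network keeps it independent of which interface (eth0,
# br0, ...) actually leads to the LAN.
lan_reject_spec() {
    printf '%s' "-i $VIRBR -d $LAN -j REJECT --reject-with icmp-host-prohibited"
}

# Read `iptables -S FORWARD` output on stdin; succeed only if the first real
# rule (the line after the -P policy line) is our REJECT. libvirt inserts its
# "-i virbr0 -o eth0 -j ACCEPT" at the head of FORWARD when the network
# starts, so a REJECT appended with -A, or inserted before libvirtd came up,
# ends up below that ACCEPT and never sees guest-to-LAN traffic.
first_rule_is_lan_reject() {
    first=$(grep -v '^-P ' | head -n 1)
    case "$first" in
        *"-d $LAN "*"-i $VIRBR "*"-j REJECT"*) return 0 ;;
    esac
    return 1
}

# Idempotently place the rule at position 1 and verify it landed there.
# Needs root; run after the libvirt network is up, and again after any
# libvirtd restart, since libvirt re-inserts its rules above ours.
install_lan_reject() {
    # Word splitting of the spec into separate arguments is intended.
    # shellcheck disable=SC2046
    iptables -C FORWARD $(lan_reject_spec) 2>/dev/null ||
        iptables -I FORWARD 1 $(lan_reject_spec)
    iptables -S FORWARD | first_rule_is_lan_reject
}

# Only act when invoked as "./script install"; sourcing it just defines
# the functions above.
if [ "${1-}" = "install" ]; then
    install_lan_reject && echo "LAN reject rule is first in FORWARD"
fi
```

Note that this deliberately leaves guest-to-host traffic alone: libvirt's dnsmasq on virbr0 serves DHCP and DNS to the guests over INPUT, so blocking the host from virbr0 wholesale would break the NAT network; anything in that direction needs its own INPUT rules that still admit UDP 67 and 53.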

