[fedora-virt] VM with access to outside world, but not LAN?

Ian Pilcher arequipeno at gmail.com
Tue Jan 3 17:06:23 UTC 2012


On 01/02/2012 09:09 AM, Tom Horsley wrote:
> I don't know why people care so much about this. There are so
> many things to be confused by with iptables, the name of an interface
> seems to be the least of the problems you'd encounter :-).

Well, I can't speak for Emanuel, but I don't care *that* much.  ;-)

Since you ask about the reason, however, it's the same reason people
care about naming conventions in any other context.  Most of us are
used to interface names like eth0, em1, virbr0, tun1, etc., and we tend
to recognize them as network interfaces much more easily than a long
name that doesn't end with a digit.

Thus, the convention makes communication easier, which is a good thing
on at least a couple of different levels when asking for help.

> Anyway, I'm about to try a completely different approach. My
> DD-WRT router has support for VLANs. Maybe I can connect my KVM host
> to a router port that uses VLAN tagging and set up eth0.1 and eth0.3
> VLANs with eth0.1 being my normal LAN subnet and eth0.3 being
> a completely different subnet. (Or maybe I can completely wipe
> out all my internet access even on the host while trying this :-).

A VLAN-based approach is definitely going to be more robust.  Anything
iptables-based has to route the "segregated" traffic over your home
network, so there's an unavoidable mixing of the traffic -- particularly
things like ARP, DHCP, UPnP, etc.

-- 
========================================================================
Ian Pilcher                                         arequipeno at gmail.com
"If you're going to shift my paradigm ... at least buy me dinner first."
========================================================================
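The VLAN layout Tom sketches above (a tagged trunk into the KVM host, with eth0.1 carrying the normal LAN and eth0.3 a separate guest subnet), written out as an added example that is not part of the original message. It assumes eth0 is the trunk port, that the router's VLAN IDs are 1 and 3, and that the bridge names br1 and br3 are free to use; by default it only prints the ip(8) commands it would run, and executes them only when DRY_RUN=0.

```shell
#!/bin/sh
# Added example: one 802.1Q sub-interface plus one bridge per VLAN, so guests
# attached to br3 sit on a separate L2 segment from the LAN on br1.
# Assumptions (not from the thread): eth0 is the trunk, VLAN 1 = LAN,
# VLAN 3 = guest subnet, br1/br3 are unused bridge names.
set -e

PARENT="${PARENT:-eth0}"

# vlan_bridge_cmds VLAN_ID BRIDGE
# Prints the commands that create PARENT.VLAN_ID, a bridge, and enslave
# the sub-interface to it. Keeping the sub-interface name as PARENT.ID
# follows the "ends with a digit" naming convention discussed above.
vlan_bridge_cmds() {
    vid="$1"; br="$2"; sub="${PARENT}.${vid}"
    case "$vid" in
        ''|*[!0-9]*) echo "bad VLAN id: $vid" >&2; return 1 ;;
    esac
    [ "$vid" -ge 1 ] && [ "$vid" -le 4094 ] || { echo "VLAN id out of range: $vid" >&2; return 1; }
    printf '%s\n' \
        "ip link add link ${PARENT} name ${sub} type vlan id ${vid}" \
        "ip link add name ${br} type bridge" \
        "ip link set ${sub} master ${br}" \
        "ip link set ${sub} up" \
        "ip link set ${br} up"
}

# apply_layout: build both segments. Dry-run (print only) unless DRY_RUN=0.
apply_layout() {
    for pair in "1 br1" "3 br3"; do
        set -- $pair
        vlan_bridge_cmds "$1" "$2" | while IFS= read -r cmd; do
            if [ "${DRY_RUN:-1}" = "1" ]; then
                echo "# $cmd"
            else
                $cmd
            fi
        done
    done
}

apply_layout
```

Guests for the isolated subnet are then given br3 as their bridge in libvirt, and the LAN guests br1. Because the two segments are separate VLANs all the way to the router, the ARP, DHCP and UPnP chatter Ian mentions stays inside its own broadcast domain, and the "internet yes, LAN no" policy is enforced once, on the router's inter-VLAN path, instead of being reconstructed in host iptables rules.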