[fedora-virt] Isolated Virtual Network

Laine Stump laine at laine.org
Thu Jul 11 20:19:16 UTC 2013


On 07/10/2013 09:15 PM, Jorge Fábregas wrote:
> On 07/08/2013 02:01 PM, Dean Hunter wrote:
>> I need to test new versions of the server guests in isolation from existing server
>>  guests and server peers; ie. everything except for the http and nfs services of the server.
> Hi Dean,
>
> I'm new to virtualization on Linux so bear with me...
>
> As I see it you have this "Subnet1" for your br1 bridge:
>
> (your network) -->  em1 --> br1 <-- your guests
>
> Why don't you just create a new network "Subnet2" (with a new
> bridge "br2") that won't have any real interface bridged to it? That way
> you'll get the isolation you want for your new guests plus you'll have
> another ip for your host system (the ip you'll assign to the bridge).

And you can do this very easily with a libvirt virtual network:

<network>
  <name>isolated</name>
  <domain name='isolated.net'/>
  <ip address='192.168.254.1' netmask='255.255.255.0'>
    <dhcp>
      <range start='192.168.254.2' end='192.168.254.250' />
    </dhcp>
  </ip>
</network>

Put that in /tmp/x.xml and run:

   virsh net-define /tmp/x.xml
   virsh net-start isolated
   virsh net-autostart isolated

Now edit your guest xml (with "virsh edit" of course!) and change the
<interface> element to something like this:

  <interface type='network'>
    ...
    <source network='isolated'/>
    ...
  </interface>

Save that, shut down the guest (if it isn't already) then start it up
again. The guest will get an IP address from 192.168.254.x, and be able
to communicate with the server at 192.168.254.1 or with other guests on
the same subnet, but won't be able to talk with anything else (even DNS
requests will not be forwarded upstream).

To protect against the guests on this isolated network contacting
anything except nfs and https (as well as DHCP and DNS, I'm guessing),
you have three choices:

1) make sure the other services are listening only on certain interfaces.
2) modify the host's firewall accordingly
3) put a libvirt nwfilter firewall on the guest (see:
http://www.libvirt.org/formatnwfilter.html)
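A concrete form of option 3, added here as an example and not part of the original mail: a libvirt nwfilter that lets a guest on the isolated network reach only DHCP, DNS on the host, NFS (assuming NFSv4, which needs just TCP 2049) and HTTP (TCP 80) on the host at 192.168.254.1, and drops every other IP packet in either direction. The filter name is made up; 192.168.254.1 is the host address from the network definition above.

```xml
<filter name='isolated-services-only' chain='root'>
  <!-- hypothetical filter name; 192.168.254.1 is the host side of the
       'isolated' network defined earlier in the thread -->

  <!-- DHCP: let the guest get its lease from the network's DHCP server -->
  <rule action='accept' direction='out' priority='100'>
    <udp srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='101'>
    <udp srcportstart='67' dstportstart='68'/>
  </rule>

  <!-- DNS: only to the host's resolver, UDP and TCP -->
  <rule action='accept' direction='out' priority='200'>
    <udp dstipaddr='192.168.254.1' dstportstart='53'/>
  </rule>
  <rule action='accept' direction='out' priority='201'>
    <tcp dstipaddr='192.168.254.1' dstportstart='53'/>
  </rule>

  <!-- NFS (assumption: NFSv4 over TCP 2049; NFSv3 would also need
       rpcbind/mountd ports) and HTTP, both only to the host -->
  <rule action='accept' direction='out' priority='300'>
    <tcp dstipaddr='192.168.254.1' dstportstart='2049'/>
  </rule>
  <rule action='accept' direction='out' priority='301'>
    <tcp dstipaddr='192.168.254.1' dstportstart='80'/>
  </rule>

  <!-- everything else at the IP layer is dropped in both directions;
       ARP is matched by <arp/>, not <all/>, so address resolution still works -->
  <rule action='drop' direction='inout' priority='1000'>
    <all/>
  </rule>
</filter>
```

Load it with `virsh nwfilter-define` and reference it from the guest's `<interface>` with `<filterref filter='isolated-services-only'/>`; libvirt's iptables-layer rules are stateful, so the reply traffic for the accepted TCP/UDP flows is allowed without extra rules.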
