Hi. On Sat, May 19, 2018 at 06:35:59AM +0200, Chris wrote: > On Thu, 17 May 2018 23:11:51 +0300 > Reco wrote: > > > Either ebtables (for a conventional brigde) or macvtap in private mode > > will do it. Openvswitch will work too, but it's nowhere near in > > simplicity compared to macvtap. > > Thank you for your quick reply, Reco. > > Unfortunately, I described improperly what I want to achieve. > > I don't want to block all host - guest connections, but allow some with > iptables, e.g. SSH login from host to guest, but not the other way > round. > > Do I have to use Open vSwitch then?
Not your only option (had my share of openvswitch, ditched the thing recently). I fact, I count four possible ways of doing it (and that's without the external hardware): 1) Conventional Linux bridge, but with br_netfilter kernel module on top of it. You keep your iptables rules (FORWARD chain), they work, but the things may break once they'll release buster. Or not. 2) Conventional Linux bridge, with ebtables on top. Should work for the foreseeable future. Or not. Ask Red Hat. 3) macvtap in bridge mode, with host netfilter rules on top. Very straightforward setup, all host blocking rules go into INPUT (*not* FORWARD) chain. Also should work for the foreseeable future. 4) Openvswitch. Writing openvswitch filtering rules is more-or-less straightforward. Debugging them is a PITA. But, you get NetFlow and LACP for free (*the* reasons I got into openvswitch). Personally I said that enough is enough, and switched to macvtap/macvlan setup. Reco
