On 01/01/2012 06:34 AM, Tom Horsley wrote:
> I've been trying to figure out how to make a virtual machine
> that has network access to the outside world, but not to any
> machines on my local LAN.
>
> This seems like something that would be an FAQ, but I can't
> find anything quite like it in any examples.
>
> This is sort of a continuation of a thread in the
> fedora users list where specific details of my
> setup can be found:
> http://lists.fedoraproject.org/pipermail/users/2011-December/411283.html
>
> Unfortunately, none of the answers I got there actually
> seem to work. I can still ping things on my LAN from
> inside the virtual machine I'm trying to isolate. I
> figured maybe the virt list might have someone who
> has done something like this.
I did pretty much what Ian Pilcher wrote to you in this message:
http://lists.fedoraproject.org/pipermail/users/2011-December/411335.html
Works for me.
In the default, NAT, setup:

    iptables -I FORWARD -d 192.168.2.0/24 -i virbr0 -j REJECT --reject-with icmp-host-prohibited

After that I can connect to the internet but not to the 192.168.2.0/24
subnet.
One reason you may be getting confused, which Ian also already
mentioned, is your unhelpful choice of bridge names. I recommend
'virbr0' for a bridge that has virtual machines in it for a NAT
configuration, and br0 for a direct guest on physical network configuration.
Emanuel
_______________________________________________
virt mailing list
https://admin.fedoraproject.org/mailman/listinfo/virt
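The isolation rule from Emanuel's reply, wrapped in a small script as an added example (not code from the thread or from libvirt). It assumes the bridge name virbr0 and the LAN 192.168.2.0/24 used in the thread, both overridable through the environment, and it must run as root.

```shell
#!/bin/sh
# Added example, not code from the thread: isolate guests on a libvirt NAT
# bridge from the host's LAN while leaving their internet access intact.
# Assumptions (taken from the thread, override via environment): the NAT
# bridge is virbr0 and the LAN is 192.168.2.0/24. Run as root.
BRIDGE="${BRIDGE:-virbr0}"
LAN="${LAN:-192.168.2.0/24}"

# Rule specification (everything after the chain name). Building it once
# keeps insert (-I), check (-C) and delete (-D) in sync.
isolate_rule_spec() {
    printf '%s' "-i $1 -d $2 -j REJECT --reject-with icmp-host-prohibited"
}

# Insert at position 1 of FORWARD. libvirt installs its own ACCEPT rules
# for the bridge at the top of the chain, so an appended (-A) REJECT would
# sit behind them and never match.
apply_isolation() {
    spec=$(isolate_rule_spec "$1" "$2")
    if iptables -C FORWARD $spec 2>/dev/null; then
        echo "already isolated: $1 -> $2"
        return 0
    fi
    iptables -I FORWARD 1 $spec
}

remove_isolation() {
    iptables -D FORWARD $(isolate_rule_spec "$1" "$2")
}

# Returns 0 when the rule is present. Re-check after a reboot or after
# 'virsh net-destroy'/'virsh net-start': libvirt rewrites its own rules
# then, and this rule is not persisted anywhere.
check_isolation() {
    iptables -C FORWARD $(isolate_rule_spec "$1" "$2") 2>/dev/null
}

case "${1:-}" in
    apply)  apply_isolation  "$BRIDGE" "$LAN" ;;
    remove) remove_isolation "$BRIDGE" "$LAN" ;;
    check)  check_isolation  "$BRIDGE" "$LAN" && echo "isolated" ;;
    *)      echo "usage: $0 apply|remove|check" >&2 ;;
esac
```

Note that FORWARD only covers traffic routed through the host; packets addressed to the host's own interfaces (for example the virbr0 gateway address) pass through INPUT instead, so a guest that must not reach the host either needs a matching INPUT rule.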