On Mon, 02 Jan 2012 11:06:34 +0100 Emanuel Rietveld wrote:

> In the default, NAT, setup:
>
>     iptables -I FORWARD -d 192.168.2.0/24 -i virbr0 -j REJECT --reject-with icmp-host-prohibited
>
> After that I can connect to the internet but not to the 192.168.2.0/24
> subnet.

I have no idea why, but this stuff does not work for me at all. Apparently the only machine it actually prevents me from reaching is the KVM host. I can't ping it, but other machines on my LAN I can ping.

> One reason you may be getting confused, which Ian also already
> mentioned, is your unhelpful choice of bridge names. I recommend
> 'virbr0' for a bridge that has virtual machines in it for a NAT
> configuration, and br0 for a direct guest on physical network configuration.

I don't know why people care so much about this. There are so many things to be confused by with iptables; the name of an interface seems to be the least of the problems you'd encounter :-).

Anyway, I'm about to try a completely different approach. My DD-WRT router has support for VLANs. Maybe I can connect my KVM host to a router port that uses VLAN tagging and set up eth0.1 and eth0.3 VLANs, with eth0.1 being my normal LAN subnet and eth0.3 being a completely different subnet. (Or maybe I can completely wipe out all my internet access, even on the host, while trying this :-).
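The usual reason a REJECT like the one quoted above "does not work" is rule order in the FORWARD chain: libvirt adds its own ACCEPT rules for virbr0 (for example `-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT`) when the NAT network starts, and an appended (`-A`) rule, or one added before libvirt's, sits below them and never matches guest-to-LAN traffic. The script below is an added example, not code from the thread or from libvirt: it prints the rule with `-I` so it lands at the top, and `check_order` reads an `iptables -S FORWARD` dump on stdin and reports whether the first rule seen by frames entering on virbr0 is the REJECT for the LAN. It assumes libvirt's default NAT bridge virbr0 on 192.168.122.0/24 and the LAN 192.168.2.0/24 named in the quoted message; the rule dumps fed to it in testing are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Assumes libvirt's default
# NAT network on virbr0 (192.168.122.0/24) and a physical LAN of 192.168.2.0/24.

LAN=192.168.2.0/24
VBR=virbr0

# The rule from the thread, with -I so it is inserted at the head of FORWARD,
# above the ACCEPT rules libvirt adds for the bridge. With -A it would be
# appended below "-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT" and
# never see guest->LAN packets.
isolate_rule() {
    printf '%s\n' "iptables -I FORWARD -i $VBR -d $LAN -j REJECT --reject-with icmp-host-prohibited"
}

# check_order: read the output of `iptables -S FORWARD` on stdin and print
# "isolated" if the first rule that guest->LAN traffic hits (enters on $VBR,
# does not leave on $VBR) is the REJECT for $LAN; otherwise print "leaks".
# A dump with no rule for the bridge at all also reports "leaks".
check_order() {
    verdict=leaks
    while IFS= read -r rule; do
        case "$rule" in
            "-A FORWARD "*"-i $VBR "*"-o $VBR"*) continue ;;  # guest-to-guest rule, irrelevant here
            "-A FORWARD "*"-i $VBR "*) ;;                     # first rule for traffic entering on the bridge
            *) continue ;;                                   # policy line or unrelated rule
        esac
        case "$rule" in
            *"-d $LAN "*"-j REJECT"*) verdict=isolated ;;
        esac
        break   # only the first matching rule decides the verdict
    done
    echo "$verdict"
}

# Run against the live chain only when asked (./script live) and iptables
# exists, so the functions can also be sourced or tested offline.
if [ "${1:-}" = live ] && command -v iptables >/dev/null 2>&1; then
    isolate_rule
    iptables -S FORWARD | check_order
fi
```

Re-run the check after libvirtd or the virtual network is restarted: libvirt rewrites its FORWARD rules at that point, so a REJECT that was correctly on top can end up below them again, which is also why putting the rule in a boot script that runs before libvirtd often does nothing.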
