Firewall – VM-VM only network with KVM

firewallkvm-virtualizationnetworkingvirtual-machines

I'm trying to create a VM only network where guests can speak to each other, but not with the host. I want to isolate the host for security reasons, as multiple test users will be using the VMs.

Currently I have a fedora 22 box with multiple windows/fedora/freebsd guests. It has two network interfaces, one for the host and the second tied to a bridge called "bridge0"

# cat /etc/sysconfig/network-scripts/ifcfg-bridge0
DEVICE="bridge0"
ONBOOT="yes"
TYPE=Bridge
BOOTPROTO=static
IPADDR=192.168.1.2
NETMASK=255.255.255.0

# cat /etc/sysconfig/network-scripts/ifcfg-enp4s0f1
TYPE=Ethernet
BOOTPROTO=static
NAME=enp4s0f1
DEVICE=enp4s0f1
ONBOOT=yes
NM_CONTROLLED=no
BRIDGE=bridge0

# brctl show
bridge name     bridge id               STP enabled     interfaces
bridge0         8000.0010183803ce       no              enp4s0f1
                                                        vnet0
                                                        vnet1
                                                        vnet2
virbr0          8000.5254000a60a5       yes             virbr0-nic

Is this as simple as creating another bridge "bridge1" and not attaching a physical interface AND not assigning an ip address?

Best Answer

Yes, As Michal Sokolowski said :)

The method would be to:

create the guest-only-bridge (and have it "up" :)
disable the IPv6 on that bridge interface (Something that's "default to create/setup a link local IP O_o )
attach the KVM guests' interfaces to that guest-only-bridge
on the guests, have either one of them act as DHCP server and the rest as dhcp clients, or else assigned fixed IPs to each of the guest VM's interfaces attached to that guest only bridge.

This is something that I do all the time, as I have a pfSense (nice GUI ;) ) as a firewall for my "internal" VMs where the pfSense does the DHCP for me too :)

I'm doing this especially on ProxMox (KVMs) for client setups, but also with VMWare Fusion and with Paralels Desktop on my MacOSX systems :)

Related Solutions

Centos – Assign ipv6 address to KVM guests on bridge mode

So with the notice from Mark, I will answer my own question.

Host setup:

Assign the IPv6 sub block to your virtual bridge, in my example:

Add

<ip family='ipv6' address='2607:beef:be:beef:1::' prefix='96'>

To /etc/libvirt/qemu/networks/default.xml, use virsh destroy and rebuild the virbr0 device, in my case it generated a virbr1 device.

Add ip6tables rule:

ip6tables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT

ip6tables -A FORWARD -i br0 -j ACCEPT

On the VM side:

Add the selected IPv6 Address to your configuration file:

IPV6INIT=yes
IPV6ADDR=2607:beef:be:beef:1::253:8/128

Restart your VM's network interface, it just works.

I guess that because the VM is connecting with outside world via virbr1 interface at host. The gateway on host is br0. With ip6tables rule it will all sort out.

I've compiled step by step guide in my blog, https://luxing.im/adding-ipv6-support-for-kvm-vms/

Redhat – Centos multiple NICs routing issue

For any network device which is not my default gateway, I usually set the default route flag to no:

DEFROUTE="no"

This seems to work without any issues for my servers with multiple network interfaces. If you then restart your network service or interfaces, you should be able to check the routes to see that this is actually working:

/sbin/route -n

Hopefully this helps.

Best Answer

Related Solutions

Centos – Assign ipv6 address to KVM guests on bridge mode

Redhat – Centos multiple NICs routing issue

Related Topic