
Thread: How to block internet access for a VM guest? (but keep LAN to host)

  1. #1

    How to block internet access for a VM guest? (but keep LAN to host)

    I have a Win7 KVM guest for which I have a NIC with:

    Network source: Virtual network 'vnet1': NAT on eth1

    How can I block internet access for the guest but keep the LAN connectivity between the guest and the host? (as I need to be able to copy files back and forth to the guest on which I have a smb share)

  2. #2

    Re: How to block internet access for a VM guest? (but keep LAN to host)

    Do not use NAT - use host only network, then there will be nothing to block.

  3. #3

    Re: How to block internet access for a VM guest? (but keep LAN to host)

    Quote Originally Posted by arvidjaar View Post
    Do not use NAT - use host only network, then there will be nothing to block.
    Could you please explain how to do that? I see the following options:

    http://ultraimg.com/images/2017/12/03/nqjU.png

    When I choose any of the host devices I get a yellow tooltip saying that macvtap does not work for host to guest network communication:

    http://ultraimg.com/images/2017/12/03/nq2b.png

    and I don't even have a ping between guest and host (in any direction).

    FWIW: I may need to have internet on the guest sometimes (rarely), so I am looking for a solution which would allow me to easily trigger it on/off from the host.

  4. #4

    Re: How to block internet access for a VM guest? (but keep LAN to host)

    Quote Originally Posted by heyjoe View Post
    Could you please explain how to do that?
    Well, you are posting a screenshot from an unknown program (and no, "KVM" is not a program, it is a technology) and asking how to do it? Assuming you are using libvirt with virt-manager, this is called "isolated network".
    FWIW: I may need to have internet on the guest sometimes (rarely), so I am looking for a solution which would allow me to easily trigger it on/off from the host.
    Assuming we are still speaking about libvirt/virt-manager, I do not think virt-manager supports changing network mode on the fly. If a restart is acceptable, you can use net-edit to switch between NAT and isolated; otherwise you can simply add an iptables rule to block any forwarding from the libvirt bridge to the external interface, thus effectively stopping any external communication. Or just disable forwarding altogether (/proc/sys/net/ipv4/ip_forward).

  5. #5

    Re: How to block internet access for a VM guest? (but keep LAN to host)

    The screenshot is from virt-manager. The VM guest is shut down, so I can change settings. How do I add this iptables rule and what should that rule be? I hope you can provide the steps. Thanks.
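The forwarding block suggested in post #4, written out as an added example (not code from any poster in this thread). It assumes the NAT network's bridge is named `virbr1`, a placeholder to confirm with `virsh net-info vnet1`; `eth1` is the uplink named in the first post, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: toggle a libvirt NAT guest's internet access from the host.
# Assumption: virbr1 is a placeholder bridge name; eth1 is the uplink from post #1.
BRIDGE=${BRIDGE:-virbr1}
UPLINK=${UPLINK:-eth1}
IPTABLES=${IPTABLES:-iptables}

# Rule spec: anything routed from interface $1 out through interface $2.
fwd_rule() { echo "FORWARD -i $1 -o $2 -j REJECT"; }

# guest_inet off|on|status
# Only the FORWARD chain is touched. Guest <-> host traffic (the SMB share)
# passes through INPUT/OUTPUT on the host and is not affected.
guest_inet() {
    rule=$(fwd_rule "$BRIDGE" "$UPLINK")
    case "$1" in
      off)
        # -C tests for an identical existing rule, so repeated calls do not
        # stack duplicates. -I (not -A) places the REJECT ahead of the
        # ACCEPT rules libvirt installs for its NAT network.
        $IPTABLES -C $rule 2>/dev/null || $IPTABLES -I $rule ;;
      on)
        # Delete every copy of the rule, in case it was added by hand as well.
        while $IPTABLES -C $rule 2>/dev/null; do $IPTABLES -D $rule; done ;;
      status)
        if $IPTABLES -C $rule 2>/dev/null; then echo blocked; else echo open; fi ;;
      *)
        echo "usage: guest_inet on|off|status" >&2; return 2 ;;
    esac
}
```

Source the file as root and call `guest_inet off` or `guest_inet on`; the rule is IPv4 only and does not survive a reboot or a firewall flush, so check `guest_inet status` before trusting the block.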

  6. #6

    Re: How to block internet access for a VM guest? (but keep LAN to host)

    If a virtual network is available, you can change how a Guest connects to any virtual network on the fly, no reboots or even service restarts should be needed in Guest or HostOS.
    That is true of all virtualization technologies, i.e. Libvirt managed KVM/Xen/LXC, VMware, Virtualbox, etc., which all work similarly. I haven't tested on Docker, which implements networking differently, but assume no special restarts or reboots are needed there, either.

    So,
    If virtualization was set up by installing through YaST, I assume that a Host-Only network has also been created, but even if no Host-only network exists, that's no big deal. You can easily create any virtual networks you may want, even for instance multiple NAT networks each configured differently (different address scopes, with or without DHCP, etc).

    To view, and if you wish create new virtual networks of any type using virt-manager,

    - Open virt-manager
    - The first entry should be the local "server" managing guests on your machine. Right-click on this entry and select "Details"
    - Click on the Virtual Networks tab.

    Any configured virtual networks should now be displayed.
    If any are missing or you wish to create a new virtual network, click on the green "+" button at the bottom of the left-most pane, and follow instructions.

    Once you have configured a virtual network in this section, it should immediately become available to any Guest thereafter.

    Post again if you have any difficulties.

    TSU

  7. #7

    Re: How to block internet access for a VM guest? (but keep LAN to host)

    Thanks TSU!

    I figured out how to create an internal host-guest vnet. Now I can switch between the two vnets on the fly - no need to reboot anything.

    Beautiful!
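The isolated (host-only) network the thread settles on, as an added command-line example that is not part of any post: a libvirt network is isolated when its XML has no `<forward>` element. The names `hostonly0` and `virbr10`, the 192.168.150.0/24 subnet and the function names are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example. hostonly0, virbr10 and 192.168.150.x are placeholders; pick a
# bridge name and subnet that are not already in use on the host.
VIRSH=${VIRSH:-virsh}

# net_xml NAME BRIDGE PREFIX [isolated|nat]   (PREFIX = first three octets)
# "isolated" omits <forward>, so libvirt sets up no NAT or routing for the
# bridge: guests reach the host address and each other, nothing else.
net_xml() {
    fwd=""
    if [ "${4:-isolated}" = nat ]; then fwd="<forward mode='nat'/>"; fi
    cat <<EOF
<network>
  <name>$1</name>
  $fwd
  <bridge name='$2' stp='on' delay='0'/>
  <ip address='$3.1' netmask='255.255.255.0'>
    <dhcp><range start='$3.100' end='$3.200'/></dhcp>
  </ip>
</network>
EOF
}

# Exit 0 if the network XML on stdin has no <forward> element.
net_is_isolated() { ! grep -q '<forward'; }

# Define, start and autostart an isolated network (needs libvirt privileges).
create_hostonly() {
    tmp=$(mktemp) || return 1
    net_xml "$1" "$2" "$3" isolated > "$tmp"
    $VIRSH net-define "$tmp" && $VIRSH net-start "$1" && $VIRSH net-autostart "$1"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Audit: report every defined network as isolated or forwarding.
audit_nets() {
    for n in $($VIRSH net-list --all --name); do
        if $VIRSH net-dumpxml "$n" | net_is_isolated; then echo "$n isolated"
        else echo "$n forwards"; fi
    done
}
```

After `create_hostonly hostonly0 virbr10 192.168.150`, the new network appears in virt-manager's network source list for the guest NIC, and `audit_nets` confirms which network the guest should stay on while it must not reach the internet.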
