How to block internet access for a VM guest? (but keep LAN to host)

I have a Win7 KVM guest for which I have a NIC with:

Network source: Virtual network ‘vnet1’: NAT on eth1

How can I block internet access for the guest but keep the LAN connectivity between the guest and the host? (as I need to be able to copy files back and forth to the guest on which I have a smb share)

Do not use NAT - use host only network, then there will be nothing to block.

Benefits Of Using PNG Images you please explain how to do that? I see the following options:

When I choose any of the host devices I get a yellow tooltip saying that macvtap does not work for host to guest network communication:

and I don’t even have a ping between guest and host (in any direction).

FWIW: I may need to have internet on the guest sometimes (rarely), so I am looking for a solution which would allow me to easily trigger it on/off from the host.

Well, you are posting some screenshot from unknown program (and no, “KVM” is not a program, it is technology) and ask how to do it? Assuming you are using libvirt with virt-manager, this is called “isolated network”.

FWIW: I may need to have internet on the guest sometimes (rarely), so I am looking for a solution which would allow me to easily trigger it on/off from the host.

Assuming we are still speaking about libvirt/virt-manager, I do not think virt-manager supports changing network mode on the fly. If restart is acceptable, you can use net-edit to switch between NAT and isolated; otherwise you can simply add iptables rule rule to block any forwarding from libvirt bridge to external interface, thus effectively stopping any external communication. Or just disable forwarding altogether (/proc/sys/net/ipv4/ip_forward).

The screenshot is from virt-manager. The VM guest is shut down, so I can change settings. How do I add this iptables rule and what should that rule be? I hope you can provide the steps. Thanks.

If a virtual network is available, you can change how a Guest connects to any virtual network on the fly, no reboots or even service restarts should be needed in Guest or HostOS.
That is true of all virtualization technologies, ie Libvirt managed KVM/Xen/LXC, VMware, Virtualbox, etc. which all work similarly. I haven’t tested on Docker which implements networking differently, but assume there is no special restarts or reboots are needed there, either.

So,
If virtualization was set up by installing through YaST, i assume that a Host-Only network has also been created, but even if no Host-only network exists, that’s no big deal. You can easily create any virtual networks you may want, even for instance multiple NAT networks each configured differently (different address scopes, with or without DHCP, etc).

To view, and if you wish create new virtual networks of any type using virt-manager,

  • Open virt-manager
  • The first entry should be the local “server” managing guests on your machine, Rt-click on this entry and select “Details”
  • Click on the Virtual Networks tab.

Any configured virtual networks should now be displayed.
If any are missing or you wish to create a new virtual network, click on the green “+” button at the bottom of the left-most pane, and follow instructions.

Once you have configured a virtual network in this section, it should immediately become available to any Guest thereafter.

Post again if you have any difficulties.

TSU

Thanks TSU!

I figured out how to create an internal host-guest vnet. Now I can switch between the two vnet’s on the fly - no need to reboot anything.

Beautiful!

I see what @tsu2 is talking about, but all the options available seem to break the samba share that I have configured. I was to block internet for the windows VM, but keep the samba share. The options available are: NAT, Routed, Isolated, Open, and SR-IOV pool. @user can you perhaps share which one is still working for you?

Can anyone else help me?

Please, please, do not hang your new question at the end of such an old thread. First almost nobody will see it. Then that thread is without doubt about some old openSUSE version that nobody runs anymore.

A new thread, with a good title is the best way to drawr the attention of those you need for help.

1 Like