QEMU
hatemepleaseiloveit, 2021-09-08 09:27:32

How to isolate the network from a virtual machine?

The task is as follows:
I have QEMU and need to implement the following configuration.
1) isolate the virtual machine from the Internet, the host machine looks into the light accordingly
2) the host machine is connected via VPN to the internal network - this has already been done
3) it is necessary that the virtual machine has access exclusively to a certain subnet, that is, when I am connected to the VPN I have ip route such as
default via 192.168.0.1 dev enp4s0 proto dhcp metric 100
default via 192.168.0.1 dev wlp0s20f3 proto dhcp metric 600
***
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 link
26.12.2
.22.0/24
172.16.55.0/24
***

and I need the virtual machine to see only 172.16.55.0/24 from the inside and nothing else, even the Internet,
how can this be implemented?

3 answer(s)
ky0, 2021-09-08
@ky0

Firewall, routing - all access-restriction and connectivity squats are done with these tools.

Drno, 2021-09-08
@Drno

This is usually done on the router. Suddenly, using the menu / settings - routes ))
Access to network segments is allowed / denied there.
Well, or a firewall. You can also make a rule in the virtual machine itself to DROP all packets except those for the desired subnet / IP

Maxim Grishin, 2021-09-08
@vesper-bot

On the host machine, write a forward rule that allows connections from 192.168.122.0/24 to 172.16.55.0/24 and 192.168.0.1, and drop the rest. You already have routes, as I understand it, since the host sees everything it needs. If the VM is behind a local NAT, check that the rule for NAT to this machine is in the POSTROUTING branch, if it is iptables, otherwise you will also cut off the Internet for the host.
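
The forward rule from the answer above, written out as an added example (not code from the thread): it prints the iptables commands for the subnets given in the question instead of applying them, and checks that the VM subnet's NAT rule sits in POSTROUTING. The chain name VM_ISOLATE and the function names are made up for illustration; virbr0 and the addresses come from the question's route table.

```shell
#!/bin/sh
# Added example. Addresses are taken from the question; CHAIN is a hypothetical name.
VM_NET="192.168.122.0/24"     # libvirt bridge subnet the VM lives in
ALLOWED_NET="172.16.55.0/24"  # the only subnet the VM may reach
GATEWAY="192.168.0.1"         # extra destination named in the answer
BRIDGE="virbr0"
CHAIN="VM_ISOLATE"            # hypothetical chain name

# Print the commands so they can be reviewed before use; pipe the output to
# `sh` as root to apply them. Only forwarded traffic entering or leaving the
# bridge is sent to the chain, so the host's own INPUT/OUTPUT traffic
# (including its Internet access) is not touched.
vm_isolation_rules() {
    cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A $CHAIN -s $VM_NET -d $ALLOWED_NET -j ACCEPT
iptables -A $CHAIN -s $VM_NET -d $GATEWAY -j ACCEPT
iptables -A $CHAIN -j DROP
iptables -I FORWARD 1 -i $BRIDGE -j $CHAIN
iptables -I FORWARD 2 -o $BRIDGE -j $CHAIN
EOF
}

# Read `iptables -t nat -S` output on stdin and succeed only if the VM subnet
# is source-NATed in the given chain (default: POSTROUTING).
nat_in_postrouting() {
    chain="${1:-POSTROUTING}"
    grep -Eq -- "^-A $chain .*-s $VM_NET .*-j (MASQUERADE|SNAT)"
}

# Show the rule set when the script is run directly.
vm_isolation_rules
```

On the host, the NAT check is run as `iptables -t nat -S | nat_in_postrouting`; pass a chain name as the first argument if the NAT rule lives in a chain other than POSTROUTING.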
