LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Virtualization and Cloud (https://www.linuxquestions.org/questions/linux-virtualization-and-cloud-90/)
-   -   KVM/libvirt - all traffic from eth0 to virtual guest (https://www.linuxquestions.org/questions/linux-virtualization-and-cloud-90/kvm-libvirt-all-traffic-from-eth0-to-virtual-guest-937396/)

ericson007 03-31-2012 06:03 AM

KVM/libvirt - all traffic from eth0 to virtual guest
 
Hi there all.

I am battered trying to get this going. I am trying to set up a firewall distro on a kvm guest, up to here it is all good and no problems.

I would like to have all traffic from eth0 pass through the guest running a firewall, but at the same time prevent the host being accessible without traffic first passing over the firewall guest.

                                     / other guests and vm host
eth0 <-> guest running firewall <->
                                     \ eth1

The simplest solution is to use vt-d but unfortunately the MOBO only has a beta BIOS firmware to enable vt-d, not ideal for an eventual production environment.

What would you guys recommend?

ericson007 03-31-2012 07:29 AM

Just a quick update to see if anyone can advise on my thought process.

Currently thinking best way to go is to set up a bridge using eth0 and then somehow create ebtables rule sets to drop all packets destined for the host virtual machine and pass everything onto the firewalling guest vm.

Please critique.

dyasny 04-02-2012 04:32 AM

a bridge is the only way to do this right, and yes, you'll need to use ebtables to configure the fine details

ericson007 04-02-2012 09:43 PM

Thanks for the pointers in the right direction. Got it working.

After spending hours trying to configure different things, I found this article. Great for this type of setup for others like me not that proficient with the virtualization and virtualized networking aspects as of yet.

http://glycogen.net/2012/03/19/setup...fsense-router/

In the article, the author states that you have to disable SELinux, DO NOT DO THIS. I believe he had problems running iso images as install sources. Just relabel the files to have the correct SELinux context:
Quote:

    chcon -R --reference=/var/lib/libvirt/images/ /lib/libvirt/images

or
Quote:

    chcon --reference=/var/lib/libvirt/images/ /lib/libvirt/images/file.iso

(if you only want to relabel a single file)

Please note that it is for setting up a very basic iptables ruleset on the host VM, but it will get the traffic passed properly. Make sure to revise the rules for production systems.

Now, I can indulge in learning how to use pfsense (network and guest vm guests) as well as shorewall (vm host firewall).
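The posts above settle on a bridge plus ebtables so that frames arriving on eth0 can only go to the firewall guest, never straight to the host or to another guest on the same bridge. The following script is an added example written for this thread, not code from the thread, the linked article, or libvirt. It generates (and, with APPLY=1, runs) an ebtables ruleset scoped to one bridge. The interface names br0, eth0 and vnet0 are assumed placeholders: br0 is the bridge eth0 is enslaved to, and vnet0 is the tap device of the firewall guest's WAN-side vNIC on that bridge; check `virsh domiflist <guest>` and `brctl show` for the real names.

```shell
#!/bin/sh
# Added example (not from the thread or libvirt). Constrain a libvirt bridge so
# that the physical uplink talks only to the firewall guest's tap port.
#
# Assumed placeholder names, override via environment:
#   BRIDGE  (default br0)   bridge holding the uplink and the guest tap device
#   WAN_IF  (default eth0)  physical NIC enslaved to the bridge
#   FW_PORT (default vnet0) tap device of the firewall guest's WAN-side vNIC
#
# Chain roles in ebtables:
#   FORWARD  frames switched from one bridge port to another
#   INPUT    frames delivered from a bridge port to the host's own stack
#   OUTPUT   frames the host's own stack sends out through a bridge port
# Every rule carries --logical-in/--logical-out so the internal bridge used by
# the other guests (behind the firewall's LAN side) is left untouched.

gen_rules() {
    bridge=$1; wan=$2; fwport=$3
    cat <<EOF
# uplink <-> firewall guest is the only switched path on $bridge
ebtables -A FORWARD --logical-in $bridge -i $wan -o $fwport -j ACCEPT
ebtables -A FORWARD --logical-in $bridge -i $fwport -o $wan -j ACCEPT
ebtables -A FORWARD --logical-in $bridge -j DROP
# host stack reachable on $bridge only from the firewall guest, never from $wan
ebtables -A INPUT --logical-in $bridge -i $fwport -j ACCEPT
ebtables -A INPUT --logical-in $bridge -j DROP
# host stack may not bypass the firewall by sending out of $wan itself
ebtables -A OUTPUT --logical-out $bridge -o $fwport -j ACCEPT
ebtables -A OUTPUT --logical-out $bridge -j DROP
EOF
}

# Number of ebtables commands a ruleset contains (comment lines excluded).
rule_count() {
    gen_rules "$@" | grep -c '^ebtables'
}

# Apply only when explicitly asked and the tool is present; otherwise print
# the commands so they can be reviewed first.
if [ "${APPLY:-0}" = 1 ] && command -v ebtables >/dev/null 2>&1; then
    gen_rules "${BRIDGE:-br0}" "${WAN_IF:-eth0}" "${FW_PORT:-vnet0}" | sh -e
else
    gen_rules "${BRIDGE:-br0}" "${WAN_IF:-eth0}" "${FW_PORT:-vnet0}"
fi
```

Run it once without APPLY to read the rules, then `APPLY=1 sh script.sh` as root. The rules append (-A) and are not flushed, so rerunning duplicates them; clear the chains or put the commands in an ebtables-save file that is loaded at boot. Two things worth verifying afterwards: the host should carry no IP address on br0 at all (its own connectivity goes via the internal bridge behind the firewall guest), and `ebtables -L --Lc` should show the DROP counters moving only for traffic that was meant to be blocked. On the SELinux point in the post above: chcon changes are lost on a filesystem relabel, so for a long-lived images directory outside /var/lib/libvirt/images, recording the context with `semanage fcontext` and applying it with `restorecon -R` is the durable form of the same fix.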
