<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 07/28/2016 02:55 AM, Erwin Straver
wrote:<br>
</div>
<blockquote
cite="mid:CAENbBkEcJFN0OoeUzMxy=aM974=n=k+C6Z_KXcDz0D54nC_xmQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<table
style="margin:0px;padding:0px;border:0px;font-size:13px;border-collapse:collapse;color:rgb(36,39,41);font-family:arial,"helvetica
neue",helvetica,sans-serif;line-height:16.9px">
<tbody style="margin:0px;padding:0px;border:0px">
<tr style="margin:0px;padding:0px;border:0px">
<td class="inbox-inbox-postcell"
style="margin:0px;padding:0px;border:0px;vertical-align:top">
<div style="margin:0px;padding:0px;border:0px">
<div class="inbox-inbox-post-text" style="margin:0px
0px
5px;padding:0px;border:0px;font-size:15px;width:660px;word-wrap:break-word;line-height:1.3">
<p style="margin:0px 0px
1em;padding:0px;border:0px;clear:both">
I want to create a network like this:</p>
<p style="margin:0px 0px
1em;padding:0px;border:0px;clear:both"><br>
</p>
<p style="margin:0px 0px
1em;padding:0px;border:0px;clear:both">Internet
-- physical router -- host (network
192.168.178.x) </p>
<p style="margin:0px 0px
1em;padding:0px;border:0px;clear:both">
-- virtual
machine dmz -- eth0 (connected to physical
router)</p>
<p style="margin:0px 0px
1em;padding:0px;border:0px;clear:both">
-- eth1 (connect to
isolated network 10.0.0.x)</p>
<p style="margin:0px 0px
1em;padding:0px;border:0px;clear:both">
-- virtual
machine www - eth0 (connect to isolated network
10.0.0.x)</p>
<p style="margin:0px 0px
1em;padding:0px;border:0px;clear:both"><a
moz-do-not-send="true"
href="http://i.stack.imgur.com/QoCz9.png"
rel="nofollow"
style="margin:0px;padding:0px;border:0px;color:rgb(16,120,165);text-decoration:none"><img
moz-do-not-send="true" alt="network design"
style="margin: 0px; padding: 0px; border:
0px; border-image-source: initial;
border-image-slice: initial;
border-image-width: initial;
border-image-outset: initial;
border-image-repeat: initial; max-width:
100%;"
src="http://i.stack.imgur.com/QoCz9.png"></a></p>
<p style="margin:0px 0px
1em;padding:0px;border:0px;clear:both">I have a
virtual host which is connected to my physical
router with eth0 and ip4 address
192.168.178.100. I create a virtual machine dmz
which connects 'direct' to my router via my
physical device eth0 on the virtual host:</p>
<pre style="margin-top:0px;margin-bottom:1em;padding:5px;border:0px;font-size:13px;width:auto;max-height:600px;overflow:auto;font-family:consolas,menlo,monaco,"lucida console","liberation mono","dejavu sans mono","bitstream vera sans mono","courier new",monospace,sans-serif;word-wrap:normal;background-color:rgb(239,240,241)"><code style="margin:0px;padding:0px;border:0px;font-family:consolas,menlo,monaco,"lucida console","liberation mono","dejavu sans mono","bitstream vera sans mono","courier new",monospace,sans-serif;white-space:inherit"><network connections='1'>
  <name>direct</name>
  <uuid>379d4687-445e-4bc6-8354-b555c7f18b15</uuid>
  <forward dev='eth0' mode='bridge'>
    <interface dev='eth0' connections='1'/>
  </forward>
</network>
</code></pre>
<p style="margin:0px 0px
1em;padding:0px;border:0px;clear:both">On my
virtual machine I create a second NIC eth1 which
is connected on a virtual network virbr-local:</p>
<pre style="margin-top:0px;margin-bottom:1em;padding:5px;border:0px;font-size:13px;width:auto;max-height:600px;overflow:auto;font-family:consolas,menlo,monaco,"lucida console","liberation mono","dejavu sans mono","bitstream vera sans mono","courier new",monospace,sans-serif;word-wrap:normal;background-color:rgb(239,240,241)"><code style="margin:0px;padding:0px;border:0px;font-family:consolas,menlo,monaco,"lucida console","liberation mono","dejavu sans mono","bitstream vera sans mono","courier new",monospace,sans-serif;white-space:inherit"><network>
  <name>local</name>
  <uuid>d31b2e0d-810b-4ba0-8ac4-02bc53746142</uuid>
  <bridge name='virbr-local' stp='on' delay='0'/>
  <mac address='52:54:00:92:06:5c'/>
  <domain name='local.box'/>
  <dns>
    <forwarder addr='192.168.178.1'/>
  </dns>
  <ip address='10.0.0.1' netmask='255.0.0.0'>
    <dhcp>
      <range start='10.0.0.100' end='10.0.0.255'/>
      <host mac='52:54:00:51:31:86' ip='10.0.0.30'/>
    </dhcp>
  </ip>
  <route address='10.0.0.0' prefix='8' gateway='10.0.0.30'/>
</network>
</code></pre>
<p style="margin:0px 0px
1em;padding:0px;border:0px;clear:both">Now I
want to create a second virtual machine which
connects to the internet through the virtual
machine dmz on the virbr-local subnet. Is there
a way to accomplish this kind of setup?</p>
</div>
</div>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</blockquote>
<br>
A libvirt "isolated" virtual network is intended for situations
where you want communication between guests and the host, but not
beyond. It will have iptables rules automatically loaded that
prevent any traffic on that network from "escaping" to the outside.
That's not what you want though - you want the traffic to get out,
but only via the virtual machine named "dmz".<br>
<br>
The most straightforward way to do this is to:<br>
<br>
1) create a libvirt virtual network with *no IP* address on the host
(so that it's impossible for any traffic from this network to get
out directly via the host)<br>
<br>
then set up your "dmz" guest just as you would a real hardware
firewall:<br>
<br>
2) manually assign an IP address (probably 10.0.0.1) in the "dmz"
guest's network config for eth1<br>
<br>
3) enable ip_forwarding on dmz<br>
<br>
4) enable dnsmasq service on dmz's eth1 (rather than relying on a
dnsmasq on the host) to provide each additional guest on the "local"
network with<br>
a) an IP address<br>
b) a DNS proxy listening on dmz's eth1<br>
c) a default route pointing to 10.0.0.1 (i.e. dmz's eth1)<br>
<br>
The libvirt virtual network definition is as simple as it gets:<br>
<br>
<network><br>
<name>local</name><br>
</network><br>
<br>
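Added example, not code from this thread or from libvirt: a POSIX shell script that renders the pieces of the setup recommended above (the "local" network with no host IP, and the address, forwarding, dnsmasq and firewall configuration for the "dmz" guest's eth1) next to the questioner's original network definition, and includes a small check that flags any network XML which still gives the host an `&lt;ip&gt;` or `&lt;forward&gt;` element. Names taken from the thread: network "local", bridge virbr-local, dmz NICs eth0/eth1, dmz eth1 address 10.0.0.1 with netmask 255.0.0.0, upstream DNS 192.168.178.1, domain local.box. Everything else is this example's own assumption: the DHCP pool end 10.0.0.200 and 12h lease, `except-interface=eth0`, masquerading on dmz's eth0 (so the physical router needs no static route for 10.0.0.0/8), and the default-drop FORWARD policy.<br>

```shell
#!/bin/sh
# Added example (not from the thread or libvirt): renders the configuration for
# the "dmz routes for the local network" setup and checks the network XML.
# Thread values: network "local", bridge virbr-local, dmz eth0/eth1, 10.0.0.1/8,
# upstream DNS 192.168.178.1, domain local.box.
# Assumed here: DHCP pool end 10.0.0.200, 12h leases, except-interface=eth0,
# MASQUERADE on dmz eth0, FORWARD policy DROP.

# The questioner's network as originally defined: the host owns 10.0.0.1 and
# runs the segment's DHCP/DNS, so guests depend on the host rather than on dmz.
questioner_net_xml() {
    cat <<'EOF'
<network>
  <name>local</name>
  <bridge name='virbr-local' stp='on' delay='0'/>
  <ip address='10.0.0.1' netmask='255.0.0.0'>
    <dhcp>
      <range start='10.0.0.100' end='10.0.0.255'/>
    </dhcp>
  </ip>
</network>
EOF
}

# Step 1 of the reply: same network with no <ip> element. The host gets no
# address on virbr-local and libvirt starts no dnsmasq for it, so the only way
# off the segment is through a guest that routes for it (dmz).
isolated_net_xml() {
    cat <<'EOF'
<network>
  <name>local</name>
  <bridge name='virbr-local' stp='on' delay='0'/>
</network>
EOF
}

# Check (this example's own): returns 0 when the XML gives the host no foothold
# on the segment, i.e. it contains neither an <ip> element nor a <forward>
# element (nat/route modes would let libvirt's host rules carry traffic out).
net_xml_is_host_isolated() {
    printf '%s\n' "$1" | grep -Eq '<(ip|forward)[ >/]' && return 1
    return 0
}

# Steps 2 and 3, to be run inside the dmz guest: static address on eth1 and
# IPv4 forwarding on.
dmz_interface_commands() {
    cat <<'EOF'
ip addr add 10.0.0.1/8 dev eth1
ip link set eth1 up
sysctl -w net.ipv4.ip_forward=1
EOF
}

# Step 4: dnsmasq bound to eth1 only, so dmz never answers DHCP on eth0 where
# the physical router already serves 192.168.178.x. Hands out an address, the
# router 10.0.0.1 and the DNS proxy 10.0.0.1; forwards DNS upstream.
dmz_dnsmasq_conf() {
    cat <<'EOF'
interface=eth1
bind-interfaces
except-interface=eth0
domain=local.box
dhcp-range=10.0.0.100,10.0.0.200,255.0.0.0,12h
dhcp-option=option:router,10.0.0.1
dhcp-option=option:dns-server,10.0.0.1
server=192.168.178.1
EOF
}

# Firewall on dmz (assumed; the thread only says "as you would a real hardware
# firewall"): only the local segment may open new flows outward, replies come
# back via conntrack, everything else forwarded is dropped; NAT out of eth0.
dmz_firewall_commands() {
    cat <<'EOF'
iptables -P FORWARD DROP
iptables -A FORWARD -i eth1 -o eth0 -s 10.0.0.0/8 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.0/8 -o eth0 -j MASQUERADE
EOF
}

# Print everything for review; nothing is applied by this script.
render_all() {
    for f in questioner_net_xml isolated_net_xml; do
        if net_xml_is_host_isolated "$($f)"; then v="host-isolated"; else v="host has a foothold"; fi
        printf '# %s: %s\n' "$f" "$v"
    done
    printf '# save as local.xml on the host, then: virsh net-define local.xml\n'
    isolated_net_xml
    printf '# on the dmz guest:\n'
    dmz_interface_commands; dmz_dnsmasq_conf; dmz_firewall_commands
}

render_all
```

Running the script prints the check result for both network definitions ("host has a foothold" for the original, "host-isolated" for the reply's version) followed by the rendered files and commands; the dnsmasq lines go into the dmz guest's dnsmasq.conf, the others are run there as root.<br>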
</body>
</html>