How to make a LAN from host to VM only?

Gibzon

New Member
Nov 22, 2013
I want to be able to access my KVMs from the host via a private network for emergencies, so I created a vmbr2 and added a second interface on the VMs with a private IP address.

# for LAN
auto vmbr2
iface vmbr2 inet static
address 172.16.0.1
netmask 255.255.255.0
broadcast 172.16.0.255
bridge_ports dummy0
bridge_stp off
bridge_fd 0

This works and I can access the VM via 172.16.0.x.

But if you are inside a VM you can ping, sniff or potentially access other VMs and the host too. I think this is insecure, so I need a way that the VMs don't see each other and only the host is able to access them via the private network.

I think maybe iptables could do this, but I don't really know how, so any tips would be appreciated :)
 
Think of vmbr<id> as a switch. Anything you connect to it will see each other as long as they are on the same subnet. After you added the second interface on all nodes, did you assign private IPs based on the same subnet, like 192.168.0.1, 192.168.0.2, 192.168.0.3 etc., or like 192.168.1.1, 192.168.2.1, 192.168.3.1? The second set will prevent VMs from seeing each other since they are on different LANs. But..... I am assuming all the first interfaces of all nodes are still connected to vmbr0 on the same subnet? This would be why VMs will still see each other.
I am no expert in iptables, so I cannot comment on that. I know there is somebody in this forum who breathes and lives iptables, who will be able to give a better answer.
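An added example, not posted by either participant above, showing one way to get the "host can reach every VM, VMs cannot reach each other" behaviour asked for in the first post on the Linux bridge itself rather than with iptables: every VM tap port on vmbr2 is marked as an isolated bridge port. Isolated ports only exchange frames with non-isolated ports, and the host talks to the VMs through the vmbr2 device itself (the 172.16.0.1 address), not through a port, so host-to-VM traffic keeps working while VM-to-VM frames are dropped at layer 2. The script assumes a kernel that supports the bridge port "isolated" flag (4.19 or newer), the iproute2 `bridge` tool, and Proxmox-style tap port names of the form tap<vmid>i<n>; the `bridge link show` listing embedded in it is constructed sample output, and with the default DRY_RUN=1 the script only prints the commands it would run.

```shell
#!/bin/sh
# Isolate the VM ports of a host-only bridge so VMs see the host but not each other.
# Added example; assumptions: kernel >= 4.19 (bridge port "isolated" flag),
# iproute2 `bridge`, and tap<vmid>i<n> port names as Proxmox creates them.

BRIDGE="${BRIDGE:-vmbr2}"

# Constructed sample of `bridge link show` output (not captured from a real host).
# dummy0 is the bridge's own dummy port from the question; tap102i0 sits on
# vmbr0 and must be left alone.
SAMPLE_LINKS='7: dummy0: <BROADCAST,NOARP,UP,LOWER_UP> mtu 1500 master vmbr2 state forwarding priority 32 cost 100
12: tap100i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vmbr2 state forwarding priority 32 cost 100
13: tap101i1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vmbr2 state forwarding priority 32 cost 100
14: tap102i0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master vmbr0 state forwarding priority 32 cost 100'

# list_vm_ports BRIDGE LINKS
# Print the tap ports attached to BRIDGE, one per line, from a `bridge link show` listing.
list_vm_ports() {
    printf '%s\n' "$2" | awk -v br="$1" '
        $2 ~ /^tap/ && $0 ~ ("master " br " ") { sub(":", "", $2); print $2 }'
}

# isolation_commands BRIDGE LINKS
# Print one `bridge link set ... isolated on` command per VM port on BRIDGE.
isolation_commands() {
    list_vm_ports "$1" "$2" | while read -r port; do
        printf 'bridge link set dev %s isolated on\n' "$port"
    done
}

if [ "${DRY_RUN:-1}" = "1" ]; then
    # Dry run: show what would be done, using the constructed listing.
    isolation_commands "$BRIDGE" "$SAMPLE_LINKS"
else
    # Live run (needs root): read the real port list and apply the flag.
    isolation_commands "$BRIDGE" "$(bridge link show)" | sh -e
fi
```

Run it with `DRY_RUN=0` as root after the VMs are started, since the tap ports only exist while a VM runs (on Proxmox a hookscript or a post-start step is the natural place). `bridge -d link show dev tap100i1` then shows `isolated on`, and a ping from one VM to another over 172.16.0.x should fail while pings to 172.16.0.1 still succeed. The flag only affects vmbr2; as the reply above points out, VMs that also share vmbr0 can still reach each other there, and the flag is lost when a tap port is recreated, so reapply it on every VM start.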
 
