Filter WAN Traffic with QEMU

You may want your VMs to reach your LAN but nothing outside it. QEMU network filters can do this.

First of all, QEMU network filters work only with bridges; direct connections are not supported. If that is your case, switch to a bridge, for example:

Be careful: this will reset your connection, so if you are connected remotely, plan for that.

You should then update your VMs' configuration to use the newly created bridge br0.

Create network filter

Next, you need to create a network filter. Create the file no-out-traffic.xml with the following contents:

You may adapt the values to your LAN (here the LAN is 192.168.1.0/24, plus addresses for broadcast and SSP).
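An added example, not the filter from the original post: a minimal libvirt nwfilter definition that matches the description above, assuming the LAN is 192.168.1.0/24. The rule priorities and the choice of the ipv4 chain are assumptions of this example, and it covers only the LAN range and the limited broadcast address.

```xml
<!-- Added example: sample values, adapt the range to your own LAN. -->
<filter name='no-out-traffic' chain='ipv4'>
  <!-- Allow IPv4 packets sent by the guest to hosts on the LAN. -->
  <rule action='accept' direction='out' priority='100'>
    <ip dstipaddr='192.168.1.0' dstipmask='24'/>
  </rule>

  <!-- Allow the limited broadcast address, which DHCP discovery uses. -->
  <rule action='accept' direction='out' priority='100'>
    <ip dstipaddr='255.255.255.255'/>
  </rule>

  <!-- Drop every other IPv4 packet leaving the guest. -->
  <rule action='drop' direction='out' priority='1000'/>

  <!--
    Scope: the ipv4 chain only sees IPv4 frames. ARP passes untouched,
    which the guest needs to resolve LAN neighbours. IPv6 also passes
    untouched, so on a dual-stack network it needs its own rules.
  -->
</filter>
```

After attaching the filter, check from inside the guest that a LAN host answers and an address outside 192.168.1.0/24 does not.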

Import it with

You may also copy it directly to /etc/libvirt/nwfilter and restart the libvirt-bin service.

Associate with your VMs

There is currently no GUI to edit this property, so you must edit the VM’s XML file. You may edit it with virsh or directly in /etc/libvirt/qemu (and restart libvirt-bin).

Then find the <interface> section and add the filter to the interface definition

Reboot your VM; it should now be able to reach your LAN, but not the WAN.

Please note that the filter is tied to the interface definition, so if you reset the interface component or delete and recreate it, the filter will be lost and you will have to re-associate it.

Other tips

  • With Windows Server 2003, you should use the pcnet interface driver; others may have problems getting DHCP answers