I have a Linux machine running KVM with several VMs, all of which have public IPs. For the time being I have everything routed through a bridge (br0) and this works well.
I also need a firewall on the host to restrict access to both the host and the VMs. I guess we are talking about routing and iptables? I'm not that experienced with iptables/bridging/network stuff and need a point in the right direction.
Any recommendations?
Host: Ubuntu Server 11.04; VMs: mixed, Linux and Windows
iptables can be set up to check bridge traffic. I usually disable it to improve performance, but you can do the opposite: /etc/sysctl.conf:
If you set either of these to 1 instead of 0, you'll have the host iptables filtering the traffic for the bridge.
Another solution would be to stop using the bridge and use libvirt's NAT implementation, which uses iptables as well.
EDIT: since both ways are rather faulty IMO, I would run the firewalls in the guests themselves, leaving them on a normal bridged network. Or, which would be even more proper, run a separate firewall appliance in front of the virtual infrastructure.
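An added example, not part of the answer above: a small POSIX shell script that prints the sysctl settings which make iptables see bridged frames (the real keys `net.bridge.bridge-nf-call-iptables` and `net.bridge.bridge-nf-call-ip6tables`) and the FORWARD-chain rules that restrict one bridged VM to a short list of TCP ports. The bridge name br0 comes from the question; the VM address 203.0.113.10 and the port list are constructed for the example.

```shell
#!/bin/sh
# Added example (not the answer's own code). Once bridge netfilter is on, frames
# that cross br0 between the physical NIC and a VM traverse the host's FORWARD
# chain, while traffic to the host's own address on br0 still uses INPUT.
VM_IP="203.0.113.10"   # constructed example address
BRIDGE="br0"           # bridge name from the question

# Sysctl lines that make iptables/ip6tables inspect bridged traffic.
# Put them in a file under /etc/sysctl.d/ so they survive a reboot.
bridge_sysctl() {
  printf 'net.bridge.bridge-nf-call-iptables = 1\n'
  printf 'net.bridge.bridge-nf-call-ip6tables = 1\n'
}

# True when the running kernel currently filters bridged traffic with iptables.
bridge_nf_enabled() {
  f=/proc/sys/net/bridge/bridge-nf-call-iptables
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Print the FORWARD rules for one VM: keep established flows, allow new inbound
# TCP connections only on the listed ports, drop everything else headed to it.
# --physdev-is-bridged limits the match to frames being bridged (not routed).
vm_forward_rules() {
  vm="$1"; shift
  printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
  for port in "$@"; do
    printf 'iptables -A FORWARD -m physdev --physdev-is-bridged -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$vm" "$port"
  done
  printf 'iptables -A FORWARD -m physdev --physdev-is-bridged -d %s -j DROP\n' "$vm"
}

# Number of rules a given VM/port list produces (handy for a sanity check).
rule_count() { vm_forward_rules "$@" | wc -l | tr -d ' '; }

if [ "${1:-}" = "apply" ]; then
  # Real application: needs root and the bridge netfilter code loaded.
  bridge_sysctl > /etc/sysctl.d/99-bridge-nf.conf
  sysctl -p /etc/sysctl.d/99-bridge-nf.conf
  vm_forward_rules "$VM_IP" 22 443 | sh
else
  # Dry run: show what would be configured for the bridge and the VM.
  echo "# sysctl for $BRIDGE filtering"; bridge_sysctl
  echo "# FORWARD rules for $VM_IP";  vm_forward_rules "$VM_IP" 22 443
fi
```

Run without arguments to review the generated configuration; run as root with `apply` to install it.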