I have my KVM guests on a standard br0 bridge setup:
auto br0
iface br0 inet static
address 192.168.1.117
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
gateway 192.168.1.1
bridge_ports eth0
bridge_stp off
bridge_fd 0
auto eth1
iface eth1 inet static
address 10.0.0.117
netmask 255.255.255.0
gateway 10.0.0.1
broadcast 10.0.0.255
eth1 is reserved for other traffic, but a guest could simply change its IP to connect to it.
What I am trying to achieve is dropping all traffic towards the host / outside / other guests as soon as a guest attempts to change either its IP address or MAC address (in an attempt to join the other network / spoof another guest).
I tried many interfaces (eth0, br0, tap0, tap+) but I cannot seem to get my rule right:
iptables -A FORWARD -m physdev --physdev-in tap+ --physdev-out tap+ -s 192.168.1.205 -m mac ! --mac-source 52:54:5a:8d:77:8e -j DROP
IP forwarding is enabled; there are no other rules in iptables. Am I missing something, or should I consider trying to achieve this another way?
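The pinning described above, written out as an added example (this is not the poster's configuration or code). It generates ebtables rules that bind each guest tap to one expected MAC/IP pair, an iptables FORWARD variant of the same idea, and a rule keeping br0 traffic away from eth1. It assumes a bridge named br0, guest taps named tapN, and ebtables/iptables with br_netfilter loaded; the guest table is constructed sample data (the second guest's MAC and IP are invented).

```shell
#!/bin/sh
# Added example, not from the original post. Generates (and optionally
# applies) rules that pin each guest tap to one MAC/IP pair, so a guest that
# changes either address is dropped at the bridge instead of reaching the
# host, eth1 or other guests. Assumptions: bridge br0, guest taps named tapN,
# ebtables + iptables with br_netfilter loaded; the guest table below is
# constructed sample data.

# guest_pin TAP MAC IP : print the ebtables rules for one guest.
# INPUT covers frames addressed to the host itself, FORWARD covers frames
# bridged out to eth0 or to another tap.
guest_pin() {
  tap=$1; mac=$2; ip=$3
  for chain in INPUT FORWARD; do
    # L2: only the expected source MAC may enter the bridge from this tap
    echo "ebtables -A $chain -i $tap -s ! $mac -j DROP"
    # L3 inside the frame: IPv4 packets must carry the expected source IP
    echo "ebtables -A $chain -i $tap -p IPv4 --ip-src ! $ip -j DROP"
    # ARP claiming any other IP (gratuitous ARP, ARP spoofing) is dropped too
    echo "ebtables -A $chain -i $tap -p ARP --arp-ip-src ! $ip -j DROP"
  done
}

# guest_pin_iptables TAP MAC IP : the same pinning expressed for iptables.
# Needs net.bridge.bridge-nf-call-iptables=1 so bridged frames traverse
# FORWARD. --physdev-in and -m mac are valid there; --physdev-out only makes
# sense for bridged (FORWARD) traffic, since a locally delivered packet has
# no bridge output port.
guest_pin_iptables() {
  tap=$1; mac=$2; ip=$3
  # whitelist the known pair, then drop everything else arriving from that tap
  echo "iptables -A FORWARD -m physdev --physdev-in $tap -s $ip -m mac --mac-source $mac -j ACCEPT"
  echo "iptables -A FORWARD -m physdev --physdev-in $tap -j DROP"
}

# host_isolation : with ip_forward on, the host would route between br0 and
# eth1; refuse that in both directions so guests cannot reach the reserved NIC.
host_isolation() {
  echo "iptables -A FORWARD -i br0 -o eth1 -j DROP"
  echo "iptables -A FORWARD -i eth1 -o br0 -j DROP"
}

# Constructed sample guest table: tap  mac  ip  (tap1's values are invented)
GUESTS='tap0 52:54:5a:8d:77:8e 192.168.1.205
tap1 52:54:00:aa:bb:01 192.168.1.206'

# render_all : print every rule for every guest plus the host isolation rules
render_all() {
  printf '%s\n' "$GUESTS" | while read -r tap mac ip; do
    [ -n "$tap" ] || continue
    guest_pin "$tap" "$mac" "$ip"
    guest_pin_iptables "$tap" "$mac" "$ip"
  done
  host_isolation
}

# Review with ./pin.sh, apply as root with ./pin.sh --apply
if [ "${1:-}" = "--apply" ]; then
  render_all | sh
else
  render_all
fi
```

The ebtables rules are the primary control: they act on the frame as it enters the bridge from the tap, before any routing decision, so a guest that changes its MAC, its IP, or what it announces in ARP simply loses connectivity. The iptables variant is kept for comparison with the rule in the question; it only sees bridged frames when br_netfilter is enabled, which is the usual reason such rules appear to match nothing.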