First, a note about iptables negation: the ! goes before the match option, not after it.
# The rule below is meant to allow every address that is NOT in 172.20.0.64/26
-A KVM -s ! 172.20.0.64/26 -j ACCEPT    # wrong: negation after the option ("intrapositioned") is deprecated and iptables warns about it
-A KVM ! -s 172.20.0.64/26 -j ACCEPT    # correct: negation before the option
My virtual machines sit on the NAT network 172.20.0.64/26; the bridge interface is virbr1.
Goal: a firewall policy that lets the VMs reach the host but forbids the VMs from talking to each other.
The host runs Kali (Debian-based) and the firewall is iptables.
Traffic between VMs crosses the virbr1 bridge and never touches the host's own INPUT/OUTPUT chains; the same goes for traffic to and from the outside world.
So the FORWARD chain is where we have to work.
(Bridged frames only pass through iptables FORWARD when br_netfilter is loaded and net.bridge.bridge-nf-call-iptables is 1; check with "sysctl net.bridge.bridge-nf-call-iptables" before assuming the rules see anything.)
I recommend not dumping all the rules straight into FORWARD; it gets messy.
# Set the FORWARD chain policy to DROP. In general INPUT and FORWARD should both default to DROP; it makes the rules easier to write
-P FORWARD DROP
# user-defined chain
-N KVM
Then add two rules to FORWARD:
-A FORWARD -i virbr1 -j KVM
-A FORWARD -o virbr1 -j KVM
These two rules send all traffic entering or leaving through virbr1 into the KVM chain.
# These two allow access to the host
-A KVM -s 172.20.0.65 -j ACCEPT
-A KVM -d 172.20.0.65 -j ACCEPT
# These two allow broadcast (the broadcast address of 172.20.0.64/26 is 172.20.0.127; .255 would be the /24 broadcast and lies outside this subnet)
-A KVM -s 172.20.0.127 -j ACCEPT
-A KVM -d 172.20.0.127 -j ACCEPT
# These two block communication between the VMs: anything whose source or destination is outside the subnet is accepted, and VM-to-VM traffic falls through to the DROP policy. The host and broadcast rules above are needed because those addresses lie inside the subnet and would otherwise never be accepted
-A KVM ! -s 172.20.0.64/26 -j ACCEPT
-A KVM ! -d 172.20.0.64/26 -j ACCEPT
# Or written like this (honestly I don't like this approach, even though it is no different from the version above in effect; it's a psychological thing)
# drop VM-to-VM first, then accept everything else; the DROP must come before the blanket ACCEPT or it never matches
-A KVM -s 172.20.0.64/26 -d 172.20.0.64/26 -j DROP
-A KVM -j ACCEPT
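The rule set above, turned into a reusable generator, as an added example that is not part of this post: the chain name KVM, bridge virbr1, subnet 172.20.0.64/26 and host 172.20.0.65 are the values from this post, while the script name kvm-isolate.sh, the function names and the bridge-nf check are my own assumptions. It derives the directed broadcast from the CIDR instead of hard-coding it, emits the negation in the correct extrapositioned form, and refuses to apply anything when bridge-nf-call-iptables is off, because in that case FORWARD never sees the bridged frames.

```shell
#!/bin/sh
# kvm-isolate.sh (added example, not the post's own script).
# Generates the FORWARD/KVM rule set for any bridge + subnet and optionally
# applies it. Defaults come from the post; 64-bit shell arithmetic is assumed.

# Dotted quad -> integer, e.g. 172.20.0.64 -> 2886991936
ip2int() {
    _oldifs=$IFS; IFS=.; set -- $1; IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Directed broadcast of a CIDR block: 172.20.0.64/26 -> 172.20.0.127
# (not .255, which is the /24 broadcast and lies outside the /26).
broadcast_of() {
    _net=${1%/*}; _pfx=${1#*/}
    _mask=$(( (4294967295 << (32 - $_pfx)) & 4294967295 ))
    int2ip $(( ($(ip2int "$_net") & $_mask) | (~$_mask & 4294967295) ))
}

# Bridged frames only traverse iptables FORWARD when br_netfilter is loaded
# and bridge-nf-call-iptables is 1; otherwise the KVM chain sees nothing.
check_bridge_nf() {
    _f=/proc/sys/net/bridge/bridge-nf-call-iptables
    [ -f "$_f" ] && [ "$(cat "$_f")" = 1 ]
}

# gen_rules <bridge> <chain> <subnet> <host>
# Prints one iptables argument list per line, same form as the post. Host and
# broadcast get explicit ACCEPTs because they sit inside the subnet; the two
# negated rules accept anything with an endpoint outside the subnet, and
# VM-to-VM traffic falls through to the DROP policy.
gen_rules() {
    _bcast=$(broadcast_of "$3")
    cat <<EOF
-P FORWARD DROP
-N $2
-A FORWARD -i $1 -j $2
-A FORWARD -o $1 -j $2
-A $2 -s $4 -j ACCEPT
-A $2 -d $4 -j ACCEPT
-A $2 -d $_bcast -j ACCEPT
-A $2 ! -s $3 -j ACCEPT
-A $2 ! -d $3 -j ACCEPT
EOF
}

# Feed the generated lines to iptables (root required). An existing chain is
# flushed instead of re-created, so the script can be re-run safely.
apply_rules() {
    check_bridge_nf || { echo "bridge-nf-call-iptables is not 1; FORWARD will not see bridged traffic" >&2; return 1; }
    gen_rules "$@" | while read -r _line; do
        case $_line in
            "-N "*) iptables $_line 2>/dev/null || iptables -F "${_line#-N }" ;;
            *)      iptables $_line ;;
        esac
    done
}

# Usage: sh kvm-isolate.sh print   (show the rules)
#        sh kvm-isolate.sh apply   (load them; needs root)
if [ "${1-}" = apply ]; then
    apply_rules virbr1 KVM 172.20.0.64/26 172.20.0.65
elif [ "${1-}" = print ]; then
    gen_rules virbr1 KVM 172.20.0.64/26 172.20.0.65
fi
```

The generator only emits the destination-side broadcast ACCEPT; the rest of the rule set is identical to the one above. Pass a different bridge, chain, subnet and host to gen_rules to reuse it for another NAT network.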
Blocking Docker containers from reaching each other is configured the same way: the containers hang off a bridge (docker0) and their traffic crosses FORWARD. Docker already does this for you with the daemon option --icc=false, and any rules of your own belong in the DOCKER-USER chain, which Docker jumps to first from FORWARD so that they are evaluated before its own rules.
Erika 20190722