🎉 initial codebase

.editorconfig

@@ -0,0 +1,8 @@
+root = true
+
+[*]
+indent_style = tab
+indent_size = 4
+end_of_line = lf
+charset = utf-8
+insert_final_newline = true

README.md

@@ -0,0 +1,17 @@
+# libvirt Firewall
+Prevent KVM/qemu VMs from accessing the local network
+
+
+
+## Setup Instructions
+Clone git repository:
+```console
+# cd /opt
+# git clone https://git.tjdev.de/DrMaxNix/libvirt-firewall.git
+# cd libvirt-firewall
+```
+
+Install as libvirt daemon hook:
+```console
+# ln -s /opt/libvirt-firewall/libvirt-firewall /etc/libvirt/hooks/daemon.d/libvirt-firewall
+```

libvirt-firewall

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+if [[ "$2" == "start" ]]; then
+	## CONFIG ##
+	# libvirt network interface
+	libvirt_iface="virbr0"
+	
+	# list of forbidden subnets
+	declare -a forbidden_subnet_list=("0.0.0.0/8" "10.0.0.0/8" "100.64.0.0/10" "127.0.0.0/8" "169.254.0.0/16" "172.16.0.0/12" "192.0.0.0/24" "192.0.2.0/24" "192.88.99.0/24" "192.168.0.0/16" "198.18.0.0/15" "198.51.100.0/24" "203.0.113.0/24" "233.252.0.0/24" "255.255.255.255/32")
+	
+	
+	## MAKE SURE FIREWALL TABLE IS ON TOP ##
+	# create firewall table
+	iptables -N LIBVIRT_FIREWALL
+	
+	# delete old references
+	iptables -D INPUT -i ${libvirt_iface} -j LIBVIRT_FIREWALL
+	iptables -D FORWARD -i ${libvirt_iface} -j LIBVIRT_FIREWALL
+	
+	# inject new references at top
+	iptables -I INPUT 1 -i ${libvirt_iface} -j LIBVIRT_FIREWALL
+	iptables -I FORWARD 1 -i ${libvirt_iface} -j LIBVIRT_FIREWALL
+	
+	
+	## APPLY CONFIG ##
+	# clear old rules
+	iptables -F LIBVIRT_FIREWALL
+	
+	# add new rules
+	for forbidden_subnet in "${forbidden_subnet_list[@]}"; do
+		iptables -A LIBVIRT_FIREWALL -d ${forbidden_subnet} -j REJECT --reject-with icmp-host-unreachable
+	done
+	
+	# rule for all other traffic
+	iptables -A LIBVIRT_FIREWALL -j RETURN
+fi