## Isolated Shared Network for Docker + Virt-Manager VM

These instructions walk you through setting up an **isolated virtual network** that both Virt-Manager (KVM/QEMU) VMs and Docker containers (like REMnux) can use to communicate securely, with no internet or host LAN access.

### 1. Create an Isolated Linux Bridge on Your Host

#### Install Required Tools

```sh
sudo pacman -Syu bridge-utils net-tools
```

#### Create the Bridge Interface

```sh
sudo ip link add name br0 type bridge
sudo ip addr add 172.20.1.1/24 dev br0
sudo ip link set br0 up
```

- Use a subnet (e.g., `172.20.1.0/24`) that's not used elsewhere.
- **Do not** add a physical (Ethernet) or wireless interface to this bridge: a bridge with no physical port is exactly what makes the segment isolated.

#### (Optional) Make Bridge Persistent

- Use a network manager like `netctl` or `systemd-networkd` to recreate `br0` on boot.
- For `netctl`, create a profile in `/etc/netctl/br0` with bridge settings.
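As an added example (not part of the original instructions, which only point at `netctl` or `systemd-networkd`), here is a small shell helper that writes the two `systemd-networkd` unit files needed to recreate `br0` with its `172.20.1.1/24` address on every boot. The `write_br0_units` function name and the script file name are my own choice; the unit keys are standard `systemd.netdev(5)` / `systemd.network(5)` settings.

```sh
#!/bin/sh
# Added example: persist the isolated br0 with systemd-networkd.
# write_br0_units DIR writes br0.netdev and br0.network into DIR
# (/etc/systemd/network on a real host; a scratch directory when testing).
write_br0_units() {
  dir="$1"
  mkdir -p "$dir"

  # br0.netdev creates the bridge device itself at boot.
  cat > "$dir/br0.netdev" <<'EOF'
[NetDev]
Name=br0
Kind=bridge
EOF

  # br0.network assigns the host-side address. DHCP stays off and no
  # default route is configured, so nothing on br0 learns a way off the
  # segment. ConfigureWithoutCarrier=yes is required: a bridge with no
  # ports has no carrier and would otherwise never receive its address.
  cat > "$dir/br0.network" <<'EOF'
[Match]
Name=br0

[Network]
Address=172.20.1.1/24
DHCP=no
IPv6AcceptRA=no
ConfigureWithoutCarrier=yes
EOF
  # Deliberately no third file with "Bridge=br0" matching a physical NIC:
  # that is the line that would enslave a real interface and break isolation.
}

# Usage on the host (hypothetical file name): sudo sh persist-br0.sh --install
if [ "${1:-}" = "--install" ]; then
  write_br0_units /etc/systemd/network
  systemctl enable --now systemd-networkd
  networkctl reload
fi
```

After `--install`, `networkctl status br0` should show the address, and the manual `ip link add` step above is no longer needed on subsequent boots because networkd owns the device.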

### 2. Attach Your Virt-Manager VM to the Bridge

- Open Virt-Manager, select your VM > "Details" > "NIC".
- Set:
  - **Network Source:** "Bridge"
  - **Device name:** `br0`
- Save changes.
- **Ensure the VM’s NIC uses a static IP** in `172.20.1.0/24` (e.g., `172.20.1.10`). Set this in the Windows network settings inside the VM; leave the default gateway and DNS server empty so the guest has no route off the segment.

### 3. Create a Docker Network on the Bridge

#### Best Practice: Use Macvlan

```sh
docker network create -d macvlan \
  --subnet=172.20.1.0/24 \
  --gateway=172.20.1.1 \
  -o parent=br0 \
  malnet
```

- This attaches Docker containers to `br0` as macvlan sub-interfaces, so they share the VM's subnet without touching the host's own networking. By design, macvlan does not let a container talk to the parent interface's own address (`172.20.1.1`), which suits an isolated lab.

### 4. Run REMnux Container on the Shared Network

1. **Pull REMnux image**
   ```sh
   docker pull remnux/remnux-distro:focal
   ```
2. **Start REMnux attached to shared network & static IP**
   ```sh
   docker run --rm -it --network malnet --ip 172.20.1.20 -u remnux -v /home/coma/remnux:/home/remnux/files remnux/remnux-distro:focal bash
   ```

### 5. Set Host Firewall Rules (Arch Linux Example)

#### Suggestion: Use UFW

```sh
sudo pacman -S ufw
sudo ufw enable                      # writes ENABLED=yes; without this the service starts but loads no rules
sudo systemctl enable --now ufw
sudo ufw default deny incoming
sudo ufw allow from 172.20.1.10 to 172.20.1.20
sudo ufw allow from 172.20.1.20 to 172.20.1.10
```

- This restricts communication to just between VM and container. Treat the firewall as a second layer: the isolation itself comes from `br0` having no physical port and no NAT or forwarding rule, so verify it from inside the VM and the container (step 6) rather than relying on `ufw` alone.

### 6. Test Connectivity

- **Ping from VM to REMnux container:**
  ```sh
  ping 172.20.1.20
  ```
- **Ping from REMnux container to VM:**
  ```sh
  ping 172.20.1.10
  ```
- Both should work. Neither can reach the internet: pinging a public address or your LAN gateway from either side should fail.
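The pings above prove that the VM and the container see each other; the checks below, added here as an example and not part of the original instructions, cover the other half of steps 5 and 6, namely that the segment really is cut off. Each check reads command output from stdin so it can be exercised offline against the constructed samples in the script and, with `--live`, against the real `bridge`, `docker` and `iptables` output on the host. Function names and the sample texts are my own.

```sh
#!/bin/sh
# Added example: isolation checks for the br0 / malnet lab.

# Print every port enslaved to the bridge named in $1 whose name is not a
# libvirt tap (vnet*). Input: output of `bridge link show`. Docker's macvlan
# sub-interfaces are not bridge ports, so on a correct setup nothing prints;
# a physical NIC (enp*, wl*) here means the "isolated" bridge reaches the LAN.
bridge_foreign_ports() {
  awk -v br="$1" '
    index($0, " master " br " ") {
      name = $2; sub(/:$/, "", name); sub(/@.*/, "", name)
      if (name !~ /^vnet/) print name
    }'
}

# Extract the first "key": "value" string field named $1 from docker's
# pretty-printed JSON (one field per line, as `docker network inspect` emits).
json_field() {
  grep -o "\"$1\": *\"[^\"]*\"" | head -n 1 | sed 's/.*: *"\(.*\)"/\1/'
}

# Check that the docker network is macvlan on parent $1 with subnet $2.
# Input: output of `docker network inspect malnet`.
docker_network_ok() {
  inspect=$(cat)
  driver=$(printf '%s\n' "$inspect" | json_field Driver)
  parent=$(printf '%s\n' "$inspect" | json_field parent)
  subnet=$(printf '%s\n' "$inspect" | json_field Subnet)
  [ "$driver" = "macvlan" ] && [ "$parent" = "$1" ] && [ "$subnet" = "$2" ]
}

# Check that the host will not route lab traffic anywhere else: the FORWARD
# chain policy must be DROP (Docker and ufw both set this; verify it anyway).
# Input: output of `iptables -S FORWARD`.
forward_policy_is_drop() {
  grep -q '^-P FORWARD DROP$'
}

# Constructed samples (not captured from a real host) in the formats the
# three commands produce, used to exercise the checks offline.
SAMPLE_BRIDGE_OK='9: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 100'
SAMPLE_BRIDGE_BAD='9: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 100
10: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 4'
SAMPLE_INSPECT='[
    {
        "Name": "malnet",
        "Driver": "macvlan",
        "IPAM": {
            "Config": [
                {
                    "Subnet": "172.20.1.0/24",
                    "Gateway": "172.20.1.1"
                }
            ]
        },
        "Options": {
            "parent": "br0"
        }
    }
]'

# Run the checks against the live host (root needed for iptables).
run_live_checks() {
  foreign=$(bridge link show | bridge_foreign_ports br0)
  [ -z "$foreign" ] || { echo "br0 has non-VM ports: $foreign"; return 1; }
  docker network inspect malnet | docker_network_ok br0 172.20.1.0/24 \
    || { echo "malnet is not macvlan on br0 with 172.20.1.0/24"; return 1; }
  iptables -S FORWARD | forward_policy_is_drop \
    || { echo "FORWARD policy is not DROP"; return 1; }
  echo "isolation checks passed"
}

# Usage on the host (hypothetical file name): sudo sh check-lab.sh --live
if [ "${1:-}" = "--live" ]; then
  run_live_checks
fi
```

Run it with `--live` after every change to the bridge or the Docker network; a physical interface accidentally enslaved to `br0` is reported by name, which is the mistake step 1 warns about.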

### Summary Table

| Component               | Example IP  | Role/Setting                                  |
| ----------------------- | ----------- | --------------------------------------------- |
| Host Bridge `br0`       | 172.20.1.1  | Host/bridge gateway, isolated                 |
| Windows VM              | 172.20.1.10 | Virt-Manager NIC uses bridge `br0`, static IP |
| REMnux Docker Container | 172.20.1.20 | On macvlan `malnet` over `br0`, static IP     |

**Tip:** Confirm network setup with `ip a` (host), `docker network inspect malnet` (container net), and VM network settings.

- https://docs.remnux.org/tips/remnux-config-tips#gui-cloud-remnux
- https://wiki.archlinux.org/title/Bridge_interface
