
REMnux-docker-setup.md


Isolated Shared Network for Docker + Virt-Manager VM

These instructions walk you through setting up an isolated virtual network that both Virt-Manager (KVM/QEMU) VMs and Docker containers (like REMnux) can use to communicate securely, with no internet or host LAN access.

1. Create an Isolated Linux Bridge on Your Host

Install Required Tools (optional)

The commands below only need iproute2 (the ip command), which Arch installs by default. bridge-utils (brctl) and net-tools (ifconfig) are legacy packages; install them only if you prefer those tools:

sudo pacman -S --needed bridge-utils net-tools

Create the Bridge Interface

sudo ip link add name br0 type bridge
sudo ip addr add 172.20.1.1/24 dev br0
sudo ip link set br0 up
  • Use a subnet (e.g., 172.20.1.0/24) that's not used elsewhere.
  • Do not add a physical (ethernet) interface to this bridge if you want isolation.

(Optional) Make Bridge Persistent

  • Use a network manager like netctl or systemd-networkd to recreate br0 on boot.
  • For netctl, create a profile in /etc/netctl/br0 with bridge settings.
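As an added example (not part of the original notes or of the Arch wiki), here is the systemd-networkd equivalent of the netctl profile, written as a small shell script so the unit files can be generated into a scratch directory and inspected before touching /etc. The bridge name br0, the address 172.20.1.1/24 and the /etc/systemd/network target are the values assumed from the steps above.

```shell
#!/bin/sh
# Added example: persist the isolated lab bridge with systemd-networkd instead
# of netctl. Not from the REMnux or Arch docs. Assumes the br0 / 172.20.1.1/24
# values used on this page; override with BRIDGE= and BRIDGE_ADDR=.
set -eu

BRIDGE=${BRIDGE:-br0}
BRIDGE_ADDR=${BRIDGE_ADDR:-172.20.1.1/24}

# Write $BRIDGE.netdev and $BRIDGE.network into $1 (default /etc/systemd/network).
# Taking the directory as a parameter lets you dry-run into a scratch dir and
# diff the result before touching the live configuration.
write_bridge_units() {
  dir=${1:-/etc/systemd/network}
  mkdir -p "$dir"

  # The .netdev creates the bridge device itself. No .network file ever binds
  # a physical NIC to it, which is what keeps the lab off the host LAN.
  cat > "$dir/$BRIDGE.netdev" <<EOF
[NetDev]
Name=$BRIDGE
Kind=bridge
EOF

  # The .network assigns the address. A bridge with no ports has no carrier,
  # so ConfigureWithoutCarrier=yes is required or the address is never set.
  # DHCP, IPv6 router advertisements and link-local are off: nothing on this
  # segment should obtain configuration from anywhere but this file.
  cat > "$dir/$BRIDGE.network" <<EOF
[Match]
Name=$BRIDGE

[Link]
RequiredForOnline=no

[Network]
Address=$BRIDGE_ADDR
DHCP=no
IPv6AcceptRA=no
LinkLocalAddressing=no
ConfigureWithoutCarrier=yes
EOF

  printf '%s\n' "$dir/$BRIDGE.netdev" "$dir/$BRIDGE.network"
}

# Usage on the real host (writes to /etc/systemd/network unless a dir is given):
#   sudo ./lab-bridge.sh --write
#   sudo systemctl enable --now systemd-networkd
#   ip -br addr show br0      # expect 172.20.1.1/24
if [ "${1:-}" = "--write" ]; then
  write_bridge_units "${2:-/etc/systemd/network}"
fi
```

If NetworkManager also runs on the host, tell it to leave the bridge alone (a `[keyfile]` section with `unmanaged-devices=interface-name:br0` under /etc/NetworkManager/conf.d/), otherwise two managers will compete for br0.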

2. Attach Your Virt-Manager VM to the Bridge

  • Open Virt-Manager, select your VM > "Details" > "NIC".
  • Set:
  • Network Source: "Bridge"
  • Device name: br0
  • Save changes.
  • Give the VM's NIC a static IP in 172.20.1.0/24 (e.g., 172.20.1.10) with netmask 255.255.255.0 and no default gateway or DNS server, so the guest has no route off the lab segment. Set this in the guest's (Windows) network settings.

3. Create a Docker Network on the Bridge

Best Practice: Use Macvlan

docker network create -d macvlan \
  --subnet=172.20.1.0/24 \
  --gateway=172.20.1.1 \
  -o parent=br0 \
  malnet
  • This attaches Docker containers to br0 as macvlan children on the same L2 segment as the VM, bypassing Docker's default NAT bridge (docker0), so the containers get no path to the internet.
  • Macvlan caveat: a macvlan parent cannot exchange traffic with its own children, so the host (172.20.1.1 on br0) cannot reach the containers and they cannot reach the host. Host-to-container pings fail by design; the VM, attached to br0 through its tap port, can reach them.

4. Run REMnux Container on the Shared Network

  1. Pull the REMnux image:

docker pull remnux/remnux-distro:focal

  2. Start REMnux attached to the shared network with a static IP. The -v mount is the host directory holding the samples to analyze (adjust the path); -u remnux runs the shell as the remnux user rather than root:

docker run --rm -it --network malnet --ip 172.20.1.20 -u remnux \
  -v /home/coma/remnux:/home/remnux/files \
  remnux/remnux-distro:focal bash

5. Set Host Firewall Rules (Arch Linux Example)

Suggestion: Use UFW

sudo pacman -S ufw
sudo systemctl enable --now ufw
sudo ufw default deny incoming
sudo ufw default deny routed
sudo ufw allow from 172.20.1.10 to 172.20.1.20
sudo ufw allow from 172.20.1.20 to 172.20.1.10
  • "default deny incoming" stops the VM and the container from reaching services listening on the host itself (172.20.1.1).
  • "default deny routed" stops the host from forwarding lab traffic out to its LAN or internet-facing interfaces. Docker enables net.ipv4.ip_forward on the host, so do not assume forwarding is off; even without NAT a forwarded packet from 172.20.1.x still leaves the host (a DNS lookup or C2 beacon from a sample, for instance), which is exactly what this rule prevents.
  • The two allow rules only affect traffic the host itself receives (ufw rules without "route" go into the INPUT chain), and VM-to-container frames are switched inside br0 without passing through the host's iptables chains unless br_netfilter is loaded (net.bridge.bridge-nf-call-iptables=1). They are harmless, but the VM-to-container isolation actually comes from br0 having no other ports, and the deny-routed default is what blocks egress.

6. Test Connectivity

  • Ping from the VM to the REMnux container: ping 172.20.1.20
  • Ping from the REMnux container to the VM: ping 172.20.1.10
  • Both should work. Neither should reach the internet or the host's LAN: ping 1.1.1.1 and a ping to your LAN gateway must fail from both. A ping from the host to 172.20.1.20 is also expected to fail because of the macvlan parent/child restriction; that is not a misconfiguration.
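Pings prove reachability, not isolation. The following shell script is an added example (not from the REMnux or Arch documentation) that checks the properties the steps above rely on: br0 has no physical NIC enslaved, the host does not forward packets arriving on br0, and the Docker network's macvlan parent and subnet match. It assumes the names br0 and malnet from this page; the sysfs and proc paths are parameters so the checks can be exercised on any machine.

```shell
#!/bin/sh
# Added example: verify that the lab segment built above is actually isolated,
# beyond the two pings. Not from the REMnux or Arch docs. Assumes br0,
# 172.20.1.0/24 and the Docker network name "malnet" from this page; the
# sysfs/proc roots are parameters so the checks can run offline.
set -eu

BRIDGE=${BRIDGE:-br0}
LAB_NET=${LAB_NET:-malnet}

# A physical NIC has a device/ link in sysfs (its PCI/USB parent); taps, veths,
# macvlans and bridges do not. $1 = interface name, $2 = sysfs root.
is_physical_nic() {
  [ -e "${2:-/sys}/class/net/$1/device" ]
}

# The bridge is isolated only if none of its ports is a physical NIC.
# $1 = bridge name, $2 = sysfs root. Returns 2 if the bridge does not exist.
bridge_is_isolated() {
  brif="${2:-/sys}/class/net/$1/brif"
  [ -d "$brif" ] || { echo "no such bridge: $1" >&2; return 2; }
  for p in "$brif"/*; do
    [ -e "$p" ] || continue          # empty bridge: the glob stays literal
    port=$(basename "$p")
    if is_physical_nic "$port" "${2:-/sys}"; then
      echo "physical port $port is enslaved to $1: lab is NOT isolated from the LAN" >&2
      return 1
    fi
  done
  return 0
}

# Docker sets net.ipv4.ip_forward=1 globally, so check the per-interface knob
# for the bridge instead. $1 = path of the forwarding sysctl file.
forwarding_is_off() {
  [ "$(cat "$1")" = "0" ]
}

# Live run against the real host (needs docker and root for sysfs/proc).
check_lab() {
  rc=0
  if bridge_is_isolated "$BRIDGE"; then
    echo "ok: $BRIDGE has no physical port"
  else
    rc=1
  fi
  if forwarding_is_off "/proc/sys/net/ipv4/conf/$BRIDGE/forwarding"; then
    echo "ok: host does not route packets arriving on $BRIDGE"
  else
    echo "WARN: net.ipv4.conf.$BRIDGE.forwarding=1; set it to 0 or rely on 'ufw default deny routed'" >&2
    rc=1
  fi
  # Docker side: the macvlan parent must be the bridge and the subnet must match.
  docker network inspect \
    -f 'parent={{index .Options "parent"}} subnet={{range .IPAM.Config}}{{.Subnet}}{{end}}' \
    "$LAB_NET"
  # Host-to-container ping is expected to FAIL: a macvlan parent cannot talk
  # to its children. Only the VM (a tap port on the bridge) can reach them.
  return $rc
}

# Usage: sudo ./check-lab.sh --check
if [ "${1:-}" = "--check" ]; then
  check_lab
fi
```

The sysfs test is the one that matters most: a physical interface accidentally enslaved to br0 (for example by a network manager that "helpfully" adopted the bridge) silently turns the lab into a normal LAN segment, and nothing in the ping test would reveal it.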

Summary Table

| Component | Example IP | Role/Setting |
| --- | --- | --- |
| Host bridge br0 | 172.20.1.1 | Host side of the bridge; no physical port attached, isolated |
| Windows VM | 172.20.1.10 | Virt-Manager NIC on bridge br0, static IP, no gateway |
| REMnux Docker container | 172.20.1.20 | On macvlan network malnet (parent br0), static IP |

Tip: Confirm network setup with ip a (host), docker network inspect malnet (container net), and VM network settings.

https://docs.remnux.org/tips/remnux-config-tips#gui-cloud-remnux
https://wiki.archlinux.org/title/Bridge_interface