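#!/usr/bin/env bash
# Isolate a range of bridged VMs (the classroom / test net) from the
# production network by filtering in the bridge host's FORWARD chain.
#
#   PROD NET:               192.168.1.0/24  (rejected as the whole 192.168.0.0/16)
#   VM IP RANGE TO ISOLATE: 192.168.1.221-230
#
# Resulting FORWARD policy, in the order the kernel evaluates it:
#   1. RELATED,ESTABLISHED traffic is accepted (replies to already-allowed flows)
#   2. NOT test net -> test net is accepted (prod may initiate into the classroom)
#   3. test net -> test net is accepted
#   4. test net -> DNS/DHCP server 192.168.1.50 is accepted, DNS/DHCP ports only
#   5. test net -> anything in 192.168.0.0/16 is rejected
# Traffic not matched above (e.g. test net -> non-RFC1918 destinations) falls
# through to whatever FORWARD rules/policy were already loaded.
#
# Requirements / caveats:
#   - must run as root.
#   - bridged frames only traverse iptables FORWARD when br_netfilter is active
#     and net.bridge.bridge-nf-call-iptables=1; with it off every rule below
#     silently matches nothing, so the script refuses to continue in that case.
#   - only IPv4 is filtered; ip6tables is not touched, so IPv6 (incl. link-local)
#     between the VMs and prod is NOT isolated by this script.
#   - rules are inserted live and not saved: a later `service iptables restart`
#     or a reboot drops them unless they are persisted separately.
#   - a DHCP DISCOVER is sent from 0.0.0.0, which is outside the VM range, so it
#     is neither accepted nor rejected here; it depends on the pre-existing rules.
set -euo pipefail

readonly VM_FIRST=192.168.1.221
readonly VM_LAST=192.168.1.230
readonly VM_RANGE="${VM_FIRST}-${VM_LAST}"
readonly DNS_DHCP_SERVER=192.168.1.50/32
readonly PROD_NET=192.168.0.0/16

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

[[ "$(id -u)" -eq 0 ]] || die "must run as root"

# Fail loudly rather than pretend to isolate: if the sysctl is missing
# (br_netfilter not loaded) or 0, bridged traffic never reaches FORWARD.
bridge_nf="$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null || true)"
[[ "$bridge_nf" == "1" ]] \
  || die "net.bridge.bridge-nf-call-iptables is '${bridge_nf:-unset}', expected 1; bridged traffic would bypass these rules"

# Reload the saved ruleset first so re-running this script does not stack
# duplicate copies of the rules below.
service iptables restart

# Every rule is inserted at position 1 (-I), so they are issued in REVERSE
# evaluation order: the catch-all REJECT first, the most specific ACCEPTs last.
bridged=(-m physdev --physdev-is-bridged)

# 5. last rule: reject test net -> anything in prod address space
iptables -I FORWARD "${bridged[@]}" -m iprange --src-range "$VM_RANGE" --dst "$PROD_NET" -j REJECT

# 4. test net -> DNS/DHCP server, limited to the DNS/DHCP ports the comment
#    promised (the previous version accepted every port on that host).
iptables -I FORWARD "${bridged[@]}" -m iprange --src-range "$VM_RANGE" --dst "$DNS_DHCP_SERVER" -p udp --dport 53 -j ACCEPT
iptables -I FORWARD "${bridged[@]}" -m iprange --src-range "$VM_RANGE" --dst "$DNS_DHCP_SERVER" -p tcp --dport 53 -j ACCEPT
iptables -I FORWARD "${bridged[@]}" -m iprange --src-range "$VM_RANGE" --dst "$DNS_DHCP_SERVER" -p udp --dport 67 -j ACCEPT

# 3. test net -> test net
iptables -I FORWARD "${bridged[@]}" -m iprange --src-range "$VM_RANGE" --dst-range "$VM_RANGE" -j ACCEPT

# 2. NOT test net -> test net (prod may reach the classroom; replies pass via rule 1)
iptables -I FORWARD "${bridged[@]}" -m iprange ! --src-range "$VM_RANGE" --dst-range "$VM_RANGE" -j ACCEPT

# 1. conntrack: replies and related packets of flows already accepted above
iptables -I FORWARD "${bridged[@]}" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

echo "--- ISOLATED CLASSROM FROM PROD NETWORK ... DONE"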