Recently, I wanted to install a legacy OS in a virtual machine with QEMU.

However, for several reasons, I did not want it to be able to access the Internet but still be able to access some services on my host.

I had already done something similar in the past with a tap interface, but it was not very convenient, as you need to bring your own DHCP server or use manual configuration.

So, by reading the fine manual, I found an option I had not heard about before: restricted=yes on the user network mode.

It makes QEMU create a virtual network, with the usual DHCP server and connection to the host, but without Internet access.

In addition, it is possible to specify various guestfwd options.

Sadly, the forward mode opens only one connection when the machine boots. Therefore, if you want to forward every new connection, you will have to go through netcat or a similar program. For example, I used this option to redirect connections to 10.0.2.100 to an HTTP server I created with Python:

-nic 'user,model=virtio-net-pci,restrict=yes,guestfwd=tcp:10.0.2.100:80-cmd:netcat 127.0.0.1 8000'

And that was enough for me to pass a few files without using Samba or swapping isos.