Thanks for your answers.
I am very much a beginner with KVM, but I figured that thanks to its advanced network configuration capabilities it would be possible to allow only traffic to and from the virbr* interfaces on a Debian host system. Maybe it’s much more complicated than it seems.
I intend to run Whonix and other VMs too. I don’t want to filter out Tor traffic; I let Whonix manage that. I would just like some iptables rules that would only allow internet access through the KVM virtual network interfaces. Obviously the real internet interface would have to access the internet, but it would then only be allowed to tunnel its traffic through KVM virtual network interfaces. This way I don’t expose my host to the internet and I reduce the attack surface as well as leaking issues (such as forgetting that I am not on Whonix and opening a link with a regular Firefox browser, etc.).
Basically this is what Qubes achieves with its sys-net/sys-firewall approach, but I was wondering if a lighter version could be achieved on a simple Debian system with some hardened iptables rules.
I made some attempts with iptables, but my knowledge is too low to hope to achieve anything on my own. Couldn’t find anything on the net either.
EDIT: thanks Algernon, I’ll read your link. My setting would need to allow other KVM VMs to connect though, not only Whonix VMs.
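
A ruleset of the kind this post describes, as an added example that is not part of the original post and not Whonix or libvirt code: host-originated traffic on the uplink is dropped (OUTPUT), while guest traffic from `virbr*` is forwarded (FORWARD). It assumes libvirt NAT networks, IPv4 only, and an uplink name supplied by the caller (`eth0` below is a placeholder); `gen_rules` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: print an iptables-restore ruleset (filter table only).
# Host-originated packets traverse OUTPUT; packets routed for guests on a
# libvirt NAT network traverse FORWARD, so the two can be treated differently.
# Assumptions: IPv4 only (ip6tables needs its own equivalent policy), and
# guests use a resolver they reach directly, because upstream lookups made by
# the host's dnsmasq are host-originated and are dropped here.
gen_rules() {
    wan="$1"            # uplink interface, e.g. eth0 (placeholder name)
    br="${2:-virbr+}"   # '+' is the iptables interface-name wildcard
    # Refuse anything that is not a plain interface name.
    case "$wan" in ''|*[!A-Za-z0-9._-]*)
        echo "bad uplink name" >&2; return 1 ;;
    esac
    case "$br" in ''|*[!A-Za-z0-9._+-]*)
        echo "bad bridge name" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback only; no host services are reachable from the uplink.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# DHCP client on the uplink so the host can obtain a lease.
-A OUTPUT -o $wan -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $wan -p udp --sport 67 --dport 68 -j ACCEPT
# DHCP server (libvirt dnsmasq) towards the guests.
-A INPUT -i $br -p udp --dport 67 -j ACCEPT
-A OUTPUT -o $br -p udp --sport 67 --dport 68 -j ACCEPT
# Guests may reach the internet; only replies are let back in.
-A FORWARD -i $br -o $wan -j ACCEPT
-A FORWARD -i $wan -o $br -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Print the ruleset when called with arguments: ./script.sh eth0 [bridge]
if [ "$#" -gt 0 ]; then
    gen_rules "$@"
fi
```

Review the output before piping it to `iptables-restore` as root; only the filter table is written, so the MASQUERADE rules libvirt keeps in the nat table are left alone. Loading it with `iptables-restore --noflush` keeps filter rules that are already present instead of replacing them.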