How to place a virtual machine in DMZ?

Posted by Giordano on Server Fault
Published on 2012-10-13T20:28:06Z

I have an Ubuntu 12.04 server running a few virtual machines with KVM.

I would like to expose some of these virtual machines on the internet, to make it possible for customers to test the products we're developing and make available other products for demo purposes.

One of the server NICs is configured with a public IP. However, before exposing anything on the web I would like to be sure that if one of the virtual machines gets compromised, the attacker doesn't reach the rest of the hosts.

What I would like to do is to put these virtual machines into a DMZ.

These are the steps I'm planning to take:

  1. Create a tap interface in the virtualization host (let's say tap1)
  2. Create a bridge using tap1 and give it an IP in a subnet separate from the other hosts. Let's say 10.0.0.1
  3. Attach the DMZ virtual machines to the bridge and configure their IPs statically (10.0.0.2, 10.0.0.3, etc.)
  4. Using UFW, forbid any traffic from 10.0.0.0/24 to any of the internal hosts, allow the traffic from the internal hosts towards 10.0.0.0/24 and expose the virtual machines on the web using port forwarding.

Do you think this setup is safe? Can you suggest any improvement or a better/safer approach?

Thanks in advance!
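As an added example (not the poster's own code), the host-side commands behind steps 1, 2 and 4, written as raw iptables rules since ufw is a front end to iptables (with ufw they would go into /etc/ufw/before.rules). Assumed values: eth0 as the public NIC, 192.168.1.0/24 as the internal LAN, a bridge named br-dmz, and one DMZ VM at 10.0.0.2 whose TCP/80 is exposed on public port 8080.

```shell
#!/bin/sh
# Added example: host-side commands for the DMZ bridge and forwarding policy
# from the question (not the poster's code). Assumed: LAN 192.168.1.0/24,
# public NIC eth0, one DMZ VM 10.0.0.2 exposing TCP/80 on public port 8080.
LAN=${LAN:-192.168.1.0/24}
WAN=${WAN:-eth0}
DMZ_BR=br-dmz
DMZ_GW=10.0.0.1/24
DMZ_VM=${DMZ_VM:-10.0.0.2}

# run CMD...: execute it, or only print it when DRY_RUN=1 (review without root)
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

dmz_setup() {
    # Steps 1-2: tap + bridge with its own subnet; KVM attaches VM taps here
    run ip tuntap add dev tap1 mode tap
    run ip link add "$DMZ_BR" type bridge
    run ip link set tap1 master "$DMZ_BR"
    run ip addr add "$DMZ_GW" dev "$DMZ_BR"
    run ip link set "$DMZ_BR" up
    run ip link set tap1 up
    run sysctl -w net.ipv4.ip_forward=1

    # Step 4. Replies to connections that were allowed in may pass...
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ...but nothing new may originate in the DMZ towards the LAN
    run iptables -A FORWARD -i "$DMZ_BR" -d "$LAN" -j DROP
    # nor towards the hypervisor itself (host INPUT chain, easy to forget)
    run iptables -A INPUT -i "$DMZ_BR" -j DROP
    # LAN hosts may initiate connections into the DMZ
    run iptables -A FORWARD -s "$LAN" -o "$DMZ_BR" -j ACCEPT
    # Port forward public :8080 -> VM :80, and permit only that flow inbound
    run iptables -t nat -A PREROUTING -i "$WAN" -p tcp --dport 8080 \
        -j DNAT --to-destination "$DMZ_VM:80"
    run iptables -A FORWARD -i "$WAN" -o "$DMZ_BR" -d "$DMZ_VM" -p tcp \
        --dport 80 -m state --state NEW -j ACCEPT
    # Everything else crossing the host is dropped, including DMZ -> internet
    run iptables -A FORWARD -j DROP
}

# DMZ_APPLY=1 applies the rules as root; add DRY_RUN=1 to print them instead
if [ "${DMZ_APPLY:-0}" = 1 ]; then dmz_setup; fi
```

The INPUT rule covers a gap in step 4 as written: isolating the DMZ from the other hosts also means isolating it from the hypervisor, and the ESTABLISHED,RELATED rule must precede the DROP so that LAN-initiated sessions still get their replies.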
