
Is there a way that I can segment my virtual machine from my LAN, yet still make it available to outside users? What I'm trying to achieve is a VPS type of thing, but I'm not sure how hosting companies do it.

Background: I'm currently trying to expand my knowledge of UNIX security, and I thought, what better way to do so than give out SSH accounts and see what people can break? The home directories of these users will also have a public_html folder which they can access from the web (http://site/~username). The tricky thing is segmenting this from my LAN. If I use host-only networking, nobody can reach it. If I set it to bridged networking things are fine and dandy, except for the fact that this box can:

  • See my router's admin page
  • See other machines on the network
  • And of course, see the associated Windows shares.

Is there a way to put it in its own "virtualized VLAN"? I mean, I could make it use one of my physical network adapters, and run that cord into a switch, but I don't feel like spending money on a switch with VLAN capabilities for something temporary. The same idea goes for a firewall to put it in a DMZ, unless of course there is a software way to do this. My current DSL modem has a DMZ function to put one machine in a DMZ, but my web server is already occupying that (and does the modem's DMZ feature really segment the machine, or just make it public facing?)

I will be closely monitoring the system for abuse. cURL and wget have been removed, and I'm using trickle to throttle the bandwidth for the box to 20kb/s.

I'm probably missing the obvious answer here, someone please enlighten me.

RHELAdmin

2 Answers


Do you need to use your virtual infrastructure for this? Sounds like an older/off-lease workstation with <insert_linux_distro_of_choice_here> running iptables will do fine as a Web server to host these sites on; when you're done, you can simply format it with Windows or whatever and use it as a workstation again.

As for your current gear, how many interfaces does your DSL modem/router have? You may be able to set up a separate LAN interface on it, but I'm guessing not if it's just something that came from your ISP; perhaps if you post up the make/model no. we can tell you for sure.

Regardless of webhosting, get a real firewall man: pfSense is great on a dual-NIC workstation and will give you "enterprise" features for nothing (like VPN, IDS, Squid, etc.).

With pfSense, you also can set up VLANs on any interface to give you a true DMZ setup that's isolated from your LAN, but still behind the firewall with whatever packet filtering rules you need (allow TCP 80 inbound, deny all).

gravyface

The router's DMZ function likely makes all ports on the server public facing. You should consider using the DNAT functionality if you have it. You should isolate your virtual server on a separate virtual network. If you are using Linux, you can use iptables to isolate your server. This can also log all attempts to access ports and/or hosts you don't want people accessing (i.e. samba, router, etc.). I find Shorewall makes configuring iptables in cases like this quite simple.

BillThor
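As an added example that is not part of either answer, the script below shows the host-side iptables layout both answers point at: the VM sits on a host-only bridge, the host DNATs the public ports (SSH and HTTP, as in the question) to it, everything the VM sends toward the home LAN is logged and dropped, and the rest of its outbound traffic is masqueraded to the Internet. Interface names, addresses and the subnet are constructed placeholders; the bridge name, the assumption that the modem forwards inbound ports to this host, and the `VM-LAN-DENY:` log prefix are all assumptions. The rules are generated as text first so they can be reviewed before being applied with `apply`.

```shell
#!/bin/sh
# Added example (not from the answers): isolate a VM on a host-only bridge,
# expose only chosen TCP ports to the outside, and log/drop VM->LAN traffic.
# All values below are constructed placeholders; override them via the
# environment to match the real host.

VM_IP="${VM_IP:-192.168.100.10}"      # VM address on the host-only bridge (assumed)
VM_BR="${VM_BR:-virbr1}"              # host-only bridge interface (assumed)
WAN_IF="${WAN_IF:-eth0}"              # host NIC facing the DSL modem / home LAN (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # home LAN the VM must never reach (assumed)
PUBLIC_PORTS="${PUBLIC_PORTS:-22 80}" # services handed out to outside users

# Print the rule set in evaluation order. Ordering matters: the VM->LAN
# log+drop must precede the general "VM may go out to the Internet" accept.
gen_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"

    # Replies to already-accepted connections flow in both directions.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Public services: rewrite inbound packets on the host NIC to the VM
    # (the equivalent of "allow TCP 80 inbound, deny all" in the DMZ answer).
    for p in $PUBLIC_PORTS; do
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -p tcp --dport $p -j DNAT --to-destination $VM_IP:$p"
        echo "iptables -A FORWARD -i $WAN_IF -o $VM_BR -d $VM_IP -p tcp --dport $p -j ACCEPT"
    done

    # Anything the VM originates toward the home LAN (router admin page,
    # Windows shares, other hosts) is logged for monitoring, then dropped.
    echo "iptables -A FORWARD -i $VM_BR -d $LAN_NET -j LOG --log-prefix \"VM-LAN-DENY: \" --log-level 4"
    echo "iptables -A FORWARD -i $VM_BR -d $LAN_NET -j DROP"

    # Remaining VM traffic (non-LAN destinations) may leave via NAT.
    echo "iptables -A FORWARD -i $VM_BR -o $WAN_IF -s $VM_IP -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -s $VM_IP -o $WAN_IF -j MASQUERADE"

    # The host itself only answers the VM for connections the host started.
    echo "iptables -A INPUT -i $VM_BR -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $VM_BR -j DROP"
}

# Feed the generated rules to a root shell. Requires iptables and root.
apply_rules() {
    gen_rules | sh
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    gen_rules
fi
```

Running the script without arguments prints the rules for review; `VM_BR=br1 LAN_NET=10.0.0.0/24 sh isolate-vm.sh apply` (a hypothetical file name) applies them. Denied VM-to-LAN attempts show up in the kernel log with the `VM-LAN-DENY:` prefix, which is the monitoring hook the second answer describes.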