Want to configure a VM (or any PC) on my network to have internet access only

hoorah

Senior member
Dec 8, 2005
I have an older desktop I'm currently using as a game server, and I'm planning on moving the game server to be in a VM environment. When I do this, I offered to host a game for a friend of mine, either on the same VM, or a different one, not sure yet. I'd like to offer my friend remote access to the VM, but I do not want the VM to be able to see anything else on the network - no shared folders, no shared printers, and no local websites (router/NAS/printer config pages).

I've done a bunch of research, but all I can find are resources for people that want to accomplish a similar task but with guest laptops and wifi (setting up a wifi guest network), or people that are having trouble establishing connection between the host and the VM.

First - is this a safe-ish thing to do? I mean, as safe as any access given to a friend is? Let's say worst case scenario he installs a virus on the VM, the virus would not be able to spread outside the VM?

If this is way too risky, I may offer to set up his game server on the VM and set up an FTP server to the files such that he can edit the config, upload mods/plugins, etc, but not have access to the actual VM desktop.
 

lif_andi

Member
Apr 15, 2013
Depending on the OS you could just turn off network discovery and use firewall rules to block that server from the rest of your network...

(Like in Win Vista and above you can just make your network location "Public" and you are effectively blocked from the local network you're on).

How safe this is I am not going to speculate on, but if it's only this friend of yours you're giving access (as in only allowing his IP address access) then you should be ok. Having it open towards the internet or worse having your router letting through traffic is just a bad idea imo. Although I'm sure there are ways to do this securely (such as having 2 routers (or 1 and a network firewall) on each side of the game server, kinda creating a DMZ (which you should google)).

Savatar

Senior member
Apr 21, 2009
It is theoretically possible for malware to spread outside of a VM, as there are ways to detect if a process is running on a VM and there have been exploits to break outside to the host operating system (for certain VMs) in the past... however, the level of effort and expertise required to do this is exceptionally high, and those kinds of exploits have been patched as they get found out. For the most part, then, it's nothing to worry about - but you should know it is theoretically possible.

The scenario you described is generally considered secure, though, so you should be OK. You'll just want to enable port forwarding for just the ports that are required for the game to operate.

If you are really paranoid, maybe consider looking into third-party hosting providers - those are pretty popular for hosting game servers. While they cost money, they usually have an ISP which has a larger upload cap than most users can get on their home connections. For example, 1 Mbps-5 Mbps is pretty typical for a mainstream broadband upload cap, because home users usually don't use upload bandwidth as much as downloading, but that's what is important for servers. If you look you can find hosting providers with 10+ Mbps upload speeds (look for a site that allows at least 10 Mbps unmetered). You can test your upload speeds from sites like http://www.speedtest.net/, it runs a separate test for download and upload. Thankfully, most games are pretty efficient, only tracking and sending the player position and actions over UDP instead of anything that's very large... so it should be OK either way.

Because of the costs associated with third-party hosting, though, I can understand if that's too much. I encourage you to at least run the VM locally to try it out, though - you'll almost always learn things when you do things like that, it's fun and helpful for your friend! :)
 

hoorah

Senior member
Dec 8, 2005
The scenario you described is generally considered secure, though, so you should be OK. You'll just want to enable port forwarding for just the ports that are required for the game to operate.

Thanks, this is what I was looking for. I'm still trying to find the setting that will keep the VM from seeing anything shared on the network, like a guest wifi, only for LAN instead of wifi. Other than that though, I'm comfortable with that level of security.

If you are really paranoid, maybe consider looking into third-party hosting providers - those are pretty popular for hosting game servers.

Because of the costs associated with third-party hosting, though, I can understand if that's too much. I encourage you to at least run the VM locally to try it out, though - you'll almost always learn things when you do things like that, it's fun and helpful for your friend! :)

Well, I already host 2 of my own game servers on the host OS right now. My friend wants to host a game, but (as usual) doesn't want to pay a host, and I'm not giving him access to the host OS of my server to install a game. Thus, I had considered moving everything to a VM. I don't care if he has access to my game servers, just my files.

I can sustain 4.5-5 Mbps of outbound traffic on my connection. A full ZPS server (similar to TF2 in bandwidth) will use around 1-1.5 Mbps outbound (22 people). I imagine his bandwidth needs will be low (if they're not, he will have to get his own host then).
 

Savatar

Senior member
Apr 21, 2009
...I'm still trying to find the setting that will keep the VM from seeing anything shared on the network, like a guest wifi, only for LAN instead of wifi.

Ah, I see. I think because the VM will need to be reachable externally, you'll have to use bridged networking - which means it'll essentially share the network card that the host has. Unless you have quite the network setup where you can put the VM host on its own DMZ, you might be able to do something crazy like create static route rules on the new VM for the internal network range so that it routes to the public internet. In this way, that system will still be able to access the internet, but won't be able to route to any of the internal systems (like 192.168.1.100 would just get lost, for example) - just be careful that you don't do that route rule for the whole subnet (or whatever the default gateway is).

For example, if your router is 192.168.1.1 and the other systems on the network are 192.168.1.100-105... set a route rule so that every other system on the network routes to something past your default gateway/router. In Windows, from the command line (as an example, use with caution once you figure out exactly what you need):

route add 192.168.1.100 MASK 255.255.255.255 66.109.6.143 METRIC 2 IF # (where # is the interface for the NIC, found with 'route print' at the top).

The 66.109.6.143 IP will be whatever is the next hop AFTER your router - that way any 192.168.1.100 requests won't be able to get back in to the private network.

lif_andi's suggestion of using a firewall may be doable too, but you'd probably want to set it on the VM itself so that it doesn't allow any outbound data to your other hosts (the equivalent of not being able to reach them with the routing steps above) - as opposed to denying inbound traffic from that host on every other server on your network. (Again, a DMZ would be easier but probably requires additional equipment).

...if you happen to find an easier (or less messy) way to do this, let me know!
 

duncan-idaho

Junior Member
Jul 31, 2013
You could accomplish that kind of separation a couple of different ways. Probably the simplest but most expensive would be to get a router (http://www.cisco.com/en/US/products/ps11025/index.html) that supports multiple SSIDs/VLANs, which lets you specify that whatever is connected to, say, Ethernet port 1 on the router can't talk to the rest of the ports.

You could also accomplish this by setting up two VMs and configuring one as a router - for example, ClearOS (or any other Linux flavour you like, but ClearOS is preconfigured for it) or the Microsoft Routing and Remote Access Server (RRAS) role, then using firewall rules to prevent communication except on the ports you specify for the second VM. This would also allow you to give your friend root access to that second VM (the game server) without giving him access to the infrastructure, i.e. the routing VM or your physical network. If you are comfortable with networking VMs, this is probably the cheaper method. I've done it personally with MS RRAS, worked nicely.

Red Squirrel

No Lifer
May 24, 2003
What I would do is have another VM acting as a firewall, and put this VM behind it. Have the firewall restrict traffic to only going out to the internet. The firewall would have two NICs.

So basically something like this:

Internet -> existing router -> new VM firewall -> shared VM

Configure the new VM firewall so that it blocks all traffic destined for the local IP ranges, and have it set up so it routes to the internet. You'd also forward whatever ports you need to that firewall, which would then forward to that VM.
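A concrete ruleset for the two-NIC firewall VM described in this post (and for the router-VM approach in duncan-idaho's reply), as an added example that is not from any poster in this thread. It assumes eth0 faces the home LAN and router, eth1 faces the shared VM at 10.99.0.2, and 27015 stands in for whatever UDP port the game actually uses; the verdict_for function mirrors the same policy offline so the rule logic can be checked without a firewall VM.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): policy for the firewall
# VM that sits between the existing router and the shared game-server VM.
# Assumed layout: eth0 faces the home LAN (router 192.168.1.1), eth1 faces the
# shared VM at 10.99.0.2; GAME_PORT is a placeholder for the game's UDP port.
WAN_IF=eth0 LAN_IF=eth1 GAME_VM=10.99.0.2 GAME_PORT=27015

# Emit an nftables ruleset: the shared VM may forward only to non-private
# destinations, the game port is forwarded in from the router, and the VM's
# own traffic is masqueraded on the way out.
emit_nft_ruleset() {
    cat <<EOF
flush ruleset
table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # game traffic forwarded by the router to the shared VM
        iifname "$WAN_IF" oifname "$LAN_IF" ip daddr $GAME_VM udp dport $GAME_PORT accept
        # the shared VM may not reach anything in RFC 1918 space (home LAN, router)
        iifname "$LAN_IF" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
        iifname "$LAN_IF" oifname "$WAN_IF" accept
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname "$WAN_IF" udp dport $GAME_PORT dnat to $GAME_VM
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Offline check of the same policy: "drop" for any RFC 1918 destination the
# shared VM must not reach, "accept" for everything else.
verdict_for() {
    ip=$1
    o1=${ip%%.*}; rest=${ip#*.}; o2=${rest%%.*}
    case "$o1" in
        10) echo drop ;;
        192) if [ "$o2" -eq 168 ]; then echo drop; else echo accept; fi ;;
        172) if [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; then echo drop; else echo accept; fi ;;
        *) echo accept ;;
    esac
}
# On the firewall VM, as root: emit_nft_ruleset | nft -f -
```

The router still has to forward the game port to the firewall VM's eth0 address, and the shared VM must use a public DNS resolver, since the LAN-side resolver is in the blocked range.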
 

hoorah

Senior member
Dec 8, 2005
You could accomplish that kind of separation a couple of different ways. Probably the simplest but most expensive would be to get a router (http://www.cisco.com/en/US/products/ps11025/index.html) that supports multiple SSIDs/VLANs, which lets you specify that whatever is connected to, say, Ethernet port 1 on the router can't talk to the rest of the ports.

You could also accomplish this by setting up two VMs and configuring one as a router - for example, ClearOS (or any other Linux flavour you like, but ClearOS is preconfigured for it) or the Microsoft Routing and Remote Access Server (RRAS) role, then using firewall rules to prevent communication except on the ports you specify for the second VM. This would also allow you to give your friend root access to that second VM (the game server) without giving him access to the infrastructure, i.e. the routing VM or your physical network. If you are comfortable with networking VMs, this is probably the cheaper method. I've done it personally with MS RRAS, worked nicely.

Thanks! I have a Cisco E3000 with Tomato flashed to it. When deciding between Tomato and DD-WRT, I do recall some information about VLANs. Not sure if the E3000 is capable of it though, will have to check.

Interesting trick on the second method. I'm not familiar with networking VMs but I'm willing to give it a shot. Thanks!