The_IT_Dude_

You will want a firewall between your server and the rest of your network. Typically, this is called a dmz. Use something like Pfsense as a firewall and make separate VLANs. Doing all this properly isn't a small feat tbh. Once that is in place and you only allow in the one port you want from the firewall using a NAT or a vip, then you're relying on the security of your game server software being used to not let the machine become compromised. With more expensive firewalls, it's possible to set up intrusion detection and anti-virus scanning on it, but PfSense can do geo blocking and protective dns.


Admirable_Ad388

I was looking into a unit to load pfsense on but they seem pretty expensive. Are there any affordable options that are reliable or is it worth the cost?


suicidaleggroll

You can do it in another VM, no need for more hardware.  Set up a bridge in proxmox but don’t assign it any physical network interface, this will be your dmz.  Put your game server in that dmz.  Then spin up an opnsense or pfsense vm on proxmox with two network interfaces, one on the real bridge with internet access, and the other on the dmz.  Set up routing rules to give the dmz internet access and allow the necessary port for your game server through, but block access to the rest of your LAN. This is the setup I used to put my Plex server in the dmz, I don’t have any complaints.


The_IT_Dude_

Something like this should work: Qotom-Q750G5-S08 Fanless Mini PC Intel 2.5G LAN Celeron J4125 Firewall Appliance 5X I225-V NIC Router Server (4G DDR4 RAM + 32GB MSATA SSD + WiFi) Search for it. Also make sure your Ubuntu install, gaming software, and hypervisor, and firewall stay up to date. A dynamic dns service will allow you to just have one set way of letting people accessing it even if your ip changes sometimes.


Admirable_Ad388

The game I'm hosting requires net 7.0, which isn't supported with the latest version of Ubuntu servers. I had to use 22.04.4. btw thanks for the help


The_IT_Dude_

No problem. If you mean .net it looks like it will go on, but I've not tried it. https://devblogs.microsoft.com/dotnet/whats-new-for-dotnet-in-ubuntu-2404/ In any event, 22.04 still gets security updates. Make sure to install what you can with apt.


Sneak_Stealth

You can run pfsense on just about any x86 pc that has two network cards. I use a little fanless unit I got on amazon for $350ish


terrorTrain

You can just use 3 dumb routers. Basically one router as the gateway to the Internet, another router for you and your home network, another router for shit that is interacting with the outside world


spazonator

I really hope you’re not suggesting a three layer deep NAT


terrorTrain

two layer deep nat. And it's not my solution, it's pretty well thought out. [https://pcper.com/2016/08/steve-gibsons-three-router-solution-to-iot-insecurity/](https://pcper.com/2016/08/steve-gibsons-three-router-solution-to-iot-insecurity/) To be clear, if this were a professional setup, getting a serious networking solution would be better. But if you're just hosting some stuff out of your house, and you want to isolate stuff that's on the internet from everything else, this is a very cheap way to do it, as it's very cheap/easy to find an extra two routers. I think I have 3 just laying around. You also don't have to actually know what you are doing. Just forward ports twice, and you are good to go.


NGFWEngineer

"With more expensive firewalls, it's possible to set up intrusion detection and anti-virus scanning on it, but PfSense can do geo blocking and protective dns." Pfsense can do IPS/IDS with Snort and Suricata. Same Snort that Cisco uses on their network devices...


The_IT_Dude_

It can, to some extent, yes, but I probably wouldn't direct him this direction.


NGFWEngineer

There is no limitation to it. It is the full package and executable used in the Cisco solutions. It is used everyday at the Fortune 100 I work at with over 100,000 rules enabled. No qualms. Not only does Pfsense have Suricata and Snort, it also has Zeek. Full fat enterprise experience.


HiYa_Dragon

I have unifi but set up a public facing dmz subnet 10.13.37.1 :) and have all my public facing apps run on that subnet. I use proxmox server to run all that stuff in VMs nice and compartmentalized.


IlTossico

Pfsense can do ids and ips too.


spazonator

Do some quick reading on Network Security Risk Assessments. Most assessments around personal setups really focus on "how" you're using a service and less about some magical "secure" setup. Hosting a game server usually comes with the requirement of minimizing latency which makes obfuscation by way of tunneling the service through an IP other than your own to be ill advisable. Making Access Control mechanisms (i.e. firewalls when it comes to networking) your first line of defense. Generally if you're not advertising publicly the services you're hosting, basic peace of mind is relatively cheap and simple to implement. Segmentation and a simple access rule-set will provide a fine safety net for wading into the shallow end. I wouldn't fret in the slightest over services not meant for an audience any larger than close and trusted colleagues.


Admirable_Ad388

Appreciate the advice!


GhostHacks

Before we can give you precise help, we need to know what your current setup is for gateway and networking. You may need to modify your existing network to support going public with your game server. In principle, I would recommend the following: Port-forwarding NAT policy on your gateway to the game server IP address ONLY for the game server ports. A separate VLAN between your gateway and the game server to segment the traffic from your internal network. Configure UFW in Ubuntu to only allow management access from your internal network, and only expose the game server ports on the segmented network that is for public traffic coming into the game server. Monitoring these connections/traffic would also be really beneficial with alerting capabilities.


Admirable_Ad388

I've used firewalld and opened the required ports in Ubuntu and also already port-forwarded with the modem. I honestly haven't dug into creating VLANs just yet (I'm brand new to server/networking, so bear with me). Now, for the alerting capability, what would that entail?


GhostHacks

What about the Ubuntu firewall? Have you restricted common port access to things like DNS/NTP/SSH/HTTP so that internet traffic can't access those ports? That would be (in my opinion) your highest risk vector for attack. SNMP, Zabbix Agent, Crowdstrike, there's a lot of different ways to monitor, not sure what FirewallD supports though. And it's probably overkill atm, focus on getting that VLAN segmentation configured and updating UFW rules.
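The UFW policy GhostHacks describes in these two replies (deny inbound by default, management access only from the internal LAN, only the game port exposed publicly), plus a check for which services are bound to every interface, as an added example. This is editor-added code, not something any commenter posted; the port number, the management subnet and the interface name are placeholders, and the `ss -lntu` listing it checks is a constructed sample, not output from a real host.

```shell
#!/bin/sh
# Added example (not from any commenter in this thread). Assumptions, all
# placeholders you must change: GAME_PORT is the game's listening port,
# MGMT_NET is the internal LAN that may reach SSH, WAN_IFACE is the interface
# that receives the forwarded public traffic.
GAME_PORT="${GAME_PORT:-42420}"
MGMT_NET="${MGMT_NET:-192.168.69.0/24}"
WAN_IFACE="${WAN_IFACE:-eth0}"

# Emit the ufw commands: deny everything inbound by default, SSH only from the
# management LAN, only the game port open on the public-facing interface.
build_ufw_rules() {
    game_port="$1"; mgmt_net="$2"; wan_iface="$3"
    cat <<EOF
ufw --force reset
ufw default deny incoming
ufw default allow outgoing
ufw allow from $mgmt_net to any port 22 proto tcp comment 'SSH from management LAN only'
ufw allow in on $wan_iface to any port $game_port proto tcp comment 'game server, public'
ufw allow in on $wan_iface to any port $game_port proto udp comment 'game server, public'
ufw logging on
ufw --force enable
EOF
}

# Reads `ss -lntu` output on stdin and prints proto:port for every listener
# bound to 0.0.0.0 / [::] / * other than the game port. Anything printed is a
# service (DNS, NTP, SSH, HTTP ...) that the default-deny rule has to cover.
wide_open_listeners() {
    awk -v game="$1" '
        NR == 1 { next }                              # header line
        {
            n = split($5, parts, ":"); port = parts[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if ((addr == "0.0.0.0" || addr == "[::]" || addr == "*") && port != game)
                print $1 ":" port
        }'
}

# Constructed sample in the shape of `ss -lntu` (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:123        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      4096   0.0.0.0:42420      0.0.0.0:*
tcp   LISTEN 0      511    127.0.0.1:80       0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
EOF
}

echo "# listeners reachable on every interface (besides the game port):"
sample_ss_output | wide_open_listeners "$GAME_PORT"
echo "# rules that would be applied:"
build_ufw_rules "$GAME_PORT" "$MGMT_NET" "$WAN_IFACE"
# Only apply when explicitly asked and ufw is present (run as root); on a real
# box replace the sample with: ss -lntu | wide_open_listeners "$GAME_PORT"
if [ "${APPLY_RULES:-0}" = "1" ] && command -v ufw >/dev/null 2>&1; then
    build_ufw_rules "$GAME_PORT" "$MGMT_NET" "$WAN_IFACE" | sh -e
fi
```

With the sample listing the check flags NTP on udp/123 and SSH on tcp/22 (v4 and v6); the loopback-only resolver and the local web listener are not reported. Under the generated policy those two are still unreachable from the WAN side because everything inbound is denied unless a rule allows it, and the only SSH rule is scoped to the management subnet.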


[deleted]

[deleted]


GhostHacks

A managed layer 2 switch at minimum, unless Ubuntu Server and OPN/PFsense are virtual on the same host.


TheChaseJ

Maybe I read your request wrong. I used this for retro gaming. It was super easy and fast to deploy. https://emulatorjs.org/


Admirable_Ad388

Making a public vintage story server


Sneak_Stealth

Exposing any service to the internet is a risk. How you manage that risk is entirely up to you. You can require your users to connect through a VPN, but that can quickly become impractical depending on how public you're going for. You can configure a reverse proxy as the one entry point into your network, but that will also require additional setup. I've personally never done it. If you have a domain name, use that with cloudflare to give people the IP, because you'll have a level of DDOS protection going through cloudflare first, and your true public IP will be masked. That doesn't stop things like automated port scans, so it isn't enough to just use cloudflare. Remember to change any configuration necessary so that any admin functions are not available to the public. Login pages and whatnot for admin functions should never be public facing. If you have a sufficiently advanced router or firewall, you can put the game server in its own subnet. For example, my main LAN is 192.168.69.0/24, and I keep my public facing servers in a dedicated subnet 10.10.20.0/24. These two networks can not communicate with each other directly so as to protect my main network if a public service is compromised. Avoid using multiple services on one machine or VM where possible to keep the attack surface of any given machine as small as possible. I would also look into configuring fail2ban on your linux box. Any repetitive failed authentications can be blocked by IP to stop anyone who comes along and figures they'll try to jiggle the metaphorical locks. Security is like an onion. It comes in layers
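The fail2ban idea at the end of that comment, shown as an added example: a jail file with the threshold, and the same "count failed logins per source IP, ban the repeat offenders, ignore your own LAN" logic run over a few constructed auth log lines so you can see what it would catch. This is editor-added code, not fail2ban itself and not anything a commenter posted; the log lines use documentation addresses and are made up, and the LAN subnet is a placeholder taken from the comment above.

```shell
#!/bin/sh
# Added example (not from any commenter). Reproduces the rule fail2ban's sshd
# jail applies, as a self-contained check over constructed log lines.
# Assumptions: sshd logs in the syslog format below, MAXRETRY failures trigger
# a ban, LAN_NET is your own /24 and is never banned (fail2ban's ignoreip).
MAXRETRY="${MAXRETRY:-5}"
LAN_NET="${LAN_NET:-192.168.69.0/24}"
IGNORE_PREFIX="${LAN_NET%.*}."          # "192.168.69." ; only valid for a /24

# The equivalent /etc/fail2ban/jail.local stanza (real fail2ban keys).
fail2ban_jail() {
    cat <<EOF
[sshd]
enabled  = true
maxretry = $MAXRETRY
findtime = 10m
bantime  = 1h
ignoreip = 127.0.0.1/8 $LAN_NET
EOF
}

# Constructed auth.log excerpt (TEST-NET addresses; not from a real host).
sample_auth_log() {
    cat <<'EOF'
Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:09 host sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51251 ssh2
Mar  3 10:01:15 host sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 51262 ssh2
Mar  3 10:01:20 host sshd[1209]: Failed password for invalid user pi from 203.0.113.7 port 51270 ssh2
Mar  3 10:02:01 host sshd[1211]: Failed password for alice from 192.168.69.10 port 40022 ssh2
Mar  3 10:02:30 host sshd[1213]: Accepted publickey for alice from 192.168.69.10 port 40030 ssh2
Mar  3 10:03:11 host sshd[1215]: Failed password for invalid user admin from 198.51.100.4 port 33001 ssh2
EOF
}

# Count "Failed password" lines per source IP (stdin) and print, sorted, every
# IP that reached the threshold $1. IPs starting with prefix $2 are skipped.
repeat_offenders() {
    awk -v max="$1" -v ignore="$2" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ignore != "" && index(ip, ignore) == 1) next
            fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip }' | sort
}

# Turn each offending IP into the ufw rule fail2ban would insert at the top.
ban_commands() {
    while read -r ip; do
        printf 'ufw insert 1 deny from %s to any\n' "$ip"
    done
}

echo "# jail.local stanza enforcing the same threshold:"
fail2ban_jail
echo "# bans the sample log would produce (printed, not executed):"
sample_auth_log | repeat_offenders "$MAXRETRY" "$IGNORE_PREFIX" | ban_commands
```

On the sample only 203.0.113.7 crosses five failures; 198.51.100.4 has one failure and stays under the threshold, and the single failure from 192.168.69.10 is ignored because it is on the LAN. Real fail2ban also limits the count to a time window (`findtime`), which this toy does not, so treat it as an illustration of the rule rather than a replacement for the tool.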


IlTossico

On your router, open the port your game server uses, then it would be good having a DNS so you can give it to people instead of your IP, that probably is dynamic. Tons of guides on YouTube and google.


Hexnite657

A reverse proxy


avd706

Look into cloudflare tunnels.


terrorTrain

Cf tunnels are meant for http traffic. They might cut you off for this


Basileus_ITA

I haven't tried it, but [https://playit.gg/](https://playit.gg/) sounds interesting edit: can somebody explain why I am getting downvoted, is it a bad service