Secure Internal Network Setup: Bastion Host, Port Forwarding, Time Sync & User Management

Building the Internal Network

The bastion host requires two NICs—one facing outward and one inward—while internal servers need only one NIC. IPs can be assigned manually or via DHCP. For a single internal machine, a direct Ethernet cable works; for multiple machines, a router with advanced, customizable features is recommended.

Port Forwarding

There are three ways to access internal servers from outside:

The simplest method is to SSH into the bastion host, then SSH into the internal server. This requires accounts on both machines, which may be undesirable if the bastion should remain transparent to users.

Using an SSH tunnel via the bastion can forward external requests to the internal network, though setting up tunnels can be cumbersome.

The most convenient solution is port forwarding: map a port on the bastion (e.g., 1234) to a port on the internal server (e.g., 22). Then connecting with ssh -p 1234 <bastion server IP> actually logs into the internal server. Port forwarding essentially turns the bastion into a router.

Time Calibration

Isolated servers often have inaccurate clocks due to BIOS drift or misconfiguration. Manual setting lacks precision and can drift over time. Using NTP provides accurate synchronization, but internal networks cannot reach public NTP servers. Configure the bastion as an NTP server and have internal machines synchronize to it. Alternatively, set the bastion as a gateway and enable forwarding so internal servers can access external NTP sources, though this may not be desired.

User Management

User management includes bulk creation/deletion, grouping, permission control, disk quotas, and login time restrictions.

Bulk Adding/Deleting Users

The following script reads a file containing usernames and passwords and creates each user. Note that the

useradd

-p

option requires a crypt‑encrypted password, not the plain text password. On CentOS 7, generate the encrypted password with openssl passwd -crypt $password or use mkpasswd.

Limiting User Disk Space

Use the quota command to restrict each user or group’s disk usage. For XFS filesystems, use xfs_quota. Ensure the kernel is newer than 2.4 and mount the filesystem with usrquota and grpquota options in /etc/fstab.

Restricting User Login Times

To allow students to log in only during reserved periods, edit /etc/security/time.conf to define allowed or denied login times, then modify /etc/pam.d/login by adding account required pam_time.so after the auth line. This method limits login by weekday but not by specific dates, which fits weekly reservation schedules.

Killing All Processes of a User

Convenient commands include killall and pkill. For more control, combine ps, grep, and kill to target specific processes.