Hi guys,
This is a bit beyond the Linux notebook forum, since it's a more general topic (not only Linux and notebooks particularly), but since I know there are a couple of seasoned Linux geeks here, perhaps someone could 'kick' me or have a hint ...
Goal: securing a virtual machine on a Linux server
Setup: host system CentOS 5.3 with the planned virtual (guest) OS again Linux CentOS; HW: IBM x3650 series server (Intel platform)
Situation:
- the host OS Linux is set up inside the LAN behind a HW router/firewall and so has a 'false' IP (like the rest of the LAN); masquerading/netfiltering is taken care of on the HW router, so security of this Linux machine is not a big issue (outside -> inside access)
- the host OS is acting as a gateway for the Windows machines, in order to have control over the net traffic (I could do the same on the HW router/firewall, but the tools there are more 'crude'), so I use the squid proxy to control HTTP access, ntop to check LAN traffic etc., also samba for folder sharing, apache for the intranet ... simply a handy machine :.)
Task:
I need to set up an IBM Sametime server (something like asterisk, simply a communication server for videoconferencing) for communication between company branches.
In order to do that I need this server to have a public IP, and as such it is going to be opened to the outside world (danger of compromising).
Possible solution:
I will not talk about buying proprietary HW just for running this single service (unnecessary costs), so I chose the road of virtualization ..
What I plan to do:
- add a new network card to the server, dedicate it just to the virtual machine in bridging mode, and install the virtual machine (Linux) with the Sametime server
My big Q:
Where would you take care of security if you were in my place?
My choices are:
- netfilter (iptables) on the host machine
- netfilter on the guest machine
- a combination of both?
Logically, since all traffic goes through the host, I'd be tempted to filter traffic on the host, but perhaps someone here has a different opinion / experience?
Thanks guys for reading; as I said it's a bit overstretching the notebook forum, but anyway, I know that ppl reading the Linux forum are computer fans and like to broaden their horizons, so I shared my thoughts and Q here :.))
-
Here is what I would do:
Assign whatever public IP you need as an alias on your firewall.
Issue your virtual machine a static, NAT'd IP address from inside your network, and then port forward whatever ports Sametime needs through the firewall'd public IP to the internal IP.
It's easy, secure, and wouldn't involve the purchase of any additional hardware.
-
inet interface (radio) -> manageable switch -> router -> LAN with Linux server
-> virtual machine with public ip
This way I completely avoid the LAN and just connect the VM NIC to the 'outer world' and secure it with iptables - either on the virtual box or the host system.
-
I would think it would be more secure restricting inbound access rather than opening the VM up entirely to the outside world.
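As an added example (not posted by anyone in this thread), here is what the two approaches discussed above look like as concrete netfilter rulesets: a host/firewall-side ruleset that port-forwards only the Sametime ports from the public alias IP to a NAT'd guest and drops every other inbound forward, and a guest-side INPUT ruleset for the bridged-NIC variant where the VM sits directly on the outside. The addresses, interface names, admin network and the port list are placeholders (assumed values, not from the thread); the real port list comes from the Sametime documentation.

```shell
#!/bin/sh
# Added example: generate iptables-restore rulesets for the two setups
# discussed in the thread. Everything below is a placeholder assumption.

PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # alias on the firewall's outside interface (TEST-NET placeholder)
VM_IP="${VM_IP:-192.168.10.50}"          # static internal (NAT'd) address of the guest (placeholder)
WAN_IF="${WAN_IF:-eth0}"                 # interface facing the internet (assumed name)
LAN_IF="${LAN_IF:-eth1}"                 # interface facing the guest's internal segment (assumed name)
ADMIN_NET="${ADMIN_NET:-192.168.1.0/24}" # network allowed to SSH into the guest (placeholder)
# Ports to expose: placeholder list, replace with the ports Sametime actually needs.
SAMETIME_TCP_PORTS="${SAMETIME_TCP_PORTS:-80 443 1533}"

# Host/firewall side: DNAT only the listed ports to the guest, SNAT its replies
# back to the public alias, and default-DROP everything else being forwarded.
gen_host_rules() {
    printf '*nat\n'
    printf ':PREROUTING ACCEPT [0:0]\n:POSTROUTING ACCEPT [0:0]\n'
    for p in $SAMETIME_TCP_PORTS; do
        printf -- '-A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
            "$WAN_IF" "$PUBLIC_IP" "$p" "$VM_IP" "$p"
    done
    printf -- '-A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' "$WAN_IF" "$VM_IP" "$PUBLIC_IP"
    printf 'COMMIT\n'
    printf '*filter\n'
    printf ':FORWARD DROP [0:0]\n'
    # replies and related traffic in either direction
    printf -- '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    # new inbound connections only to the guest and only on the exposed ports
    for p in $SAMETIME_TCP_PORTS; do
        printf -- '-A FORWARD -i %s -o %s -d %s -p tcp --dport %s -m state --state NEW -j ACCEPT\n' \
            "$WAN_IF" "$LAN_IF" "$VM_IP" "$p"
    done
    # the guest may open outbound connections (updates etc.); log whatever hits the DROP policy
    printf -- '-A FORWARD -i %s -s %s -j ACCEPT\n' "$LAN_IF" "$VM_IP"
    printf -- '-A FORWARD -j LOG --log-prefix "FWD-DROP: "\n'
    printf 'COMMIT\n'
}

# Guest side (bridged NIC on the outside): default-DROP INPUT, accept only the
# service ports plus SSH from the admin network; the host then needs no forwarding rules.
gen_guest_rules() {
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    for p in $SAMETIME_TCP_PORTS; do
        printf -- '-A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$p"
    done
    printf -- '-A INPUT -s %s -p tcp --dport 22 -m state --state NEW -j ACCEPT\n' "$ADMIN_NET"
    printf -- '-A INPUT -j LOG --log-prefix "IN-DROP: "\n'
    printf 'COMMIT\n'
}

# Sanity helper: number of ports actually forwarded by the host ruleset.
count_dnat_rules() {
    gen_host_rules | grep -c -- '-j DNAT'
}

# Print both rulesets; feed the one you use into iptables-restore on that machine.
gen_host_rules
gen_guest_rules
```

Either ruleset is applied with `iptables-restore`, and the LOG lines give you a record in syslog of what the DROP policy is catching, which is the quickest way to find a port you forgot to open.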
Security of virtual machines and hosts on linux - practical example and Q :.)
Discussion in 'Linux Compatibility and Software' started by helikaon, Jul 24, 2009.