This project shows how you can create a mini, segmented network—like you’d find in a company—using just one Linux server. It uses “network namespaces,” so you can simulate different devices or subnets (like a main PC, a guest device, and an IoT gadget) without buying more hardware or cloud servers.
I wanted to practice real-world network security and segmentation in a low-cost way, without renting lots of machines. I wanted to know if you could build and test proper firewall rules—just like a network engineer—in a safe, single-server environment.
- Simulate 3 “zones”: primary, guest, iot.
- Let primary talk to everyone, guest talk to iot, and block iot from talking to anyone else.
- Make it as close as possible to a real network, so I could test, troubleshoot, and truly understand segmentation.
| Source | Destination | Allowed? | Method | Comment |
|---|---|---|---|---|
| Primary | Guest | YES | Direct veth | Full access |
| Primary | IoT | YES | Direct veth | Full access |
| Guest | IoT | YES | Bridge (br-vlan) | Allowed, initiates to IoT |
| IoT | Guest | NO | Bridge (br-vlan) | Blocked by iptables |
| Guest | Primary | NO | - | Network unreachable |
| IoT | Primary | NO | - | Network unreachable |
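To run the matrix above as an automated check rather than six hand-typed pings, here is an added example script (not part of the original repository). It assumes the addresses used in the README's manual tests (10.10.2.2 and 10.10.3.2 for the host-facing guest/IoT veths, 10.10.10.2 and 10.10.10.3 on br-vlan, 10.10.1.2 as the host address) and that it runs as root on the host, because `ip netns exec` requires it. The ping executor is injectable, so the pass/fail logic can be exercised without namespaces.

```python
#!/usr/bin/env python3
"""Automated connectivity check for the segmentation matrix.

Added example, not code from the original repository. Addresses are the ones
the README's manual tests use (assumed, see lead-in). Must run as root on the
host because `ip netns exec` needs it.
"""
import subprocess
from typing import Callable, List, Optional, Tuple

# Expected policy, one row per table entry:
# (label, source namespace or None for the host, destination IP, should succeed)
MATRIX: List[Tuple[str, Optional[str], str, bool]] = [
    ("primary -> guest", None, "10.10.2.2", True),
    ("primary -> iot", None, "10.10.3.2", True),
    ("guest -> iot", "guestns", "10.10.10.3", True),
    ("iot -> guest", "iotns", "10.10.10.2", False),
    ("guest -> primary", "guestns", "10.10.1.2", False),
    ("iot -> primary", "iotns", "10.10.1.2", False),
]


def ping_argv(ns: Optional[str], dst: str) -> List[str]:
    """Build the ping command, wrapped in `ip netns exec` when a namespace is given.
    -W 1 bounds each reply wait so a blocked path fails fast instead of hanging."""
    cmd = ["ping", "-c", "3", "-W", "1", dst]
    return cmd if ns is None else ["ip", "netns", "exec", ns] + cmd


def ping_reachable(ns: Optional[str], dst: str) -> bool:
    """Real executor: ping exits 0 only if at least one reply came back."""
    return subprocess.run(ping_argv(ns, dst), capture_output=True).returncode == 0


def run_matrix(reachable: Callable[[Optional[str], str], bool] = ping_reachable):
    """Run every row and return (label, expected, observed, passed) tuples.
    The executor is injectable so the comparison logic can be tested offline."""
    results = []
    for label, ns, dst, expected in MATRIX:
        observed = reachable(ns, dst)
        results.append((label, expected, observed, observed == expected))
    return results


def all_passed(results) -> bool:
    """True only if every row matched the policy (no leak, no over-blocking)."""
    return all(passed for _, _, _, passed in results)


if __name__ == "__main__":
    res = run_matrix()
    for label, expected, observed, passed in res:
        verdict = "PASS" if passed else "FAIL"
        print(f"{verdict} {label:18s} expected={'allow' if expected else 'block'} "
              f"observed={'allow' if observed else 'block'}")
    raise SystemExit(0 if all_passed(res) else 1)
```

Run it as root after `./setup/network_setup.sh`; exit status 0 means every row matched the table, 1 means at least one zone leaked or was over-blocked. A leak (IoT reaching Guest) and an over-block (Guest failing to reach IoT) both show up as FAIL, which is the point: segmentation is verified in both directions.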
- Linux network namespaces: To make each “zone” feel like its own device.
- Bridges and veth pairs: To connect the namespaces as you’d connect real hardware.
- UFW and iptables: To make firewall rules and control who can talk to whom.
- Ping, netcat, arping: To test if traffic is really allowed or blocked.
- Bash scripts: To automate setup and cleanup.
```bash
# 1. Create network namespaces
ip netns add guestns
ip netns add iotns

# 2. Create veth pairs
ip link add veth-guest type veth peer name veth-guest-br
ip link add veth-iot type veth peer name veth-iot-br

# 3. Create and bring up a bridge
ip link add name br-vlan type bridge
ip link set br-vlan up

# 4. Attach veths to the bridge and namespaces
ip link set veth-guest-br master br-vlan
ip link set veth-guest-br up
ip link set veth-guest netns guestns
ip netns exec guestns ip link set veth-guest up
ip link set veth-iot-br master br-vlan
ip link set veth-iot-br up
ip link set veth-iot netns iotns
ip netns exec iotns ip link set veth-iot up

# 5. Set IP addresses
ip netns exec guestns ip addr add 10.10.10.2/24 dev veth-guest
ip netns exec iotns ip addr add 10.10.10.3/24 dev veth-iot

# 6. Set up iptables (one-way trust in guestns)
ip netns exec guestns iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip netns exec guestns iptables -A INPUT -s 10.10.10.3 -j DROP
```

- At first, all my “devices” could still talk freely—the firewall wasn’t working as I expected on a single server.
- Local Linux interfaces sometimes bypass normal firewall rules—I had to learn about “forwarded” and “local” traffic.
- Routing and ARP confusion: If you don’t clean up or reset IP addresses/veths, things just don’t work.
- Used network namespaces to simulate true physical separation.
- Made a Linux bridge to join guest and IoT as if on the same switch, but used iptables for one-way trust.
- Cleaned and re-set each setup step (reset IPs, flush routes), and tested layer by layer (ARP, ping, then firewall).
- Used stateful iptables rules (ESTABLISHED,RELATED) so replies to allowed requests worked—but new connections from blocked zones didn’t.
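The order of those two rules matters: iptables evaluates INPUT top to bottom, so if the DROP for 10.10.10.3 came before the ESTABLISHED,RELATED ACCEPT, the replies IoT sends back to guest-initiated connections would be dropped as well, and "guest to IoT" would look broken even though guest is the trusted side. The following added example (not part of the original repository) parses the output of `iptables -L INPUT -v -n`, the troubleshooting command used in the quick start, and reports when either rule is missing or the two are in the wrong order. The sample listing inside it is constructed; `audit_live_guestns` runs the real command inside the namespace and needs root.

```python
#!/usr/bin/env python3
"""Audit the one-way trust rules in guestns for presence and safe ordering.

Added example, not code from the original repository. Reads the text that
`iptables -L INPUT -v -n` prints and checks that the stateful ACCEPT exists
and sits before the DROP for the IoT address.
"""
import subprocess
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    position: int      # 1-based position in the chain, i.e. evaluation order
    target: str
    source: str
    destination: str
    match: str         # trailing match text, e.g. "state RELATED,ESTABLISHED"


def parse_input_chain(listing: str) -> List[Rule]:
    """Parse `iptables -L INPUT -v -n` output into Rule entries, in chain order."""
    rules: List[Rule] = []
    for line in listing.splitlines():
        parts = line.split()
        # skip the "Chain INPUT (policy ...)" line, the column header and blanks
        if len(parts) < 9 or parts[0] in ("Chain", "pkts"):
            continue
        # columns: pkts bytes target prot opt in out source destination [match...]
        rules.append(Rule(len(rules) + 1, parts[2], parts[7], parts[8],
                          " ".join(parts[9:])))
    return rules


def audit_one_way_trust(listing: str, blocked_src: str) -> List[str]:
    """Return a list of findings; an empty list means the chain is as intended."""
    rules = parse_input_chain(listing)
    # iptables prints "state" (legacy) or "ctstate" (nft backend); either is fine
    state_accept: Optional[Rule] = next(
        (r for r in rules if r.target == "ACCEPT" and "ESTABLISHED" in r.match), None)
    drop: Optional[Rule] = next(
        (r for r in rules if r.target == "DROP" and r.source == blocked_src), None)

    findings: List[str] = []
    if state_accept is None:
        findings.append("no ACCEPT rule for ESTABLISHED,RELATED: replies to guest-initiated "
                        f"connections from {blocked_src} will not get through")
    if drop is None:
        findings.append(f"no DROP rule for source {blocked_src}: the blocked zone can "
                        "open new connections to this namespace")
    if state_accept is not None and drop is not None and drop.position < state_accept.position:
        findings.append(f"DROP for {blocked_src} (rule {drop.position}) precedes the stateful "
                        f"ACCEPT (rule {state_accept.position}); move the ACCEPT first or "
                        "replies from the blocked zone are dropped too")
    return findings


# Constructed sample of what the listing looks like with the README's two rules
# applied in the intended order; the packet counters are made up.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 12 packets, 1008 bytes)
 pkts bytes target     prot opt in     out     source               destination
    6   504 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    3   252 DROP       all  --  *      *       10.10.10.3           0.0.0.0/0
"""


def audit_live_guestns(ns: str = "guestns", blocked_src: str = "10.10.10.3") -> List[str]:
    """Run the real listing command inside the namespace (needs root) and audit it."""
    out = subprocess.run(["ip", "netns", "exec", ns, "iptables", "-L", "INPUT", "-v", "-n"],
                         capture_output=True, text=True, check=True).stdout
    return audit_one_way_trust(out, blocked_src)


if __name__ == "__main__":
    for finding in audit_one_way_trust(SAMPLE_LISTING, "10.10.10.3") or ["OK: rules in safe order"]:
        print(finding)
```

Running the file as-is audits the constructed sample; on the real host, call `audit_live_guestns()` as root after the setup script to audit the namespace you actually built.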
- You can create realistic, secure, segmented networks using just one VPS and free Linux features.
- Firewall testing is tricky if you don’t understand how Linux routes internal vs. external traffic.
- Documenting every step and testing with simple tools (ping/arping/netcat) makes troubleshooting manageable.
- Network security is as much about testing and verification as it is about writing the rules!
Screenshots from the test runs (captions only):

- Guest can talk to IoT — allowed
- IoT cannot talk to Guest — denied, as per firewall rules
- Firewall setup in guest namespace
- Host/Primary can reach both Guest and IoT

- How to Run or Test (Quick Start)

Clone the repo and run the setup script:

```bash
git clone https://github.com/100dollarguy/vps-network-segmentation-demo.git
```

For setup, use:

```bash
./setup/network_setup.sh
```

For cleanup, use:

```bash
./teardown/network_cleanup.sh
```

Or, to test manually, use these commands one by one:

- Test: Primary (host) to Guest (direct veth)

  ```bash
  ping -c 3 10.10.2.2 # Should SUCCEED
  ```

- Test: Primary (host) to IoT (direct veth)

  ```bash
  ping -c 3 10.10.3.2 # Should SUCCEED
  ```

- Test: Guest to IoT (over the bridge)

  ```bash
  sudo ip netns exec guestns ping -c 3 10.10.10.3 # Should SUCCEED
  ```

- Test: IoT to Guest (over the bridge)

  ```bash
  sudo ip netns exec iotns ping -c 3 10.10.10.2 # Should FAIL (blocked by firewall)
  ```

- Test: Guest to Primary (Should NOT be allowed if segmentation enforced)

  ```bash
  sudo ip netns exec guestns ping -c 3 10.10.1.2 # Should FAIL (network unreachable or timeout)
  ```

- Test: IoT to Primary (Should NOT be allowed if segmentation enforced)

  ```bash
  sudo ip netns exec iotns ping -c 3 10.10.1.2 # Should FAIL (network unreachable or timeout)
  ```

- Show firewall rules in guest namespace (for troubleshooting)

  ```bash
  sudo ip netns exec guestns iptables -L INPUT -v -n
  ```

This project is licensed under the MIT License. You're free to use, modify, and share it — personally or commercially.
Feel free to fork it, improve it for your own setup, or share with others!

