Sunday, 29 September 2013

How to safely host proofing site without exposing the host

I am setting up a network. In this network, we have:

1) 4 Development machines (3 Windows, 1 Mac)
2) 1 Server (Ubuntu)
3) 1 Router (WRT54GL with Tomato)
4) 1 Cable Modem

As this is for web development, we have several stages in our production
cycle. We are using Git for version control, and XAMPP on each machine to
host the website. Each machine hosts its own full copy of the website, but
all machines share the same database since Git does not handle versioning
for that. We use Git hooks to back up the database on pulls/pushes, and cron
jobs run to back it up as well.

Therefore, a typical workflow would be as such:

1) Each developer works on the site on their own local copy from the Git bare
repo.
2) Each developer pulls, then commits and pushes their changes to the bare
repo.
3) After this, we go to a staging environment where we ensure everything is
going to work on a totally different setup than the development machines.
This environment is still using the same database as for development.
4) From there, we would upload the changes to the FTP.

The question is, I need a way to host the site on our local machine in a
step AFTER the staging environment but BEFORE going to their remote server
(a stage called proofing) so that clients can view the site, suggest
modifications, etc. I want to know how to do this as securely as possible.

I have most of this set up. We are using a WRT54GL router, which connects
to afraid.org free DNS, and we will update the dynamic IP using the query
string supplied by afraid.org in the firmware settings of Tomato. The site
will not be live all the time. The server gets shut down at night and does
not come on until morning. It is off on weekends. Once the site is out of
proofing, it will be taken off from being hosted on our local server and
be pushed to FTP, on to be live on a remote web server. Proofing uses a
different database for security / integrity reasons.

I cannot get a new machine to host this. It must be done on the same
machine that we do staging on and have the Git repo stored on. This
machine has AFP, FTP and SAMBA shares, VNC and SSH. Data is backed up
remotely, on external drives, and another server.

Is there any way I can put the 'proofing stage' on a Virtual Machine,
allowing web access there, etc., while limiting requests to the host
(remember, it is running XAMPP, too)? Can I force external / non-LAN
requests to port 80 to be pushed to the VM and ignored by the host? How
can I protect our local sites for development, while allowing remote
access to the sites in the proofing stage?

Ideally, I would be able to have an entirely separate machine isolated
from the rest of the LAN to do this, but in this case it is not possible.
I know how to set up virtual hosts, virtual machines, etc. and will be
installing some security software to protect mission-critical files from
being had through the internet.

I have a picture of the theoretical setup, but cannot post it due to
reputation.
