Join Log in
Score:0
avatar Server

OpenVPN + iptables - define valid routes

bq flag
No1Lives4Ever

I have a bastion servers which accept users via OpenVPN. The bastion has two network adapters: one leg on the internet and the other leg on a private network. Each user has different IP address and different places where he can visit inside the private network.

For example: the user John has the static IP 10.8.0.1, on OpenVPN. John can only access this IP address 10.8.1.1, inside the internal network. Any other place that John will try to access should be blocked.

I tried to do something like this:

iptables -A FORWARD -p tcp --source 10.8.0.1 --destination 10.8.1.1 -j ACCEPT

The default policy for INPUT,OUTPUT and FORWARD is block.

I was expected that will allow John access his resource. But actually all his requests are being blocked.

What I'm doing wrong?

Update 1

Adding the full code:

#!/bin/sh
# flush all
iptables -F
iptables -X

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A FORWARD -p tcp --source 10.8.0.1 --destination 10.8.1.1 -j ACCEPT

# make sure nothing comes or goes out of this box
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
48
0 + 0
Michael Hampton avatar
cz flag
Michael Hampton
The rest of it seems reasonable. But why do you allow the traffic in only one direction?
2
Reply
in flag
NiKiZe
when you want to understand traffic flow, tcpdump or similar is a great tool, run it on one interface, and then on the other and try to understand the flow of traffic and where it "is last seen" And to debug iptables, creating rules for specific parts, and then check with for example  `iptables -vnL` to see the counters and if the rule gets hit has helped me several times.
0
Reply
bq flag
No1Lives4Ever
I've logged the traffic and saw that the opposite direction is my problem (10.8.1.1 -> 10.8.0.1). How to solve it? It should be the same FORWARD command when the `source` and the `destination` is the opposite?
0
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.