I have a bastion server running OpenVPN on port 7777. Each OpenVPN client has a static IP fixed for them. I'm using iptables to define which routes a client can take.
My server is also running SSH on port 22.
My first client is unique because he has access to everything. His fixed IP address is 10.8.0.1. This client can also connect over SSH, using the internal machine IP, to gain SSH control of the machine.
So, I tried this rule set:
#!/bin/sh
# flush all
iptables -F
iptables -X
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#allow ssh
iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#allow openvpn
iptables -A INPUT -p udp --dport 7777 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp --sport 7777 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow everywhere for client `10.8.0.1`
iptables -A FORWARD --source 10.8.0.1 -j ACCEPT
iptables -A FORWARD --destination 10.8.0.1 -j ACCEPT
The problem I'm facing is that 10.8.0.1 can do everything on the network, except make new SSH connections to the bastion machine. Existing SSH connections remain without problems, even after setting up those rules.
Why?
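An added example, not part of the question and not an answer to it: a small Python model of the three chains exactly as the posted script builds them, so each packet class can be walked through the rules in order. The interface names (`tun0`, `eth0`), the bastion's internal address `192.0.2.10`, the LAN host, the public endpoint addresses and the conntrack states are all constructed and supplied by hand; nothing is tracked as the kernel would. What the walk makes visible is that the OUTPUT chain accepts only the reply side of SSH and OpenVPN sessions, so any connection the bastion itself originates (a DNS lookup is the constructed case) falls through to the DROP policy, while new SSH from 10.8.0.1 is accepted by INPUT as written. Comparing such a per-chain walk against the live counters from `iptables -L -v -n` is how a practitioner finds which chain a failing flow actually dies in.

```python
"""Model of the posted iptables rule set (constructed example, not the question's own code)."""
from dataclasses import dataclass

VPN_CLIENT = "10.8.0.1"          # the privileged client from the question
BASTION_INTERNAL = "192.0.2.10"  # constructed: the bastion's internal machine IP
LAN_HOST = "192.0.2.50"          # constructed: a host reachable only through the bastion
BASTION_PUBLIC = "198.51.100.1"  # constructed: address the OpenVPN server listens on
CLIENT_PUBLIC = "203.0.113.7"    # constructed: where the client's UDP comes from


@dataclass(frozen=True)
class Packet:
    chain: str   # "INPUT", "OUTPUT" or "FORWARD"
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    state: str   # conntrack state, supplied by hand: "NEW" or "ESTABLISHED"
    iface: str   # -i for INPUT, -o for OUTPUT; not used by the FORWARD rules


def evaluate(pkt: Packet) -> str:
    """Walk the posted rules in order; every chain's policy is DROP."""
    if pkt.chain == "INPUT":
        if pkt.iface == "lo":
            return "ACCEPT"                                   # -i lo
        if pkt.proto == "tcp" and pkt.dport == 22 and pkt.state in ("NEW", "ESTABLISHED"):
            return "ACCEPT"                                   # --dport 22 NEW,ESTABLISHED
        if pkt.proto == "udp" and pkt.dport == 7777 and pkt.state in ("NEW", "ESTABLISHED"):
            return "ACCEPT"                                   # --dport 7777 NEW,ESTABLISHED
        return "DROP"
    if pkt.chain == "OUTPUT":
        if pkt.iface == "lo":
            return "ACCEPT"                                   # -o lo
        if pkt.proto == "tcp" and pkt.sport == 22 and pkt.state == "ESTABLISHED":
            return "ACCEPT"                                   # --sport 22 ESTABLISHED
        if pkt.proto == "udp" and pkt.sport == 7777 and pkt.state == "ESTABLISHED":
            return "ACCEPT"                                   # --sport 7777 ESTABLISHED
        return "DROP"                                         # anything the bastion starts itself
    if pkt.chain == "FORWARD":
        if pkt.src == VPN_CLIENT or pkt.dst == VPN_CLIENT:
            return "ACCEPT"                                   # --source / --destination 10.8.0.1
        return "DROP"
    raise ValueError(f"unknown chain {pkt.chain!r}")


# Constructed packets covering the flows the question describes.
CASES = {
    "ssh from VPN client to bastion, first packet":
        Packet("INPUT", "tcp", VPN_CLIENT, BASTION_INTERNAL, 51000, 22, "NEW", "tun0"),
    "ssh reply from bastion to VPN client":
        Packet("OUTPUT", "tcp", BASTION_INTERNAL, VPN_CLIENT, 22, 51000, "ESTABLISHED", "tun0"),
    "openvpn datagram carrying that reply":
        Packet("OUTPUT", "udp", BASTION_PUBLIC, CLIENT_PUBLIC, 7777, 1194, "ESTABLISHED", "eth0"),
    "dns lookup the bastion itself starts":
        Packet("OUTPUT", "udp", BASTION_INTERNAL, "192.0.2.53", 40000, 53, "NEW", "eth0"),
    "VPN client reaching a LAN host through the bastion":
        Packet("FORWARD", "tcp", VPN_CLIENT, LAN_HOST, 52000, 443, "NEW", "tun0"),
    "another VPN client reaching the same LAN host":
        Packet("FORWARD", "tcp", "10.8.0.2", LAN_HOST, 52001, 443, "NEW", "tun0"),
}


def trace() -> dict:
    """Verdict for every constructed packet, keyed by its description."""
    return {name: evaluate(pkt) for name, pkt in CASES.items()}


def output_drops() -> list:
    """Descriptions of locally originated packets that hit OUTPUT's DROP policy."""
    return [name for name, pkt in CASES.items()
            if pkt.chain == "OUTPUT" and evaluate(pkt) == "DROP"]


if __name__ == "__main__":
    for name, verdict in trace().items():
        print(f"{verdict:6} {name}")
```

Run it and compare the verdict column with the packet counters on the real chains: a counter climbing on the policy line of a chain the model says should accept is the place to add a `LOG` rule just before the policy and look at what the kernel is actually seeing.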