Restrict access from specific IP address

ivancd
OpenVpn Newbie
Posts: 5
Joined: Wed Jul 09, 2014 12:52 pm


Post by ivancd » Mon Apr 18, 2016 8:55 am

Hi all,
I'm trying to restrict access so that a connection can only be established from our offices. For example, we have 2 offices with x.x.x.x and y.y.y.y, so I would like only those two IPs to have access and be able to establish a connection to our VPN.

Any hints on it?

Kind regards
Ivan

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Restrict access from specific IP address

Post by Traffic » Mon Apr 18, 2016 11:46 am

Manage access with your firewall.

ivancd
OpenVpn Newbie
Posts: 5
Joined: Wed Jul 09, 2014 12:52 pm

Re: Restrict access from specific IP address

Post by ivancd » Mon Apr 18, 2016 2:52 pm

I tried that; I put the rules in the INPUT chain. For example, for one office I put in the following rules:
iptables -I INPUT ! -s x.x.x.x -p tcp --dport 943 -m state --state NEW,ESTABLISHED,RELATED -j REJECT
iptables -I INPUT ! -s x.x.x.x -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j REJECT
iptables -I INPUT ! -s x.x.x.x -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j REJECT

So then I can't connect to the VPN and I can't see the web interface in the browser using the x.x.x.x IP address. I don't know why.
Any hints or solutions about the firewall? Or should I manage it via the OpenVPN GUI?

Also, I tried deleting all the rules in iptables and adding the above rules, and it works for establishing a connection (on port 443), but I can't establish one on 1194 or open web access. And when I restart the openvpn service it adds its rules and then everything is open again.

Here is what I have in iptables currently:

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
AS0_ACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_ACCEPT  all  --  anywhere             anywhere            
AS0_IN_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
AS0_ACCEPT  udp  --  anywhere             z.z.z.z    state NEW udp dpt:openvpn
AS0_ACCEPT  tcp  --  anywhere             z.z.z.z    state NEW tcp dpt:https
AS0_WEBACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_WEBACCEPT  tcp  --  anywhere             z.z.z.z    state NEW tcp dpt:943

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
AS0_ACCEPT  all  --  anywhere             anywhere             state RELATED,ESTABLISHED
AS0_IN_PRE  all  --  anywhere             anywhere             mark match 0x2000000/0x2000000
AS0_OUT_S2C  all  --  anywhere             anywhere            
ACCEPT     all  --  192.168.1.4          anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
AS0_OUT_LOCAL  all  --  anywhere             anywhere            

Chain AS0_ACCEPT (5 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_IN (3 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             DenLuGW             
AS0_IN_POST  all  --  anywhere             anywhere            

Chain AS0_IN_NAT (0 references)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere             MARK or 0x8000000
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_IN_POST (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             192.168.1.0/24      
ACCEPT     all  --  anywhere             172.17.0.0/16       
AS0_OUT    all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain AS0_IN_PRE (2 references)
target     prot opt source               destination         
AS0_IN     all  --  anywhere             192.168.0.0/16      
AS0_IN     all  --  anywhere             172.16.0.0/12       
AS0_IN     all  --  anywhere             10.0.0.0/8          
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_IN_ROUTE (0 references)
target     prot opt source               destination         
MARK       all  --  anywhere             anywhere             MARK or 0x4000000
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_OUT (2 references)
target     prot opt source               destination         
AS0_OUT_POST  all  --  anywhere             anywhere            

Chain AS0_OUT_LOCAL (1 references)
target     prot opt source               destination         
DROP       icmp --  anywhere             anywhere             icmp redirect
ACCEPT     all  --  anywhere             anywhere            

Chain AS0_OUT_POST (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain AS0_OUT_S2C (1 references)
target     prot opt source               destination         
AS0_OUT    all  --  anywhere             anywhere            

Chain AS0_WEBACCEPT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain FORWARD_IN_ZONES (0 references)
target     prot opt source               destination         
FWDI_public  all  --  anywhere             anywhere            [goto] 
FWDI_public  all  --  anywhere             anywhere            [goto] 
FWDI_public  all  --  anywhere             anywhere            [goto] 
FWDI_public  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_IN_ZONES_SOURCE (0 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (0 references)
target     prot opt source               destination         
FWDO_public  all  --  anywhere             anywhere            [goto] 
FWDO_public  all  --  anywhere             anywhere            [goto] 
FWDO_public  all  --  anywhere             anywhere            [goto] 
FWDO_public  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (0 references)
target     prot opt source               destination         

Chain FORWARD_direct (0 references)
target     prot opt source               destination         

Chain FWDI_public (4 references)
target     prot opt source               destination         
FWDI_public_log  all  --  anywhere             anywhere            
FWDI_public_deny  all  --  anywhere             anywhere            
FWDI_public_allow  all  --  anywhere             anywhere            

Chain FWDI_public_allow (1 references)
target     prot opt source               destination         

Chain FWDI_public_deny (1 references)
target     prot opt source               destination         

Chain FWDI_public_log (1 references)
target     prot opt source               destination         

Chain FWDO_public (4 references)
target     prot opt source               destination         
FWDO_public_log  all  --  anywhere             anywhere            
FWDO_public_deny  all  --  anywhere             anywhere            
FWDO_public_allow  all  --  anywhere             anywhere            

Chain FWDO_public_allow (1 references)
target     prot opt source               destination         

Chain FWDO_public_deny (1 references)
target     prot opt source               destination         

Chain FWDO_public_log (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (0 references)
target     prot opt source               destination         
IN_public  all  --  anywhere             anywhere            [goto] 
IN_public  all  --  anywhere             anywhere            [goto] 
IN_public  all  --  anywhere             anywhere            [goto] 
IN_public  all  --  anywhere             anywhere            [goto] 

Chain INPUT_ZONES_SOURCE (0 references)
target     prot opt source               destination         

Chain INPUT_direct (0 references)
target     prot opt source               destination         

Chain IN_public (4 references)
target     prot opt source               destination         
IN_public_log  all  --  anywhere             anywhere            
IN_public_deny  all  --  anywhere             anywhere            
IN_public_allow  all  --  anywhere             anywhere            

Chain IN_public_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW

Chain IN_public_deny (1 references)
target     prot opt source               destination         

Chain IN_public_log (1 references)
target     prot opt source               destination         

Chain OUTPUT_direct (0 references)
target     prot opt source               destination         

