Hi all,
I'm trying to restrict access so that a connection can only be established from the offices. For example, we have 2 offices with x.x.x.x and y.y.y.y, so I would like only those two IPs to have access and be able to establish a connection to our VPN.
Any hints on it?
Kind regards
Ivan
Restrict access from specific IP address
Posted by the original poster (OpenVpn Newbie, 5 posts, joined Wed Jul 09, 2014 12:52 pm)
Reply from Traffic (OpenVPN Protagonist, 4066 posts, joined Sat Aug 09, 2014 11:24 am)
Re: Restrict access from specific IP address
Manage access with your firewall.
Reply from the original poster (OpenVpn Newbie, 5 posts, joined Wed Jul 09, 2014 12:52 pm)
Re: Restrict access from specific IP address
I tried that; I have put rules in the INPUT chain. For example, for one office I have put the following rules:
iptables -I INPUT ! -s x.x.x.x -p tcp --dport 943 -m state --state NEW,ESTABLISHED,RELATED -j REJECT
iptables -I INPUT ! -s x.x.x.x -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j REJECT
iptables -I INPUT ! -s x.x.x.x -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j REJECT
Then I can't connect to the VPN and I can't reach it in the browser using the x.x.x.x IP address. I don't know why.
Any hints or solutions about the firewall? Or should I manage it via the OpenVPN GUI?
I also tried deleting all the rules in iptables and adding the above rules, and it works for establishing a connection (on port 443), but I can't establish one on 1194 and can't open web access. And when I restart the openvpn service it adds its rules back and then everything is open again.
Here is what I have in iptables currently:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_ACCEPT all -- anywhere anywhere
AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
AS0_ACCEPT udp -- anywhere z.z.z.z state NEW udp dpt:openvpn
AS0_ACCEPT tcp -- anywhere z.z.z.z state NEW tcp dpt:https
AS0_WEBACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_WEBACCEPT tcp -- anywhere z.z.z.z state NEW tcp dpt:943
Chain FORWARD (policy ACCEPT)
target prot opt source destination
AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
AS0_OUT_S2C all -- anywhere anywhere
ACCEPT all -- 192.168.1.4 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
AS0_OUT_LOCAL all -- anywhere anywhere
Chain AS0_ACCEPT (5 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain AS0_IN (3 references)
target prot opt source destination
ACCEPT all -- anywhere DenLuGW
AS0_IN_POST all -- anywhere anywhere
Chain AS0_IN_NAT (0 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x8000000
ACCEPT all -- anywhere anywhere
Chain AS0_IN_POST (1 references)
target prot opt source destination
ACCEPT all -- anywhere 192.168.1.0/24
ACCEPT all -- anywhere 172.17.0.0/16
AS0_OUT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain AS0_IN_PRE (2 references)
target prot opt source destination
AS0_IN all -- anywhere 192.168.0.0/16
AS0_IN all -- anywhere 172.16.0.0/12
AS0_IN all -- anywhere 10.0.0.0/8
ACCEPT all -- anywhere anywhere
Chain AS0_IN_ROUTE (0 references)
target prot opt source destination
MARK all -- anywhere anywhere MARK or 0x4000000
ACCEPT all -- anywhere anywhere
Chain AS0_OUT (2 references)
target prot opt source destination
AS0_OUT_POST all -- anywhere anywhere
Chain AS0_OUT_LOCAL (1 references)
target prot opt source destination
DROP icmp -- anywhere anywhere icmp redirect
ACCEPT all -- anywhere anywhere
Chain AS0_OUT_POST (1 references)
target prot opt source destination
DROP all -- anywhere anywhere
Chain AS0_OUT_S2C (1 references)
target prot opt source destination
AS0_OUT all -- anywhere anywhere
Chain AS0_WEBACCEPT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Chain FORWARD_IN_ZONES (0 references)
target prot opt source destination
FWDI_public all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]
FWDI_public all -- anywhere anywhere [goto]
Chain FORWARD_IN_ZONES_SOURCE (0 references)
target prot opt source destination
Chain FORWARD_OUT_ZONES (0 references)
target prot opt source destination
FWDO_public all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]
FWDO_public all -- anywhere anywhere [goto]
Chain FORWARD_OUT_ZONES_SOURCE (0 references)
target prot opt source destination
Chain FORWARD_direct (0 references)
target prot opt source destination
Chain FWDI_public (4 references)
target prot opt source destination
FWDI_public_log all -- anywhere anywhere
FWDI_public_deny all -- anywhere anywhere
FWDI_public_allow all -- anywhere anywhere
Chain FWDI_public_allow (1 references)
target prot opt source destination
Chain FWDI_public_deny (1 references)
target prot opt source destination
Chain FWDI_public_log (1 references)
target prot opt source destination
Chain FWDO_public (4 references)
target prot opt source destination
FWDO_public_log all -- anywhere anywhere
FWDO_public_deny all -- anywhere anywhere
FWDO_public_allow all -- anywhere anywhere
Chain FWDO_public_allow (1 references)
target prot opt source destination
Chain FWDO_public_deny (1 references)
target prot opt source destination
Chain FWDO_public_log (1 references)
target prot opt source destination
Chain INPUT_ZONES (0 references)
target prot opt source destination
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
IN_public all -- anywhere anywhere [goto]
Chain INPUT_ZONES_SOURCE (0 references)
target prot opt source destination
Chain INPUT_direct (0 references)
target prot opt source destination
Chain IN_public (4 references)
target prot opt source destination
IN_public_log all -- anywhere anywhere
IN_public_deny all -- anywhere anywhere
IN_public_allow all -- anywhere anywhere
Chain IN_public_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
Chain IN_public_deny (1 references)
target prot opt source destination
Chain IN_public_log (1 references)
target prot opt source destination
Chain OUTPUT_direct (0 references)
target prot opt source destination
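An added example (not from the thread or from OpenVPN) of doing the restriction with one dedicated allowlist chain instead of three separate REJECT rules: the listing above shows the service's own AS0_ACCEPT catch-all as the second INPUT rule, and the service re-adds those rules on restart, so the jumps into the allowlist must sit at positions 1 and 2 of INPUT and be checked again after every restart. The chain name, the office IPs (198.51.100.10 and 203.0.113.20 stand in for x.x.x.x and y.y.y.y) and the sample `iptables -S` output are constructed placeholders.

```shell
#!/bin/sh
# Added example: allowlist the office IPs for the Access Server ports from
# the post (443/tcp, 943/tcp, 1194/udp) via one chain jumped to from the top
# of INPUT. Chain name and IPs are placeholders, not values from the thread.
CHAIN=VPN_ALLOWLIST

# Print the iptables rule specs; $1 = chain name, remaining args = office IPs.
allowlist_rules() {
  chain=$1; shift
  echo "-N $chain"
  for ip in "$@"; do
    echo "-A $chain -s $ip -j RETURN"      # office traffic falls back to INPUT
  done
  echo "-A $chain -j REJECT"               # everyone else is refused
  echo "-I INPUT 1 -p tcp -m multiport --dports 443,943 -j $chain"
  echo "-I INPUT 2 -p udp --dport 1194 -j $chain"
}

# Apply the rules, removing any previous copy first so re-running is safe.
apply_allowlist() {
  chain=$1; shift
  iptables -D INPUT -p tcp -m multiport --dports 443,943 -j "$chain" 2>/dev/null || true
  iptables -D INPUT -p udp --dport 1194 -j "$chain" 2>/dev/null || true
  iptables -F "$chain" 2>/dev/null || true
  iptables -X "$chain" 2>/dev/null || true
  allowlist_rules "$chain" "$@" | while read -r spec; do
    # shellcheck disable=SC2086  # intentional word splitting of the spec
    iptables $spec
  done
}

# Read `iptables -S INPUT` output on stdin and return 0 only if the first two
# INPUT rules are our jumps, i.e. nothing (such as a re-added AS0_ACCEPT
# catch-all) has been inserted above them. Run after restarting the service.
allowlist_on_top() {
  chain=$1
  n=$(grep '^-A INPUT' | head -n 2 | grep -c -- "-j $chain" || true)
  [ "$n" -eq 2 ]
}

# Usage (requires root): apply, then verify it is still first after a restart.
#   apply_allowlist "$CHAIN" 198.51.100.10 203.0.113.20
#   iptables -S INPUT | allowlist_on_top "$CHAIN" || apply_allowlist "$CHAIN" ...
```

If the check fails after the openvpnas service restarts, re-run `apply_allowlist`; a cron job or a systemd unit ordered after the service is the usual place to automate that.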