server access control

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

bakulum
OpenVpn Newbie
Posts: 1
Joined: Sat Aug 27, 2022 10:52 am

server access control

Post by bakulum » Sat Aug 27, 2022 11:49 am

Hi,
How do I set access to the server and its services (ssh / webserver) only for the client?

In the Webmin panel I can see that the client is connected as IP 10.50.0.2 and its real IP xxxx.
But when I set hosts.allow in the ssh settings to 10.50.0. I cannot connect.
After entering the server's website, and then the website www.
PHP code "REMOTE_ADDR" shows the client's real IP, not the 10.50.0.2 IP.

My machine:
Debian 10 / Webmin / Openvpn server
Server setting:
client > server

iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.50.0.1/24 -o eth0 -j MASQUERADE
iptables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT
iptables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT
iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 10000 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 1194 -j ACCEPT
iptables -A INPUT -p udp --destination-port 1194 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 53 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 21 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 10000 -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 1194 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 1194 -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

Server Config

port 1194
proto udp
dev tun0
ca keys/brcone/ca.crt
cert keys/brcone/server-brc.crt
key keys/brcone/server-brc.key
dh keys/brcone/dh2048.pem
topology subnet
server 10.50.0.0 255.255.255.0
crl-verify keys/brcone/crl.pem
ifconfig-pool-persist servers/VpnBcr/logs/ipp.txt
cipher AES-256-CBC
user nobody
group nogroup
status servers/VpnBcr/logs/openvpn-status.log
verb 2
mute 20
max-clients 100
management 127.0.0.1 1024
keepalive 10 120
client-config-dir /etc/openvpn/servers/VpnBcr/ccd
comp-lzo
persist-key
persist-tun
log-append servers/VpnBcr/logs/openvpn.log
float
ccd-exclusive
topology subnet
auth SHA512
#push "dhcp-option DNS 8.8.8.8"
#push "redirect-gateway def1 bypass-dhcp"

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: server access control

Post by TinCanTech » Sat Aug 27, 2022 1:11 pm

We don't really support webmin here, however:
bakulum wrote:
Sat Aug 27, 2022 11:49 am
iptables -t nat -A POSTROUTING -s 10.50.0.1/24 -o eth0 -j MASQUERADE
is incorrect.

The correct source address (in your case) is 10.50.0.0/24
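Both problems visible in this thread, the host bits in the NAT source (-s 10.50.0.1/24 where 10.50.0.0/24 is meant) and INPUT rules that accept ssh/web on any interface although the goal is access for VPN clients only, can be caught by reading the rules before they are applied. The checker below is an added example, not code from the thread or from OpenVPN; the port list, the tunnel interface names and the sample rules are assumptions constructed from the ruleset posted above.

```python
import ipaddress
import shlex

# Constructed sample: a subset of the ruleset posted above, including the
# MASQUERADE rule TinCanTech flagged and service rules that ignore the interface.
SAMPLE_RULES = """\
iptables -A INPUT -i tun+ -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.50.0.1/24 -o eth0 -j MASQUERADE
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT
"""

VPN_IFACES = ("tun+", "tun0")                    # assumption: the OpenVPN tunnel interfaces
VPN_ONLY_PORTS = {"22", "80", "443", "10000"}     # assumption: services meant for VPN clients only


def parse_rule(line):
    """Turn one iptables command line into a dict of option -> value (True for flags)."""
    toks = shlex.split(line)
    opts, i = {}, 1                               # skip the 'iptables' word itself
    while i < len(toks):
        tok = toks[i]
        has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        if tok.startswith("-") and has_val:
            opts[tok] = toks[i + 1]
            i += 2
        else:
            opts[tok] = True
            i += 1
    return opts


def lint(rules_text):
    """Return (line_no, message) findings for the two mistakes discussed above."""
    findings = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip():
            continue
        o = parse_rule(line)
        # 1) -s/-d given as an address with host bits set instead of the network address
        for flag in ("-s", "-d"):
            if flag in o and "/" in str(o[flag]):
                try:
                    ipaddress.ip_network(o[flag], strict=True)
                except ValueError:
                    net = ipaddress.ip_network(o[flag], strict=False)
                    findings.append((n, f"{flag} {o[flag]} has host bits set; use {net}"))
        # 2) a VPN-only service accepted in INPUT without restricting it to the tunnel
        port = o.get("--dport") or o.get("--destination-port")
        if o.get("-A") == "INPUT" and o.get("-j") == "ACCEPT" and port in VPN_ONLY_PORTS:
            if o.get("-i") not in VPN_IFACES:
                where = o.get("-i", "any interface")
                findings.append((n, f"port {port} accepted on {where}; add -i tun+ to limit it to VPN clients"))
    return findings
```

Run `lint(SAMPLE_RULES)` to get the findings for the constructed sample; the same function can be pointed at the full rule list from a script or at `iptables-save` output converted to command form.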
