How to control client to client connections with iptables?

wimboson
OpenVpn Newbie
Posts: 2
Joined: Tue Dec 20, 2022 1:12 pm

Post by wimboson » Tue Dec 20, 2022 1:51 pm

Hello.

I've been trying to control the traffic between my ovpn clients using iptables for days.

My setup:

Server Config

dev tun
proto tcp
port 443
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/Open-VPN.crt
key /etc/openvpn/easy-rsa/pki/private/Open-VPN.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.8.0.0 255.255.255.0
#push "dhcp-option DNS 192.168.178.2"
#push "block-outside-dns"
#push "redirect-gateway def1"
##client-to-client
client-config-dir /etc/openvpn/ccd
keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3


Client Config


client1:
ifconfig-push 10.8.0.15 255.255.255.0

client2:
ifconfig-push 10.8.0.25 255.255.255.0


I want to enable Client1 to connect to Client2, but Client2 is not allowed to connect to Client1.

If I allow everything:

iptables Config


*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -m comment --comment openvpn-nat-rule -j MASQUERADE
COMMIT


Client1 and client2 can see each other and connect.

Now, if I want to isolate client2:

iptables Config


*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A FORWARD -i tun0 -s 10.8.0.15/32 -d 10.8.0.25/32 -j ACCEPT
-A FORWARD -i tun0 -j DROP
COMMIT

*nat
:PREROUTING ACCEPT
:INPUT ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -m comment --comment openvpn-nat-rule -j MASQUERADE
COMMIT


NOTHING works anymore, from both sides.
Forwarding is of course switched on on the server with 'net.ipv4.ip_forward=1'.

What I have also tried is to give each client a route individually in the ccd config:

Client Config

client1:
ifconfig-push 10.8.0.15 255.255.255.0
push "route 10.8.0.0 255.255.255.0"
....


All without success.
As soon as I try to block even one IP (even a completely different one) in the 10.8.0.0/24 network via iptables, nothing can be reached from any direction.

If someone has a tip or knows what I'm doing wrong I would be very happy about an answer.

Thanks in advance,
Wim

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: How to control client to client connections with iptables?

Post by ordex » Tue Dec 20, 2022 2:20 pm

FTR this problem is unrelated to OpenVPN.
When you have two hosts talking to each other, i.e. via a TCP connection, packets flow in *both* directions.
This means that even if it's Client1 connecting to Client2, packets will still flow also from Client2 to Client1.

Now, if you drop *every* packet going from .15 to .25, connections won't work anymore because one direction of the flow is totally blocked.

wimboson
OpenVpn Newbie
Posts: 2
Joined: Tue Dec 20, 2022 1:12 pm

Re: How to control client to client connections with iptables?

Post by wimboson » Tue Dec 20, 2022 4:20 pm

Ah, thanks for the hint.
I thought there was something like a nat-state table, but on the same network.
I have now done the following and it works.

iptables

*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -s 10.8.0.15 -d 10.8.0.25 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i tun0 -j DROP
COMMIT


Kind regards,
Wim
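The point ordex makes, worked through as a toy simulation of the two FORWARD rulesets from this thread over a constructed TCP handshake (an added illustration, not code from the posts, OpenVPN or iptables; the connection-tracking model is a deliberate simplification, and the kernel FORWARD chain only sees this traffic because client-to-client is commented out in the server config):

```python
from dataclasses import dataclass, field

C1, C2 = "10.8.0.15", "10.8.0.25"  # client1 and client2 from the ccd files


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Conntrack:
    """Toy conntrack table: a flow is known once a packet of it was accepted."""
    table: set = field(default_factory=set)

    def state(self, p: Pkt) -> str:
        key = (p.src, p.dst, p.sport, p.dport)
        reverse = (p.dst, p.src, p.dport, p.sport)  # reply direction matches too
        return "ESTABLISHED" if key in self.table or reverse in self.table else "NEW"

    def track(self, p: Pkt) -> None:
        self.table.add((p.src, p.dst, p.sport, p.dport))


def stateless_forward(p: Pkt, ct: Conntrack) -> str:
    """Second ruleset in the thread: ACCEPT .15 -> .25, DROP everything else."""
    return "ACCEPT" if (p.src, p.dst) == (C1, C2) else "DROP"


def stateful_forward(p: Pkt, ct: Conntrack) -> str:
    """Final ruleset: ESTABLISHED first, then NEW only from .15 to .25."""
    if ct.state(p) == "ESTABLISHED":
        return "ACCEPT"
    return "ACCEPT" if (p.src, p.dst) == (C1, C2) else "DROP"


def run(chain, packets):
    """Apply a chain to a packet sequence; accepted packets populate conntrack."""
    ct, verdicts = Conntrack(), []
    for p in packets:
        v = chain(p, ct)
        if v == "ACCEPT":
            ct.track(p)
        verdicts.append(v)
    return verdicts


# Constructed handshake: client1 -> client2 SYN, SYN-ACK back, final ACK.
HANDSHAKE = [Pkt(C1, C2, 40000, 22), Pkt(C2, C1, 22, 40000), Pkt(C1, C2, 40000, 22)]
# Constructed connection attempt in the direction that must stay blocked.
REVERSE_SYN = [Pkt(C2, C1, 41000, 22)]
```

The stateless chain drops the SYN-ACK (second packet), which is exactly why "nothing works from both sides"; the conntrack chain passes it as a reply while still dropping a fresh connection from client2.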
