Restricting access for specific user (No internet)
Posted: Mon Nov 03, 2014 9:16 pm
Hi
I have been scratching my head quite a lot the last few hours, experimenting a lot, trying to restrict access for a specific user.
What I want to achieve:
I have an ex who I used to live with, and she had specific data in a database hosted on my server. Now that we have separated I was thinking of allowing her to access her data, since she lacks the equipment to run a 24/7 server.
However, if I allow her to connect to my network, then I want to block access to the internet and other LAN hosts except the server where the database is, which happens to be the VPN server itself (local IP 192.168.1.123).
I added a user with a fixed IP different from my other OpenVPN users (10.8.2.5 instead of 10.8.0.x).
This is where my trouble starts a bit. I figured out I should block with iptables; however, I have only successfully blocked access to the specific host (192.168.1.123) rather than blocking the internet or other hosts on the network.
I tried with
sudo iptables -A INPUT -s 10.8.2.5 -j DROP
sudo iptables -A OUTPUT -d 10.8.2.5 -j DROP
But this only ended up blocking 192.168.1.123 rather than the rest of the LAN.
Since I'm running a NAT server I have masquerade set up, and I have a feeling it is one of the core issues here. The commands issued at boot are:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to 192.168.1.123
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
So am I running in circles here or just thinking wrong? Is it even possible with my current setup?
Internet is accessed from the router at 192.168.1.1.
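An added example (not the poster's commands, nor from any reply in this thread) showing where a per-client restriction actually belongs: the poster's INPUT/OUTPUT rules only see packets addressed to or sent by the server host itself, while packets the server routes on to the LAN or the internet pass through FORWARD, and the nat table never filters. It assumes, beyond what the post gives, that the database listens on TCP 3306 and that the server's own tunnel address is 10.8.0.1.

```shell
#!/bin/sh
# Added example, not the poster's own commands. Confines one OpenVPN client to
# the VPN server host. The poster's INPUT/OUTPUT rules only filter packets
# addressed to, or sent by, the server itself, which is why they cut off
# 192.168.1.123. Traffic the server routes onward to other LAN hosts or the
# internet is decided in the FORWARD chain, and the nat table (SNAT/MASQUERADE)
# only rewrites addresses; it never blocks anything.
# Assumptions not in the post: the database listens on TCP 3306 and the
# server's own tunnel address is 10.8.0.1.

CLIENT_IP="10.8.2.5"        # restricted client's fixed VPN address (from the post)
SERVER_IP="192.168.1.123"   # VPN server = database host (from the post)
SERVER_TUN_IP="10.8.0.1"    # assumed server-side tunnel address
DB_PORT="3306"              # assumed database port

# Which filter chain sees a packet from the VPN client to destination $1?
# Only packets addressed to the server's own addresses reach INPUT; anything
# the server would route onward (LAN hosts, the internet) goes through FORWARD.
chain_for_dst() {
    case "$1" in
        "$SERVER_IP"|"$SERVER_TUN_IP") echo INPUT ;;
        *) echo FORWARD ;;
    esac
}

# Print the rules. A dedicated chain keeps the per-client policy together, and
# -I puts the jumps at the top of INPUT and FORWARD so they take effect before
# any broader ACCEPT rule already in place. Run once; re-running duplicates the
# jump rules. Also delete the earlier "OUTPUT -d 10.8.2.5 -j DROP" rule, or the
# database's replies never leave the server.
restricted_client_rules() {
    cat <<EOF
iptables -N RESTRICTED_CLIENT
iptables -F RESTRICTED_CLIENT
iptables -A RESTRICTED_CLIENT -p tcp --dport $DB_PORT -j ACCEPT
iptables -A RESTRICTED_CLIENT -j DROP
iptables -I INPUT 1 -s $CLIENT_IP -j RESTRICTED_CLIENT
iptables -I FORWARD 1 -s $CLIENT_IP -j DROP
EOF
}

# Dry run by default; APPLY=1 sh this_script.sh (as root) applies the rules.
if [ "${APPLY:-0}" = "1" ]; then
    restricted_client_rules | sh
else
    restricted_client_rules
fi
```

One caveat the rules cannot cover: if server.conf contains `client-to-client`, packets between VPN clients are switched inside the OpenVPN process and never reach iptables, so that directive must be off for the FORWARD drop to also isolate her from the 10.8.0.x users.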