Iptables - Configuring client-specific rules

Scripts that set up, tear down and modify routing tables and firewall rulesets for client connections.

sdighi
OpenVpn Newbie
Posts: 2
Joined: Fri Nov 08, 2019 10:51 am

Post by sdighi » Fri Nov 08, 2019 11:04 am

Hi,
I have this configuration for OpenVPN.
LAN IP: 192.168.0.16
tun IP: 10.8.0.1

I have this iptables config:


# Flushing all rules (the nat table is flushed too; otherwise every re-run of
# this script appends another MASQUERADE rule)
iptables -F FORWARD
iptables -F INPUT
iptables -F OUTPUT
iptables -X
iptables -t nat -F POSTROUTING

# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Accept outbound on the primary interface
iptables -I OUTPUT -o ens192 -d 0.0.0.0/0 -j ACCEPT

# Accept inbound packets (any protocol, not only TCP) that belong to
# connections this host opened
iptables -I INPUT -i ens192 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow incoming SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT

# Allow incoming OpenVPN
iptables -A INPUT -p udp --dport 1194 -m state --state NEW -s 0.0.0.0/0 -j ACCEPT

# Enable NAT for the VPN
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens192 -j MASQUERADE

# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun0 -j ACCEPT

# Block client-to-client routing on the VPN. This has to come before the
# blanket "-i tun0 -j ACCEPT" below: iptables stops at the first matching
# rule, so a DROP appended after that ACCEPT is never reached.
iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.8.0.0/24 -j DROP

# Allow TUN interface connections to be forwarded through other interfaces
# (the first rule already accepts everything arriving on tun0, so the
# "-i tun0 -o ens192" rule after it is never consulted)
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o ens192 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Return traffic from the LAN side to any tun interface (tun+ matches tun0, tun1, ...)
iptables -A FORWARD -i ens192 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow outbound access to all networks on the Internet from the VPN
iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 0.0.0.0/0 -j ACCEPT

OpenVPN is configured to assign static IPs to the clients (10.8.0.2, 10.8.0.3, etc.).

I want to permit communication only to certain IPs in the network.
Example:
10.8.0.2 -> 10.0.0.65
10.8.0.3 -> 10.0.0.64
10.8.0.4 -> all network

I read this: https://openvpn.net/community-resources ... -policies/
but the configuration doesn't work.
Can anybody help me? Thanks.
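One way to express the per-client policy asked for above, as an added example that is not part of the original post or of OpenVPN's own documentation. It assumes the addresses from the post (tun0, VPN subnet 10.8.0.0/24, static client addresses 10.8.0.2 to 10.8.0.4, LAN hosts 10.0.0.64 and 10.0.0.65); the chain name VPN_POLICY and the function name are choices made here. The reason the posted ruleset cannot be made client-specific by appending rules is ordering: it appends `-A FORWARD -i tun0 -j ACCEPT` early, iptables stops at the first matching rule, and so anything appended to FORWARD after that is dead. The script therefore puts the policy in its own chain and inserts the jump at position 1 of FORWARD. It prints the iptables commands instead of running them, so the result can be reviewed before being piped into `sh` as root.

```shell
#!/bin/sh
# Added example (not the original poster's script): emit per-client FORWARD
# rules for an OpenVPN server that assigns static tun addresses.
# Assumptions: tun0, VPN subnet 10.8.0.0/24 and the client/target pairs from
# the post; VPN_POLICY is a chain name chosen for this example.

# Policy table, one "client_ip destination" per line; "any" grants the client
# access to every destination (10.8.0.4 in the post).
VPN_POLICY="
10.8.0.2 10.0.0.65
10.8.0.3 10.0.0.64
10.8.0.4 any
"

# Print the iptables commands implementing VPN_POLICY. Nothing is executed
# here; review the output, then apply it as root:  vpn_policy_rules | sudo sh
vpn_policy_rules() {
  tun="${1:-tun0}"
  vpn_net="${2:-10.8.0.0/24}"

  # Create the chain, or flush it if it already exists, so re-runs are idempotent.
  echo "iptables -N VPN_POLICY 2>/dev/null || iptables -F VPN_POLICY"

  # Packets of flows a client was already allowed to open (later packets of a
  # TCP session are not NEW, so the per-client NEW rules would not match them).
  echo "iptables -A VPN_POLICY -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

  # One ACCEPT per (client, destination); only the client may open connections.
  echo "$VPN_POLICY" | while read -r client target; do
    [ -n "$client" ] || continue
    if [ "$target" = "any" ]; then
      echo "iptables -A VPN_POLICY -s $client -m conntrack --ctstate NEW -j ACCEPT"
    else
      echo "iptables -A VPN_POLICY -s $client -d $target -m conntrack --ctstate NEW -j ACCEPT"
    fi
  done

  # Default deny for everything else from the VPN: unlisted LAN hosts, the
  # Internet, and client-to-client traffic (tun0 in, tun0 out).
  echo "iptables -A VPN_POLICY -j DROP"

  # Return traffic from the LAN/Internet side back to the clients
  # (-D first so a re-run does not leave a duplicate rule behind).
  echo "iptables -D FORWARD -o $tun -d $vpn_net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true"
  echo "iptables -I FORWARD 1 -o $tun -d $vpn_net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

  # Hook the chain at position 1 of FORWARD: it has to run before any blanket
  # "-i tun0 -j ACCEPT", because iptables stops at the first matching rule.
  echo "iptables -D FORWARD -i $tun -s $vpn_net -j VPN_POLICY 2>/dev/null || true"
  echo "iptables -I FORWARD 1 -i $tun -s $vpn_net -j VPN_POLICY"
}
```

Address-based rules are only as trustworthy as the address assignment: push each client's address from its own client-config-dir file with ifconfig-push, and do not combine that with duplicate-cn. The OpenVPN server drops tun packets whose source address is not the one it assigned to that client (logged as "MULTI: bad source address from client"), so a client cannot forge another client's address to inherit its rights. Verify the order after applying with `iptables -L FORWARD -n -v --line-numbers`; the VPN_POLICY jump must be rule 1.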


Re: Iptables - Configuring client-specific rules

Post by sdighi » Wed Nov 13, 2019 9:34 am

The configuration required is related to iptables, thanks.