Block clients from accessing TCP port on server?

muzicman0
OpenVpn Newbie
Posts: 4
Joined: Sun Aug 22, 2021 3:32 pm

Block clients from accessing TCP port on server?

Post by muzicman0 » Sun Aug 22, 2021 3:48 pm

I have been trying to figure out a way to block clients from accessing a specific port on the OpenVPN server itself. I assume I need to use IPTables, but I just can't get my head wrapped around it. I also assume it should be applied to the tun0 interface, but I am not 100% sure on that.

An example would be: I need to block 10.8.0.6 (the client's OpenVPN address) from reaching TCP port 4555 on the actual OpenVPN server.

Can anyone help out with this?

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Block clients from accessing TCP port on server?

Post by Pippin » Sun Aug 22, 2021 6:05 pm

I also assume it should be applied to the tun0 interface
Indeed, take a look here:
https://community.openvpn.net/openvpn/w ... acketsFlow

muzicman0
OpenVpn Newbie
Posts: 4
Joined: Sun Aug 22, 2021 3:32 pm

Re: Block clients from accessing TCP port on server?

Post by muzicman0 » Sun Aug 22, 2021 6:36 pm

This (and variations) is what I have tried, and nothing seems to work. I even tried UDP just to make sure I wasn't wrong on the protocol.

iptables -A FORWARD -i tun0 -p tcp --destination-port 4555 -s 10.8.0.6 -j DROP
iptables -A INPUT -i tun0 -p tcp --destination-port 4555 -s 10.8.0.6 -j DROP

Any help would be greatly appreciated, and thanks for the response.

For reasons I won't go into, I need to open up the management of OpenVPN to something other than localhost, but ultimately, it ends up that all the clients are able to access it as well. So that is what I am trying to block (but I want my client to actually be able to access it).

(And before anyone asks, the IP addresses, ports, etc. are not real, just an example that I can use to extrapolate the info.)

muzicman0
OpenVpn Newbie
Posts: 4
Joined: Sun Aug 22, 2021 3:32 pm

Re: Block clients from accessing TCP port on server?

Post by muzicman0 » Mon Aug 23, 2021 9:25 pm

So it turned out I had a rule in UFW that was allowing my port through. Once I deleted the UFW rule, then it started working as I expect. The final rule was:

iptables -A INPUT -i tun0 -p tcp --destination-port 4555 -s 10.8.0.6 -j ACCEPT

Which allows only my client to get to that port, and all the rest are dropped (default policy on INPUT is drop).
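The behaviour described in this thread, as an added example that is not part of the original posts: a small bash/awk simulation of netfilter's first-match walk over an INPUT chain written in `iptables -S` syntax. The two chain dumps are constructed (UFW's allow rule is flattened into INPUT for brevity rather than living in its own ufw-* chain), and only a NEW TCP connection is simulated; -i, -p, -s, --dport and --ctstate are honoured and other match options are ignored.

```shell
#!/usr/bin/env bash
# Constructed example: simulate netfilter first-match evaluation so that the
# effect of rule ORDER is visible. An earlier UFW ACCEPT for port 4555
# shadows the later per-client DROP; with that rule gone, a single ACCEPT
# for 10.8.0.6 plus the DROP policy gives the result the poster wanted.

# Constructed chain dump (not real output from anyone's server).
CHAIN_WITH_UFW='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4555 -j ACCEPT
-A INPUT -s 10.8.0.6/32 -i tun0 -p tcp -m tcp --dport 4555 -j DROP'

# Constructed chain matching the final post: UFW rule removed, policy DROP.
CHAIN_FINAL='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.8.0.6/32 -i tun0 -p tcp -m tcp --dport 4555 -j ACCEPT'

# verdict CHAIN IFACE PROTO SRC DPORT -> prints the target of the first
# matching rule, or the chain policy when nothing matches.
verdict() {
  printf '%s\n' "$1" | awk -v iface="$2" -v proto="$3" -v src="$4" -v dport="$5" '
    $1 == "-P" { policy = $3; next }
    $1 != "-A" { next }
    {
      ok = 1; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-i" && $(i+1) != iface) ok = 0
        else if ($i == "-p" && $(i+1) != proto) ok = 0
        else if ($i == "-s") { s = $(i+1); sub(/\/32$/, "", s); if (s != src) ok = 0 }
        else if (($i == "--dport" || $i == "--destination-port") && $(i+1) != dport) ok = 0
        else if ($i == "--ctstate" && index($(i+1), "NEW") == 0) ok = 0  # NEW conns only
        else if ($i == "-j") target = $(i+1)
      }
      if (ok) { matched = 1; print target; exit }
    }
    END { if (!matched) print policy }'
}

# With the UFW rule present the DROP for 10.8.0.6 is never reached, and every
# other client (10.8.0.7 here) reaches the port too.
echo "with UFW rule, 10.8.0.6 -> $(verdict "$CHAIN_WITH_UFW" tun0 tcp 10.8.0.6 4555)"
echo "with UFW rule, 10.8.0.7 -> $(verdict "$CHAIN_WITH_UFW" tun0 tcp 10.8.0.7 4555)"
# With the final rule set only 10.8.0.6 is accepted; the rest hit the policy.
echo "final rules,   10.8.0.6 -> $(verdict "$CHAIN_FINAL" tun0 tcp 10.8.0.6 4555)"
echo "final rules,   10.8.0.7 -> $(verdict "$CHAIN_FINAL" tun0 tcp 10.8.0.7 4555)"
```

On a real host, `iptables -S INPUT` (and `ufw status verbose`) shows the actual order; a rule appended with `-A` after a UFW allow will never be consulted for packets that allow rule already accepted.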
