LinuxQuestions.org

Linux - Security: Block access to VPN users (http://www.linuxquestions.org/questions/linux-security-4/block-access-to-vpn-users-681864/)

spide21 11-07-2008 06:12 PM

Block access to VPN users
 
Hi,

Is there a way to block VPN users (connecting through a pptpd server) from accessing some servers or ports on the same LAN?

For example:

My pptpd client range is 192.168.2.100 to 150, and I want to block access to my DB server at IP 192.168.2.20 and also to some services on the router, such as SSH.

Or to allow those VPN users to access one server only.

Thanks in advance.

Please help.

billymayday 11-07-2008 06:14 PM

Why don't you use iptables to block requests from your VPN net?

spide21 11-07-2008 07:52 PM

I can't block VPN access, since it is needed by commuting employees and an external company's branch; that's why I need to block access to some ports on the DB server and some services running on the router side.

billymayday 11-07-2008 08:15 PM

I wasn't suggesting you block everything, just requests from the VPN to servers you don't want to give access to, or to ports you don't allow.

spide21 11-09-2008 03:37 AM

After a lot of reading and googling, I found the way to do it.

This is how to block VPN users (all rules run on the pptpd router; pptp+ matches every pptpN interface):

block ssh on the router
# packets from the VPN clients to the router itself pass the INPUT chain; the OUTPUT rule
# additionally drops any reply the router's own sshd might send
iptables -I INPUT -p tcp -i pptp+ -m iprange --src-range 192.168.2.100-192.168.2.150 -m tcp --dport 22 -d 192.168.2.1 -j DROP
iptables -I OUTPUT -p tcp -s 192.168.2.1 -m tcp --sport 22 -m iprange --dst-range 192.168.2.100-192.168.2.150 -j DROP

block a special service on the router
iptables -I INPUT -p tcp -i pptp+ -m iprange --src-range 192.168.2.100-192.168.2.150 -m tcp --dport 81 -d 192.168.2.1 -j DROP
iptables -I OUTPUT -p tcp -s 192.168.2.1 -m tcp --sport 81 -m iprange --dst-range 192.168.2.100-192.168.2.150 -j DROP

block ssh and ftp on the dummy-data server
# packets from the VPN clients to another LAN host are routed by the router, so they pass
# the FORWARD chain, not INPUT or OUTPUT (rules there with -d or -s 192.168.2.20 never match
# on the router); the nat table is consulted only for the first packet of a connection and
# is not meant for filtering, so the DROP belongs in the filter table's FORWARD chain
iptables -I FORWARD -p tcp -i pptp+ -m iprange --src-range 192.168.2.100-192.168.2.150 -m multiport --dports 22,21 -d 192.168.2.20 -j DROP

Block access to another test server
iptables -I FORWARD -p tcp -i pptp+ -m iprange --src-range 192.168.2.100-192.168.2.150 -m multiport --dports 22,8080,1723,10000,21 -d 192.168.2.19 -j DROP
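The original question also asked for the opposite policy: let the VPN users reach one server only. The script below is an added example, not code from spide21's post or from the thread, showing that allowlist approach as a small, re-runnable iptables script. It assumes pptpd runs on the router 192.168.2.1 and creates pptp0, pptp1, ... interfaces, takes the client pool 192.168.2.100-192.168.2.150 from the thread, and uses 192.168.2.30 as the one permitted server; that last address is hypothetical. Routed traffic is handled in FORWARD, the router's own SSH in INPUT, and a conntrack state rule lets replies through so no separate OUTPUT/--sport rules are needed.

```shell
#!/bin/sh
# Added example (not from the thread): allowlist for pptpd VPN clients.
# Assumptions that are not taken from the original post:
#   - pptpd runs on the router 192.168.2.1 and creates interfaces pptp0, pptp1, ...
#   - 192.168.2.30 is the one LAN server VPN users may reach (hypothetical address)
# Run with no arguments to print the rules; run as root with "apply" to load them.

VPN_IF='pptp+'                              # "+" is the iptables interface wildcard
VPN_RANGE='192.168.2.100-192.168.2.150'     # pptpd client pool from the thread
ALLOWED_SERVER='192.168.2.30'               # hypothetical permitted server

# Print the iptables command in dry-run mode (the default), execute it otherwise.
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

# Build the rule set. Forwarded traffic (VPN client -> LAN host) passes the
# FORWARD chain; only traffic addressed to the router itself passes INPUT.
vpn_rules() {
    # Dedicated chain so the policy can be reloaded without touching other rules.
    ipt -N VPN_FWD 2>/dev/null || true
    ipt -F VPN_FWD
    # Packets of connections already accepted (and related ones) pass by state.
    ipt -A VPN_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # The single server VPN users are allowed to open new connections to.
    ipt -A VPN_FWD -d "$ALLOWED_SERVER" -m conntrack --ctstate NEW -j ACCEPT
    # Everything else on the LAN: log a few attempts per minute, then reject.
    ipt -A VPN_FWD -m limit --limit 5/min -j LOG --log-prefix 'VPN-DENY: '
    ipt -A VPN_FWD -j REJECT --reject-with icmp-admin-prohibited
    # Hook the chain in for traffic arriving on a pptp interface from the client pool.
    # Delete any existing hook first so re-running the script does not stack copies.
    ipt -D FORWARD -i "$VPN_IF" -m iprange --src-range "$VPN_RANGE" -j VPN_FWD 2>/dev/null || true
    ipt -I FORWARD 1 -i "$VPN_IF" -m iprange --src-range "$VPN_RANGE" -j VPN_FWD
    # Replies from the LAN back to VPN clients (-o pptp+) traverse FORWARD in the
    # other direction; accept them by state in case the FORWARD policy is DROP.
    ipt -D FORWARD -o "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || true
    ipt -I FORWARD 1 -o "$VPN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Router's own SSH (INPUT chain): refuse with a reset so clients fail fast.
    ipt -I INPUT 1 -i "$VPN_IF" -m iprange --src-range "$VPN_RANGE" -p tcp --dport 22 -j REJECT --reject-with tcp-reset
}

case "${1:-}" in
    apply) DRY_RUN=0 vpn_rules ;;
    *)     vpn_rules ;;
esac
```

Running the script with no arguments just prints the eleven iptables commands, which is handy for review; `sh vpn-allowlist.sh apply` as root loads them, and because every hook rule is deleted before it is re-inserted the script can be run again after editing without leaving duplicate rules behind. PPTP's own control channel (TCP 1723) and GRE arrive on the router's physical interface, not on pptp+, so they are unaffected by these rules.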

