Old 11-07-2008, 05:12 PM   #1
spide21
LQ Newbie
 
Registered: Nov 2005
Distribution: Fedora Core 11
Posts: 23

Rep: Reputation: 15
Block access to VPN users


Hi,

Is there a way to block VPN users connecting through a pptpd server from accessing some servers or ports on the same LAN?

For example:

I have my pptpd address range set to 192.168.2.100 to 150, and I want to block access to my DB server at IP 192.168.2.20 and also to some services on the router, such as SSH.

Or to allow those VPN users to access one server only.

Thanks in advance.

Please help.
 
Old 11-07-2008, 05:14 PM   #2
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
Why don't you use iptables to block requests from your VPN net?
 
Old 11-07-2008, 06:52 PM   #3
spide21
LQ Newbie
 
Registered: Nov 2005
Distribution: Fedora Core 11
Posts: 23

Original Poster
Rep: Reputation: 15
I can't block VPN access since it is needed by commuting employees and external company branches; that's why I need to block access to some ports on the DB server and some services running on the router side.
 
Old 11-07-2008, 07:15 PM   #4
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 122
I wasn't suggesting you block everything, just requests from the VPN to servers you don't want to give access to, or to ports you don't allow.
 
Old 11-09-2008, 02:37 AM   #5
spide21
LQ Newbie
 
Registered: Nov 2005
Distribution: Fedora Core 11
Posts: 23

Original Poster
Rep: Reputation: 15
After a lot of reading and googling I found the way to do it.

This is how to block VPN users:

Block SSH on the router:
iptables -I INPUT -p tcp -i pptp+ -m iprange --src-range 192.168.2.100-192.168.2.150 -m tcp --dport 22 -d 192.168.2.1 -j DROP
iptables -I OUTPUT -p tcp -s 192.168.2.1 -m tcp --sport 22 -m iprange --dst-range 192.168.2.100-192.168.2.150 -j DROP

Block a special service on the router:
iptables -I INPUT -p tcp -i pptp+ -m iprange --src-range 192.168.2.100-192.168.2.150 -m tcp --dport 81 -d 192.168.2.1 -j DROP
iptables -I OUTPUT -p tcp -s 192.168.2.1 -m tcp --sport 81 -m iprange --dst-range 192.168.2.100-192.168.2.150 -j DROP

Block SSH on the dummy-data server:
iptables -I INPUT -p tcp -i pptp+ -m iprange --src-range 192.168.2.100-192.168.2.150 -m tcp --dport 22 -d 192.168.2.20 -j DROP
iptables -I OUTPUT -p tcp -s 192.168.2.20 -m tcp --sport 22 -m iprange --dst-range 192.168.2.100-192.168.2.150 -j DROP
iptables -t nat -I PREROUTING -p tcp -m tcp -i pptp+ -m iprange --src-range 192.168.2.100-192.168.2.150 -m multiport --dports 22,21 -d 192.168.2.20 -j DROP

Block access to another test server:
iptables -t nat -I PREROUTING -p tcp -m tcp -i pptp+ -m iprange --src-range 192.168.2.100-192.168.2.150 -m multiport --dports 22,8080,1723,10000,21 -d 192.168.2.19 -j DROP
iptables -I INPUT -p tcp -i pptp+ -m iprange --src-range 192.168.2.100-192.168.2.150 -m multiport --dports 22,8080,1723,10000,21 -d 192.168.2.19 -j DROP
iptables -I OUTPUT -p tcp -s 192.168.2.19 -m multiport --sports 22,1723,8080,10000,21 -m iprange --dst-range 192.168.2.100-192.168.2.150 -j DROP

Last edited by spide21; 11-14-2008 at 09:15 AM. Reason: fixing the code
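The same policy as an added example (not the poster's rules), written as a small rule generator: packets from a pptpN interface to another LAN host are routed, so the filter table sees them in FORWARD rather than INPUT, and only the router's own services belong in INPUT. It assumes the addresses from the thread (range 192.168.2.100-150, router 192.168.2.1, DB server .20, test server .19) and a chain name VPN_ACL of my choosing.

```sh
#!/bin/sh
# Added example, not from the thread: print iptables rules that keep PPTP VPN
# clients (pptpd remoteip range from the post) away from chosen TCP ports on
# LAN hosts and on the router itself. Review the output, then pipe it into a
# root shell on the router.
#
# FORWARD vs INPUT: a packet from pptpN to another LAN host is forwarded by
# the router, so INPUT never sees it; INPUT only matches services the router
# itself listens on. Dropping the client's first packet means no reply is ever
# generated, so the OUTPUT rules from the post are not needed. The nat table
# only sees a connection's first packet, so filtering stays in the filter table.

VPN_RANGE="192.168.2.100-192.168.2.150"   # pptpd client address range
ROUTER_IP="192.168.2.1"                   # router's LAN address

# block_forward_rules HOST PORTS: drop VPN-client TCP traffic to HOST on the
# comma-separated PORTS list.
block_forward_rules() {
    printf 'iptables -I FORWARD -i pptp+ -p tcp -m iprange --src-range %s -d %s -m multiport --dports %s -j DROP\n' \
        "$VPN_RANGE" "$1" "$2"
}

# block_input_rules PORTS: drop VPN-client TCP traffic to the router's own PORTS.
block_input_rules() {
    printf 'iptables -I INPUT -i pptp+ -p tcp -m iprange --src-range %s -d %s -m multiport --dports %s -j DROP\n' \
        "$VPN_RANGE" "$ROUTER_IP" "$1"
}

# allow_only_rules HOST: the "one server only" case from the first post. VPN
# clients may reach HOST; every other forwarded packet from the range is
# dropped. A dedicated chain (assumed name VPN_ACL) keeps the ACCEPT/DROP
# order intact even if more -I rules are later inserted into FORWARD.
# Replies travel the other way (-o pptp+) and are not matched by -i pptp+.
allow_only_rules() {
    printf 'iptables -N VPN_ACL\n'
    printf 'iptables -I FORWARD -i pptp+ -m iprange --src-range %s -j VPN_ACL\n' "$VPN_RANGE"
    printf 'iptables -A VPN_ACL -d %s -j ACCEPT\n' "$1"
    printf 'iptables -A VPN_ACL -j DROP\n'
}

# Policy matching the thread: SSH and port 81 on the router, SSH/FTP on the DB
# server 192.168.2.20, and the listed ports on the test server 192.168.2.19.
block_input_rules 22,81
block_forward_rules 192.168.2.20 22,21
block_forward_rules 192.168.2.19 22,8080,1723,10000,21
```

Check the result with `iptables -L FORWARD -v -n` and watch the packet counters on the DROP rules while a VPN client attempts a connection.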