LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Reload this Page Block access to VPN users
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 11-07-2008, 06:12 PM   #1
spide21
LQ Newbie
 
Registered: Nov 2005
Distribution: Fedora Core 11
Posts: 23

Rep: Reputation: 15
Block access to VPN users

Hi,

Is there a way to block access to vpn users by using pptpd server to access some servers or port on the same lan?.

For example:

I got my range port on pptpd as 192.168.2.100 to 150 and I want to block access to my db server at ip 192.168.2.20 and also to some services on the router, which are SSH.

Or to allow those vpn users to access to one server only.

Thanks in advanced.

Please help.
 
Old 11-07-2008, 06:14 PM   #2
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 120Reputation: 120
Why don't you use iptables to block requests from you vpn net?
 
Old 11-07-2008, 07:52 PM   #3
spide21
LQ Newbie
 
Registered: Nov 2005
Distribution: Fedora Core 11
Posts: 23

Original Poster
Rep: Reputation: 15
I canīt block VPN access since it is needed by commuters employees and external company's branch, that's why i need to block access to some ports on the BD server and some services running on the router side.
 
Old 11-07-2008, 08:15 PM   #4
billymayday
Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Rep: Reputation: 120Reputation: 120
I wasn't suggesting you block everything, just requests from the vpn to servers you don't want to give access to or to ports you don't allow.
 
Old 11-09-2008, 03:37 AM   #5
spide21
LQ Newbie
 
Registered: Nov 2005
Distribution: Fedora Core 11
Posts: 23

Original Poster
Rep: Reputation: 15
Thumbs up
After doing a hard reading and googling i found the way to do it.

This is how to block vpn users:

block ssh on the router
iptables -I INPUT -p tcp -i pptp+ -m iprange --src-range 192.168.2.100-192.168.2.150 -m tcp --dport 22 -d 192.168.2.1 -j DROP
iptables -I OUTPUT -p tcp -s 192.168.2.1 -m tcp --sport 22 -m iprange --dst-range 192.168.2.100-192.168.2.150 -j DROP

block a special service on the router
iptables -I INPUT -p tcp -i pptp+ -m iprange --src-range 192.168.2.100-192.168.2.150 -m tcp --dport 81 -d 192.168.2.1 -j DROP
iptables -I OUTPUT -p tcp -s 192.168.2.1 -m tcp --sport 81 -m iprange --dst-range 192.168.2.100-192.168.2.150 -j DROP

block ssh on the dummy-data server

iptables -I INPUT -p tcp -i pptp+ -m iprange --src-range 192.168.2.100-192.168.2.150 -m tcp --dport 22 -d 192.168.2.20 -j DROP
iptables -I OUTPUT -p tcp -s 192.168.2.20 -m tcp --sport 22 -m iprange --dst-range 192.168.2.100-192.168.2.150 -j DROP
iptables -t nat -I PREROUTING -p tcp -m tcp -i pptp+ -m iprange --src-range 192.168.2.100-192.168.2.150 -m multiport --dports 22,21 -d 192.168.2.20 -j DROP

Block access to another test server

iptables -t nat -I PREROUTING -p tcp -m tcp -i pptp+ -m iprange --src-range 192.168.2.100-192.168.2.150 -m multiport --dports 22,8080,1723,10000,21 -d 192.168.2.19 -j DROP

iptables -I INPUT -p tcp -i pptp+ -m iprange --src-range 192.168.2.100-192.168.2.150 -m multiport --dports 22,8080,1723,10000,21 -d 192.168.2.19 -j DROP

iptables -I OUTPUT -p tcp -s 192.168.2.19 -m multiport --sports 22,1723,8080,10000,21 -m iprange --dst-range 192.168.2.100-192.168.2.150 -j DROP
Last edited by spide21; 11-14-2008 at 10:15 AM. Reason: fixing the code
 
  


Reply

Tags
access, block, users, vpn


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Block access to CDROM for some users (or all users) emil_jfb Linux - Hardware 3 07-21-2008 01:21 PM
LXer: How to: Restrict Users to SCP and SFTP and Block SSH Shell Access with rssh LXer Syndicated Linux News 0 01-02-2008 01:00 PM
LXer: How to: Restrict Users to SCP and SFTP and Block SSH Shell Access with rssh LXer Syndicated Linux News 0 01-02-2008 11:00 AM
Block VPN access with IPChains ssukumar Linux - Newbie 1 10-03-2003 01:00 PM
Block VPN access with IPChains ssukumar Linux - Networking 0 10-03-2003 11:22 AM


All times are GMT -5. The time now is 11:02 AM.

Contact Us - Advertising Info - Rules - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
 
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: @linuxquestions
Open Source Consulting | Domain Registration