LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 03-20-2014, 07:31 PM   #1
sunsina
LQ Newbie
 
Registered: Apr 2012
Posts: 3

Rep: Reputation: Disabled
Red face Blocking a subnet behind openvpn server using firewall


Hi,
I have a remote device which runs openvpn clients and is connects to my wokrplace OpenVPN server side (the interface implementation is TUN) and on the server side client-to-client and server-bridge is enabled in server side.

The openvpn server uses using tun21 device and the tun21 IP address is
10.8.0.1/255.255.255.0

The client side openvpn interface gets static ip address 10.8.0.101/255.255.255.0 (connects via tun11) from openvpns server.

Infact the open vpn server is running on a Tomato router that has several physical and virtual interfaces.

Following is the server side (Tomato router) interfaces:

br0 Link encap:Ethernet HWaddr BC:XX:7B:XXB:TT
inet addr:192.168.4.7 Bcast:192.168.4.255 Mask:255.255.255.0


tun21 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.1 P-t-P:10.8.0.2 Mask:255.255.255.255


vlan2 Link encap:Ethernet HWaddr 11:EE:7B:ZZ:YY:FF
inet addr:192.168.10.13 Bcast:192.168.10.255 Mask:255.255.255.0


The workplace internet connection (the only network cable that is connected to the OpenVPN server is to the WAN of tomato router).

The work place subnet is in range 192.168.10.0/24 and the LAN of Tomato router is 192.168.4.0/24 and the work place gives a static ip address 192.168.10.13 to the WAN port of the tomato router.

The problem is the openvpn client (with CommonName (CN) client_remote) can access to workplace subnet 192.168.10.0/24 without any restriction.

I want to block the access to workplace network (192.168.10.0/24) for all clients that their IP address are in range 192.168.42.0/24 and/or their clien VPN IF static IP is in range 10.8.0.101-10.8.0.121

I prefer not to take out server-bridge or client-to-client options (Since there are a huge number of clients that must have access to each other and evern workplace network - but very few with restricted access)
I am not sure if I have to use ebtables or iptables and what command I have to add in my firewall scripts.
Thanks in advance

Last edited by sunsina; 03-20-2014 at 07:32 PM.
 
Old 03-26-2014, 12:11 PM   #2
rawsarrow
LQ Newbie
 
Registered: Mar 2014
Posts: 5

Rep: Reputation: Disabled
iptables -A CUSTOMFORWARD -s 10.180.0.0/24 ! -d 192.168.0.155 -j DROP

this is the basic layout for blocking IP's in the /etc/sysconfig/firewall.local file


This is just a basic layout I hope it helps
Code:
 #!/bin/sh
  # Used for private firewall rules
 
  # See how we were called.
  case "$1" in
  start)
        ## add your 'start' rules here
        iptables -A CUSTOMFORWARD -s x.x.x.x/24 -d y.y.y.y -j ACCEPT
        iptables -A CUSTOMFORWARD -s x.x.x.x/24 -d a.a.a.a -j ACCEPT
        iptables -A CUSTOMFORWARD -s x.x.x.x/24 -j DROP
        ;;
  stop)
        ## add your 'stop' rules here
        iptables -D CUSTOMFORWARD -s x.x.x.x/24 -d y.y.y.y  -j ACCEPT
        iptables -D CUSTOMFORWARD -s x.x.x.x/24 -d a.a.a.a -j ACCEPT
        iptables -D CUSTOMFORWARD -s x.x.x.x/24 -j DROP
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
  case
 
  


Reply

Tags
block, firewall, iptables, openvpn, subnet


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Server Firewall blocking incoming SMTP coolvid86101 Linux - Server 3 05-21-2013 03:59 PM
Is blocking a subnet with iptables on the router a good way to protect a server? damgar Linux - Security 6 06-11-2012 04:40 PM
OpenVPN - Can't access other machines on the server's subnet quantamm Linux - Networking 1 07-01-2009 12:07 PM
Endian Firewall /OpenVPN server jurry rigging Lantzvillian Linux - Server 0 02-20-2008 02:15 AM
Firewall blocking the NFS server. ZAMO Linux - Security 3 12-17-2007 10:09 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 01:43 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration