Old 03-20-2014, 07:31 PM   #1
Blocking a subnet behind openvpn server using firewall

I have a remote device which runs OpenVPN clients and connects to my workplace OpenVPN server (the interface implementation is TUN); on the server side, client-to-client and server-bridge are enabled.

The OpenVPN server uses the tun21 device and the tun21 IP address is

The client-side OpenVPN interface gets a static IP address (connects via tun11) from the OpenVPN server.

In fact the OpenVPN server is running on a Tomato router that has several physical and virtual interfaces.

Following are the server side (Tomato router) interfaces:

br0 Link encap:Ethernet HWaddr BC:XX:7B:XXB:TT
inet addr: Bcast: Mask:

tun21 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr: P-t-P: Mask:

vlan2 Link encap:Ethernet HWaddr 11:EE:7B:ZZ:YY:FF
inet addr: Bcast: Mask:

The workplace internet connection (the only network cable that is connected to the OpenVPN server is to the WAN of the Tomato router).

The workplace subnet is in range and the LAN of the Tomato router is and the workplace gives a static IP address to the WAN port of the Tomato router.

The problem is that the OpenVPN client (with CommonName (CN) client_remote) can access the workplace subnet without any restriction.

I want to block access to the workplace network ( for all clients whose IP addresses are in range and/or whose client VPN interface static IP is in range

I prefer not to take out the server-bridge or client-to-client options (since there are a huge number of clients that must have access to each other and even the workplace network - but very few with restricted access).
I am not sure if I have to use ebtables or iptables and what commands I have to add to my firewall scripts.
Thanks in advance

Last edited by sunsina; 03-20-2014 at 07:32 PM.
Old 03-26-2014, 12:11 PM   #2
iptables -A CUSTOMFORWARD -s ! -d -j DROP

This is the basic layout for blocking IPs in the /etc/sysconfig/firewall.local file.

This is just a basic layout, I hope it helps.
  #!/bin/sh
  # Used for private firewall rules
  # See how we were called.
  case "$1" in
    start)
        ## add your 'start' rules here
        iptables -A CUSTOMFORWARD -s x.x.x.x/24 -d y.y.y.y -j ACCEPT
        iptables -A CUSTOMFORWARD -s x.x.x.x/24 -d a.a.a.a -j ACCEPT
        iptables -A CUSTOMFORWARD -s x.x.x.x/24 -j DROP
        ;;
    stop)
        ## add your 'stop' rules here
        iptables -D CUSTOMFORWARD -s x.x.x.x/24 -d y.y.y.y -j ACCEPT
        iptables -D CUSTOMFORWARD -s x.x.x.x/24 -d a.a.a.a -j ACCEPT
        iptables -D CUSTOMFORWARD -s x.x.x.x/24 -j DROP
        ;;
    reload)
        ## add your 'reload' rules here
        $0 stop
        $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|reload}"
        exit 1
        ;;
  esac
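The restriction the thread asks for, written as an added example that is not from either poster: a dedicated chain hooked at the top of FORWARD on the OpenVPN server, dropping traffic from a restricted VPN client range to the workplace LAN while leaving all other clients alone. It assumes the tun21 device from the question; the address ranges and the chain name are constructed placeholders, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread. All addresses are constructed
# placeholders standing in for the ranges the poster left out.
VPN_IF="tun21"                  # server-side tun device named in the question
VPN_RESTRICTED="10.8.0.128/25"  # constructed: restricted client IP range
WORK_LAN="192.168.50.0/24"      # constructed: workplace subnet to protect
CHAIN="VPN_RESTRICT"            # constructed chain name

# Print (DRY_RUN=1) or execute one iptables command.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# Build the rule set. Only packets the kernel forwards reach these rules:
# with client-to-client enabled, OpenVPN switches client-to-client traffic
# internally and it never enters FORWARD, so this only restricts access to
# the workplace LAN, which is exactly the poster's goal.
apply_rules() {
    run -N "$CHAIN" 2>/dev/null
    run -F "$CHAIN"
    # Let replies to flows the LAN itself initiated continue.
    run -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Restricted clients may not open anything towards the workplace LAN.
    run -A "$CHAIN" -s "$VPN_RESTRICTED" -d "$WORK_LAN" -j DROP
    # Everyone else falls through to the existing FORWARD policy.
    run -A "$CHAIN" -j RETURN
    # Evaluate the chain before any blanket ACCEPT already in FORWARD.
    run -I FORWARD 1 -i "$VPN_IF" -j "$CHAIN"
}

# Number of commands the rule set consists of (useful for a dry-run check).
rule_count() {
    DRY_RUN=1 apply_rules | wc -l | tr -d ' '
}
```

Verify the order with `DRY_RUN=1 ./script.sh` before running it for real, and check `iptables -L FORWARD -v -n` afterwards to confirm the jump sits above the existing accept rules.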

