iprange -dst-range on vpn
Hello,
I don't understand the difference between option -d and iprange. Example: this works:
Code:
-A OUTPUT -p udp -m udp -d 103.107.197.0/24 --dport 1194 -j ACCEPT
This doesn't work:
Code:
-A OUTPUT -p udp -m udp -m iprange --dst-range 37.120.217.84-37.120.217.170 --dport 1194 -j ACCEPT
My iptables:
Code:
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

# Set a default DROP policy.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Allow basic INPUT traffic.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT

# Allow basic OUTPUT traffic.
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

# Allow traffic to the OpenVPN server and via the tunnel.
-A OUTPUT -o proton0 -j ACCEPT
-A OUTPUT -p udp -m udp -d 103.107.197.0/24 --dport 1194 -j ACCEPT
-A OUTPUT -p udp -m udp -d 103.107.197.0/24 --dport 5060 -j ACCEPT
-A OUTPUT -p udp -m udp -d 103.107.197.0/24 --dport 9050 -j ACCEPT
-A OUTPUT -p udp -m udp -d 103.107.197.0/24 --dport 4569 -j ACCEPT

# Reject everything else.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
I don't know exactly what you mean when you say that the second rule doesn't work (I see that the IPs are different, but I'm guessing you understand that), but the difference is that with iprange you can give it an arbitrary IP range, regardless of subnetting. So you don't need to specify a network mask, like you do with -d. (With -d, not specifying a network mask means only the IP itself, of course.)
Hi,
I want to set up a VPN, as you see, but I'd like to put only the server range. Example:
Code:
####server UK
-A OUTPUT -p udp -m udp -m iprange --dst-range 103.107.197.35-103.107.197.127 --dport 1194 -j ACCEPT
I can't get a connection with this rule. Only with this can I get a connection:
Code:
##server UK
-A OUTPUT -p udp -m udp -d 103.107.197.0/24 --dport 1194 -j ACCEPT
Sure, I have to learn more about iptables. Thanks
So you're setting up these rules on the client side, if I understand correctly?
If yes, then the iprange rule is correct in and of itself. But that's not a perfect overlap. /24 means .1-.254, whereas your iprange rule is restricted to .35-.127. So if your VPN server does not belong to that range, of course it won't work. Other than that there's no difference between -d and iprange.
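As an added illustration (not code from anyone in this thread), the following Python emulates the two matching modes with the addresses discussed above and shows how many -d rules one --dst-range stands in for; the rule template (OUTPUT, udp, port 1194) is assumed from the poster's ruleset:

```python
import ipaddress

# Addresses taken from the thread: the /24 used with -d and the narrower --dst-range.
CIDR_RULE = "103.107.197.0/24"
RANGE_RULE = ("103.107.197.35", "103.107.197.127")


def cidr_matches(cidr, ip):
    """Emulate '-d CIDR': a bare address becomes /32 (as with -d);
    strict=False masks off host bits the way iptables does."""
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(cidr, strict=False)


def range_matches(first, last, ip):
    """Emulate '-m iprange --dst-range FIRST-LAST': an inclusive numeric
    comparison, so no netmask is involved at all."""
    lo, hi, target = (int(ipaddress.IPv4Address(a)) for a in (first, last, ip))
    return lo <= target <= hi


def cidr_bounds(cidr):
    """First and last address a CIDR block matches (network and broadcast included)."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks that together equal one FIRST-LAST range."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(b) for b in blocks]


def equivalent_d_rules(first, last, dport=1194):
    """The '-d' rules needed to replace a single iprange rule (template assumed from the thread)."""
    return ["-A OUTPUT -p udp -m udp -d %s --dport %d -j ACCEPT" % (c, dport)
            for c in range_to_cidrs(first, last)]


if __name__ == "__main__":
    print("/24 covers", cidr_bounds(CIDR_RULE))
    for ip in ("103.107.197.100", "103.107.197.200"):
        print(ip, "-d:", cidr_matches(CIDR_RULE, ip),
              "iprange:", range_matches(*RANGE_RULE, ip))
    print("\n".join(equivalent_d_rules(*RANGE_RULE)))
```

A server at .200 is accepted by the /24 rule but not by the .35-.127 range, which is exactly the mismatch described above; the range itself needs five -d rules to express without iprange.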
Yes, it's a client, and yes: the range belongs to the server. I wish to narrow it down. I need to study more. Thanks
Code:
iptables -I OUTPUT -p udp -m udp --dport 1194 -j LOG --log-prefix "OVPN: " --log-level 4
If you use CentOS/Alma/Rocky/RHEL, then add the uncommented line in /etc/rsyslog.conf and check /var/log/kern.
Code:
#kern.* /dev/console