LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-09-2014, 03:13 AM   #1
turalo
Member
 
Registered: Sep 2005
Location: NL
Distribution: linux, windows,
Posts: 115

Rep: Reputation: 19
Question: How to block any access from public IP and allow only local access via VPN


Hi guys,

I need a little help with configuring my iptables.

I have 1 server on a public IP address. This server has a webserver on it, Apache, which is accessible on ports 80 and 9080.
Normally this web server is accessible to the public.

I want to change this. I want to make sure that it's only accessible for the local users on IP: 192.168.0.x
I have installed the default pptpd VPN server on this machine, so I can make a VPN connection with it.
So only users that are connected by VPN and get IP 192.168.0.x can access the webserver; all other requests from public IPs should be rejected.

Now, I also have webmin on this server, so I can manage the iptables via GUI.
I have tried to change the web access rule and set Source IP to 192.168.0.1, but that does not work.
If I set it to reject all then it works, but not when I say only the 192. IP address; then it just works for the public too.

Please help.

Thanks in advance.

Last edited by turalo; 10-09-2014 at 03:14 AM.
 
Old 10-09-2014, 10:35 AM   #2
nmo
LQ Newbie
 
Registered: Jul 2014
Distribution: Debian
Posts: 21

Rep: Reputation: 8
While I agree this could be done with iptables rules, I think it may be simpler and more effective to handle this from your web server configuration. You should be able to bind the web server to a specific IP address. That will make it only listen on that IP.
 
Old 10-09-2014, 11:11 AM   #3
turalo
Member
 
Registered: Sep 2005
Location: NL
Distribution: linux, windows,
Posts: 115

Original Poster
Rep: Reputation: 19
Quote:
Originally Posted by nmo View Post
While I agree this could be done with iptables rules, I think it may be simpler and more effective to handle this from your web server configuration. You should be able to bind the web server to a specific IP address. That will make it only listen on that IP.


That is an option, but then I will have to do that also with webmin, and other things like ssh etc.
I thought it would be much simpler if I did that in iptables, without altering any internal settings.
 
Old 10-09-2014, 11:15 AM   #4
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,278

Rep: Reputation: 1694
Can you provide a quicklist of things that you need to be accessible from External and Internal? Eg:

External:
  • SSH
  • Webmin

Internal:
  • Port 8888
  • Telnet
  • FTP

Giving you one rule might mess everything up, if we are not aware of your full configuration intentions.
 
Old 10-09-2014, 01:17 PM   #5
turalo
Member
 
Registered: Sep 2005
Location: NL
Distribution: linux, windows,
Posts: 115

Original Poster
Rep: Reputation: 19
Quote:
Originally Posted by szboardstretcher View Post
Can you provide a quicklist of things that you need to be accessible from External and Internal? Eg:

External:
  • SSH
  • Webmin

Internal:
  • Port 8888
  • Telnet
  • FTP

Giving you one rule might mess everything up, if we are not aware of your full configuration intentions.


It's basically a VoIP server. I only need VoIP signalling and RTP, that's 5060 and 10000-20000, and 1723 for the VPN.
All others I have blocked, but I do need ssh and web from inside, for the users that come via VPN and get a 192... IP.


So normally it should work on iptables, but somehow it's not.

All other ports are blocked well, I have tested it. And if I block the web and ssh with drop it works too, but then it also blocks access for the VPN 192... local users.

Thanks in advance.
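An added example, not posted in the thread, of an iptables ruleset for the setup turalo describes: VoIP and PPTP open to the public, while web, ssh and webmin accept only packets that arrive on a VPN tunnel interface from the VPN address range. Assumptions: pptpd hands clients 192.168.0.0/24 on `ppp+` interfaces, SIP runs over UDP, webmin sits on its default TCP port 10000, and the `IPT` variable lets the rules be previewed (`IPT="echo iptables"`) before being applied as root.

```shell
#!/bin/sh
# Constructed example (not the thread's own config). Assumed: VPN clients
# get 192.168.0.0/24 on ppp+ interfaces, SIP on UDP, webmin on TCP 10000.
# IPT defaults to the real iptables; set IPT="echo iptables" to preview.
IPT="${IPT:-iptables}"
VPN_NET="192.168.0.0/24"

rules() {
    # Default-deny inbound, allow outbound, start from an empty INPUT chain.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F INPUT
    # Loopback, and replies belonging to connections this host already tracks.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Public side: SIP signalling, the RTP range, PPTP control and its GRE tunnel.
    $IPT -A INPUT -p udp --dport 5060 -j ACCEPT
    $IPT -A INPUT -p udp --dport 10000:20000 -j ACCEPT
    $IPT -A INPUT -p tcp --dport 1723 -j ACCEPT
    $IPT -A INPUT -p gre -j ACCEPT
    # ssh, web (80/9080) and webmin: only from VPN addresses AND only via a
    # ppp interface, so a packet spoofing 192.168.0.x on the public interface
    # does not match. There is deliberately no unrestricted ACCEPT for these
    # ports; an earlier one in the chain would match before these rules.
    for port in 22 80 9080 10000; do
        $IPT -A INPUT -i ppp+ -s "$VPN_NET" -p tcp --dport "$port" -j ACCEPT
    done
    # Everything else falls through to the DROP policy; log a rate-limited
    # sample so blocked attempts can be reviewed.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
}

# Apply only when explicitly asked: `sh rules.sh apply`
if [ "${1:-}" = "apply" ]; then
    rules
fi
```

Check the result with `iptables -L INPUT -v -n --line-numbers`; the VPN-only rules must come before any other ACCEPT for the same ports.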