LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 02-01-2015, 08:12 PM   #1
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,280

Rep: Reputation: 354Reputation: 354Reputation: 354Reputation: 354
Looking for ideas: Limiting what VPN clients can access


I have an OpenVPN server running on my router (my routers Tomato firmware includes OpenVPN). When away, I connect my laptop via VPN and have access to my home LAN. All works well.

What I want to add now, is have my sons router act as a VPN client to my VPN server. That should be easy enough to set up (his router runs Tomato also, and that includes VPN client). But I want his home LAN VPN'ed to my home LAN with very restricted access. Specifically, I want him to only be be able to access the DLNA media server on one of my home computers.

I am looking for suggestions of how best to accomplish this.

I was thinking of using iptables (also included in my routers Tomato firmware). I could possibly use this to allow my laptops MAC address, and ONLY my laptops MAC address, full access to my home LAN, and block all other MAC addresses access to my LAN except to the IP/Port(s) of the DLNA media server. I'm not really worried about MAC spoofing, because before even hitting the firewall rules, you'd have to be successfully VPN'ed in already.

The reason why I'm wanting to limit access is to protect my home network from potential viruses and other malware that could existing on my sons LAN. He runs what security software I tell him on his computer, so I feel he himself is pretty safe, but he does have friends that hook up their unknown laptops to his WiFi. I known, bad idea, but it's his house and his network.

I have considered and ruled out simply opening up my DLNA server to him using port forwarding. VPN is much more secure than port forwarding.

Does anyone have suggestions for better ways to implement the connection and security I'm after? Thanks in advance!
 
Old 02-01-2015, 09:18 PM   #2
Miati
Member
 
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326

Rep: Reputation: 106Reputation: 106
I'm not familiar with VPN's, but using iptables should permit this
I've also minimal experience with forwarding (router) setup of iptables, but this should get you started.

iptables mac matching
https://www.frozentux.net/iptables-t....html#MACMATCH

If you only want yourself to be able to access the server from one MAC address
Code:
iptables -A INPUT -p tcp -m mac --mac-source 00:00:00:00:00:01 -j ACCEPT
If I read you right, you want anyone in your vpn to be able to access the media server, but nowhere else.

Code:
iptables -A INPUT -p tcp -s 192.168.1.1/24 -d 192.168.1.999 --dport 7000:8000 -j ACCEPT
-s = source ips or everything in LAN; -d destination ip (the media server) --dport destination ports
Ajust ip & port ranges as needed.

This link may be helpful as well
https://www.frozentux.net/iptables-tutorial/chunkyhtml/

Last edited by Miati; 02-01-2015 at 09:29 PM.
 
Old 02-03-2015, 01:08 PM   #3
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,280

Original Poster
Rep: Reputation: 354Reputation: 354Reputation: 354Reputation: 354
Thanks for the reply Miati. I am now checking into the idea of not using the MAC address, but rather the VPN server that is used. The firmware on my router allows two different VPN servers, given interface names of "tun21" and "tun22". I can set up iptables rules based on which interface is used by the VPN client. I would use tun21 myself, and have full access to my LAN. And I would have my son (and any other VPN'ers I allow in the future) use tun22 which would have very restricted access. Anyway, I'm still deciding on the best path. But as of right now, I think I'm starting to like basing things on the interface used, not the MAC address.
 
Old 02-03-2015, 08:30 PM   #4
polaris96
Member
 
Registered: Jan 2015
Distribution: Slackware, LFS, OpenIndiana, debian wheezy
Posts: 55

Rep: Reputation: Disabled
why not just forward the port for your media server? You can probably do that using native router functions.

Don't get me wrong, IPTABLES is great but if you only want him getting web or one service from your LAN, why not just set a port forwarding rule to handle it?
 
Old 02-04-2015, 09:15 AM   #5
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,280

Original Poster
Rep: Reputation: 354Reputation: 354Reputation: 354Reputation: 354
Quote:
Originally Posted by polaris96 View Post
why not just forward the port for your media server? You can probably do that using native router functions.

Don't get me wrong, IPTABLES is great but if you only want him getting web or one service from your LAN, why not just set a port forwarding rule to handle it?
There are two reasons.

(1) I don't want just anybody to get to my media server. Port forwarding would allow that. I could use iptables to provide some protection however. But VPN provides a more secure way of managing external users. Also, see (2) below.

(2) The media server I use, Plex Media Server, will require authentication if accessed from outside your LAN. This is hard coded into it. This authentication has to come from external Plex servers (owned by the company, not me). They call this a "Plex Account". I don't like a middle-man providing my security. As a matter of fact, there was a significant flaw within the last year in what Plex was doing that allowed unauthorized access. The fix was an immediate upgrade to their software. This illustrates exactly what I am afraid of when turning over security to a 3rd party. Plex is a media company, not a security company. So it is almost predictable that they would fall flat on their face regarding security issues. With VPN I can put external users on my LAN, thus bypassing the need to get Plex the 3rd party involved in authentication. My authentication is "you have to be successfully VPN'ed in the first place, and it's not easy to VPN into somebodys system that doesn't want you." Using VPN takes Plex (the 3rd party) totally out of the authentication process.
 
Old 02-04-2015, 11:39 AM   #6
Miati
Member
 
Registered: Dec 2014
Distribution: Linux Mint 17.*
Posts: 326

Rep: Reputation: 106Reputation: 106
Quote:
This is hard coded into it. This authentication has to come from external Plex servers (owned by the company, not me).
IMO, I don't like giving giving auth authority to external sources when controlling my own hardware!

Is there a reason you're using Plex? Seems like it's the weak-link. Perhaps use Network File System (NFS), Samba (CIFS), or good ol' SSH.
Samba would work best if anyone is using windows.

Since you're setup with coverage so that anyone trying to access would be in LAN and would otherwise be restricted, NFS & Samba would work well (SSH sftp works good anywhere )
 
Old 02-04-2015, 01:30 PM   #7
haertig
Senior Member
 
Registered: Nov 2004
Distribution: Debian, Ubuntu, LinuxMint, Slackware, SysrescueCD, Raspbian, Arch
Posts: 2,280

Original Poster
Rep: Reputation: 354Reputation: 354Reputation: 354Reputation: 354
Media servers go far beyond simple file sharing mechanisms. That's why I use Plex. It's actually quite good, except for the security part. I imagine its security is at least as good as other products, which to me, is not saying much. I prefer to control my own security. If keep up to date, I trust OpenVPN, OpenSSH, OpenSSL and ... well, I guess that's pretty much it. I do also use NoMachine NX, but that runs on top of SSH/SSL handling the security part of things.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] PPTP VPN Server Issue w/VPN access AmberM Linux - Newbie 2 02-17-2014 11:34 AM
[SOLVED] Windows7 VPN clients behind Debian Gateway can not connect to Draytek VPN neopandid Linux - Server 3 09-01-2012 12:34 AM
VPN connects, can't ping or RDP from linux clients, but Win clients are fine davidbell.mscf Linux - Networking 1 02-28-2011 06:11 PM
Need suggestions/ideas on how to troubleshoot/fix vpn server issue gafir777 Linux - Server 2 01-13-2010 08:52 AM
need ideas: pulling files from PCs on VPN beeblequix Linux - Enterprise 5 12-01-2006 07:06 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 02:36 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration