Iptables – allow remote VPN users to access services running on server

firewalliptablesstrongswanvpn

I am trying to setup VPN server (strognswan) and allow remote users access services like redis, nginx, mongodb etc. via VPN only – users should not have access to internet via VPN.

I'am able to connect to VPN server and send ping (iptables is allowing that), but i can't separate Internet (my public IP) and VPN network (10.10.10.0/24).

When i opening port 8080 i can access service via VPN, but also it is visible from by public IP.

My question is, how setup iptables allowing VPN users to access services on server but block others users from Internet?

#ipsec.conf - left

left=#myPublicIP
leftid=@mydomain.com
leftsubnet=#myPublicIP/32
leftfirewall=yes
lefthostaccess=yes

Best Answer

You need to add commands that you're using to configure iptables to allow ports, because I think that you're missing some important options.

For example, if the VPN interface is named tap0, to open a port only for VPN clients you can use this form of command with iptables:

# iptables -A INPUT -i tap0 -m tcp -p tcp --dport 8080 -j ACCEPT

(pay attention to each parameter, expecially -A and the order of rules, which is very important on iptables)

Related Solutions

Iptables – Route a specific user’s traffic via VPN but still allow local networking

first add a firewall rules:

iptables -t mangle -A OUTPUT -m owner --uid USER -j MARK --set-mark 1
iptables -t nat -A POSTROUTING -m mark --mark 1 -j MASQUERADE

then add a routing rule:

ip rule add fwmark 0x1 table 100

and then add routes to your new routing table:

ip route add SOMEROUTE via SOMEGATEWAY table 100

Get Windows Firewall to allow connection from user coming in via VPN (Routing and Remote Access)

Couldn't comment due to low rep.

What kind of FTP server is it? Since I usually run Linux FTP servers, I would put the FTP server on a vLAN (on a different subnet). You could configure the VPN machines to connect to that subnet instead of the main subnet for the rest of the network by making the VPN Server a member of the vLAN network (with a virtual adapter). That would work well especially if the VPN machines connect to the internet through their own local networks instead of through the VPN tunnel (force tunnelling off). It really depends on your configuration though. My suggestion would be especially easy to implement if the FTP server is running as a virtual machine (then you just make it's adapter internal, and VPNs would connect through a bridge on the VPN server). Just some ideas. What is the exact setup you are using for your FTP and VPN servers? You said you are running FTP as a server role, so maybe you could consider setting it up as an Hyper-V client instead? I'm not a networking expert though, more familiar with VM setups where are the server components are kept discrete from each other (makes management easier IMHO).

Best Answer

Related Solutions

Iptables – Route a specific user’s traffic via VPN but still allow local networking

Get Windows Firewall to allow connection from user coming in via VPN (Routing and Remote Access)

Related Topic