Iptables – openvpn: can’t manage to control client-to-client connections with iptables

Tags: centos7, docker, iptables, openvpn

I tried this article: http://backreference.org/2010/05/02/controlling-client-to-client-connections-in-openvpn/ but had no luck.

I'm new to iptables. Can you please have a look at my configuration?

The Docker container (I'm using this one: https://github.com/kylemanna/docker-openvpn) runs in host network mode.

I'm using CentOS 7 with firewalld disabled and iptables installed and enabled.

ip_forward is enabled.

# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

redirect-gateway def1 is turned off as I don't need to route internet traffic through the VPN server.

Here are initial iptables rules.

[root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Every client has a configuration file in the ccd directory with a static IP.
Here's how I do it for one of the clients:

ifconfig-push 10.8.0.102 10.8.0.1

In my openvpn.conf I have the client-to-client directive disabled.

I have a tun0 interface and the 10.8.0.0/24 network.

First off, I allow already established connections:

iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

Then I set forward rules so that 2 clients can reach each other:

iptables -A FORWARD -s 10.8.0.10 -d 10.8.0.102 -j ACCEPT
iptables -A FORWARD -s 10.8.0.102 -d 10.8.0.10 -j ACCEPT

After all that, it doesn't work. When I perform ping 10.8.0.102 from my Mac (which has IP 10.8.0.10) I get:

➜  ~ ping 10.8.0.102
PING 10.8.0.102 (10.8.0.102): 56 data bytes
36 bytes from gwr-vl-201.**** (***.**.**.133): Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 29e3   0 0000  3d  01 8749 192.168.1.103  10.8.0.102

192.168.1.103 is my LAN address.

Here's my route table on the Mac:

➜  ~ netstat -nr
Routing tables

Internet:
Destination        Gateway            Flags        Refs      Use   Netif Expire
default            192.168.1.1        UGSc           65        0     en0
10.8.0.1           10.8.0.10          UH              0        0   utun1
46.101.242.41/32   192.168.1.1        UGSc            0        0     en0
127                127.0.0.1          UCS             0        0     lo0
127.0.0.1          127.0.0.1          UH             24     2286     lo0
169.254            link#4             UCS             0        0     en0
192.168.1          link#4             UCS             0        0     en0
192.168.1.1/32     link#4             UCS             2        0     en0
192.168.1.1        84:16:f9:c5:c4:da  UHLWIir        63       26     en0   1043
192.168.1.103/32   link#4             UCS             0        0     en0
224.0.0/4          link#4             UmCS            1        0     en0
224.0.0.251        1:0:5e:0:0:fb      UHmLWI          0        0     en0
255.255.255.255/32 link#4             UCS             0        0     en0

And my route table on the server:

[]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         217.182.88.1    0.0.0.0         UG    100    0        0 eth0
10.8.0.0        10.8.0.2        255.255.255.0   UG    0      0        0 tun0
10.8.0.2        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-44c0269fbf91
217.**.**.1    0.0.0.0         255.255.255.255 UH    100    0        0 eth0
217.**.**.**1  0.0.0.0         255.255.255.255 UH    100    0        0 eth0

What am I missing?

Thanks in advance!

Best Answer

I finally got it to work!

All I had to do was add push "route 10.8.0.0 255.255.255.0" to the server config.

After that I can create arbitrary iptables forward rules (as I did in the post above) and then add

iptables -A FORWARD -j DROP

to deny everything else.
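The accepted answer put together as a script is an added example, not the poster's own configuration: it assumes tun0 and 10.8.0.0/24 as in the question plus a constructed list of allowed client pairs, and scopes every rule (including the final DROP) to tun0 so Docker's bridge forwarding in the same FORWARD chain is left untouched.

```shell
#!/bin/sh
# Added example (not from the original post): generate the client-to-client
# FORWARD rules and the server-side route push described in the answer.
# Assumptions: VPN interface tun0, subnet 10.8.0.0/24; the pair list is constructed.

VPN_IF="tun0"
VPN_NET="10.8.0.0/24"

# Constructed sample policy: one "src dst" pair per line.
ALLOWED_PAIRS="10.8.0.10 10.8.0.102"

# Read "src dst" pairs from stdin and print the iptables commands.
# Both -i and -o are tun0, so the rules only govern traffic between VPN
# clients and the closing DROP cannot block Docker's docker0/bridge forwarding.
gen_rules() {
    echo "iptables -A FORWARD -i $VPN_IF -o $VPN_IF -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    while read -r src dst; do
        [ -z "$src" ] && continue
        # Allow both directions explicitly: conntrack only covers replies to
        # a flow that was already accepted, not a new connection from dst.
        echo "iptables -A FORWARD -i $VPN_IF -o $VPN_IF -s $src -d $dst -j ACCEPT"
        echo "iptables -A FORWARD -i $VPN_IF -o $VPN_IF -s $dst -d $src -j ACCEPT"
    done
    # Everything else between VPN clients is dropped.
    echo "iptables -A FORWARD -i $VPN_IF -o $VPN_IF -s $VPN_NET -d $VPN_NET -j DROP"
}

# The openvpn.conf line from the answer. Without it a client has only a
# host route to 10.8.0.1, so packets for 10.8.0.102 leave via the LAN
# interface (the 192.168.1.103 source seen in the question's ping output).
server_push_line() {
    echo "push \"route ${VPN_NET%/*} 255.255.255.0\""
}

# Number of rules produced for the sample policy (sanity check helper).
rule_count() {
    echo "$ALLOWED_PAIRS" | gen_rules | wc -l | tr -d ' '
}

server_push_line
echo "$ALLOWED_PAIRS" | gen_rules
```

The script prints the commands rather than executing them; review the output and pipe it through sh on the server once the route push is in place.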