Iptables – Openvpn – enabled traffic forwarding but want to restrict it

Tags: iptables, openvpn

I have a server/client OpenVPN setup with all client traffic directed through the tunnel via UDP. I'd like to restrict what type of applications the client can use whilst connected to my VPN. To begin with I'd just like the clients to be able to browse.

How would you go about doing this with iptables?

At what end would you place these restrictions, i.e. on the server's tun adapter or its public-facing eth0 adapter?

***** UPDATE *****
As per PQD's suggestion I updated my iptables, but for some reason it's allowing traffic on other ports to be forwarded. To test, I tried downloading Ubuntu via torrent as a client on my VPN and it worked fine when it shouldn't (the port number in the torrent client is not to blame).

Can anyone spot a mistake in my iptables?

#!/bin/bash


SERVER_IP="***.***.***.***"
HOME_IP="***.***.***.***"
CLIENT_IP_RANGE="***.***.***.***/**"
# Flush all current rules from iptables
 iptables -F

# Allow SSH connections on tcp port 22

 iptables -A INPUT -p tcp --dport 22 -s $HOME_IP -j ACCEPT
 iptables -A OUTPUT -p tcp --sport 22 -d $HOME_IP -j ACCEPT

#Only ping my server from my home 
 iptables -A INPUT -p icmp --icmp-type 8 -s $HOME_IP -j ACCEPT

# Set default policies for INPUT, FORWARD and OUTPUT chains
#
 iptables -P INPUT DROP
 iptables -P FORWARD DROP
 iptables -P OUTPUT ACCEPT

# Set access for localhost
#
 iptables -A INPUT -i lo -j ACCEPT

# Accept packets belonging to established and related connections
#
 iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Setup OpenVpn
 iptables -A INPUT -i tun+ -j ACCEPT
 iptables -A OUTPUT -o tun+ -j ACCEPT
 iptables -A INPUT -i venet0 -p udp --dport 1194 -j ACCEPT
 iptables -A INPUT -i venet0 -p tcp --dport 1194 -j ACCEPT
 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 iptables -A FORWARD -s $CLIENT_IP_RANGE -p tcp --dport 80 -j ACCEPT
 iptables -A FORWARD -s $CLIENT_IP_RANGE -p tcp --dport 8000 -j ACCEPT
 iptables -A FORWARD -s $CLIENT_IP_RANGE -p icmp -j ACCEPT
 iptables -A FORWARD -s $CLIENT_IP_RANGE -j DROP
#Setup NAT for openvpn
 iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE

# Save settings
#
 /sbin/service iptables save

Update with the output of iptables -nL FORWARD:

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     tcp  --  10.254.1.0/24        0.0.0.0/0           tcp dpt:80
ACCEPT     tcp  --  10.254.1.0/24        0.0.0.0/0           tcp dpt:8000
ACCEPT     icmp --  10.254.1.0/24        0.0.0.0/0
DROP       all  --  10.254.1.0/24        0.0.0.0/0

Best Answer

I would do it just based on source IP [in this example I assume VPN users have addresses from 10.0.15.0/24]:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s 10.0.15.0/24 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 10.0.15.0/24 -p icmp -j ACCEPT
iptables -A FORWARD -s 10.0.15.0/24 -j DROP

Do remember that smarter users might tunnel unwanted traffic over HTTP/HTTPS.
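
As an added illustration (not part of the original answer), the following Python models the answer's four FORWARD rules with netfilter's first-match semantics and the chain's DROP policy, then runs constructed sample packets through it, including a reply packet and an HTTPS request that the rule set does not allow. The client range 10.0.15.0/24 is the answer's assumption; the addresses, ports and connection states in the samples are made up for the example.

```python
import ipaddress

CLIENTS = ipaddress.ip_network("10.0.15.0/24")  # VPN client range assumed in the answer

# One entry per iptables rule, in chain order: (match predicate, target).
# netfilter takes the target of the first rule whose match succeeds.
FORWARD = [
    # iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    (lambda p: p["state"] in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    # iptables -A FORWARD -s 10.0.15.0/24 -p tcp --dport 80 -j ACCEPT
    (lambda p: p["src"] in CLIENTS and p["proto"] == "tcp" and p["dport"] == 80, "ACCEPT"),
    # iptables -A FORWARD -s 10.0.15.0/24 -p icmp -j ACCEPT
    (lambda p: p["src"] in CLIENTS and p["proto"] == "icmp", "ACCEPT"),
    # iptables -A FORWARD -s 10.0.15.0/24 -j DROP
    (lambda p: p["src"] in CLIENTS, "DROP"),
]
POLICY = "DROP"  # iptables -P FORWARD DROP


def verdict(packet, chain=FORWARD, policy=POLICY):
    """Target of the first matching rule, or the chain policy if none matches."""
    for match, target in chain:
        if match(packet):
            return target
    return policy


def pkt(src, proto, dport=None, state="NEW"):
    """Minimal packet record with the conntrack state the kernel would attach."""
    return {"src": ipaddress.ip_address(src), "proto": proto, "dport": dport, "state": state}


# Constructed sample traffic (documentation-range addresses, arbitrary ports).
SAMPLES = {
    "client web":     pkt("10.0.15.7", "tcp", 80),
    "client https":   pkt("10.0.15.7", "tcp", 443),   # not in the allow list
    "client torrent": pkt("10.0.15.7", "tcp", 6881),
    "client utp":     pkt("10.0.15.7", "udp", 6881),
    "client ping":    pkt("10.0.15.7", "icmp"),
    "web reply":      pkt("203.0.113.10", "tcp", 51234, state="ESTABLISHED"),
    "other subnet":   pkt("192.168.1.5", "tcp", 80),  # no rule matches: policy applies
}


def evaluate(samples=SAMPLES):
    """Map each sample name to the FORWARD chain's verdict for it."""
    return {name: verdict(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, v in evaluate().items():
        print(f"{name:15s} -> {v}")
```

With these rules the model drops new TCP and UDP flows to the torrent ports and also drops HTTPS, so a client that can only "browse" plain HTTP is what the rule set actually grants; if real traffic passes where the model says DROP, compare against the packet counters shown by iptables -nvL FORWARD to see whether those packets are reaching the chain at all.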
