I have a server/client OpenVPN setup with all client traffic directed through the tunnel via UDP. I'd like to restrict what type of applications the client can use whilst connected to my VPN. To begin with I'd just like the clients to be able to browse.
How would you go about doing this with iptables?
At what end would you place these restrictions, i.e. on the server's tun adapter or its public-facing eth0 adapter?
UPDATE
As per PQD's suggestion I updated my iptables, but for some reason it's allowing traffic on other ports to be forwarded. To test, I tried downloading Ubuntu via torrent as a client on my VPN and it worked fine when it shouldn't (the port number in the torrent client is not to blame).
Can anyone spot a mistake in my iptables?
#!/bin/bash
SERVER_IP="***.***.***.***"
HOME_IP="***.***.***.***"
CLIENT_IP_RANGE="***.***.***.***/**"

# Flush all current rules from iptables (filter table and nat table;
# "iptables -F" alone leaves the old MASQUERADE rule behind on every re-run)
iptables -F
iptables -t nat -F

# Allow SSH connections on tcp port 22, but only from home
iptables -A INPUT -p tcp --dport 22 -s $HOME_IP -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -d $HOME_IP -j ACCEPT

# Only ping my server from my home
iptables -A INPUT -p icmp --icmp-type 8 -s $HOME_IP -j ACCEPT

# Set default policies for INPUT, FORWARD and OUTPUT chains
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Set access for localhost
iptables -A INPUT -i lo -j ACCEPT

# Accept packets belonging to established and related connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Set up OpenVPN: trust the tunnel interfaces and accept the daemon's
# port on the public interface (venet0)
iptables -A INPUT -i tun+ -j ACCEPT
iptables -A OUTPUT -o tun+ -j ACCEPT
iptables -A INPUT -i venet0 -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i venet0 -p tcp --dport 1194 -j ACCEPT

# Forwarding for VPN clients: first match wins, so replies first, then the
# allowed ports, then drop everything else from the client range
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $CLIENT_IP_RANGE -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s $CLIENT_IP_RANGE -p tcp --dport 8000 -j ACCEPT
iptables -A FORWARD -s $CLIENT_IP_RANGE -p icmp -j ACCEPT
iptables -A FORWARD -s $CLIENT_IP_RANGE -j DROP

# Set up NAT for OpenVPN clients leaving via the public interface
iptables -t nat -A POSTROUTING -o venet0 -j MASQUERADE

# Save settings
/sbin/service iptables save
Update with the output of iptables -nL FORWARD:
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT tcp -- 10.254.1.0/24 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 10.254.1.0/24 0.0.0.0/0 tcp dpt:8000
ACCEPT icmp -- 10.254.1.0/24 0.0.0.0/0
DROP all -- 10.254.1.0/24 0.0.0.0/0
Best Answer
I would do it just based on source IP [in this example I assume VPN users have addresses from 10.0.15.0/24]:
Do remember that smarter users might tunnel unwanted traffic over HTTP/HTTPS.
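As an added example (not the poster's script and not the answer's rules), here is a shell function that builds the source-IP-based, browse-only FORWARD chain the answer describes, placed on the server's FORWARD chain between the tun+ interface and the public interface, which also answers the "which adapter" question. It goes slightly beyond the port-80 rule on the page by assuming "browsing" means DNS plus HTTP/HTTPS, takes the subnet 10.254.1.0/24 and interface venet0 from the posted listing, flushes the nat table too (so re-running does not stack MASQUERADE rules), and logs before the final DROP so the kernel log shows which client connections the chain is really rejecting; run it with IPT=echo to print the commands without root.

```shell
#!/bin/sh
# Added example, not the poster's script: build a browse-only FORWARD chain
# for an OpenVPN gateway. Assumptions: VPN subnet 10.254.1.0/24 (from the
# posted listing), tun+ / venet0 interface names, "browse" = DNS + HTTP + HTTPS.
# Run with IPT=echo to print the commands without root or iptables installed.
IPT="${IPT:-iptables}"

# vpn_forward_rules SUBNET WAN_IF [VPN_IF]
# Rules are appended in match order; iptables takes the first match, so the
# specific ACCEPTs must precede the LOG + DROP catch-all.
vpn_forward_rules() {
    subnet="$1"; wan="$2"; vpn="${3:-tun+}"

    # Flush both tables: "iptables -F" only touches filter, so every re-run
    # would otherwise append another MASQUERADE rule to nat/POSTROUTING.
    $IPT -F FORWARD
    $IPT -t nat -F POSTROUTING
    $IPT -P FORWARD DROP

    # Replies to connections the client already opened.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The restriction sits on the server's FORWARD chain and matches traffic
    # that enters on the tunnel and leaves on the public interface.
    $IPT -A FORWARD -i "$vpn" -o "$wan" -s "$subnet" -p udp --dport 53 -j ACCEPT
    for port in 53 80 443; do
        $IPT -A FORWARD -i "$vpn" -o "$wan" -s "$subnet" -p tcp --dport "$port" -j ACCEPT
    done

    # Log (rate-limited) before dropping: "dmesg | grep VPN-FWD-DROP" then
    # shows which client connections this chain is actually rejecting.
    $IPT -A FORWARD -i "$vpn" -s "$subnet" -m limit --limit 5/min \
        -j LOG --log-prefix "VPN-FWD-DROP "
    $IPT -A FORWARD -i "$vpn" -s "$subnet" -j DROP

    # NAT only the VPN subnet, and only on the public interface.
    $IPT -t nat -A POSTROUTING -s "$subnet" -o "$wan" -j MASQUERADE
}

# Dry-run helper: number of rules the generated set appends.
rule_count() {
    ( IPT=echo; vpn_forward_rules "$@" ) | grep -c -- '-A '
}

# Usage (as root): vpn_forward_rules 10.254.1.0/24 venet0
```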