I have a large OpenVPN network. Most of the addresses have free access to one another. However a few IPs need to be restricted to only a couple of other IPs.
For example 10.8.0.6 can only be allowed to communicate with 10.8.0.10. But 10.8.0.10 and all the other addresses in the subnet can communicate with each other without restriction. Will the following iptables code accomplish this?
# allow communication between 10.8.0.6 and 10.8.0.10, deny any additional
# access to 10.8.0.6
iptables -A FORWARD -s 10.180.0.6 -d 10.8.0.10 -j ACCEPT
iptables -A FORWARD -s 10.180.0.10 -d 10.8.0.6 -j ACCEPT
iptables -A FORWARD -s 10.180.0.6 -j DROP
# Begin required lines for server operation
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/16 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
/etc/init.d/dnsmasq restart
# End required lines for server operation
Thanks
You are correct, it should've been 10.8.x.x. BUT, it's still not working. The addresses I'm trying to restrict still have access to all the servers. Here's my current rc.local
# Begin access restriction lines
# eg. allow communication between 10.8.0.122 and 10.8.0.58, deny any additional
# client access only to certain systems
iptables -A FORWARD -s 10.8.0.122 -d 10.8.0.58 -j ACCEPT
iptables -A FORWARD -s 10.8.0.122 -d 10.8.0.66 -j ACCEPT
iptables -A FORWARD -s 10.8.0.122 -d 10.8.0.70 -j ACCEPT
iptables -A FORWARD -s 10.8.0.122 -d 10.8.0.62 -j ACCEPT
iptables -A FORWARD -s 10.8.0.122 -j DROP
# client access only to certain systems
iptables -A FORWARD -s 10.8.0.126 -d 10.8.0.58 -j ACCEPT
iptables -A FORWARD -s 10.8.0.126 -d 10.8.0.66 -j ACCEPT
iptables -A FORWARD -s 10.8.0.126 -d 10.8.0.70 -j ACCEPT
iptables -A FORWARD -s 10.8.0.126 -d 10.8.0.62 -j ACCEPT
iptables -A FORWARD -s 10.8.0.126 -j DROP
# End access restriction lines
# Begin required lines for server operation
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/16 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE
/etc/init.d/dnsmasq restart
# End required lines for server operation
exit 0
Thanks
UPDATE:
output of iptables -L -v -n
root@li590-32:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 2455K packets, 430M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4597K 2770M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
32180 1813K ACCEPT all -- * * 10.8.0.0/16 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 10.8.0.0/16 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 10.8.0.0/16 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 ACCEPT all -- * * 10.8.0.122 10.8.0.58
0 0 ACCEPT all -- * * 10.8.0.122 10.8.0.66
0 0 ACCEPT all -- * * 10.8.0.122 10.8.0.70
0 0 ACCEPT all -- * * 10.8.0.122 10.8.0.62
0 0 DROP all -- * * 10.8.0.122 0.0.0.0/0
0 0 ACCEPT all -- * * 10.8.0.126 10.8.0.58
0 0 ACCEPT all -- * * 10.8.0.126 10.8.0.66
0 0 ACCEPT all -- * * 10.8.0.126 10.8.0.70
0 0 ACCEPT all -- * * 10.8.0.126 10.8.0.62
0 0 DROP all -- * * 10.8.0.126 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 10.8.0.0/16 0.0.0.0/0
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT 3144K packets, 2737M bytes)
pkts bytes target prot opt in out source destination
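To see why the rules as they appear in the captured iptables -L -n -v output above do not restrict 10.8.0.122, here is an added example (not code from the question or the answer): a small Python simulator of first-match evaluation for the FORWARD chain. It models only the -s, -d, --state and -j options used in the posted rules, and the test packets are constructed.

```python
# Added example, not from the question or answer: first-match simulation of the
# FORWARD chain to compare the rule order written in rc.local with the order
# seen in the captured "iptables -L -n -v" output.
import ipaddress
import shlex

def parse_rules(script):
    """Turn 'iptables -A FORWARD ...' lines into (src, dst, states, target)."""
    rules = []
    for line in script.splitlines():
        args = shlex.split(line.split("#")[0])
        if args[:3] != ["iptables", "-A", "FORWARD"]:
            continue  # comments, nat rules, service restarts, exit 0
        src = dst = ipaddress.ip_network("0.0.0.0/0")
        states = target = None
        for flag, val in zip(args[3::2], args[4::2]):  # '-m state' pair is skipped
            if flag == "-s":
                src = ipaddress.ip_network(val, strict=False)
            elif flag == "-d":
                dst = ipaddress.ip_network(val, strict=False)
            elif flag == "--state":
                states = set(val.split(","))
            elif flag == "-j":
                target = val
        rules.append((src, dst, states, target))
    return rules

def verdict(rules, src, dst, state="NEW"):
    """First matching rule decides; the chain policy in the output is ACCEPT."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rsrc, rdst, states, target in rules:
        if s in rsrc and d in rdst and (states is None or state in states):
            return target
    return "ACCEPT"  # chain policy

RESTRICT = """
iptables -A FORWARD -s 10.8.0.122 -d 10.8.0.58 -j ACCEPT
iptables -A FORWARD -s 10.8.0.122 -j DROP
"""
GENERIC = """
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/16 -j ACCEPT
iptables -A FORWARD -j REJECT
"""
INTENDED = parse_rules(RESTRICT + GENERIC)  # order written in rc.local
OBSERVED = parse_rules(GENERIC + RESTRICT)  # order shown by iptables -L -n -v

if __name__ == "__main__":
    for name, chain in (("intended", INTENDED), ("observed", OBSERVED)):
        print(name, "10.8.0.122 -> 10.8.0.99:", verdict(chain, "10.8.0.122", "10.8.0.99"))
```

In the captured chain the ACCEPT for 10.8.0.0/16 sits ahead of the per-client rules, so every new connection from 10.8.0.122 matches it first and the DROP is never reached; the restriction only holds when it precedes that rule, and flushing the chain before re-adding keeps repeated script runs from stacking copies in the wrong order.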
Best Answer
The first three lines refer to 10.180.x.x when I think you meant 10.8.x.x ?
If so, the line
iptables -A FORWARD -s 10.180.0.10 -d 10.8.0.6 -j ACCEPT
is unnecessary. Otherwise looks good.