How to apply iptables rules for my OpenVPN?

I'm trying to use iptables rules, but it doesn't work. In my case I want to block a specific IP address, so that my client cannot visit a specific website.

I'm using a VPS and my ifconfig looks like this:

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0


tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0


venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255


venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:my first wan ip

venet0:1  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:my second wan ip

So, I've tried it like this, but it still doesn't work:

/sbin/iptables -A OUTPUT -o tun -d --ip-- -j REJECT # blocked ip

mirsad

Posted 2016-05-07T13:20:17.813

Reputation: 175

Answers

If the rule should be on the OpenVPN client:

/sbin/iptables -A OUTPUT -o tun+ -d ip-address -j REJECT

(Also make sure that the request to the website you're trying to block isn't routed through a different device.)

If the rule should be on OpenVPN server:

To block all requests to ip-address tunneled through OpenVPN server from clients on the virtual network:

/sbin/iptables -I FORWARD 1 -i tun+ -d ip-address -j REJECT

(This rule needs to be tested before the other permissive rules that automatically allow traffic to the VPN subnet.)

Marek Rost

Posted 2016-05-07T13:20:17.813

Reputation: 1 826

OK, I've tried that, but the connected client is still able to visit that website. And what do you mean by routed through a different device? I did tcpdump -i tun0 and saw that traffic is going through that interface. – mirsad – 2016-05-07T13:53:40.120

I'm assuming that you're setting the firewall block on the client computer. If the website was available through the venet0 device, it'd still be possible to view it from the client, just routed through a different network device. But since you see the packets in tcpdump, it doesn't seem to be the case. Perhaps the website is available on multiple IP addresses (cloud-hosted)? Try blocking the domain instead? (This could be hidden in tcpdump, since it likes to resolve IPs to hostnames.) – Marek Rost – 2016-05-07T14:07:45.643

I'm setting the firewall on the server side, not the client side, in combination with OpenVPN. – mirsad – 2016-05-07T14:14:20.627

Sorry, let me make this a bit clearer to myself. You're setting the rule on the OpenVPN server + you want to block all clients on the OpenVPN network from accessing website xyz forwarded through the OpenVPN server + website xyz is not hosted on the OpenVPN server. – Marek Rost – 2016-05-07T14:23:37.013

Exactly like that. – mirsad – 2016-05-07T14:28:38.577

Ah - in that case test it with FORWARD instead of OUTPUT. If that doesn't work, drop the tun0 device too and test again please. – Marek Rost – 2016-05-07T14:34:35.307
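The server-side approach from the answer and the comments, written out as a script. This is an added example, not code from the thread: it applies the REJECT rule in FORWARD idempotently and then checks, from an `iptables -S FORWARD` listing, that the REJECT sits above any permissive ACCEPT (a REJECT appended below an ACCEPT for the VPN subnet is never reached). The blocked address 203.0.113.10 and the two sample listings are constructed; `tun+` and the 10.8.0.0/24 subnet come from the answer and the question's ifconfig output.

```shell
#!/bin/sh
# Added example, not from the original answer. Applies the server-side rule
# (REJECT in FORWARD, inserted at position 1, matched on tun+) idempotently and
# checks that it precedes any permissive ACCEPT in the chain, since a REJECT
# placed after a matching ACCEPT is never reached. BLOCKED_IP is a constructed
# TEST-NET-3 placeholder for the real destination address.
BLOCKED_IP="${BLOCKED_IP:-203.0.113.10}"
VPN_IF="tun+"     # matches tun0, tun1, ... (the question's server uses tun0)

# -C checks whether the rule already exists (exit 0) so repeated runs do not
# pile up duplicates; -I FORWARD 1 places the new rule at the top of the chain.
apply_block() {
    /sbin/iptables -C FORWARD -i "$VPN_IF" -d "$BLOCKED_IP" -j REJECT 2>/dev/null ||
        /sbin/iptables -I FORWARD 1 -i "$VPN_IF" -d "$BLOCKED_IP" -j REJECT
}

# Reads an `iptables -S FORWARD` listing on stdin. Exit 0 if a REJECT for the
# given IP appears before the first "-j ACCEPT" rule, exit 1 otherwise. Pure
# text processing, so the check itself runs without root or iptables installed.
reject_precedes_accept() {
    awk -v ip="$1" '
        (index($0, "-d " ip "/32 ") || index($0, "-d " ip " ")) && /-j REJECT/ { found = 1; exit }
        /-j ACCEPT/ { exit }                # a permissive rule is hit first
        END { exit (found ? 0 : 1) }'
}

# Live check against the running firewall (needs root).
verify_live() {
    /sbin/iptables -S FORWARD | reject_precedes_accept "$BLOCKED_IP"
}

# Constructed sample listings for offline demonstration. GOOD is what the chain
# looks like after -I FORWARD 1; BAD is the same rule appended with -A, where
# the ACCEPT for the 10.8.0.0/24 VPN subnet shadows it.
GOOD_LISTING='-P FORWARD ACCEPT
-A FORWARD -i tun+ -d 203.0.113.10/32 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'
BAD_LISTING='-P FORWARD ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -d 203.0.113.10/32 -j REJECT --reject-with icmp-port-unreachable'

# Usage: APPLY=1 as root applies and verifies; otherwise only the offline demo runs.
if [ "${APPLY:-0}" = 1 ]; then
    apply_block && verify_live && echo "block rule is first in FORWARD"
else
    printf '%s\n' "$GOOD_LISTING" | reject_precedes_accept "$BLOCKED_IP" && echo "GOOD: REJECT precedes ACCEPT"
    printf '%s\n' "$BAD_LISTING"  | reject_precedes_accept "$BLOCKED_IP" || echo "BAD: REJECT shadowed by ACCEPT"
fi
```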