Gentoo Forums
[SOLVED] How to restrict tunneled connection via fw-rules?
lfhelper
n00b
Joined: 14 Dec 2006
Posts: 14

Posted: Mon Jun 23, 2014 10:36 am    Post subject: [SOLVED] How to restrict tunneled connection via fw-rules?

Hi all,

I have secure/tunneled connections to foreign networks via redsocks from one of my servers.

Now all I want to achieve is restricting the use of this foreign network to 1 single IP address and 1 port (22/ssh).

By googling I found ufw & iptables commands which I am confident are correct, so I'm not going to post them here.

The rules, however, don't work, and I think it's because of the tunneling aspect and not because the rules are incorrect (I think they are just fine).

Networks:

192.168.0.0/24 local network
10.0.0.0/8 foreign network only reachable via tunneling program

By starting the tunneling program one has access to every IP address/server and every port/service in the 10.0.0.0/8 network from my server - no restrictions whatsoever.

I want to "pick" one IP address, say 10.0.1.2, and allow only 22/tcp (ssh) to that IP from my local server. All other IPs and services in the 10.0.0.0/8 network must be forbidden.

The FW rules are only applied on my local server (192.168.0.1), by the way, not on the foreign servers.

Is that possible at all and if so, what is the solution?

Thanks for your inputs in advance, much appreciated.


EDIT:

I have resolved the issue.

The problem was that iptables -L did not show all iptables rules, only the filter rules (the nat rules for redirecting/tunneling were missing).
The solution was to display the iptables rules via iptables-save before and after starting the tunneling software.
I saved the iptables rules after starting the tunneling software into a file; I could then identify all the NAT/PREROUTING and REDIRECT rules and simply restrict access based on that.
I changed the rules, saved them to a separate file and finally restored the rules via "iptables-restore -c < altered-rules.txt", and that was basically it!


Last edited by lfhelper on Tue Jun 24, 2014 3:50 pm; edited 2 times in total
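The check the poster describes, as an added example that is not code from the post: `iptables -L` lists only the filter table, so the NAT/REDIRECT rules a tunneling program installs stay invisible, while two `iptables-save` snapshots taken before and after starting it show exactly what was added. The two snapshots below are constructed sample output, and the chain name REDSOCKS and the redirect port 12345 are assumptions about the tunneling setup, not details from the thread.

```shell
#!/bin/sh
# Added example (not code from the forum post). Compares two iptables-save
# snapshots, taken before and after starting the tunneling software, and
# prints what the tunnel added. The snapshots are constructed sample output;
# the chain name REDSOCKS and port 12345 are assumptions. On a real host:
#   iptables-save > before.txt; <start the tunnel>; iptables-save > after.txt

before_snapshot() {
cat <<'EOF'
# Generated by iptables-save v1.4.21 on Mon Jun 23 10:30:00 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jun 23 10:30:00 2014
EOF
}

after_snapshot() {
cat <<'EOF'
# Generated by iptables-save v1.4.21 on Mon Jun 23 10:31:00 2014
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:REDSOCKS - [0:0]
-A OUTPUT -p tcp -m tcp -j REDSOCKS
-A REDSOCKS -d 127.0.0.0/8 -j RETURN
-A REDSOCKS -d 192.168.0.0/24 -j RETURN
-A REDSOCKS -d 10.0.0.0/8 -p tcp -m tcp -j REDIRECT --to-ports 12345
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Mon Jun 23 10:31:00 2014
EOF
}

# Prefix each chain/rule line with its table and drop the timestamped
# comment lines, so a plain line comparison neither reports the changed
# timestamps nor treats ":INPUT ACCEPT [0:0]" in nat as the same line as
# the one in filter.
tag_tables() {   # tag_tables <iptables-save file>
    awk '/^\*/      { tbl = substr($0, 2); next }
         /^COMMIT$/ { next }
         /^#/       { next }
                    { print tbl ": " $0 }' "$1"
}

# Lines present in the second snapshot but not in the first: everything the
# tunneling program added (new table, new chain, its rules).
added_rules() {   # added_rules <before file> <after file>
    _b=$(mktemp); _a=$(mktemp)
    tag_tables "$1" > "$_b"
    tag_tables "$2" > "$_a"
    _rc=0
    grep -v -x -F -f "$_b" "$_a" || _rc=$?
    rm -f "$_b" "$_a"
    return $_rc
}

# Of the added rules, those that rewrite the destination. These are the ones
# to restrict: once REDIRECT/DNAT has run, the filter table no longer sees
# 10.0.0.0/8 as the destination, so filter rules on it never match.
added_redirects() {
    added_rules "$1" "$2" | grep -E -- '-j (REDIRECT|DNAT)'
}

# Stand-alone demo on the constructed snapshots.
run_demo() {
    b=$(mktemp); a=$(mktemp)
    before_snapshot > "$b"
    after_snapshot > "$a"
    echo "== added by the tunneling program =="
    added_rules "$b" "$a"
    echo "== destination-rewriting rules among them =="
    added_redirects "$b" "$a"
    rm -f "$b" "$a"
}
run_demo
```

The table prefix matters in practice: a bare `diff before.txt after.txt` also works, but it reports the changed header timestamps and cannot tell the reader which table a line belongs to, and the answer to "where do I put the restriction" is exactly the table and chain that own the REDIRECT rule.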
schorsch_76
Guru
Joined: 19 Jun 2012
Posts: 450

Posted: Mon Jun 23, 2014 10:59 am    Post subject:

Maybe you can just drop any packet which does not fit the target IP and target port and has the target net as destination.

Rules:

  • Is target net ? -> subchain
  • subchain: NOT target ip -> drop
  • subchain: NOT target port -> drop
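The three-step design in this reply, written out as an added example (not code from the reply or from the thread). It is placed so that it still works after the tunneling program has REDIRECTed the connection: by the time the packet reaches the filter table its own destination is 127.0.0.1:&lt;proxy port&gt;, so `-d 10.0.0.0/8` never matches there, whereas the conntrack match's `--ctorigdst` / `--ctorigdstport` compare against the destination as it was before NAT. 10.0.0.0/8, 10.0.1.2 and port 22 come from the thread; the chain name TUNNEL_ACL is an assumption.

```shell
#!/bin/sh
# Added example, not code from the forum reply. Implements: is target net?
# -> subchain; not the target IP -> drop; not the target port -> drop.
# The conntrack "orig" tuple survives REDIRECT/DNAT, so these rules see the
# real 10.x destination even though the packet now points at the local
# proxy port. Chain name TUNNEL_ACL is an assumption.

TARGET_NET="10.0.0.0/8"
TARGET_IP="10.0.1.2"
TARGET_PORT="22"

# Emit the rules in iptables-restore format (filter table only). The jump is
# inserted at position 1 of OUTPUT so an existing blanket ACCEPT cannot
# bypass it.
tunnel_acl_rules() {
cat <<EOF
*filter
:TUNNEL_ACL - [0:0]
-I OUTPUT 1 -m conntrack --ctorigdst $TARGET_NET -j TUNNEL_ACL
-A TUNNEL_ACL -m conntrack ! --ctorigdst $TARGET_IP -j DROP
-A TUNNEL_ACL ! -p tcp -j DROP
-A TUNNEL_ACL -p tcp -m conntrack ! --ctorigdstport $TARGET_PORT -j DROP
-A TUNNEL_ACL -j RETURN
COMMIT
EOF
}

# Plain-shell model of the same decision, used to check the policy against
# sample destinations before loading it. Arguments: original destination IP,
# protocol, original destination port. Prints ALLOW or DROP. It models only
# the /8 target net from the thread and is a check on the logic, not a
# substitute for testing the loaded rules.
decide() {
    case "$1" in
        10.*) ;;                        # step 1: target net -> enter the subchain
        *) echo ALLOW; return 0 ;;      # other destinations are not touched
    esac
    [ "$1" = "$TARGET_IP" ]   || { echo DROP; return 0; }   # step 2: not the target IP
    [ "$2" = "tcp" ]          || { echo DROP; return 0; }   # only TCP reaches the port check
    [ "$3" = "$TARGET_PORT" ] || { echo DROP; return 0; }   # step 3: not the target port
    echo ALLOW
}

# Stand-alone demo: the generated rules, then a decision table.
tunnel_acl_rules
for t in "10.0.1.2 tcp 22" "10.0.1.2 tcp 80" "10.0.9.9 tcp 22" \
         "10.0.1.2 udp 22" "192.168.0.5 tcp 80"; do
    set -- $t
    printf '%-12s %-4s %-3s -> %s\n' "$1" "$2" "$3" "$(decide "$1" "$2" "$3")"
done
```

Load with `tunnel_acl_rules | iptables-restore --noflush` so the tunnel's own nat rules stay in place, then confirm with `iptables-save` (or `iptables -t nat -L -n`) that the REDIRECT is still there and with `iptables -L TUNNEL_ACL -n -v` that the DROP counters move when you try a forbidden host or port. The `! -p tcp` rule is the caveat the three bullets leave implicit: a TCP-only redirect never touches UDP or ICMP to the foreign net, so the subchain has to reject those explicitly rather than let them fall through to the port check.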