
I have a large OpenVPN network. Most of the addresses have free access to one another. However a few IPs need to be restricted to only a couple of other IPs.

For example, 10.8.0.6 can only be allowed to communicate with 10.8.0.10. But 10.8.0.10 and all the other addresses in the subnet can communicate with each other without restriction. Will the following iptables code accomplish this?

# allow communication between 10.8.0.6 and 10.8.0.10, deny any additional 
# access to 10.8.0.6
iptables -A FORWARD -s 10.180.0.6 -d 10.8.0.10 -j ACCEPT
iptables -A FORWARD -s 10.180.0.10 -d 10.8.0.6 -j ACCEPT
iptables -A FORWARD -s 10.180.0.6 -j DROP


# Begin required lines for server operation
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/16 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE

/etc/init.d/dnsmasq restart
# End required lines for server operation

Thanks


You are correct, it should've been 10.8.x.x. BUT, it's still not working. The addresses I'm trying to restrict still have access to all the servers. Here's my current rc.local

# Begin access restriction lines
# eg. allow communication between 10.8.0.122 and 10.8.0.58, deny any additional
# client access only to certain systems
iptables -A FORWARD -s 10.8.0.122 -d 10.8.0.58 -j ACCEPT
iptables -A FORWARD -s 10.8.0.122 -d 10.8.0.66 -j ACCEPT
iptables -A FORWARD -s 10.8.0.122 -d 10.8.0.70 -j ACCEPT
iptables -A FORWARD -s 10.8.0.122 -d 10.8.0.62 -j ACCEPT
iptables -A FORWARD -s 10.8.0.122 -j DROP
# client access only to certain systems
iptables -A FORWARD -s 10.8.0.126 -d 10.8.0.58 -j ACCEPT
iptables -A FORWARD -s 10.8.0.126 -d 10.8.0.66 -j ACCEPT
iptables -A FORWARD -s 10.8.0.126 -d 10.8.0.70 -j ACCEPT
iptables -A FORWARD -s 10.8.0.126 -d 10.8.0.62 -j ACCEPT
iptables -A FORWARD -s 10.8.0.126 -j DROP
# End access restriction lines

# Begin required lines for server operation
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/16 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s 10.8.0.0/16 -o eth0 -j MASQUERADE

/etc/init.d/dnsmasq restart
# End required lines for server operation

exit 0

Thanks

UPDATE:

output of iptables -L -v -n

root@li590-32:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 2455K packets, 430M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
4597K 2770M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
32180 1813K ACCEPT     all  --  *      *       10.8.0.0/16          0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       10.8.0.0/16          0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       10.8.0.0/16          0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
    0     0 ACCEPT     all  --  *      *       10.8.0.122           10.8.0.58
    0     0 ACCEPT     all  --  *      *       10.8.0.122           10.8.0.66
    0     0 ACCEPT     all  --  *      *       10.8.0.122           10.8.0.70
    0     0 ACCEPT     all  --  *      *       10.8.0.122           10.8.0.62
    0     0 DROP       all  --  *      *       10.8.0.122           0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       10.8.0.126           10.8.0.58
    0     0 ACCEPT     all  --  *      *       10.8.0.126           10.8.0.66
    0     0 ACCEPT     all  --  *      *       10.8.0.126           10.8.0.70
    0     0 ACCEPT     all  --  *      *       10.8.0.126           10.8.0.62
    0     0 DROP       all  --  *      *       10.8.0.126           0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       10.8.0.0/16          0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 3144K packets, 2737M bytes)
 pkts bytes target     prot opt in     out     source               destination
Michael Hampton
Kevin
  • `iptables` works on a first-match-wins basis, so it is completely useless to show us part of a ruleset and ask what might be wrong with it - it may very well be rendered useless by a rule already inserted into the chain. We'll need to see the complete output of `iptables -L -n -v` to shed light on this; please **paste that into your question** (don't add an "answer" containing extra information). If you could clarify what you mean by "it's still not working", that would be helpful, too. – MadHatter May 23 '13 at 14:46
  • By "it's still not working", I mean it's still not accomplishing the goal of restricting access from .122 and .126 to machines other than those listed. – Kevin May 31 '13 at 00:50

2 Answers


The first three lines refer to 10.180.x.x when I think you meant 10.8.x.x?

If so, the line iptables -A FORWARD -s 10.180.0.10 -d 10.8.0.6 -j ACCEPT is unnecessary.

Otherwise looks good.

PP.

iptables works on a first-dispositive-match-wins basis, so the full ruleset you posted makes the problem clear: none of the restrictions you've put after the first two lines are ever seeing any traffic, because the first and second rules are matching - and permitting - all the traffic you try to match and deny later on.

Either you will need to find out where those first two lines are being set, and ensure that all your additional lines are moved before them, or you'll need to insert all your new lines before the first two by using iptables -I FORWARD 1 in your script above, to continuously insert each new line at the beginning of the FORWARD chain instead of adding it to the end.

The former method is preferred, as it's easier to maintain; but you don't say what distro you're working on, so I can't say where the rules are being set.

Either way, you need to make sure that in the final chain, the highly-specific DROP rules come before any less-specific ACCEPT rules that would match (and therefore permit) the same traffic.

MadHatter
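As an added example that is not part of the question or of either answer: the POSIX shell script below walks a FORWARD chain the way iptables does (first match wins), once against the chain as the posted `iptables -L -n -v` output shows it and once against the order MadHatter describes, and then renders the reordered chain as an `iptables-restore` file. The rule lists use the addresses from the question (only the 10.8.0.122 rules are carried over, to keep it short), but the sample packets and the `walk_chain`, `in_net` and `render_restore` names are constructed for this example.

```shell
#!/bin/sh
# Added example; not code from the question or from either answer.
# walk_chain evaluates a packet against a FORWARD chain the way iptables does
# (first match wins); render_restore writes a chain out as an iptables-restore
# file. The rule lists use the addresses from the question; the packets fed
# to walk_chain are constructed for this example.

# Dotted quad -> 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR NET: true if ADDR lies inside NET (a.b.c.d/bits; a bare address is /32).
in_net() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    [ "$bits" -eq 0 ] && return 0
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# walk_chain SRC DST STATE RULES: print the target of the first rule that
# matches the packet, or the chain policy (ACCEPT, as in the posted output)
# when none does. STATE is "new" or "est"; a rule tagged "est" stands for
# `-m state --state RELATED,ESTABLISHED` and matches only "est" packets.
# RULES holds one rule per line: TARGET SRC DST [est].
walk_chain() {
    hit=$(printf '%s\n' "$4" | while read -r target rsrc rdst rstate; do
        [ -z "$target" ] && continue
        [ "$rstate" = est ] && [ "$3" != est ] && continue
        if in_net "$1" "$rsrc" && in_net "$2" "$rdst"; then
            echo "$target"
            break
        fi
    done)
    echo "${hit:-ACCEPT}"
}

# The chain as the posted output shows it: a copy of the "required lines" from
# an earlier run sits in front of the restriction rules, so rule 2 (the /16
# ACCEPT) swallows every new flow from 10.8.0.122 before the DROP is reached.
AS_POSTED='
ACCEPT 0.0.0.0/0   0.0.0.0/0 est
ACCEPT 10.8.0.0/16 0.0.0.0/0
REJECT 0.0.0.0/0   0.0.0.0/0
ACCEPT 10.8.0.122  10.8.0.58
ACCEPT 10.8.0.122  10.8.0.66
ACCEPT 10.8.0.122  10.8.0.70
ACCEPT 10.8.0.122  10.8.0.62
DROP   10.8.0.122  0.0.0.0/0'

# The order the answer calls for: the specific DROP ahead of every less-specific
# ACCEPT that would match the same traffic. Placing it ahead of the
# RELATED,ESTABLISHED rule too (as `-I FORWARD 1` would) also drops replies
# from 10.8.0.122 to connections that other hosts open to it.
REORDERED='
ACCEPT 10.8.0.122  10.8.0.58
ACCEPT 10.8.0.122  10.8.0.66
ACCEPT 10.8.0.122  10.8.0.70
ACCEPT 10.8.0.122  10.8.0.62
DROP   10.8.0.122  0.0.0.0/0
ACCEPT 0.0.0.0/0   0.0.0.0/0 est
ACCEPT 10.8.0.0/16 0.0.0.0/0
REJECT 0.0.0.0/0   0.0.0.0/0'

# render_restore RULES: emit RULES as the filter table of an iptables-restore(8)
# file. Loading it replaces the whole table, so re-running the script cannot
# append a second or third copy of the rules the way rc.local did.
render_restore() {
    echo '*filter'
    echo ':FORWARD ACCEPT [0:0]'
    printf '%s\n' "$1" | while read -r target rsrc rdst rstate; do
        [ -z "$target" ] && continue
        state=''
        [ "$rstate" = est ] && state=' -m state --state RELATED,ESTABLISHED'
        echo "-A FORWARD -s $rsrc -d $rdst$state -j $target"
    done
    echo 'COMMIT'
}

demo() {
    echo "as posted,  10.8.0.122 -> 10.8.0.50 new: $(walk_chain 10.8.0.122 10.8.0.50 new "$AS_POSTED")"
    echo "reordered,  10.8.0.122 -> 10.8.0.50 new: $(walk_chain 10.8.0.122 10.8.0.50 new "$REORDERED")"
    echo "reordered,  10.8.0.122 -> 10.8.0.58 new: $(walk_chain 10.8.0.122 10.8.0.58 new "$REORDERED")"
    echo "reordered,  10.8.0.58 -> 10.8.0.122 est: $(walk_chain 10.8.0.58 10.8.0.122 est "$REORDERED")"
    render_restore "$REORDERED"
}
demo
```

Running it prints ACCEPT for a new 10.8.0.122 -> 10.8.0.50 packet against the chain as posted (it never gets past the /16 ACCEPT, which is why the DROP counters read 0) and DROP against the reordered chain, while 10.8.0.122 -> 10.8.0.58 stays ACCEPT. The rendered file goes in with `iptables-restore < file`; since that flushes the filter table, the empty INPUT and OUTPUT chains in the posted output lose nothing, but any other chains in use must be declared in the same file, and the MASQUERADE rule belongs in a `*nat` section of it rather than in rc.local.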