
I have a server running PPTP that is supposed to run an httpd (nginx) accessible only through the VPN. I'm also running a few other httpds, which are not supposed to work over the VPN.

routing table

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         x.x.x.x         0.0.0.0         UG    0      0        0 bond0
x.x.x.x         x.x.x.x         255.255.255.255 UGH   0      0        0 bond0
x.x.x.x         0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
x.x.x.x         0.0.0.0         255.255.255.248 U     0      0        0 bond0
x.x.x.x         0.0.0.0         255.255.0.0     U     1008   0        0 bond0

When I ping mydomain.com (which should work over the VPN):

ping mydomain.com
PING mydomain.com (x.x.x.x) 56(84) bytes of data.
^C
--- mydomain.com ping statistics ---
32 packets transmitted, 0 received, 100% packet loss, time 31248ms

But I can see the packets in `tcpdump -vv -i ppp0`:

15:21:09.543764 IP (tos 0x0, ttl 52, id 37313, offset 0, flags [DF], proto ICMP (1), length 84)
    cable-x.x.x.x.dynamic.provider.com > anon-60-160.vpn.ipredator.se: ICMP echo request, id 4652, seq 8, length 64

2 Answers


You could probably configure that particular nginx instance to only listen on the PPTP interface.

The documentation for the http_core module specifies a listen directive to allow nginx to only listen on a certain address and/or port.

`listen <IP of VPN>:<port>` on the instance of nginx that should work on the VPN should be OK.

  • The VPN IP is always changing; it's not static. But the problem is I can't even ping the VPN IP from the internet; that's why I think I should change the NAT first, before I start with nginx. – Orlo Dec 10 '13 at 12:59
  • You can use hostnames too for the listen directive. Also some providers will block pings from reaching their endpoints, so pings aren't an effective diagnostic tool anymore :( – Lawrence Dec 10 '13 at 13:00
  • so I can set `listen ppp0:`? – Orlo Dec 10 '13 at 13:04
  • Not quite. You could do `listen www.yoursite.com:80`. Hostnames and IP addresses, not interfaces for nginx. – Lawrence Dec 10 '13 at 13:04
  • Tried `listen mydomain.com:80` but it's not working. Though I can see the requests in `tcpdump -vv -i ppp0`, which is a good sign. – Orlo Dec 10 '13 at 13:19
  • Can you paste the output of `lsof -i | grep http` ? – Lawrence Dec 10 '13 at 13:34
  • no it's a production server. – Orlo Dec 10 '13 at 13:58
  • Ok then, can you verify that nginx is listening on the right port with lsof ? – Lawrence Dec 10 '13 at 14:00
  • At the beginning `nginx 26178 root 50u IPv4 87709753 0t0 TCP *:http (LISTEN) ` and then many `nginx 26181 apache 256u IPv4 92480971 0t0 TCP x.x.x.x.colo.static.dc.domain.com:http->x.x.x.x.megaline.domain.com:20863 (ESTABLISHED) ` – Orlo Dec 10 '13 at 14:10

The simplest way to do it: run the server on a dedicated port and reject requests to that port from interfaces other than ppp:

# "!" goes before the option in current iptables; the old "-i ! ppp+" form is rejected
iptables -A INPUT ! -i ppp+ -p tcp --dport <protected-port> -j REJECT

The main drawback of the above approach: your server may still accidentally become open.


If you are looking for a stable and reliable solution for protected special-purpose server stuff, then I recommend the following approach:

Choose any free dedicated private address, say 10.255.255.1.

Set up an internal virtual tap interface using this address.

# cat > ifcfg-tap0
DEVICE=tap0
TYPE=Tap
IPADDR=10.255.255.1
NETMASK=255.255.255.255
ONBOOT=yes

Optionally disable proxy-arp in /etc/sysctl.conf if not needed:

net.ipv4.conf.default.proxy_arp=0

Choose a dedicated port to run your http server on, say 8888.

Bind your server to the dedicated ip/port:

listen 10.255.255.1:8888

Restrict access to 10.255.255.1 (locally or from VPN only):

# Positions are explicit so the ACCEPT for local traffic sits above the REJECT;
# inserting both with a bare -I would leave the REJECT on top and block local clients too.
# No -p match means every protocol (same as the old "-p ip").
iptables -I INPUT 1 -s 10.255.255.1 -j ACCEPT
iptables -I INPUT 2 ! -i ppp+ -d 10.255.255.1 -j REJECT

The major work has been done. All applications bound exclusively to 10.255.255.1 are accessible only internally or via the VPN.

But now you need to take care of routing to 10.255.255.1 on the client side. You can avoid it and make your http server accessible through the VPN with whichever IP address you generally use to access the host:

iptables -t nat -A PREROUTING -i ppp+ -p tcp --dport 8888 -d <normal_server_address> -j DNAT --to 10.255.255.1:8888
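The two answers above approach the same goal differently: bind nginx to an address (the first answer), or put the protected site on a dedicated private address and port, filter that address with iptables, and DNAT VPN clients onto it (the second answer). The script below is an added example, not code from either answer or from the poster's server. It assumes a dummy interface named vpnlo0 in place of the ifcfg tap0 file, the placeholder public address 198.51.100.10, the document root /var/www/vpn-only and the config path /etc/nginx/conf.d/vpn-only.conf. Without arguments it prints the nginx server block and the commands it would run; `apply` runs them as root and then checks with `ss` that nothing listens on the protected port on a wildcard address.

```shell
#!/bin/sh
# Added example (not code from either answer): dedicated private address + port,
# nginx bound only to it, iptables accepting that address only on ppp+ or lo,
# and DNAT from the public address so VPN clients need no extra route.
# Assumptions not on the page: dummy interface vpnlo0 instead of the ifcfg tap0,
# placeholder public address 198.51.100.10 (RFC 5737), paths below.
# Usage: "sh vpn-only-nginx.sh" prints the plan; "sh vpn-only-nginx.sh apply" (as root) runs it.

PRIVATE_IP=10.255.255.1      # dedicated address for the VPN-only vhost
VHOST_PORT=8888              # dedicated port for the VPN-only vhost
PUBLIC_IP=198.51.100.10      # placeholder: the address VPN clients already use for the host
VPN_IF='ppp+'                # iptables wildcard matching ppp0, ppp1, ...
VHOST_IF=vpnlo0              # dummy interface that carries PRIVATE_IP
NGINX_CONF=/etc/nginx/conf.d/vpn-only.conf

# nginx server block for the protected site: it binds to the private address
# only, so the other vhosts on *:80 are untouched.
nginx_server_block() {
    cat <<EOF
server {
    listen ${PRIVATE_IP}:${VHOST_PORT};
    server_name mydomain.com;
    root /var/www/vpn-only;
}
EOF
}

# Commands that create the interface and install the filter and NAT rules.
# Positions are explicit: the loopback ACCEPT must sit above the REJECT, otherwise
# local clients (src and dst both 10.255.255.1, arriving on lo) get rejected too.
plan() {
    cat <<EOF
ip link add ${VHOST_IF} type dummy
ip addr add ${PRIVATE_IP}/32 dev ${VHOST_IF}
ip link set ${VHOST_IF} up
sysctl -w net.ipv4.conf.${VHOST_IF}.proxy_arp=0
iptables -I INPUT 1 -i lo -d ${PRIVATE_IP} -j ACCEPT
iptables -I INPUT 2 ! -i ${VPN_IF} -d ${PRIVATE_IP} -j REJECT
iptables -I INPUT 3 -i ${VPN_IF} -p tcp -d ${PRIVATE_IP} --dport ${VHOST_PORT} -j ACCEPT
iptables -t nat -A PREROUTING -i ${VPN_IF} -p tcp -d ${PUBLIC_IP} --dport ${VHOST_PORT} -j DNAT --to-destination ${PRIVATE_IP}:${VHOST_PORT}
EOF
}

# Post-check: the protected port must be bound on PRIVATE_IP and on nothing
# wildcard; a "*:8888" or "0.0.0.0:8888" listener would defeat the whole setup.
verify() {
    if ss -ltn | grep -E "(0\.0\.0\.0|\*|\[::\]):${VHOST_PORT} " >/dev/null; then
        echo "ERROR: port ${VHOST_PORT} is listening on a wildcard address" >&2
        return 1
    fi
    ss -ltn | grep -q "${PRIVATE_IP}:${VHOST_PORT} "
}

case "${1:-plan}" in
    plan)
        nginx_server_block
        echo
        plan
        ;;
    apply)
        plan | while IFS= read -r cmd; do
            echo "+ $cmd" >&2
            eval "$cmd"          # each line is a command assembled above, nothing user-supplied
        done
        nginx_server_block > "$NGINX_CONF" && nginx -t && nginx -s reload
        verify
        ;;
    *)
        echo "usage: $0 [plan|apply]" >&2
        exit 1
        ;;
esac
```

Accepting on `-i lo` instead of by source address is a tighter form of the second answer's first rule: a packet arriving on bond0 with a spoofed source of 10.255.255.1 does not match it. The explicit rule 3 matters when the INPUT chain ends in a DROP policy; with a permissive chain, as in the answer, the VPN traffic falls through anyway. The `verify` step is the check the lsof output in the comments was heading towards: the instance shown there was bound to `*:http`, which is exactly what the dedicated-address design is meant to rule out.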