
We're running an IKEv2 VPN on an Ubuntu server. One of our users has run a NetScan while using our VPN, which has upset the server provider.

This is what the server provider has recommended:

We would recommend that you set up a local firewall and block outgoing traffic to the following prefixes

https://www.rfc-editor.org/rfc/rfc1918

> 10.0.0.0/8
> 172.16.0.0/12
> 192.168.0.0/16

Please block this range of RFC1918 on your server. We would like to avoid further network abuse from your end.

Is this as simple as

iptables -A FORWARD -d 10.0.0.0/8 -j REJECT
iptables -A FORWARD -d 172.16.0.0/12 -j REJECT
iptables -A FORWARD -d 192.168.0.0/16 -j REJECT

Or am I simplifying this?

Houman

1 Answer


Yes, but that can block your LAN or VPN peer-to-peer communications depending on your setup. I'd rather suggest specifying an outgoing interface, which is the one connected to your server provider. Like this:

export INET_IFACE=ethX
iptables -A FORWARD -o $INET_IFACE -d 10.0.0.0/8 -j REJECT
iptables -A FORWARD -o $INET_IFACE -d 172.16.0.0/12 -j REJECT
iptables -A FORWARD -o $INET_IFACE -d 192.168.0.0/16 -j REJECT

Change ethX to the interface connected to the Internet. Repeat for every such interface.

If you have only one interface which is connected to the Internet only, and don't have any LAN and/or inter-VPN links, then you can do it without -o as you've mentioned.

NStorm
  • Do you agree to this? `export INET_IFACE=$(ip route get 8.8.8.8 | awk -- '{printf $5}')` – Houman Oct 14 '19 at 14:37
  • Sadly when I run this, the entire VPN stops working. Hence I still don't know how to block RFC1918 without blocking the entire VPN. – Houman Oct 14 '19 at 18:30
  • @Houman what's your current network setup? Please post your `ip route` and `ip addr` settings. – NStorm Oct 21 '19 at 06:15
  • When adding this to iptables with already existing forward rules you might want to insert it at the top: `iptables -I FORWARD 1 -o $INET_IFACE -d ... -j REJECT`. This helped get it working for our docker networks (to make sure it comes before the docker rules). – bigbear3001 Jan 14 '22 at 09:14
  • Correction for my docker comment: When using docker you should also add the rule to DOCKER-USER: `iptables -I DOCKER-USER -o $INET_IFACE -d ... -j REJECT` – bigbear3001 Jan 14 '22 at 09:31
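The following is an added example, not code from the question, the answer or the comments above. It simulates first-match evaluation of a FORWARD chain so you can see, without touching a live firewall, why the `-o` qualifier matters and why rule order matters next to Docker's own ACCEPT rules. The interface names (`eth0` for the provider-facing link, `ipsec0` for the VPN side), the sample destinations and the single catch-all ACCEPT rule standing in for Docker's forwarding rule are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The three RFC1918 prefixes the provider asked to have blocked.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    """One FORWARD rule: optional destination prefix (-d) and optional out-interface (-o)."""
    target: str                                   # "ACCEPT" or "REJECT"
    dst: Optional[ipaddress.IPv4Network] = None   # None means "any destination"
    out_iface: Optional[str] = None               # None means "any outgoing interface"


def rule_matches(rule: Rule, dst: ipaddress.IPv4Address, out_iface: str) -> bool:
    """A rule matches only if every qualifier it carries matches the packet."""
    if rule.dst is not None and dst not in rule.dst:
        return False
    if rule.out_iface is not None and rule.out_iface != out_iface:
        return False
    return True


def forward_verdict(chain: List[Rule], dst_ip: str, out_iface: str, policy: str = "ACCEPT") -> str:
    """First matching rule wins, as in iptables; fall back to the chain policy."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in chain:
        if rule_matches(rule, dst, out_iface):
            return rule.target
    return policy


def rfc1918_reject_rules(out_iface: Optional[str] = None) -> List[Rule]:
    """Build the three REJECT rules, with or without the -o interface qualifier."""
    return [Rule("REJECT", net, out_iface) for net in RFC1918]


def append_rules(chain: List[Rule], rules: List[Rule]) -> List[Rule]:
    """Equivalent of `iptables -A FORWARD ...`: new rules go after existing ones."""
    return list(chain) + list(rules)


def insert_at_top(chain: List[Rule], rules: List[Rule]) -> List[Rule]:
    """Equivalent of `iptables -I FORWARD 1 ...`: new rules go before existing ones."""
    return list(rules) + list(chain)


if __name__ == "__main__":
    # Without -o: a VPN client reaching another VPN client on 10.10.10.0/24 via ipsec0 is rejected.
    print(forward_verdict(rfc1918_reject_rules(), "10.10.10.6", "ipsec0"))          # REJECT
    # With -o eth0: the same VPN-to-VPN packet passes, but a scan of 192.168.1.1 leaving via eth0 is rejected.
    print(forward_verdict(rfc1918_reject_rules("eth0"), "10.10.10.6", "ipsec0"))    # ACCEPT
    print(forward_verdict(rfc1918_reject_rules("eth0"), "192.168.1.1", "eth0"))     # REJECT
    # Stand-in for Docker's pre-existing ACCEPT rule (assumed): appending lets the scan through,
    # inserting at position 1 catches it first.
    docker_chain = [Rule("ACCEPT")]
    print(forward_verdict(append_rules(docker_chain, rfc1918_reject_rules("eth0")), "10.0.0.5", "eth0"))   # ACCEPT
    print(forward_verdict(insert_at_top(docker_chain, rfc1918_reject_rules("eth0")), "10.0.0.5", "eth0"))  # REJECT
```

The simulation only models `-d` and `-o`; a real FORWARD chain also matches on input interface, connection state and protocol, so use it to reason about rule placement, then confirm the live ruleset with `iptables -L FORWARD -v -n --line-numbers`.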