
I have a PPTP server installed in an Ubuntu VM. The Ubuntu host is configured to pass VPN traffic through to this VM, from external clients to internal server resources. Now I need to block access for these VPN clients to specific external IP addresses or ports. How could I do this?

I tried to drop all output traffic on the host with rules like:

iptables -I OUTPUT -p udp --dport 9999 -j DROP

But it does not work for VPN clients. Adding this rule to the VM with PPTP does not work either. How could I block such connections?

The current iptables rules on the host:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED tcp dpt:1723
ACCEPT     gre  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     udp  --  anywhere             anywhere             udp 9999 reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             vpn                  state NEW tcp dpt:1723
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED tcp dpt:1723
ACCEPT     gre  --  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED
REJECT     udp  --  anywhere             anywhere             udp 9999 reject-with icmp-port-unreachable
Andrey

1 Answer


What's your `iptables -L` output? Is your rule above ACCEPT all? Do you save your iptables?

lojza
  • I added `iptables -L` output to the question – Andrey Jul 22 '18 at 16:36
  • Your rule is below ACCEPT all, so it never matches. Try `iptables -I OUTPUT 1 -p udp --dport 9999 -j DROP`. Note the `1`. – lojza Jul 23 '18 at 09:41
  • My understanding is that there is no accept-all rule for the OUTPUT chain. For the FORWARD chain my rule is first on the list. Or do I understand it incorrectly? – Andrey Jul 23 '18 at 10:03
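An added check, not code from the question or the answer, for the ordering question lojza raises: it scans `iptables -L` output (the name-resolving format shown above, with `anywhere`) and reports whether the DROP/REJECT rule for a port sits below a blanket ACCEPT-all rule in its chain. The sample listing is a constructed copy of the FORWARD and OUTPUT chains from the question plus a deliberately shadowed chain; the chain name SHADOWED is invented for the demonstration.

```shell
#!/bin/sh
# Added check: is the DROP/REJECT rule for a port shadowed by an earlier
# "ACCEPT all anywhere anywhere" rule in the same chain of `iptables -L` output?
# Exit status: 0 = block rule found and effective, 1 = shadowed, 2 = none found.
# Note: OUTPUT only sees packets the host itself generates; traffic routed
# through the host (VM <-> VPN clients) is evaluated in FORWARD instead.
check_shadow() {
    awk -v chain="$1" -v port="$2" '
        /^Chain /            { cur = $2; next }   # chain header
        /^target/ || NF == 0 { next }             # column header or blank line
        cur != chain         { next }
        {
            pos++
            # blanket accept: ACCEPT all anywhere anywhere with no extra match
            if ($1 == "ACCEPT" && $2 == "all" && $4 == "anywhere" && $5 == "anywhere" && NF == 5) {
                if (!blanket) blanket = pos
                next
            }
            # first DROP/REJECT whose match mentions the port (dpt:9999, spt:9999 or bare 9999)
            if (($1 == "DROP" || $1 == "REJECT") && $0 ~ ("( |dpt:|spt:)" port "( |$)")) {
                block = pos
                if (blanket) { printf "%s: %s at position %d is shadowed by ACCEPT all at position %d\n", chain, $1, block, blanket; status = 1 }
                else         { printf "%s: %s at position %d is effective\n", chain, $1, block; status = 0 }
                exit status
            }
        }
        END { if (!block) { printf "%s: no DROP/REJECT rule for port %s\n", chain, port; exit 2 }; exit status }
    '
}
# Constructed sample in `iptables -L` format: the FORWARD and OUTPUT chains from
# the question (shortened), plus a SHADOWED chain where ACCEPT all comes first.
SAMPLE='Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     udp  --  anywhere             anywhere             udp 9999 reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
REJECT     udp  --  anywhere             anywhere             udp 9999 reject-with icmp-port-unreachable

Chain SHADOWED (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere             udp dpt:9999'
for c in FORWARD OUTPUT SHADOWED; do
    printf '%s\n' "$SAMPLE" | check_shadow "$c" 9999 || echo "  (exit status $?)"
done
```

Run it against a live box with `iptables -L | check_shadow FORWARD 9999`; a shadowed result means the rule must be moved up with `-I <chain> 1`, while an effective result means ordering is not the reason the traffic still passes.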