iptables - grant access to a specific IP only to one user

jjimenez

Occasional Visitor
Hi!

I'm new here, I just installed Asuswrt-merlin on my RT-AX58U. I've configured OpenVPN and everything is working fine, I created multiple users and assigned static IPs using this guide. Now, I would like to configure some rules using iptables to achieve this:

- Only two users can access the entire LAN while connected to the VPN.
- Another user can only access a specific IP while connected, not the entire LAN.

The users I want to grant access to the whole LAN have the IPs 10.8.0.10 and 10.8.0.11, and the other user has the IP 10.8.0.50.

So, I started granting access to only 10 and 11, and dropping everything else with these rules:

Code:
iptables --insert FORWARD --in-interface tun21 --out-interface br0 -s 10.0.0.0/8 -d 192.168.0.0/16 -j DROP
iptables --insert FORWARD --in-interface tun21 --out-interface br0 -s 10.8.0.10 -d 192.168.0.0/16 -j ACCEPT
iptables --insert FORWARD --in-interface tun21 --out-interface br0 -s 10.8.0.11 -d 192.168.0.0/16 -j ACCEPT

This works, 10 and 11 can access the entire network, and 50 does not have access.

Now, I want to add a rule that allows 50 to access a specific machine in the LAN, so I added a new rule:

Code:
iptables --insert FORWARD --in-interface tun21 --out-interface br0 -s 10.0.0.0/8 -d 192.168.0.0/16 -j DROP
iptables --insert FORWARD --in-interface tun21 --out-interface br0 -s 10.8.0.10 -d 192.168.0.0/16 -j ACCEPT
iptables --insert FORWARD --in-interface tun21 --out-interface br0 -s 10.8.0.11 -d 192.168.0.0/16 -j ACCEPT
iptables --insert FORWARD --in-interface tun21 --out-interface br0 -s 10.8.0.50 -d 192.168.55.26 -j ACCEPT

However, with these rules, everyone can access the entire LAN, including 50.

What am I doing wrong? Is this doable or am I misunderstanding iptables at all?

Thanks in advance!!
 
Based on what you posted, it should have worked.

Just guessing, but given the change allowed ALL access, that suggests you made some other kind of error (syntax, permissions, etc.) that caused the script to not execute, AT ALL. So the rules are not actually there in the table. Like any such script, you should verify the rules got added w/ the following command.

Code:
iptables -vnL FORWARD
 
P.S. I took a closer look at those instructions in the link you provided, and found an issue (until now, I just assumed it was correct).

I don't understand why the instructions tell you to create your per-client files (based on the CN (Common Name)) of the client certs in /jffs/configs/openvpn/ccd1 if those same instructions don't also tell you to create the CCD directory by adding the following to the custom config field.

Code:
client-config-dir /jffs/configs/openvpn/ccd1

Instead, it tells you to enable Manage Client-Specific Options for some reason, which is intended primarily for the purposes of site-to-site configurations. It too will create a CCD directory, but it will be created on-the-fly in /tmp, specifically /tmp/etc/openvpn/server1/ccd. That doesn't make it very useful for any other purposes, such as what you're trying to do here. So I don't understand why it makes reference to Manage Client-Specific Options.

In short, unless I'm just missing something about those instructions, I don't see the need for Manage Client-Specific Options being enabled. And I don't see how this is going to work if you don't point the OpenVPN server config to the proper directory. IOW, maybe this was never working correctly at all.
 
Doesn't the rule table get evaluated in a specific order - reverse or forward?

Because the rules are insertions, each successive rule gets inserted above the previous rule. And the rules are evaluated top down. So it is correct. You want the DROP evaluated last, after all ACCEPTions have been considered.
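
Added example (not part of any post in this thread): a small Python model of the FORWARD chain that replays the four rules from the question and compares `--insert` ordering, `--append` ordering, and the case where the script never ran. The function names, the second LAN host 192.168.1.20 and the `fallthrough="ACCEPT"` default (standing in for whatever the router's remaining rules do with unmatched VPN traffic) are assumptions made for illustration.

```python
import ipaddress

def rule(src, dst, target):
    # One FORWARD rule: source net, destination net, verdict (tun21 -> br0 implied).
    return (ipaddress.ip_network(src), ipaddress.ip_network(dst), target)

# The four rules from the thread, in the order the script runs them.
SCRIPT = [
    rule("10.0.0.0/8", "192.168.0.0/16", "DROP"),
    rule("10.8.0.10", "192.168.0.0/16", "ACCEPT"),
    rule("10.8.0.11", "192.168.0.0/16", "ACCEPT"),
    rule("10.8.0.50", "192.168.55.26", "ACCEPT"),
]

def build_chain(script, insert=True):
    """--insert puts each rule at position 1; --append adds it at the end."""
    chain = []
    for r in script:
        if insert:
            chain.insert(0, r)
        else:
            chain.append(r)
    return chain

def verdict(chain, src, dst, fallthrough="ACCEPT"):
    """First matching rule wins. fallthrough is an assumption standing in for
    what the router's later rules or policy do with unmatched VPN traffic."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for net_s, net_d, target in chain:
        if s in net_s and d in net_d:
            return target
    return fallthrough

def access_matrix(chain):
    clients = ["10.8.0.10", "10.8.0.11", "10.8.0.50"]
    hosts = ["192.168.55.26", "192.168.1.20"]  # second host is constructed
    return {(c, h): verdict(chain, c, h) for c in clients for h in hosts}

if __name__ == "__main__":
    for name, chain in [("insert", build_chain(SCRIPT)),
                        ("append", build_chain(SCRIPT, insert=False)),
                        ("script never ran", [])]:
        print(name)
        for (c, h), v in access_matrix(chain).items():
            print(f"  {c} -> {h}: {v}")
```

With insertion the DROP ends up last and 10.8.0.50 reaches only 192.168.55.26; with an empty chain every client falls through, which matches the "everyone can access the entire LAN" symptom and is why checking `iptables -vnL FORWARD` comes first.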
 
