On Wed, 31 Aug 2022 21:32:28 +0200, Bo Berglund <bo.bergl...@gmail.com> wrote:

>To simplify things for this single case I believe I can use a client-specific ccd
>entry to give him a specific IP on connect, then using iptables I should be able
>to drop all packets towards the server side LAN, right?
>
>This is what I have done:
>I added a ccd entry as follows (DHCP range for non-ccd clients ends at 127):
>  ifconfig-push 10.8.1.137 255.255.255.0
>
>Now I need to add an IPTABLES rule for the IP address such that it will drop
>connection attempts from the source address 10.8.1.137 to destination network
>192.168.119.0/24...
>But I am pretty bad at formulating these rules so would appreciate it if someone
>here may chip in with the correct syntax:
>
>Suggestion:
>
>iptables -I FORWARD 1 -s 10.8.1.130 -d 192.168.119.0/24 -j DROP
>
>Is this like it should be or do I have to change it?

UPDATE-RESOLVED:
----------------

This iptables rule did the trick:

iptables -A FORWARD -s 10.8.0.136/29 -d 192.168.119.0/24 -j DROP

What it does is that it blocks local LAN access for all clients using an IP in
the range 10.8.0.136 .. 10.8.0.151, in total 16 addresses.

So using ccd on clients that are not supposed to access the LAN and giving them
an IP in that range blocks them from the LAN while they can still reach the web.


-- 
Bo Berglund
Developer in Sweden
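As an added illustration of the approach above (not code from the thread or from OpenVPN): pure-shell helpers that produce the ccd line and the FORWARD rule for a restricted client, plus a check that the address pushed by ccd actually falls inside the CIDR block the DROP rule matches on, so a typo in either file cannot silently leave the LAN reachable. The client name, the ccd path and the address 10.8.0.137 are constructed; the rule is only printed, never applied.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. POSIX sh only; nothing here
# calls iptables, the generated rule is printed for review.

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit status 0 if address $1 lies inside CIDR block $2 (e.g. 10.8.0.136/29).
in_block() {
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# ccd file content for one client: the fixed address with the /24 netmask used
# in the thread (assumes the server subnet is a /24 in topology subnet mode).
ccd_entry() {
    printf 'ifconfig-push %s 255.255.255.0\n' "$1"
}

# The FORWARD rule from the thread with block ($1) and LAN ($2) as parameters.
lan_block_rule() {
    printf 'iptables -A FORWARD -s %s -d %s -j DROP\n' "$1" "$2"
}

# Emit the ccd entry and the rule for one restricted client, refusing when the
# pushed address is outside the block the DROP rule covers.
restrict_client() {
    client=$1; addr=$2; block=$3; lan=$4
    if ! in_block "$addr" "$block"; then
        echo "error: $addr is not inside $block; the DROP rule would not match it" >&2
        return 1
    fi
    echo "# ccd/$client  (hypothetical path)"
    ccd_entry "$addr"
    lan_block_rule "$block" "$lan"
}

# Constructed sample client: address 137 sits inside 10.8.0.136/29.
restrict_client alice 10.8.0.137 10.8.0.136/29 192.168.119.0/24
```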



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users