Firewalling a 16 OpenVPN network into 24 subnets » History » Version 1
Charles Atkinson, 01/04/2021 13:05
h1. Firewalling a /16 OpenVPN network into /24 "subnets"

{{toc}}

h1. Introduction

This page describes how nftables was used to control client-to-client connections between OpenVPN clients with 172.16.x.y addresses, where x was unique to each organisation (so each organisation occupied its own /24 within the 172.16.0.0/16 VPN network).

* All clients were allowed to ping the OpenVPN server for diagnostics
* Support staff's computers were allowed to connect to their own organisation's computers and to the computers of the organisations they support
* All clients in an organisation were allowed to connect to other clients in the same organisation

h2. Related documents

* https://openvpn.net/community-resources/configuring-client-specific-rules-and-access-policies/
* https://backreference.org/2010/05/02/controlling-client-to-client-connections-in-openvpn/

h1. The solution

Illustrative excerpts from /etc/nftables.conf. The rules in the forward chain only see client-to-client traffic when the OpenVPN server is run without the client-to-client directive; with that directive OpenVPN switches traffic between clients internally and it never reaches the kernel's forward hook.

<pre>
#!/usr/sbin/nft -f

flush ruleset

table inet filter {

    # One set per organisation, listing the VPN addresses of its clients
    set aurinoco_support {
        type ipv4_addr
        elements = {
            172.16.0.5,
            ...
        }
    }
    ...
    set blue.av {
        type ipv4_addr
        elements = {
            172.16.3.1,
            ...
        }
    }
    ...
    chain input {
        type filter hook input priority 0;

        # Drop ICMP echo-request (ping) when greater than one per second
        ip protocol icmp icmp type echo-request limit rate 1/second accept
        ip protocol icmp icmp type echo-request counter drop

        # Allow all OpenVPN clients to ping the OpenVPN server (for diagnostics).
        # Echo-requests from clients are already accepted (rate limited) above;
        # echo-replies are accepted here so the server can ping clients, because
        # this chain has no "ct state established" rule. Everything else that
        # clients send to the server itself is dropped.
        ip saddr 172.16.0.0/16 ip daddr 172.16.0.1 icmp type echo-reply accept
        ip saddr 172.16.0.0/16 ip daddr 172.16.0.1 drop
    }
    chain forward {
        # Drop all packets unless a rule below does differently
        type filter hook forward priority 0; policy drop

        # Allow traffic from established and related packets
        ct state established,related accept

        # Drop invalid packets
        ct state invalid drop

        # Allow loopback traffic
        iifname lo accept

        # Allow support computers to connect to the clients their users support
        ...
        ip saddr @aurinoco_support ip daddr @blue.av accept
        ...
        # Allow each organisation's computers to connect to others in the same organisation
        ...
        ip saddr @blue.av ip daddr @blue.av accept
        ...
    }
}
</pre>
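As an added example (not the wiki's own configuration), the following Python script generates the per-organisation sets and the forward-chain accept rules shown above from one table of organisations and support relationships, and re-implements the forward chain's decision so that candidate flows can be checked against the policy before the rules are loaded. The set names mirror the page's; the host numbers, the extra organisation `green.co` and the support relationships are constructed.

```python
"""Generate the per-organisation nftables sets and forward-chain rules for a
/16 OpenVPN network split into /24 organisations, and check flows against
the same policy. Added example; all data below is constructed."""
import ipaddress

# Constructed (hypothetical): each organisation owns one /24 inside the VPN
# /16, identified by its third octet, and lists the client addresses in it.
ORGS = {
    "aurinoco_support": {"third_octet": 0, "hosts": [5, 6]},
    "blue.av":          {"third_octet": 3, "hosts": [1, 2, 3]},
    "green.co":         {"third_octet": 4, "hosts": [1, 2]},
}

# Constructed: which organisations' support staff may open connections to
# which other organisations. Only this direction gets an accept rule;
# replies ride on "ct state established,related accept".
SUPPORTS = {
    "aurinoco_support": ["blue.av", "green.co"],
}

VPN_NET = ipaddress.ip_network("172.16.0.0/16")


def org_addresses(name):
    """All client addresses that belong to one organisation."""
    org = ORGS[name]
    return [f"172.16.{org['third_octet']}.{host}" for host in org["hosts"]]


def render_set(name):
    """One 'set <name> { type ipv4_addr ... }' block in nft syntax."""
    elements = ",\n".join(f"            {addr}" for addr in org_addresses(name))
    return (
        f"    set {name} {{\n"
        f"        type ipv4_addr\n"
        f"        elements = {{\n{elements}\n        }}\n"
        f"    }}\n"
    )


def render_forward_rules():
    """Accept rules for the forward chain, in the page's two groups."""
    rules = ["        # Allow support computers to connect to the clients their users support"]
    for supporter, supported in SUPPORTS.items():
        for target in supported:
            rules.append(f"        ip saddr @{supporter} ip daddr @{target} accept")
    rules.append("        # Allow each organisation's computers to connect to others in the same organisation")
    for name in ORGS:
        rules.append(f"        ip saddr @{name} ip daddr @{name} accept")
    return "\n".join(rules)


def render_ruleset():
    """Whole 'table inet filter' with the sets and a default-drop forward chain."""
    sets = "".join(render_set(name) for name in ORGS)
    return (
        "#!/usr/sbin/nft -f\n\nflush ruleset\n\ntable inet filter {\n"
        f"{sets}"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy drop\n"
        "        ct state established,related accept\n"
        "        ct state invalid drop\n"
        f"{render_forward_rules()}\n"
        "    }\n}\n"
    )


def org_of(addr):
    """Organisation whose set lists addr, or None for an unlisted address."""
    ip = ipaddress.ip_address(addr)
    if ip not in VPN_NET:
        return None
    for name in ORGS:
        if str(ip) in org_addresses(name):
            return name
    return None


def forward_allowed(src, dst):
    """Decision the generated forward chain makes for a NEW connection
    src -> dst: accepted only within one organisation or from a supporting
    organisation to one it supports; everything else hits 'policy drop'."""
    src_org, dst_org = org_of(src), org_of(dst)
    if src_org is None or dst_org is None:
        return False
    if src_org == dst_org:
        return True
    return dst_org in SUPPORTS.get(src_org, [])


if __name__ == "__main__":
    print(render_ruleset())
    for flow in [("172.16.0.5", "172.16.3.1"), ("172.16.3.1", "172.16.0.5"),
                 ("172.16.3.1", "172.16.4.1"), ("172.16.3.99", "172.16.3.1")]:
        print(flow, "accept" if forward_allowed(*flow) else "drop")
```

Running the script prints the generated ruleset, which `nft -c -f` can syntax-check before it is loaded. Because the sets list individual client addresses rather than whole /24s, a client that is handed an address inside an organisation's /24 but is missing from that organisation's set is dropped rather than silently admitted, which is the safe failure direction; `forward_allowed` reflects that, as does the check that a supported organisation cannot open connections back towards the support set.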