Block outgoing traffic for PPTP clients


I have a PPTP server that is installed within an Ubuntu VM. The Ubuntu host is configured to pass through VPN traffic to this VM from external clients to internal server resources. Now I need to block access for these VPN clients to specific external IP addresses or ports. How could I do this?

I tried to drop all output traffic on the host with rules like:

iptables -I OUTPUT -p udp --dport 9999 -j DROP

But it does not work for VPN clients. Adding this rule to the VM with PPTP does not work either. How could I block such connections?

The current iptables on the host:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED tcp dpt:1723
ACCEPT     gre  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     udp  --  anywhere             anywhere             udp 9999 reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             vpn                  state NEW tcp dpt:1723
ACCEPT     all  --  anywhere             192.168.122.0/24     ctstate RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED tcp dpt:1723
ACCEPT     gre  --  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED
REJECT     udp  --  anywhere             anywhere             udp 9999 reject-with icmp-port-unreachable


lojza

What's your iptables -L output? Is your rule above ACCEPT all? Do you save your iptables?
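The answer's ordering question ("is your rule above ACCEPT all?") can be checked mechanically. The following is an added example, not code from either poster: it parses an `iptables -L` listing and reports, for every DROP/REJECT rule, which earlier ACCEPT rules in the same chain match a superset of its packets and therefore shadow it. The sample listing is constructed from the question's FORWARD and OUTPUT chains, with one extra constructed line (rule 4 of FORWARD, what appending `-p udp --dport 9999 -j DROP` after the blanket ACCEPT would look like).

```python
import re

# Constructed sample: the question's host chains, trimmed, plus one appended DROP.
SAMPLE_LISTING = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     udp  --  anywhere             anywhere             udp dpt:9999 reject-with icmp-port-unreachable
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
DROP       udp  --  anywhere             anywhere             udp dpt:9999
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     gre  --  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED
REJECT     udp  --  anywhere             anywhere             udp dpt:9999 reject-with icmp-port-unreachable
"""

RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_listing(text):
    """Parse `iptables -L` output into {chain: [rule, ...]} preserving rule order."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line and not line.startswith("target"):
            m = RULE_RE.match(line)
            if m:
                target, proto, src, dst, extra = m.groups()
                chains[current].append({"target": target, "proto": proto,
                                        "src": src, "dst": dst, "extra": extra.strip()})
    return chains

def covers(broad, rule):
    """Conservative superset test: `broad` has no extra match and only wildcards or equal fields."""
    return (broad["extra"] == ""
            and broad["proto"] in ("all", rule["proto"])
            and broad["src"] in ("anywhere", rule["src"])
            and broad["dst"] in ("anywhere", rule["dst"]))

def find_shadowed_blocks(chains):
    """Map (chain, 1-based rule number) of each DROP/REJECT to the ACCEPT rule numbers shadowing it."""
    result = {}
    for chain, rules in chains.items():
        for i, rule in enumerate(rules):
            if rule["target"] in ("DROP", "REJECT"):
                result[(chain, i + 1)] = [j + 1 for j, r in enumerate(rules[:i])
                                          if r["target"] == "ACCEPT" and covers(r, rule)]
    return result

if __name__ == "__main__":
    for (chain, num), by in find_shadowed_blocks(parse_listing(SAMPLE_LISTING)).items():
        print(f"{chain} rule {num}: " + (f"shadowed by ACCEPT rule(s) {by}" if by else "reachable"))
```

A blocking rule that lands after a blanket ACCEPT never sees the packet; inserting it with `-I` at the top of the chain, or checking the result with `iptables -L --line-numbers`, avoids that.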