VPN filtering ports

DustP
Posts: 2
Joined: Sun May 11, 2014 6:17 pm

VPN filtering ports

Post by DustP » Sun May 11, 2014 6:26 pm

Dear all,

My setup: VPS with VPN running (externally hosted)
Clients: from various networks like home, work, etc.

I already searched google.com for the answer but could not find anything close to what I need.

I want my clients to connect to the VPN on port 443 (this function works already).

Now I want to filter the ports that they can use through the VPN.

I want to block all the ports except ports like 80, 443, 22, 21.

Can someone help me, please?

I filtered ports with TCP and made one line to block all access with IPv4/IPv6, resulting in all the ports being blocked. Please give me some advice.

10nico
Posts: 5
Joined: Fri May 09, 2014 10:01 am

Re: VPN filtering ports

Post by 10nico » Mon May 12, 2014 9:26 am

Hello DustP, your problem looks a lot like mine.

It seems the "default deny rule" added at the bottom (as done in every firewall in the world) to explicitly deny everything that is not explicitly allowed does not work as expected.

In fact it blocks everything, even what has been allowed in the rules above with higher priority.

I'm starting to think that this is a bug.

However, I'll try to update my VPN server with all the available updates, as suggested in the official documents.

Good luck!

Michele

DustP
Posts: 2
Joined: Sun May 11, 2014 6:17 pm

Re: VPN filtering ports

Post by DustP » Mon May 12, 2014 10:39 am

Hello Michele,
</gml_replace>
<gr_replace lines="62" cat="clarify" orig="thx for">
Thanks for the reply.

thx for the reply.

It sure looks like a bug, noting that I run the latest VPN server.

Could you provide me with feedback if your system works fine?

I will do the same if I can make my system work properly.

qupfer
Posts: 202
Joined: Wed Jul 10, 2013 2:07 pm

Re: VPN filtering ports

Post by qupfer » Mon May 12, 2014 11:45 am

DustP wrote:

> i want to block all the ports except ports like 80, 443, 22, 21.

I would recommend that you also add the following ports:
UDP 53 (DNS)
UDP 67 (DHCP)
and you can leave out port 21 because it will probably not work.
Because 21 is just the port for the control session. The data transfer is established on other (random) high ports.

And with the help of dnobori (http://07q.de/dnobori) I got it, and the access list works as it is supposed to. We had all forgotten that we have bi-directional connections. So you need two entries for every port.
http://07q.de/access

Or a little bit more elegant for TCP connections:
http://07q.de/access2
It allows all "established" connections on every port.
So you can add TCP-Ports with one entry.

Or maybe even better, because you also need just one entry for UDP/ICMP:
http://07q.de/access3
Of course, you need the first entry for every user or combine them in a group.
Last edited by qupfer on Tue May 13, 2014 9:05 am, edited 2 times in total.
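To make qupfer's point concrete, here is a small simulation of a prioritised, stateless access list. It is an added example written for this thread, not SoftEther's own code: the rule fields, the "lower priority number wins" ordering, the "pass unmatched packets" default and the way an "established" rule is modelled (any TCP segment with the ACK flag set) are simplifying assumptions. It walks a TCP handshake and a DNS request/reply through three rule sets and shows why a single "allow TCP to port 80" rule plus a default deny hangs every connection, why a second entry for the reply direction fixes it, and why the established rule covers TCP but not UDP.

```python
"""Toy stateless access list (constructed example, not SoftEther code).

Every packet is judged on its own, and a VPN carries traffic in both
directions: a rule that allows "TCP to port 80" matches the client's
outgoing segments only. The server's replies come *from* port 80 and
fall through to the default-deny rule unless a second rule covers them.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    src_port: int          # 0 for icmp
    dst_port: int
    tcp_ack: bool = False  # True for every TCP segment except the initial SYN


@dataclass(frozen=True)
class Rule:
    priority: int                    # assumption: lower number is evaluated first
    action: str                      # "pass" or "discard"
    proto: Optional[str] = None      # None = any protocol
    dst_port: Optional[int] = None   # None = any destination port
    src_port: Optional[int] = None   # None = any source port
    established: bool = False        # match only TCP segments with ACK set

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.src_port is not None and self.src_port != pkt.src_port:
            return False
        if self.established and not (pkt.proto == "tcp" and pkt.tcp_ack):
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule in priority order decides; unmatched packets pass
    (assumption), which is why an explicit deny rule sits at the bottom."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(pkt):
            return rule.action
    return "pass"


def tcp_exchange(client_port: int, server_port: int) -> List[Packet]:
    """Handshake plus one data reply, seen from the VPN client's side of the
    list: outbound goes to server_port, inbound comes from it."""
    return [
        Packet("tcp", client_port, server_port, tcp_ack=False),  # client SYN
        Packet("tcp", server_port, client_port, tcp_ack=True),   # server SYN/ACK
        Packet("tcp", client_port, server_port, tcp_ack=True),   # client ACK
        Packet("tcp", server_port, client_port, tcp_ack=True),   # server data
    ]


def udp_exchange(client_port: int, server_port: int) -> List[Packet]:
    """A DNS-style request and its reply; UDP has no ACK flag to key on."""
    return [Packet("udp", client_port, server_port),
            Packet("udp", server_port, client_port)]


def exchange_succeeds(rules: List[Rule], packets: List[Packet]) -> bool:
    """One dropped reply is enough to hang the connection, so all must pass."""
    return all(evaluate(rules, p) == "pass" for p in packets)


DEFAULT_DENY = Rule(1000, "discard")

# Rule set 1: what the original poster described - one allow per port, deny at the bottom.
ONE_WAY = [Rule(10, "pass", "tcp", dst_port=80), DEFAULT_DENY]

# Rule set 2: qupfer's first fix - a second entry for the reply direction of each port.
TWO_ENTRIES = [Rule(10, "pass", "tcp", dst_port=80),
               Rule(11, "pass", "tcp", src_port=80), DEFAULT_DENY]

# Rule set 3: one allow per TCP port plus an "established" rule, and a UDP 53 allow.
ESTABLISHED = [Rule(10, "pass", "tcp", dst_port=80),
               Rule(20, "pass", "tcp", established=True),
               Rule(30, "pass", "udp", dst_port=53), DEFAULT_DENY]

# Rule set 4: the same, plus the reply-direction entry that UDP still needs.
WITH_DNS_REPLY = ESTABLISHED[:3] + [Rule(31, "pass", "udp", src_port=53), DEFAULT_DENY]


if __name__ == "__main__":
    cases = [("one allow + deny, TCP 80", ONE_WAY, tcp_exchange(50000, 80)),
             ("two entries, TCP 80", TWO_ENTRIES, tcp_exchange(50000, 80)),
             ("established rule, TCP 80", ESTABLISHED, tcp_exchange(50000, 80)),
             ("established rule, TCP 8080 (not allowed)", ESTABLISHED, tcp_exchange(50001, 8080)),
             ("established rule, UDP 53", ESTABLISHED, udp_exchange(50002, 53)),
             ("plus UDP reply entry, UDP 53", WITH_DNS_REPLY, udp_exchange(50002, 53))]
    for name, rules, pkts in cases:
        print(f"{name:45s} -> {'works' if exchange_succeeds(rules, pkts) else 'hangs'}")
```

Running it prints "hangs" for the first rule set, which is exactly the "everything is blocked" symptom from the first post: the SYN passes, the SYN/ACK from port 80 matches nothing but the deny. The established rule fixes TCP without opening new ports, because a SYN to 8080 still has no ACK flag and is discarded, but UDP replies still need their own entry.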

10nico
Posts: 5
Joined: Fri May 09, 2014 10:01 am

Re: VPN filtering ports

Post by 10nico » Mon May 12, 2014 2:23 pm

Hello again, I have finished updating my CentOS to the latest version of all of its packages (kernel included) and just tried it again, but no change at all.

It just seems that it ignores all the TCP/UDP rules; however, the ICMP rules work ok...

Smells like a bug to me ;-)

Let's see if someone else fixes something in the upstream code (I'm not able to do that).

Kind regards,

Michele

10nico
Posts: 5
Joined: Fri May 09, 2014 10:01 am

Re: VPN filtering ports

Post by 10nico » Mon May 12, 2014 3:47 pm

Thank you for your suggestion qupfer!

It seems you're right in your assumption; I have tried adding the "TCP established allow" rule to my setup and now it works as expected.

Thank you very much indeed! :-)

Kind regards,

Michele
