how to limit SE clients to just web browsing (port: 53,80,443)

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

how to limit SE clients to just web browsing (port: 53,80,443)

Post by shakibamoshiri » Thu Jan 12, 2023 12:48 pm

How can we limit client users to only have access to web browsing?
I am looking for both
1. System Wide rule (iptables)
2. SE server rule (Access List)

I came up with this Access List

[image: Access List screenshot]

And these iptables rules:
filter table

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.11.12.0/24 -p icmp -j DROP
-A INPUT -s 10.11.12.0/24 -d 10.11.12.0/24 -p tcp -m multiport --dports 67,68 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -d 10.11.12.0/24 -p udp -m multiport --dports 67,68 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 10.11.12.0/24 -p udp -m udp --dport 443 -j ACCEPT
-A FORWARD -s 10.11.12.0/24 -p icmp -j DROP
-A OUTPUT -s 10.11.12.0/24 -p icmp -j DROP
-A OUTPUT -s 10.11.12.0/24 -d 10.11.12.0/24 -p tcp -m multiport --dports 67,68 -j ACCEPT
-A OUTPUT -s 10.11.12.0/24 -d 10.11.12.0/24 -p udp -m multiport --dports 67,68 -j ACCEPT
-A OUTPUT -d 10.11.12.0/24 -p tcp -m tcp --sport 53 -j ACCEPT
-A OUTPUT -d 10.11.12.0/24 -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -d 10.11.12.0/24 -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -d 10.11.12.0/24 -p udp -m udp --sport 80 -j ACCEPT
-A OUTPUT -d 10.11.12.0/24 -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -d 10.11.12.0/24 -p udp -m udp --sport 443 -j ACCEPT
-A OUTPUT -d 224.0.0.0/4 -j DROP
-A OUTPUT -d 100.64.0.0/10 -j DROP
-A OUTPUT -d 169.254.0.0/16 -j DROP
-A OUTPUT -d 192.168.0.0/16 -j DROP
-A OUTPUT -d 172.16.0.0/12 -j DROP
-A OUTPUT -d 10.0.0.0/8 -j DROP
nat table

*nat
:PREROUTING ACCEPT [224331:13342409]
:INPUT ACCEPT [223127:13116327]
:OUTPUT ACCEPT [590884:40808004]
:POSTROUTING ACCEPT [590742:40765620]
-A POSTROUTING -s 10.11.12.0/24 -o eth0 -m comment --comment se-server -j MASQUERADE
Please guide me if it has any incorrect settings.
Also, which one is preferred in terms of performance?
Regards

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: how to limit SE clients to just web browsing (port: 53,80,443)

Post by solo » Fri Jan 13, 2023 3:57 am

Nah, mostly wrong. Try this:
  • apply VPN Gate rules as they are but change the sample 10.211.x.x subnet of course
  • iptables -t nat -A POSTROUTING -s 10.211.0.0/16 -p tcp -m multiport --dports 53,80,443 -o eth0 -j MASQUERADE
  • iptables -t nat -A POSTROUTING -s 10.211.0.0/16 -p udp --dport 53 -o eth0 -j MASQUERADE
Shorter :-)

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to limit SE clients to just web browsing (port: 53,80,443)

Post by shakibamoshiri » Fri Jan 13, 2023 8:49 pm

solo wrote:
Fri Jan 13, 2023 3:57 am
Nah, mostly wrong. Try this:
  • apply VPN Gate rules as they are but change the sample 10.211.x.x subnet of course
  • iptables -t nat -A POSTROUTING -s 10.211.0.0/16 -p tcp -m multiport --dports 53,80,443 -o eth0 -j MASQUERADE
  • iptables -t nat -A POSTROUTING -s 10.211.0.0/16 -p udp --dport 53 -o eth0 -j MASQUERADE
Shorter :-)
Yes, much shorter; why did I not think about this :|

What I added

*nat
:PREROUTING ACCEPT [353102:20917035]
:INPUT ACCEPT [350503:20556854]
:OUTPUT ACCEPT [1056236:72921997]
:POSTROUTING ACCEPT [1056095:72879673]
-A POSTROUTING -s 10.11.12.0/24 -o eth0 -p tcp -m multiport --dports 53,67,68,80,443 -j MASQUERADE
-A POSTROUTING -s 10.11.12.0/24 -o eth0 -p udp -m multiport --dports 53,67,68,80,443 -j MASQUERADE
With the Access List it was tested: perfect, no problem.

How about System Wide with iptables?
Is this wrong for example?

#!/bin/bash

set -eu

# $1 is the iptables command flag, e.g. A (append) or D (delete), so the same
# script can add the rules and later remove them.
iptables -${1} OUTPUT -d 224.0.0.0/4 -j DROP
iptables -${1} OUTPUT -d 100.64.0.0/10 -j DROP
iptables -${1} OUTPUT -d 169.254.0.0/16 -j DROP
iptables -${1} OUTPUT -d 192.168.0.0/16 -j DROP
iptables -${1} OUTPUT -d 172.16.0.0/12 -j DROP
iptables -${1} OUTPUT -d 10.0.0.0/8 -j DROP

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Re: how to limit SE clients to just web browsing (port: 53,80,443)

Post by solo » Fri Jan 13, 2023 11:32 pm

Without going into details, both system-wide and already made "postrouting" changes are unnecessary, redundant and inefficient. I really hope that you had not altered the VPN Gate rules as they are essential for security.

shakibamoshiri
Posts: 285
Joined: Wed Dec 28, 2022 9:10 pm

Re: how to limit SE clients to just web browsing (port: 53,80,443)

Post by shakibamoshiri » Sat Jan 14, 2023 6:12 am

solo wrote:
Fri Jan 13, 2023 11:32 pm
Without going into details, both system-wide and already made "postrouting" changes are unnecessary, redundant and inefficient. I really hope that you had not altered the VPN Gate rules as they are essential for security.
I already tested the VPN Gate rules; there is no problem with these. Why alter them?
Actually I do not prefer mine over VPN Gate, but I prefer System Wide over Access List.

First reason is on a server we might have
- SE server
- OC server
- WG server
- SSH port forwarding
- even SSH login by other developers
So the SE server Access List is not enough in this regard.

Second reason is I can create scripts (Bash) and easily use them elsewhere using e.g. Ansible or other tools.
My purpose is not circumventing VPN Gate rules, but finding the equivalent of the rules and applying them System Wide.
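An added example (not from this thread, and not SoftEther's or VPN Gate's own rules) of what a "system wide" equivalent of the web-only policy looks like when it is placed in the chain that routed client traffic actually crosses. Traffic the server forwards for VPN clients traverses the FORWARD chain, not INPUT or OUTPUT, which only see packets addressed to or sent by the server itself; that is why the INPUT/OUTPUT rules in the first post do not constrain client browsing, and why restricting MASQUERADE to certain ports only stops NAT for the rest rather than explicitly denying it. The script below builds an explicit allow-list for the client subnet in a dedicated FORWARD sub-chain, drops the same private and reserved destinations the original poster listed, logs a rate-limited sample of rejected packets for detection, and keeps NAT to a single rule. The subnet 10.11.12.0/24, the interface eth0 and the chain name VPN_EGRESS are assumptions; it prints iptables-restore syntax and only loads it when explicitly asked.

```shell
#!/bin/sh
# Added example: generate a FORWARD-chain egress policy for a VPN client
# subnet in iptables-restore format. Assumes (hypothetical) that the VPN
# server hands client packets to the Linux routing stack, so they pass
# through FORWARD, and that the WAN interface is given as the 2nd argument.

# Destinations VPN clients must never reach through the server. This is the
# same list the original poster used; nothing has been added to it.
PRIVATE_DESTS="224.0.0.0/4 100.64.0.0/10 169.254.0.0/16 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8"

# gen_vpn_egress_rules SUBNET WAN_IF  -> prints the ruleset on stdout
gen_vpn_egress_rules() {
    subnet="$1"
    wan="$2"
    printf '%s\n' "*filter"
    # Dedicated user chain so the policy can be inspected and flushed alone.
    printf '%s\n' ":VPN_EGRESS - [0:0]"
    # Every packet from the client subnet that leaves via the WAN interface.
    printf '%s\n' "-A FORWARD -s $subnet -o $wan -j VPN_EGRESS"
    # Replies to flows the clients opened are allowed back in.
    printf '%s\n' "-A FORWARD -d $subnet -i $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Private/reserved destinations are dropped first, so an allowed port can
    # never become a path to networks behind the server.
    for dst in $PRIVATE_DESTS; do
        printf '%s\n' "-A VPN_EGRESS -d $dst -j DROP"
    done
    printf '%s\n' "-A VPN_EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The web-only allow-list: DNS over UDP and TCP, HTTP, HTTPS.
    printf '%s\n' "-A VPN_EGRESS -p udp --dport 53 -j ACCEPT"
    printf '%s\n' "-A VPN_EGRESS -p tcp -m multiport --dports 53,80,443 -j ACCEPT"
    # Everything else: log a rate-limited sample for detection, then drop.
    printf '%s\n' "-A VPN_EGRESS -m limit --limit 5/min -j LOG --log-prefix \"vpn-egress-drop: \""
    printf '%s\n' "-A VPN_EGRESS -j DROP"
    printf '%s\n' "COMMIT"
    printf '%s\n' "*nat"
    # NAT needs one rule only; the filter chain already decided what may pass.
    printf '%s\n' "-A POSTROUTING -s $subnet -o $wan -j MASQUERADE"
    printf '%s\n' "COMMIT"
}

# Usage: sh vpn-egress.sh 10.11.12.0/24 eth0          (print the ruleset)
#        sh vpn-egress.sh 10.11.12.0/24 eth0 --apply  (load it, as root)
if [ "${3-}" = "--apply" ]; then
    # --noflush merges into the existing tables instead of replacing them.
    gen_vpn_egress_rules "$1" "$2" | iptables-restore --noflush
elif [ $# -eq 2 ]; then
    gen_vpn_egress_rules "$1" "$2"
fi
```

Because the allow-list is evaluated in FORWARD, it applies no matter which VPN daemon (SE, OC, WG) injected the packet, which is the property the system-wide approach was meant to give; the Access List stays useful as a second, per-hub control inside SoftEther. Keep the LOG rule's prefix unique so the dropped-packet samples can be picked out of the kernel log and counted per client address.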
