I have a Linux box that connects to a VPN and enables access to 10.121.0.0/16. Personally I use this network a lot, and it would be preferable to have vpnc up and running all the time.
However, on my box there are users that should not be allowed to access this VPN, so is there a way to prevent some users from accessing a certain network?
Edit: To clarify, the users are local users shelled into the Linux box for various purposes (editing their website, chatting away on IRC, etc.). The VPN connection is initiated by me from the Linux box for some stuff that I need to access. My box is not acting as a router.
The Linux box uses vpnc to connect to 10.121.0.0/16; are the users logging into the Linux box or using it as a router?
If it's acting as a router, use iptables to only accept traffic for that segment from your IP. Assuming eth0 is inside the network, eth1 goes to other networks that everyone gets to (internet), and tun0 is the vpnc interface, the following would masquerade your traffic from your IP (in this case 10.1.1.199) to tun0:
You can also accept packets from your IP and drop from everyone else:
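An added example, not code from the original answer: a shell script that prints iptables rules for the router case described above and for the local-user case from the question's edit, where the owner match on the OUTPUT chain filters by the sending UID. The interface, network and IP are the ones named in the thread; the user name `alice` and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: restrict who may send traffic into the VPN behind tun0.
# tun0, 10.121.0.0/16 and 10.1.1.199 come from the thread; "alice" is a
# constructed placeholder for the one account allowed to use the VPN.

VPN_IF="tun0"
VPN_NET="10.121.0.0/16"

# Router case: only one inside host is forwarded into the VPN, and its
# traffic is masqueraded on the way out of tun0.
router_rules() {
    src_ip="$1"
    echo "iptables -t nat -A POSTROUTING -s $src_ip -o $VPN_IF -j MASQUERADE"
    echo "iptables -A FORWARD -s $src_ip -o $VPN_IF -d $VPN_NET -j ACCEPT"
    echo "iptables -A FORWARD -o $VPN_IF -j DROP"
}

# Local-user case: packets originate on the box itself, so they traverse
# OUTPUT, where the owner match can test the UID of the sending socket.
# Packets with no socket owner (kernel-generated replies) fall through
# to the REJECT as well.
local_rules() {
    user="$1"
    echo "iptables -A OUTPUT -o $VPN_IF -m owner --uid-owner $user -j ACCEPT"
    echo "iptables -A OUTPUT -o $VPN_IF -j REJECT"
}

# Print the rules by default; run them only when APPLY=1 (needs root).
emit() {
    while IFS= read -r rule; do
        if [ "${APPLY:-0}" = "1" ]; then $rule; else echo "$rule"; fi
    done
}

# Usage: script.sh router 10.1.1.199   or   script.sh local alice
case "${1:-}" in
    router) router_rules "$2" | emit ;;
    local)  local_rules "$2" | emit ;;
esac
```

Rule order matters in both cases: the ACCEPT must be appended before the catch-all DROP or REJECT on tun0, otherwise the permitted host or user is blocked too.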