I'm looking at a multi-site deployment where each of the remote locations has an IPSec VPN back into the data centre. I'm trying to find an easy way for support staff to provide access to the remote locations, yet do so securely.
Broadly speaking: staff from group A should only have access to group A's equipment, and staff from group B should only have access to group B's equipment. It's possible for both groups to have their equipment in a single location (think group A manages servers, group B manages IP CCTV systems). Each group has their own dedicated subnet that they will be connecting from, e.g. Group A might have 10.0.0.0/24 and Group B 10.0.1.0/24.
Creating explicit rules for hundreds of machines feels overly tedious. There's got to be a better way than listing each individual machine a user can connect into. My thought was this: Within each location, dedicate a portion of it to a given group. So 10.x.x.1-15 could be Group A's equipment, and 10.x.x.16-31 could be Group B's, etc...
Now the iptables question part: Is it possible to have just 2 rules on the data centre side to match this, irrespective of the number of remote locations? One that matches e.g. 10.x.x.1-15 and one that matches 16-31?
If not, is there another approach that I should be looking into?
Edit: I suppose I could use ipsets, which will reduce the number of rules even though I still have the overhead of managing the sets.
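Added example (an editor's illustration, not code from the question or from any answer on this page): the two-rule layout the question asks about, written with non-contiguous netmasks, plus a small pure-shell model of how a masked address match is evaluated so the effect of each mask can be checked without a firewall. It assumes that all remote sites sit under 10.0.0.0/8, that site-to-site traffic crosses the FORWARD chain on the data-centre box, and that the group source subnets are the ones given in the question (10.0.0.0/24 for Group A, 10.0.1.0/24 for Group B); the site prefix 10.5.5 used for the check is constructed.

```shell
#!/bin/sh
# Editor's example, not from the original post.
# iptables accepts a dotted-quad netmask that is not a CIDR prefix, and
# evaluates a -s/-d selector as:  (packet_addr & mask) == (rule_addr & mask).
# A mask of 255.0.0.240 therefore pins the first octet and the high nibble
# of the last octet while leaving the two middle octets (the site) free.

# Convert a dotted quad to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does address $1 match the selector "$2/$3" (rule address / dotted mask)?
# This is the same comparison the kernel performs for -s and -d.
matches() {
    pkt=$(ip2int "$1"); net=$(ip2int "$2"); mask=$(ip2int "$3")
    [ $(( pkt & mask )) -eq $(( net & mask )) ]
}

# List the last octets (0-255) of site prefix $1 (e.g. 10.5.5) that match "$2/$3".
matching_hosts() {
    i=0
    while [ "$i" -le 255 ]; do
        matches "$1.$i" "$2" "$3" && printf '%s ' "$i"
        i=$((i + 1))
    done
    echo
}

# The two rules asked for, one per group, independent of the number of sites.
# Assumed: sites live under 10/8 and traffic is forwarded, not locally delivered.
print_rules() {
    cat <<'EOF'
# Group A (source 10.0.0.0/24) may reach hosts .0-.15 at every site under 10/8
iptables -A FORWARD -s 10.0.0.0/24 -d 10.0.0.0/255.0.0.240  -j ACCEPT
# Group B (source 10.0.1.0/24) may reach hosts .16-.31 at every site under 10/8
iptables -A FORWARD -s 10.0.1.0/24 -d 10.0.0.16/255.0.0.240 -j ACCEPT
# Return traffic for either group; everything else relies on a DROP policy
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P FORWARD DROP
EOF
}

print_rules
printf '\nGroup A selector matches at site 10.5.5: %s\n' "$(matching_hosts 10.5.5 10.0.0.0 255.0.0.240)"
printf 'Group B selector matches at site 10.5.5: %s\n' "$(matching_hosts 10.5.5 10.0.0.16 255.0.0.240)"
```

Two caveats a practitioner would want. First, a mask cannot express "1-15": the Group A selector matches .0 through .15, where .0 is the site's network address, so nothing reachable is added, but the block boundaries are multiples of 16, not 1 and 16. Second, this construction is not available in an `ipset` of type `hash:net`, which only stores CIDR prefixes; under nftables the same match is written with a bitwise expression, e.g. `ip daddr & 255.0.0.240 == 10.0.0.16`. Note also that the whole scheme treats the source subnet as the user's identity, so it is only as strong as whatever puts a support engineer into 10.0.0.0/24 rather than 10.0.1.0/24.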
then you would want
iptables perfectly allows for bitmasks with "holes".
It seems like you are missing the obvious: