[eduVPN-deploy] [2020-04-15] Package Updates

François Kooman fkooman at tuxed.net
Thu Apr 16 17:16:18 CEST 2020


On 4/16/20 4:58 PM, Peter Macfarlane wrote:
> Hi François

Hi Peter!

> Are there any hooks currently to support doing firewall rules
> dynamically per user, or if one wants that kind of thing one should
> build different profiles and then firewall those networks?
> Our use case is 3rd party users who only need access to specific
> resources, inside our network.

Yes. It makes most sense to add an additional profile for those "3rd
party" users [1].

Once that is done you can either firewall that profile specifically *on*
the VPN server by creating FORWARD rules for the IP range belonging to
the "3rd party" profile, *or* probably better: on the target servers
themselves based on the IP ranges the users are coming from, but this
may require redoing your (internal) firewalls.

If you want to do this on the VPN server and need (more) help with that,
let me know; it would probably be something like this:

# Employees
-A FORWARD -s 10.0.0.0/24 -d 10.0.0.0/24 -i tun+ -o eth0 -j ACCEPT
# 3rd party
-A FORWARD -s 10.0.5.0/24 -d 10.1.1.1/32 -i tun+ -o eth0 -j ACCEPT
-A FORWARD -s 10.0.5.0/24 -d 10.1.1.2/32 -i tun+ -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

NOTE: if you only allow traffic to certain destinations via the VPN it
also makes sense to specify those in the "routes" configuration option
for that profile and disable "defaultGateway".

Regards,
François

[1] https://github.com/eduvpn/documentation/blob/v2/MULTI_PROFILE.md
[2] https://github.com/eduvpn/documentation/blob/v2/PROFILE_CONFIG.md
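As an added check that is not part of the mail or of eduVPN itself: a small Python simulator that parses the FORWARD rules quoted above and walks them in order (first match wins, as the kernel does), so the policy can be reviewed before the rules are loaded, e.g. that a "3rd party" client reaches only the two listed hosts and nothing in the employee range. It assumes every packet arrives on tun+ bound for eth0, so the interface matches are ignored; all sample addresses are the ones from the mail.

```python
import ipaddress
import shlex

# Constructed sample input: the FORWARD rules exactly as written in the mail.
RULES_TEXT = """\
# Employees
-A FORWARD -s 10.0.0.0/24 -d 10.0.0.0/24 -i tun+ -o eth0 -j ACCEPT
# 3rd party
-A FORWARD -s 10.0.5.0/24 -d 10.1.1.1/32 -i tun+ -o eth0 -j ACCEPT
-A FORWARD -s 10.0.5.0/24 -d 10.1.1.2/32 -i tun+ -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""


def parse_rules(text):
    """Turn '-A FORWARD ...' lines into (src_net, dst_net, verdict).

    A rule without -s or -d matches any address, like the final REJECT.
    Comment lines and rules for other chains are skipped.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        opts = {argv[i]: argv[i + 1] for i in range(len(argv) - 1) if argv[i].startswith("-")}
        if opts.get("-A") != "FORWARD":
            continue
        rules.append((ipaddress.ip_network(opts.get("-s", "0.0.0.0/0")),
                      ipaddress.ip_network(opts.get("-d", "0.0.0.0/0")),
                      opts["-j"]))
    return rules


def forward_verdict(rules, src, dst):
    """Walk the chain top to bottom; the first rule matching both addresses decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, verdict in rules:
        if s in src_net and d in dst_net:
            return verdict
    return "POLICY"  # no rule matched: the chain's default policy would apply


def reachable_from(rules, client_net):
    """Destination networks that ACCEPT rules open up for every client in client_net."""
    net = ipaddress.ip_network(client_net)
    return sorted(str(dst) for src, dst, verdict in rules
                  if verdict == "ACCEPT" and net.subnet_of(src))


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    print("3rd party may reach:", reachable_from(rules, "10.0.5.0/24"))
    print("10.0.5.10 -> 10.0.0.10:", forward_verdict(rules, "10.0.5.10", "10.0.0.10"))
```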
