iptables NAT and VPN

wkevin

(Msg. 1) Posted: Thu Jul 30, 2009 5:11 am
Post subject: iptables NAT and VPN
Archived from group: comp.os.linux.networking

Hello,
Is it possible to block VPN traffic through a certain machine with
some iptables rule?
rgs,
Kevin
wkevin

(Msg. 2) Posted: Thu Jul 30, 2009 7:14 am
Post subject: Re: iptables NAT and VPN

Thanks, Klaus.
I want to block VPNs in general on this machine, without prior
knowledge of the port. Is it possible?
Rgs,
Kevin


On Jul 30, 3:22 pm, Klaus Zerwes <kzer....TakeThisOut@web.de> wrote:
> wkevin wrote:
> > Hello,
> >   Is it possible to block  VPN traffic through a certain machine with
> > some iptables rule?
>
> Simply block the port in question
>
> > rgs,
> > Kevin
>
> Klaus
>
> --
> Klaus Zerwes
> http://www.zero-sys.net
Klaus Zerwes

(Msg. 3) Posted: Thu Jul 30, 2009 9:20 am
Post subject: Re: iptables NAT and VPN

wkevin wrote:
> Hello,
> Is it possible to block VPN traffic through a certain machine with
> some iptables rule?

Simply block the port in question

> rgs,
> Kevin

Klaus

--
Klaus Zerwes
http://www.zero-sys.net
David Schwartz

(Msg. 4) Posted: Thu Jul 30, 2009 2:47 pm
Post subject: Re: iptables NAT and VPN

On Jul 30, 7:14 am, wkevin <wkev... RemoveThis @gmail.com> wrote:

> I want to block VPNs in general on this machine, without prior
> knowledge of the port. Is it possible?

Yes if you have some way to distinguish VPN traffic from non-VPN
traffic. No if you don't.

One possibility is to block all traffic except the traffic you
specifically choose to allow. Then you can distinguish "VPN traffic"
as "anything not covered by the rules that state what I want to
allow".

Just make sure you don't specifically choose to allow something that
you consider a VPN. (The definition is fluid. For example, if I use
HTTP to exchange IP packets, is that a VPN?)

DS
Klaus Zerwes

(Msg. 5) Posted: Fri Jul 31, 2009 5:20 am
Post subject: Re: iptables NAT and VPN

wkevin wrote:
> Thanks, Klaus.
> I want to block VPNs in general on this machine, without prior
> knowledge of the port. Is it possible?

Not really AFAIK.
And it depends on what you mean by the term VPN.

Regarding IPSec you can try to block the protocols ESP and AH.
Or you may have a look at the policy module for iptables.

Regarding other VPN or tunneling techniques you must search for
corresponding stuff, may it be protocol based, port based or other way.

The other way would be to only allow specific traffic (but even then an
openvpn-server running on port 80 or 443 would be reachable)

Or you should have a look at snort running inline of iptables. Maybe you
can compile your own rules matching at least some VPN techniques.

Klaus

> Rgs,
> Kevin


--
Klaus Zerwes
http://www.zero-sys.net
Tauno Voipio

(Msg. 6) Posted: Tue Aug 04, 2009 3:20 pm
Post subject: Re: iptables NAT and VPN

wkevin wrote:
> Hello,
> Is it possible to block VPN traffic through a certain machine with
> some iptables rule?
> rgs,
> Kevin


VPN is a term that is far from unique - there are
myriads of different ways to create a VPN tunnel.

If you have an Internet connection, there may be a VPN
going on on top of the connection, e.g.

- tunneled on seemingly innocent HTTP requests and responses,
- tunneled on DNS requests,
- tunneled on data on ping requests,
- etc (you name it).

For blocking an SSH VPN, close TCP port 22. For an OpenVPN
on default UDP port, block UDP port 1194 (and so on, for
each VPN method and port setup separately).

What are you attempting to achieve and why?

--

Tauno Voipio
tauno voipio (at) iki fi
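The default-deny approach David Schwartz describes, combined with the ESP/AH, policy-match and port blocks Klaus and Tauno mention, as an added shell example (not code from any poster in the thread). The interface names, the allow-listed TCP ports and the IPT variable are assumptions; with the default IPT the script only prints the iptables commands instead of changing a live firewall.

```shell
#!/bin/sh
# Added example: default-deny FORWARD policy on a Linux gateway that also logs
# and drops the VPN carriers named in the thread. IPT defaults to "echo iptables"
# so the rules are printed; run with IPT=iptables as root to apply them.
IPT="${IPT:-echo iptables}"
LAN_IF="${LAN_IF:-eth1}"          # assumed inside interface (placeholder)
WAN_IF="${WAN_IF:-eth0}"          # assumed outside interface (placeholder)
ALLOW_TCP="${ALLOW_TCP:-80 443}"  # explicit allow-list, everything else is denied

gen_rules() {
    # 1. Default deny: anything not explicitly allowed below is treated as
    #    "VPN or otherwise unwanted" and dropped by the chain policy.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD

    # 2. A dedicated chain that logs (rate-limited) and drops known VPN
    #    carriers, so blocked attempts show up in the kernel log for detection.
    $IPT -N VPN_BLOCK 2>/dev/null || true   # ignore "chain exists" on re-run
    $IPT -F VPN_BLOCK
    $IPT -A VPN_BLOCK -m limit --limit 5/min -j LOG --log-prefix "VPN_BLOCK: "
    $IPT -A VPN_BLOCK -j DROP

    # IPsec: ESP (protocol 50), AH (protocol 51), and the kernel policy match
    # for packets that arrived inside an IPsec security association.
    $IPT -A FORWARD -p esp -j VPN_BLOCK
    $IPT -A FORWARD -p ah -j VPN_BLOCK
    $IPT -A FORWARD -m policy --dir in --pol ipsec -j VPN_BLOCK

    # SSH tunnels on TCP/22 and OpenVPN on its default UDP/1194.
    $IPT -A FORWARD -p tcp --dport 22 -j VPN_BLOCK
    $IPT -A FORWARD -p udp --dport 1194 -j VPN_BLOCK

    # 3. Allow-list: replies to accepted sessions, then the chosen TCP services
    #    from the LAN out to the WAN. As Klaus notes, an OpenVPN server listening
    #    on 443 would still be reachable through this allow-list.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for port in $ALLOW_TCP; do
        $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport "$port" \
             -m conntrack --ctstate NEW -j ACCEPT
    done
}

gen_rules
```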