iptables - allowing access to only a single port on different subnet
I've got an OpenVPN server up and running, currently allowing all traffic to be routed between the VPN (10.8.0.0/24) and the LAN (192.168.2.0/24) networks. My iptables rules look as follows:
iptables -t filter -F
iptables -t nat -F
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -j REJECT
iptables -t nat -A POSTROUTING -s '10.8.0.0/24' -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.2.26
iptables -t nat -A POSTROUTING -s '192.168.2.0/24' -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o tun0 -j SNAT --to-source 10.8.0.1
192.168.2.26 and 10.8.0.1 are the interfaces on the VPN server.
I am now looking to narrow it down quite a bit and allow only specific targets for specific users. One example:
I want the user with the IP 10.8.0.10 to only have access to 192.168.2.100 on port 8080, and nothing else in the LAN subnet. After tons of googling, I tried some wild combinations of SNAT and DNAT, but didn't find the solution.
How can I implement the above scenario?
So I've found a solution to my problem, in case anyone is in need and stumbles upon this:
I ditched iptables and went for ufw.
/etc/sysctl.conf:
net.ipv4.ip_forward=1
/etc/default/ufw:
DEFAULT_FORWARD_POLICY="DROP"
/etc/ufw/before.rules:
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic between OpenVPN and LAN
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.2.0/24 -o tun0 -j MASQUERADE
COMMIT
# END OPENVPN RULES
This way everything is set up for routing and forwarding, without forwarding anything yet due to the default "drop" policy.
To route the single IP to a port on another IP in a different subnet, as described in the question, I simply needed to run the following ruleset:
sudo ufw route allow in on tun0 out on eth0 to 192.168.2.100 proto tcp port 8080 from 10.8.0.10
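For anyone who wants the same restriction in plain iptables, the tool the question started with, here is an added example that is not part of the question or the answer: one function prints the equivalent FORWARD rules (default DROP, established flows kept, exactly one client-to-host:port path), and a second reads an iptables-save dump and flags a FORWARD chain that still forwards everything arriving on tun0. The interface names and addresses are those from the post; both dumps are constructed.

```shell
# Added example, not part of the original question or answer: the plain-iptables
# equivalent of the ufw route rule, plus an audit of an iptables-save dump.
# Interface and address values are the ones from the post; the dumps below are constructed.
VPN_IF=tun0; LAN_IF=eth0
CLIENT=10.8.0.10; TARGET=192.168.2.100; PORT=8080
# Print (do not run) the FORWARD rules: default DROP, keep established flows,
# then allow exactly one client -> host:port path for new connections.
restricted_forward_rules() {
    printf '%s\n' \
        "iptables -P FORWARD DROP" \
        "iptables -F FORWARD" \
        "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" \
        "iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $CLIENT -d $TARGET -p tcp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT"
}
# Audit an iptables-save dump read from stdin. Returns 1 if the FORWARD policy
# is not DROP, or if any ACCEPT rule on the VPN interface is not limited to a
# destination port (the '-i tun0 -j ACCEPT' rule from the question is exactly that).
audit_forward() {
    dump=$(cat)
    if ! printf '%s\n' "$dump" | grep -q '^:FORWARD DROP'; then
        echo "audit: FORWARD policy is not DROP" >&2
        return 1
    fi
    broad=$(printf '%s\n' "$dump" | grep '^-A FORWARD ' | grep -- "-i $VPN_IF " \
            | grep -- '-j ACCEPT' | grep -v -- '--dport' || true)
    if [ -n "$broad" ]; then
        echo "audit: over-broad accept on $VPN_IF: $broad" >&2
        return 1
    fi
    return 0
}
# Constructed dump matching the ruleset in the question: anything from tun0 is forwarded.
ORIGINAL_DUMP='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun0 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-port-unreachable
COMMIT'
# Constructed dump of the restricted ruleset as iptables-save would render it.
RESTRICTED_DUMP='*filter
:FORWARD DROP [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.10/32 -d 192.168.2.100/32 -i tun0 -o eth0 -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'
# Usage: review the generated rules; on a live host run: iptables-save | audit_forward
restricted_forward_rules
```

The generated rules only cover the filter table; the NAT rules from the answer's before.rules are still needed for the LAN to see the VPN server's address as the source.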