Block web sites for VPN clients


Faruk Kahraman

Guest
I installed an IPsec/L2TP VPN server on an Ubuntu 12 x86 VPS machine. I want to block some web sites for clients connected to the VPN server. So I changed the hosts file in Ubuntu to block access to unwanted web sites like this:
Code:
0.0.0.0 unwanted site com
etc.
When I try to connect unwanted web sites from terminal in Ubuntu with
Code:
wget unwanted site com
it says:
Code:
Resolving unwanted site com (unwanted site com)... 0.0.0.0 Connecting to unwanted site com (unwanted site com)|0.0.0.0|:80... failed: Connection refused.
So I think the hosts file works well. But when I want to open these web sites from connected VPN clients, it doesn't work. I can still access all web sites from the client.

How is it possible that while the VPN server cannot access a site, the VPN client can? And what must I do to block these sites for the VPN clients as well?

IPTables.rules
Code:
  *filter
  :INPUT ACCEPT [0:0]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :ICMPALL - [0:0]
  # host input: drop invalid, allow replies, loopback, filtered ICMP, DHCP, SSH
  -A INPUT -m conntrack --ctstate INVALID -j DROP
  -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A INPUT -i lo -j ACCEPT
  -A INPUT -p icmp --icmp-type 255 -j ICMPALL
  -A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
  -A INPUT -p tcp --dport 22 -j ACCEPT
  # IPsec/L2TP: IKE and NAT-T, then L2TP only when it arrived inside IPsec
  -A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT
  -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
  -A INPUT -p udp --dport 1701 -j DROP
  -A INPUT -j DROP
  # forwarding: VPN clients (ppp+) out to the Internet (eth+), replies back in
  -A FORWARD -m conntrack --ctstate INVALID -j DROP
  -A FORWARD -i eth+ -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
  -A FORWARD -i ppp+ -o eth+ -j ACCEPT
  -A FORWARD -j DROP
  # ICMP: drop fragments, allow echo reply/request, unreachable, quench, time exceeded
  -A ICMPALL -p icmp -f -j DROP
  -A ICMPALL -p icmp --icmp-type 0 -j ACCEPT
  -A ICMPALL -p icmp --icmp-type 3 -j ACCEPT
  -A ICMPALL -p icmp --icmp-type 4 -j ACCEPT
  -A ICMPALL -p icmp --icmp-type 8 -j ACCEPT
  -A ICMPALL -p icmp --icmp-type 11 -j ACCEPT
  -A ICMPALL -p icmp -j DROP
  COMMIT
  *nat
  :PREROUTING ACCEPT [0:0]
  :INPUT ACCEPT [0:0]
  :OUTPUT ACCEPT [0:0]
  :POSTROUTING ACCEPT [0:0]
  # masquerade the VPN pool behind the server's public address
  -A POSTROUTING -s 192.168.42.0/24 -o eth+ -j SNAT --to-source 23.x.x.203
  COMMIT
 


I think using iptables is not suitable for you.
Try to block sites using the following scheme:
1. Install Dnsmasq and configure it to process blocked sites (it must reply to requests and return a private IP address for the specified sites).
2. Assign the IP of your Dnsmasq server as the primary DNS for your VPN clients.
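The reply's two steps, together with what the ruleset posted in the question needs for them to take effect, as an added example that is not code from either participant. The hosts file only affects programs that resolve names on the server itself; packets forwarded from ppp+ to eth+ are routed by destination address and never consult it, and the clients resolve names with whatever DNS server they were handed, so the block has to live in the resolver the clients use. Everything beyond the 192.168.42.0/24 pool in the posted SNAT rule is an assumption of this script: a server-side VPN address of 192.168.42.1 that dnsmasq listens on, 0.0.0.0 as the sink address, a hypothetical upstream resolver, and a constructed sample list. The script prints the iptables commands instead of applying them.

```shell
#!/bin/sh
# Added example for this thread, not code from either participant.
# Builds the dnsmasq block configuration the reply describes and prints the
# iptables rules that make clients on ppp+ actually use that resolver.
# Assumed values (only the pool appears in the thread): VPN pool
# 192.168.42.0/24, server-side VPN address 192.168.42.1, sink 0.0.0.0.
set -f   # no filename globbing: lines are split with "set --" below

VPN_NET="${VPN_NET:-192.168.42.0/24}"
VPN_GW="${VPN_GW:-192.168.42.1}"
SINK="${SINK:-0.0.0.0}"

# Constructed sample blocklist in hosts-file style (not a real list).
SAMPLE_LIST='# hosts-style list
0.0.0.0 ads.example.com
tracker.example.net   # bare name form is accepted too
0.0.0.0
bad name.example
sub.evil.example.org'

# A usable name: hostname characters only and at least one letter,
# so a stray bare address such as "0.0.0.0" is not turned into a rule.
is_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *[A-Za-z]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read hosts-style lines from stdin and print one dnsmasq address= line per
# name. address=/name/ip makes dnsmasq answer for name AND every subdomain
# with the sink address, which a plain /etc/hosts entry does not do.
hosts_to_dnsmasq() {
    while read -r line || [ -n "$line" ]; do
        line="${line%%#*}"            # drop trailing comments
        set -- $line                  # split on whitespace
        [ $# -gt 0 ] || continue      # blank or comment-only line
        if [ $# -ge 2 ]; then
            # "ip name" form: the first field must look like an address
            case "$1" in *[!0-9.]*) echo "skipping malformed entry: $line" >&2; continue ;; esac
            name="$2"
        else
            name="$1"
        fi
        is_hostname "$name" || { echo "skipping malformed entry: $line" >&2; continue; }
        printf 'address=/%s/%s\n' "$name" "$SINK"
    done
}

# Print a dnsmasq.conf that answers only on the VPN gateway address and
# forwards everything else to the (assumed) upstream given as $1.
# dnsmasq serves /etc/hosts by default, so the asker's existing entries keep
# working; the address= file adds the subdomain-wide blocks. bind-interfaces
# is deliberately absent: ppp0 does not exist until a client connects, and
# the default wildcard bind plus listen-address filters by destination.
dnsmasq_conf() {
    upstream="${1:-8.8.8.8}"
    cat <<EOF
listen-address=$VPN_GW
no-resolv
server=$upstream
conf-file=/etc/dnsmasq.d/vpn-blocklist.conf
EOF
}

# Print the rules the posted ruleset is missing. Its INPUT chain ends in DROP
# and has no ACCEPT for ppp+, so client queries to the gateway's port 53 are
# dropped; the DNAT additionally forces a client that ignores the pushed DNS
# server (or hard-codes another one) back to the local resolver.
dns_rules() {
    for proto in udp tcp; do
        echo "iptables -I INPUT -i ppp+ -s $VPN_NET -p $proto --dport 53 -j ACCEPT"
        echo "iptables -t nat -A PREROUTING -i ppp+ -s $VPN_NET -p $proto --dport 53 ! -d $VPN_GW -j DNAT --to-destination $VPN_GW"
    done
}

# Demo: "sh block.sh demo" prints the generated config and rules for the
# sample list without touching the system; a real run would redirect
# hosts_to_dnsmasq into /etc/dnsmasq.d/vpn-blocklist.conf.
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_LIST" | hosts_to_dnsmasq
    dnsmasq_conf
    dns_rules
fi
```

Push the resolver to clients with `ms-dns 192.168.42.1` in the pppd options file that xl2tpd uses, then verify from a client: `dig @192.168.42.1 ads.example.com` should return 0.0.0.0, and `dig @8.8.8.8 ads.example.com` should return the same answer because the DNAT redirected it. Two limits of this approach: the DNAT only catches plain port-53 DNS, so a client doing DNS over HTTPS or TLS resolves the real address, and a client that connects to a blocked site by its IP address never asks the resolver at all; blocking those needs address-based FORWARD rules, which is the part of the picture where iptables is still the right tool.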
 
