Hi All,

I want to set a rule to DROP client connections to our VPN server IF they originate from within the company. In other words, our road warriors' VPN connections, which are nailed up, work when on the road, but they default back to the company wifi or wired LAN when in the office, because the drop rule will prevent the VPN from connecting.

Public IP: 203.123.123.123
Our LAN subnet is 10.1.1.0
LAN Gateway is 10.1.1.1
OpenVPN server: 10.1.1.5 (tun adapters are in the VPN subnet 10.8.0.0)

And finally, because the OpenVPN server is behind the router, and not on it, I am making the OpenVPN server NAT the client connections to the LAN subnet. (I couldn't use routing.)

So my question is, what should the rule be? I need to obviously block: protocol UDP port 1194

But if a LAN client behind the GW router (203.123.123.123) tries to connect back to 203.123.123.123 (which port forwards to the OpenVPN server), what will the src of that packet be? Does the router let traffic destined for its own public IP leave the WAN interface, or does it realize that it's traffic for itself and route internally? In any event, for the purposes of my rule, do I want to block the public IP address (from itself essentially) when on 1194/udp?

Cheers
-Al
--
"Beat it punk!" - Clint Eastwood