Web access only by vpn - helpme

Good day, dear community.

I have a problem, let’s see if you can help me.

I have a gitlab deployed on Ubuntu server 22.04 with some firewall rules under iptables.

What happens is that I want the gitlab page under domain gitlab.xxxx.com to open only if I am connected to the VPN, but I can’t do it.

I made a rule in iptables so that ports 80 and 443 go through the vpn.

iptables -A INPUT -s 192.168.1.2 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 192.168.1.2 -p tcp --dport 443 -j ACCEPT

IP 192.168.0.2 is an example, but despite the rule being correct, the ports continue to respond.

What else would I need to look at so that the website is only displayed when connected to the VPN?

Thank you.

Usually, iptables has a default policy of ACCEPT for the chain, so you will need to put a drop rule at the end of all your other rules.


Hi iwalker.

Yes, in fact I made a script to apply the rules, which resets them and then applies the new rules.

The strange thing is that the SSH and Webmin ports are restricted to the VPN, but ports 80 and 443 are not.

I don't know what's happening, or what needs to be configured within the GitLab configuration files so that the connection is closed.

Here is an example of the script:

#!/bin/bash

IPTABLES='/usr/sbin/iptables'

## Flush rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -t nat -F

## Define default policy
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

## Loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

## Allow replies to connections that are already established
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## Drop malformed TCP: new connections without SYN, all flags set, no flags set
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

## VPN: only this source may reach HTTP, HTTPS, Webmin and SSH
$IPTABLES -A INPUT -s 192.168.1.2 -p tcp -m multiport --dports 80,443,10000,22 -j ACCEPT

Is ufw disabled? I know Ubuntu uses this by default, although I’m unsure if the service is enabled/disabled on a new install or not. Just in case another firewall is messing around with it.

Are you also using Docker by any chance? Docker also causes problems by overriding iptables rules, causing ports that were previously blocked to be opened. In that case, the rules need to be placed in a different chain called DOCKER-USER.

Hello iwalker

I checked ufw and it is inactive.

ufw status
Status: inactive

It’s not docker.

The iptables rules are the ones that get applied, and they are the ones shown when running iptables -L.

I don't know what else it could be; it's not common for this to happen. I block everything for it, yet it is still reachable from the internet. Very strange.

Hello again.

I already found the solution: I just needed to reject the rest of the traffic for this rule to take effect.

iptables -A INPUT -p tcp --dport 80 -j REJECT
iptables -A INPUT -p tcp --dport 443 -j REJECT

Many thanks.

Hmm, generally if you set the chain policy to DROP, and you have only specified source addresses for ports 80 and 443, then that should drop anyway. The other alternative is, once you've set up your rules, as I mentioned before, to add a last rule that drops everything, e.g.:

iptables -A INPUT -s 192.168.1.2 -p tcp -m multiport --dports 80,443,10000,22 -j ACCEPT
iptables -A INPUT -j DROP

You have specified a rule to drop everything for ports 80 and 443, but that could mean other ports are still open in this case that you may also wish to close off.
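As an added example (not code from the thread or from either poster), the default deny iwalker describes carried through for the OP's script above: the same VPN-only INPUT chain written as iptables-restore text, so it can be reviewed, diffed and loaded atomically, with the chain policy set to DROP and an explicit catch-all REJECT/DROP at the end. It also includes an audit of `iptables -S INPUT` output that flags exactly the gap in the first rules posted (an ACCEPT-policy chain with only per-source ACCEPT rules and no catch-all). Assumptions not established in the thread: the VPN clients sit in 192.168.1.0/24, the exposed ports are 22, 80, 443 and 10000 as in the OP's script, and the VPN tunnel itself terminates on another host (otherwise its UDP port would have to be accepted here too). The rules are IPv4 only; if gitlab.xxxx.com also has an AAAA record, an equivalent set must be loaded with ip6tables-restore or the site stays reachable over IPv6.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: a VPN-only INPUT chain expressed as
# iptables-restore text (reviewable, diffable, applied atomically), plus an
# audit of `iptables -S INPUT` output that checks for a default deny.
# Assumptions (not established in the thread): VPN clients are in
# 192.168.1.0/24, the exposed ports are 22,80,443,10000, and the VPN tunnel
# terminates on another host (otherwise its UDP port must be accepted too).
# IPv4 only: load an equivalent set with ip6tables-restore if the host has
# an AAAA record, or the site stays reachable over IPv6.
set -eu

VPN_SRC="${VPN_SRC:-192.168.1.0/24}"
VPN_PORTS="${VPN_PORTS:-22,80,443,10000}"

# Emit the filter table. INPUT policy is DROP *and* the chain ends in an
# explicit REJECT/DROP, so the default deny holds even if a later script
# resets the policy to ACCEPT (the situation iwalker describes).
build_ruleset() {
    local src="$1" ports="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and flows we already accepted
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -j ACCEPT
# the only services exposed, and only to the VPN source
-A INPUT -s ${src} -p tcp -m conntrack --ctstate NEW -m multiport --dports ${ports} -j ACCEPT
# web ports fail fast for everyone else; everything else is logged and dropped
-A INPUT -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
-A INPUT -j DROP
COMMIT
EOF
}

# Last -A INPUT rule of a ruleset read on stdin (iptables-save or -S form).
last_input_rule() {
    grep '^-A INPUT ' | tail -n 1
}

# Read `iptables -S INPUT` (or iptables-save) output on stdin. Return 0 when
# the chain denies by default: policy DROP, or a final unconditional
# DROP/REJECT. Return 1 for the gap in the original rules: policy ACCEPT and
# only per-source ACCEPT rules, so every other client still gets through.
audit_input_chain() {
    local policy="" last=""
    while IFS= read -r line; do
        case "$line" in
            "-P INPUT "*) policy="${line#-P INPUT }" ;;
            ":INPUT "*)   policy="${line#:INPUT }"; policy="${policy%% *}" ;;
            "-A INPUT "*) last="$line" ;;
        esac
    done
    [ "$policy" = "DROP" ] && return 0
    case "$last" in
        "-A INPUT -j DROP"|"-A INPUT -j REJECT"*) return 0 ;;
    esac
    return 1
}

# Usage: vpn-only.sh print | apply | audit
case "${1:-print}" in
    print) build_ruleset "$VPN_SRC" "$VPN_PORTS" ;;
    apply) build_ruleset "$VPN_SRC" "$VPN_PORTS" | iptables-restore --test \
           && build_ruleset "$VPN_SRC" "$VPN_PORTS" | iptables-restore ;;
    audit) if iptables -S INPUT | audit_input_chain; then
               echo "INPUT chain denies by default"
           else
               echo "INPUT chain has no default deny: non-VPN clients can reach 80/443" >&2
               exit 1
           fi ;;
esac
```

`apply` parses the ruleset with `iptables-restore --test` before loading it, so a typo cannot leave the box half-configured, and `audit` can be run after any reboot or redeploy to confirm the default deny is still in place; confirm from a host outside the VPN as well, since the only test that matters is that a TCP connect to port 443 from off-VPN fails.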