This may be a silly question but I’m wondering if there’s any way to restrict public IP addresses from accessing the INPUT chain without breaking VPN access?
The default rules that drop all input that don’t originate from the local LAN seem to not permit VPN access. Does anyone know how I can remedy this?
What type of VPN? And inbound VPN or outbound? Basically you can block everything except the VPN ports. If you want to block VPN ports you can do that as long as you know the IPs your VPN clients originate from… Ours has a rule to allow a list of IPs based on dynamic host names.
It’s an incoming VPN that staff use to dial into the network when they work remotely. As it stands it’s PPTP but I’d like to move it towards OVPN for security reasons.
I had considered the idea of creating a whitelist for VPN connections, however that would restrict executives ability to connect when on the road / in hotel rooms.
OK. Then you just need to create an allow rule for the PPTP ports and place it above the drop for the input. That’s what I am doing for my L2TP over IPsec. I don’t know what port that is from memory.
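An added example (not rules posted by anyone in this thread) showing the ordering the last two replies describe: the LAN accept and the VPN accepts sit above the catch-all INPUT drop, so remote staff can reach the VPN listener while everything else from public addresses is still dropped. The LAN subnet, WAN interface name and OpenVPN port are placeholders set via environment variables; PPTP needs TCP 1723 for the control channel plus GRE (IP protocol 47) for the tunnel itself, and the OpenVPN line is there for the planned move away from PPTP. The `check_order` helper is a small sanity check that the accepts really do precede the drop, and it can be fed either the generated rules or the output of `iptables -S INPUT` on a live box.

```shell
#!/bin/sh
# Example INPUT chain for an inbound VPN behind a "drop all non-LAN input" rule.
# Assumptions (placeholders, not from the thread): LAN is 192.168.1.0/24,
# the public-facing interface is eth0, OpenVPN listens on UDP 1194.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-eth0}"
OVPN_PORT="${OVPN_PORT:-1194}"

# Emit the rules in the order they must be loaded. With -A every rule is
# appended, so the DROP at the end is evaluated last and the VPN accepts
# above it win for matching packets.
vpn_input_rules() {
  cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $LAN_NET -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 1723 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p gre -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport $OVPN_PORT -j ACCEPT
iptables -A INPUT -j DROP
EOF
}

# Read rule lines on stdin (from vpn_input_rules or "iptables -S INPUT") and
# fail unless the PPTP control and GRE accepts appear before the first DROP.
check_order() {
  awk '
    /-j DROP/ && !seen_drop   { drop_line = NR; seen_drop = 1 }
    /--dport 1723 .*-j ACCEPT/ { pptp = NR }
    /-p gre .*-j ACCEPT/       { gre = NR }
    END {
      if (!seen_drop) { print "no DROP rule found"; exit 1 }
      if (!pptp || pptp > drop_line) { print "PPTP accept missing or below the DROP"; exit 1 }
      if (!gre  || gre  > drop_line) { print "GRE accept missing or below the DROP"; exit 1 }
      print "VPN accept rules precede the INPUT drop"
    }'
}

# Apply the rules only when actually running as root with iptables present;
# otherwise just show them, which is what you want when reviewing on a laptop.
apply_rules() {
  if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
    vpn_input_rules | check_order || return 1
    vpn_input_rules | sh
  else
    echo "# not root or no iptables; rules that would be applied:"
    vpn_input_rules
  fi
}

# Run stand-alone: show (or apply) the rules and report the ordering check.
if [ "${1:-}" = "--run" ]; then
  apply_rules
  vpn_input_rules | check_order
fi
```

Run it with `sh vpn-input.sh --run`; as a non-root user it only prints the rules and the ordering verdict. If the box already uses a DROP policy on INPUT instead of a trailing DROP rule, keep the accepts as they are and drop the final `-j DROP` line; the same "accept before deny" principle applies either way.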