
This is my current iptables setup:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2022
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.10.10.0/24        anywhere             policy match dir in pol ipsec proto esp
ACCEPT     all  --  anywhere             10.10.10.0/24        policy match dir out pol ipsec proto esp
DROP       all  --  anywhere             anywhere

I would like to block this IP address 5.79.71.205 that is used as malware by one of the VPN users.

Do I block the input on top like this?

sudo iptables -I INPUT -s 5.79.71.205 -p all -j DROP

or do I have to do this because the VPN (IKEv2) masquerades?

sudo iptables -I FORWARD -s 5.79.71.205 -j DROP

or do I have to block the output?

sudo iptables -I OUTPUT -d 5.79.71.205 -j DROP

Or even all of them?

Houman

1 Answer


Just block in and out. Should solve your problem.

# -I puts the rule at the top of the chain; -A would append it after the
# existing 'ACCEPT all' and 'DROP all' rules in INPUT, where it never matches.
iptables -I INPUT -s 5.79.71.205 -j DROP
iptables -I OUTPUT -d 5.79.71.205 -j DROP
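Why rule position matters with this particular INPUT chain, as an added example that is not part of the question or the answer: a small first-match simulator over the chain listed above, showing that a DROP for 5.79.71.205 appended with -A sits behind the 'ACCEPT all' rule and never fires, while the same rule inserted with -I does. The test packet (tcp/25, destination 192.0.2.10) is constructed.

```python
import ipaddress
# Constructed from the INPUT chain in the question (the iptables -L rule rows, headers dropped).
INPUT_CHAIN = """\
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:2022
ACCEPT     all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
DROP       all  --  anywhere             anywhere
"""
PORTS = {"https": 443, "isakmp": 500, "ipsec-nat-t": 4500}  # service names iptables -L prints

def parse_chain(listing):
    """Turn 'iptables -L' rule rows into dicts; 'extra' keeps the match text (state, dpt)."""
    rows = [line.split(None, 5) for line in listing.splitlines()]
    return [{"target": f[0], "proto": f[1], "src": f[3], "dst": f[4],
             "extra": f[5] if len(f) > 5 else ""} for f in rows if len(f) >= 5]
def _addr_match(spec, ip):
    return spec == "anywhere" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
def rule_matches(rule, pkt):
    """pkt: src, dst, proto, conntrack state ('NEW', 'ESTABLISHED', ...), dport (int or None)."""
    if rule["proto"] not in ("all", pkt["proto"]):
        return False
    if not (_addr_match(rule["src"], pkt["src"]) and _addr_match(rule["dst"], pkt["dst"])):
        return False
    extra = rule["extra"].split()
    if len(extra) == 2 and extra[0] == "state" and pkt["state"] not in extra[1].split(","):
        return False
    if len(extra) == 2 and extra[1].startswith("dpt:"):  # 'tcp dpt:https', 'udp dpt:isakmp', ...
        want = extra[1][4:]
        if pkt["dport"] != (PORTS.get(want) or int(want)):
            return False
    return True
def verdict(rules, pkt, policy="ACCEPT"):
    """First matching rule decides, exactly as the kernel walks the chain; else the policy."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policy

def simulate(flag, src):
    """Verdict for a NEW tcp/25 packet from src after 'iptables <flag> INPUT -s src -j DROP'."""
    drop = {"target": "DROP", "proto": "all", "src": src, "dst": "anywhere", "extra": ""}
    chain = parse_chain(INPUT_CHAIN)
    chain = chain + [drop] if flag == "-A" else [drop] + chain  # -A appends, -I inserts at top
    pkt = {"src": src, "dst": "192.0.2.10", "proto": "tcp", "state": "NEW", "dport": 25}
    return verdict(chain, pkt)
```

The same reasoning applies to FORWARD, whose final 'DROP all' also hides any appended rule; there the ESP policy-match ACCEPTs come first, so a DROP for VPN traffic must be inserted above them.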