#1 - 09-21-2011 - Just Joined! - Join Date: Sep 2011 - Posts: 1
VPN / Intranet & Internet help
Debian 6.0 Squeeze (Cloud Server)
Running Apache2, PHP5, openVPN-AS
Below is my iptables for reference:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:sshguard - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 943 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -j ACCEPT
COMMIT
*Note: I'm running on a Windows 7 Pro machine with openVPN client.
1. I want to access some-sub-domain.mydomain.com only when connected via VPN. Meaning, some-sub-domain.mydomain.com is not an actual A record under my domain if you were to dig it. Instead, I want to modify the /etc/hosts file to translate this subdomain to the local server's IP.
1A. Which IP do I use in the /etc/hosts file? 127.0.0.1 or 192.168.0.13
1B. How do I set the iptables to only allow viewing ports 80 and 443 from a VPN connection. So public access is denied.
2. Any other security measures or adjustments in the iptables I could take to ensure my server is secure?
Thanks in advance!
Last edited by unplugme71; 09-21-2011 at 02:16 PM.
#2 - 09-23-2011 - Just Joined! - Join Date: Sep 2011 - Posts: 52
You need to use the VPN server's IP in /etc/hosts for the domain.
As for iptables, you can modify it to apply the currently existing rules only to the external interface. Just include "-i ethX" in the rules. The internal tun/tap interface can be left unfirewalled.
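Added example, not part of either post: the reply's suggestion carried through on the poster's own ruleset. Every public service is bound to the external interface with "-i", and ports 80/443 are accepted only on the OpenVPN tunnel interface, so they are unreachable from the Internet (question 1B) without leaving tun0 completely open. The interface names eth0 and tun0 are assumptions (check with `ip link`), the port list for openvpn-as is taken from the original rules, and the script only prints the ruleset unless run with --apply.

```shell
#!/bin/sh
# Added example: iptables-restore ruleset with interface-scoped rules.
# Assumptions: external interface eth0, OpenVPN tunnel interface tun0,
# openvpn-as listening on TCP 943 and TCP 1194 as in the poster's rules.

gen_rules() {
    ext_if="$1"   # assumed public interface, e.g. eth0
    vpn_if="$2"   # assumed OpenVPN interface, e.g. tun0
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 ! -i lo -j REJECT --reject-with icmp-port-unreachable
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# Public interface: only what the Internet must reach (SSH, OpenVPN AS)
-A INPUT -i $ext_if -p tcp --dport 22 -j ACCEPT
-A INPUT -i $ext_if -p tcp --dport 943 -j ACCEPT
-A INPUT -i $ext_if -p tcp --dport 1194 -j ACCEPT
-A INPUT -i $ext_if -p icmp --icmp-type 8 -j ACCEPT
# Tunnel interface: the web server is reachable only by connected VPN clients
-A INPUT -i $vpn_if -p tcp --dport 80 -j ACCEPT
-A INPUT -i $vpn_if -p tcp --dport 443 -j ACCEPT
# Everything else is logged (rate-limited) and dropped by the chain policy
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -j ACCEPT
COMMIT
EOF
}

# Reads a ruleset on stdin; fails if any ACCEPT for 80/443 is not bound
# to the tunnel interface, i.e. the web ports would leak to the Internet.
check_web_scoped() {
    vpn_if="$1"
    leaks=$(grep -E -- '--dport (80|443) -j ACCEPT' | grep -v -- "-i $vpn_if " | wc -l)
    [ "$leaks" -eq 0 ]
}

# iptables-restore swaps the whole table atomically, so a typo cannot leave
# the host half-filtered. Only runs when explicitly requested.
apply_rules() {
    gen_rules "$1" "$2" | check_web_scoped "$2" || { echo "refusing: 80/443 not VPN-only" >&2; return 1; }
    gen_rules "$1" "$2" | iptables-restore
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules eth0 tun0
else
    gen_rules eth0 tun0
fi
```

For question 1A, the /etc/hosts entry on the Windows client must point at the address that arrives through the tunnel, i.e. the server's address on tun0 (shown by `ip addr show tun0` on the server); 127.0.0.1 would resolve to the client itself. Before applying, confirm with `netstat -lntup` which ports and protocols openvpn-as actually listens on, since the rules above only carry the TCP ports from the original post; and if VPN clients are meant to reach the Internet through this server, the FORWARD chain needs explicit rules, which this example leaves at DROP as the poster had it.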