I have a CentOS7 server that has a public IP address, but I found every day there are many SSH attacks targeted at it. I knew using VPN is a secure way to protect the server, but I am a new hand in Linux. After trying to install tailscale and set up iptables, I can not access my server. Could anyone tell me if there is a way to set the iptables to reject access to the server through public IP and only accept access to the server through tailscale VPN?
The command I used to set up iptables is: sudo iptables -t filter -I INPUT ! -s 100.64.0.0/10 -j DROP.
You can drop all incoming traffic so access is purely via Tailscale, but the VPN traffic ultimately still needs to go through the internet connection so you can’t lock it off completely.
The guide here explains it better than I can What firewall ports should I open to use Tailscale? · Tailscale
Put the allow statements in the top of the list to get tailscale working, then drop everything else at the bottom of the list. I don’t generally firewall outgoing traffic, but if you do then you need to do the same there. If you’re using this as a exit node then you don’t want to filter outgoing traffic too much, also if you want things like security updates to get applied (hint - you do).