ポート80へのアクセス制限 - OpenVPN経由でのみアクセス可能

ポート80へのアクセス制限 - OpenVPN経由でのみアクセス可能

これで、ownCloud Webインターフェイスを使用して外部からポート80にアクセスできるようになりました。しかし、OpenVPN接続を介してのみアクセスしたいと思います。私は実行しようとしています:

# iptables -I INPUT -i eth0 -p tcp --dport 80 -j REJECT

# ip6tables -I INPUT -i eth0 -p tcp --dport 80 -j REJECT

ルール自体はエラーなく追加されて有効になっていますが、ポート80は外部から引き続きアクセスできます。

# ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host 
   valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq portid ac1f6b4db9fa state UP group default qlen 1000
link/ether ac:1f:6b:4d:b9:fa brd ff:ff:ff:ff:ff:ff
inet 93.90.192.155/32 brd 93.90.192.155 scope global eth0
   valid_lft forever preferred_lft forever
inet6 2001:8d8:1801:61::1/128 scope global 
   valid_lft forever preferred_lft forever
inet6 fe80::ae1f:6bff:fe4d:b9fa/64 scope link 
   valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop portid ac1f6b4db9fb state DOWN group default qlen 1000
link/ether ac:1f:6b:4d:b9:fb brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
link/ether 02:42:ac:9a:05:e2 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 scope global docker0
   valid_lft forever preferred_lft forever
6: br-3e70ad5e4d73: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
link/ether 02:42:fd:b1:80:27 brd ff:ff:ff:ff:ff:ff
inet 172.19.0.1/16 scope global br-3e70ad5e4d73
   valid_lft forever preferred_lft forever
7: br-4dc510063f2a: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
link/ether 02:42:7b:9d:e2:e7 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 scope global br-4dc510063f2a
   valid_lft forever preferred_lft forever
inet6 fe80::42:7bff:fe9d:e2e7/64 scope link 
   valid_lft forever preferred_lft forever
2000: br-7009c9b53be2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
link/ether 02:42:ce:4a:31:5d brd ff:ff:ff:ff:ff:ff
inet 172.20.0.1/16 scope global br-7009c9b53be2
   valid_lft forever preferred_lft forever
inet6 fe80::42:ceff:fe4a:315d/64 scope link 
   valid_lft forever preferred_lft forever
2028: vethf9b0f83@if2027: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-7009c9b53be2 state UP group default 
link/ether d6:1f:65:42:b0:89 brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::d41f:65ff:fe42:b089/64 scope link 
   valid_lft forever preferred_lft forever
2030: veth4e42ada@if2029: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-7009c9b53be2 state UP group default 
link/ether 96:86:a6:73:45:4e brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::9486:a6ff:fe73:454e/64 scope link 
   valid_lft forever preferred_lft forever
2032: veth96694cc@if2031: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-7009c9b53be2 state UP group default 
link/ether 6e:92:09:b6:ec:a8 brd ff:ff:ff:ff:ff:ff link-netnsid 3
inet6 fe80::6c92:9ff:feb6:eca8/64 scope link 
   valid_lft forever preferred_lft forever
2038: tun6: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none 
inet 192.168.223.1/24 brd 192.168.223.255 scope global tun6
   valid_lft forever preferred_lft forever
inet6 fd00:c0a8:df00::1/64 scope global 
   valid_lft forever preferred_lft forever
inet6 fe80::9ec6:43f0:ab47:4cc4/64 scope link flags 800 
   valid_lft forever preferred_lft forever


# iptables-save -c
# Generated by iptables-save v1.6.0 on Tue Dec 11 17:29:00 2018
*nat
:PREROUTING ACCEPT [5616:316476]
:INPUT ACCEPT [3829:209148]
:OUTPUT ACCEPT [466:37373]
:POSTROUTING ACCEPT [2848:179661]
:DOCKER - [0:0]
[24860:1336310] -A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
[1029:61686] -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
[0:0] -A POSTROUTING -s 192.168.223.0/24 -o eth0 -m comment --comment pritunl-5c0e51712cc5cb0023308bcc -j MASQUERADE
[36:2312] -A POSTROUTING -s 172.20.0.0/16 ! -o br-7009c9b53be2 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.18.0.0/16 ! -o br-4dc510063f2a -j MASQUERADE
[0:0] -A POSTROUTING -s 172.19.0.0/16 ! -o br-3e70ad5e4d73 -j MASQUERADE
[0:0] -A POSTROUTING -s 172.20.0.4/32 -d 172.20.0.4/32 -p tcp -m tcp --dport 8080 -j MASQUERADE
[0:0] -A POSTROUTING -s 192.168.223.0/24 -j SNAT --to-source 172.17.0.1
[0:0] -A DOCKER -i br-7009c9b53be2 -j RETURN
[0:0] -A DOCKER -i docker0 -j RETURN
[0:0] -A DOCKER -i br-4dc510063f2a -j RETURN
[0:0] -A DOCKER -i br-3e70ad5e4d73 -j RETURN
[786:46280] -A DOCKER ! -i br-7009c9b53be2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.20.0.4:8080
COMMIT
# Completed on Tue Dec 11 17:29:00 2018
# Generated by iptables-save v1.6.0 on Tue Dec 11 17:29:00 2018
*filter
:INPUT ACCEPT [129372:32447827]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [128998:23100691]
:DOCKER - [0:0]
:DOCKER-ISOLATION - [0:0]
[0:0] -A INPUT -i tun6 -m comment --comment pritunl-5c0e51712cc5cb0023308bcc -j ACCEPT
[0:0] -A FORWARD -o tun6 -m comment --comment pritunl-5c0e51712cc5cb0023308bcc -j ACCEPT
[0:0] -A FORWARD -i tun6 -m comment --comment pritunl-5c0e51712cc5cb0023308bcc -j ACCEPT
[116329:40795012] -A FORWARD -j DOCKER-ISOLATION
[111111:35660642] -A FORWARD -o br-7009c9b53be2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[2486:148280] -A FORWARD -o br-7009c9b53be2 -j DOCKER
[2732:4986090] -A FORWARD -i br-7009c9b53be2 ! -o br-7009c9b53be2 -j ACCEPT
[2350:141000] -A FORWARD -i br-7009c9b53be2 -o br-7009c9b53be2 -j ACCEPT
[0:0] -A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o docker0 -j DOCKER
[0:0] -A FORWARD -i docker0 ! -o docker0 -j ACCEPT
[0:0] -A FORWARD -i docker0 -o docker0 -j ACCEPT
[0:0] -A FORWARD -o br-4dc510063f2a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-4dc510063f2a -j DOCKER
[0:0] -A FORWARD -i br-4dc510063f2a ! -o br-4dc510063f2a -j ACCEPT
[0:0] -A FORWARD -i br-4dc510063f2a -o br-4dc510063f2a -j ACCEPT
[0:0] -A FORWARD -o br-3e70ad5e4d73 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A FORWARD -o br-3e70ad5e4d73 -j DOCKER
[0:0] -A FORWARD -i br-3e70ad5e4d73 ! -o br-3e70ad5e4d73 -j ACCEPT
[0:0] -A FORWARD -i br-3e70ad5e4d73 -o br-3e70ad5e4d73 -j ACCEPT
[0:0] -A FORWARD -s 192.168.223.0/24 -j ACCEPT
[0:0] -A OUTPUT -o tun6 -m comment --comment pritunl-5c0e51712cc5cb0023308bcc -j ACCEPT
[132:7040] -A DOCKER -d 172.20.0.4/32 ! -i br-7009c9b53be2 -o br-7009c9b53be2 -p tcp -m tcp --dport 8080 -j ACCEPT
[0:0] -A DOCKER-ISOLATION -i br-4dc510063f2a -o br-7009c9b53be2 -j DROP
[0:0] -A DOCKER-ISOLATION -i br-7009c9b53be2 -o br-4dc510063f2a -j DROP
[0:0] -A DOCKER-ISOLATION -i br-3e70ad5e4d73 -o br-7009c9b53be2 -j DROP
[0:0] -A DOCKER-ISOLATION -i br-7009c9b53be2 -o br-3e70ad5e4d73 -j DROP
[0:0] -A DOCKER-ISOLATION -i docker0 -o br-7009c9b53be2 -j DROP
[0:0] -A DOCKER-ISOLATION -i br-7009c9b53be2 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION -i br-3e70ad5e4d73 -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION -i docker0 -o br-3e70ad5e4d73 -j DROP
[0:0] -A DOCKER-ISOLATION -i br-4dc510063f2a -o docker0 -j DROP
[0:0] -A DOCKER-ISOLATION -i docker0 -o br-4dc510063f2a -j DROP
[0:0] -A DOCKER-ISOLATION -i br-3e70ad5e4d73 -o br-4dc510063f2a -j DROP
[0:0] -A DOCKER-ISOLATION -i br-4dc510063f2a -o br-3e70ad5e4d73 -j DROP
[401460:103833650] -A DOCKER-ISOLATION -j RETURN
COMMIT


# ip route
default via 10.255.255.1 dev eth0 
10.255.255.1 dev eth0  scope link 
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 linkdown 
172.18.0.0/16 dev br-4dc510063f2a  proto kernel  scope link  src 172.18.0.1 linkdown 
172.19.0.0/16 dev br-3e70ad5e4d73  proto kernel  scope link  src 172.19.0.1 linkdown 
172.20.0.0/16 dev br-7009c9b53be2  proto kernel  scope link  src 172.20.0.1 
192.168.223.0/24 dev tun6  proto kernel  scope link  src 192.168.223.1 

ベストアンサー1

コメントすることができないので、直接返信する必要があります。同じサーバーにVPNがある場合は、次のことが役立ちます。

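# Restrict HTTP (port 80) to clients arriving over the VPN tunnel.
# VPN_IF is the tunnel interface on this host (tun6 in the question's
# `ip a l` output). Fail loudly instead of silently installing a rule that
# names an interface which does not exist.
: "${VPN_IF:?set to the VPN tunnel interface, e.g. tun6}"

# Connections delivered to the host itself (a web server listening on the host).
iptables -A INPUT -i "$VPN_IF" -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j REJECT

# A port published by Docker is DNATed in nat/PREROUTING (in the question:
# dport 80 -> 172.20.0.4:8080) and therefore never reaches INPUT; it is routed
# through FORWARD, where Docker's own DOCKER chain accepts it. Match such
# connections on their pre-NAT destination port, original direction only (so
# the container's replies to VPN clients are not hit), and reject them unless
# they entered via the tunnel. -I places the rule ahead of the jumps Docker
# installs; Docker may re-insert its rules above it on restart, so on daemons
# that provide the DOCKER-USER chain prefer putting the same rule there.
iptables -I FORWARD ! -i "$VPN_IF" -p tcp \
  -m conntrack --ctstate DNAT --ctdir ORIGINAL --ctorigdstport 80 -j REJECT

# The host in the question also has a global IPv6 address; iptables rules do
# not apply to IPv6, so mirror the INPUT rules with ip6tables.
ip6tables -A INPUT -i "$VPN_IF" -p tcp --dport 80 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 80 -j REJECT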

VPNが別のサーバーにある場合は、他のサーバーをホワイトリストに追加できます。

iptables -A INPUT -p tcp -s <serverip> --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j REJECT

ただし、ownCloudがSSL証明書(正式なものでない場合もあります)を使用している場合は、ポート443についても同じルールが必要になることがあります。
