OpenVPN server - Restrict access to one LAN IP only

esco

Occasional Visitor
I would like to restrict access from the VPN subnet 10.8.0.0/24 to NVR IP only. I have tried to "compile" some of the examples from the other threads but this is not working as expected - I'm able to access NVR and e.g. browse the shared folders on my NAS:

Code:
openvpn-event script

#!/bin/sh
if [ "$1" = "tun21" ] || [ "$1" = "tun22" ]
then
logger -t openvpn-event "Apply additional firewall rules for NVR"
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -d NVRIP -p tcp --dport 554 -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -d NVRIP-p udp --dport 554 -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -d NVRIP -p udp --dport 8000 -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -d NVRIP-p tcp --dport 8000 -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -j DROP
fi

Can anyone help me with the correct iptables command syntax/order please?
Thank you.
 
Not sure if this will help, but I would replace NVRIP by its IP address (has to be a static one). Besides that, in the above, the 3rd and 5th iptables statements are missing a blank before the -p option ...
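
One way to make the rule order deterministic, as an added example that is not part of the original posts: `iptables -I` without a rule number inserts at the top of the chain, so a run of `-I` commands ends up evaluated in reverse order, whereas `-A` into a dedicated chain keeps the order written. The `NVR_IP` value, the chain name `VPN_NVR` and the `IPT` dry-run variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. NVR_IP is a constructed placeholder for
# the NVR's static LAN address; VPN_NVR is a hypothetical chain name.
VPN_NET="10.8.0.0/24"
NVR_IP="${NVR_IP:-192.168.1.50}"
CHAIN="VPN_NVR"
IPT="${IPT:-iptables}"    # set IPT="echo iptables" to print instead of apply

apply_nvr_rules() {
    # Start from an empty dedicated chain so re-runs do not stack duplicates.
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"

    # -A appends, so the chain is evaluated in the order written here.
    # Packets of already-tracked connections sourced from the VPN subnet:
    $IPT -A "$CHAIN" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # New connections are allowed only to the NVR on ports 554 and 8000.
    for proto in tcp udp; do
        for port in 554 8000; do
            $IPT -A "$CHAIN" -d "$NVR_IP" -p "$proto" --dport "$port" -j ACCEPT
        done
    done
    # Everything else coming from the VPN subnet is dropped.
    $IPT -A "$CHAIN" -j DROP

    # Hook the chain at the top of FORWARD exactly once.
    $IPT -D FORWARD -s "$VPN_NET" -j "$CHAIN" 2>/dev/null || true
    $IPT -I FORWARD -s "$VPN_NET" -j "$CHAIN"
}

# openvpn-event passes the tunnel device as $1, as in the script above.
case "${1:-}" in
    tun21|tun22)
        logger -t openvpn-event "Apply additional firewall rules for NVR"
        apply_nvr_rules
        ;;
esac
```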
 
