Simple ethernet bridging scenario, what about iptables?

Scripts with setup, destroy, and modify routing tables and firewall rulesets for client connections.


Post by carom » Tue Jul 08, 2014 10:01 am

Hello!

There is a really helpful article in the documentation which describes the setup of bridging for OpenVPN: https://openvpn.net/index.php/open-sour ... dging.html

My configuration is very similar:
  • There is a machine which is located between WAN and LAN
  • It acts as an iptables-based firewall, but also has OpenVPN installed to allow VPN access for external users
  • The physical interface that connects the machine to the internet is called eth0, the interface that connects the machine to the LAN is called eth1
Since I want to implement ethernet bridging, there is also an interface br0 which combines eth1 with tap0.

The article mentioned above says the following:
Now set up the Linux firewall to permit packets to flow freely over the newly created tap0 and br0 interfaces:

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

1.)

First of all, I'm a bit confused by the two rules regarding the INPUT-chain. Why is it necessary to allow tap0 and br0 on the INPUT-chain? Of course the INPUT-chain is important for allowing clients to connect to the VPN server on port 1194, but this should happen via the physical external interface, like this:

iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT

(In a different scenario, I have a routing-based setup using a tun-interface. The only thing I had to do there is to allow new connections on port 1194 (the line above) and two simple FORWARD-rules between tun0 and the physical interface eth1, which allows the access of the LAN. But there was no need to create an INPUT-rule for tun0, which is why I'm a bit confused at this point. Why do I have to create INPUT-rules for br0 and tap0?).

2.)
My second question is about the third rule mentioned in the article:

iptables -A FORWARD -i br0 -j ACCEPT

Is this the rule which finally is responsible for the LAN-access via VPN?

If yes, is there a way to write it a bit more restrictively? Since there is only the "-i" option specified but no "-o" option, packets could go everywhere if I'm not wrong. But I only want to allow access to the LAN located behind eth1 (there are some other LANs behind further network interfaces which are not important in this scenario, but VPN traffic shouldn't be able to go there).

So which FORWARD-rules do I need to allow only access to the LAN behind eth1?

Thank you!

edit:

Or in other words: the FORWARDING-rules in my routing-scenario are quite simple:

iptables -A FORWARD -i tun0 -o eth1 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth1 -o tun0 -m state --state NEW -j ACCEPT

What would be the analogy using br0/tap0/eth1 in the bridged scenario described above?

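A worked ruleset for the bridged setup described in the post, added here as an example; it is not from the post or from the OpenVPN documentation it links. It relies on two properties of Linux bridging. First, a frame that enters through an enslaved port such as tap0 is delivered to the host, and forwarded, as br0 traffic, so iptables sees "-i br0"; an INPUT rule matching "-i tap0" alone does not match a bridge port. Second, bridged tap0-to-eth1 frames only pass through the FORWARD chain while br_netfilter hooks them (sysctl net.bridge.bridge-nf-call-iptables=1; on kernels 3.18 and later the br_netfilter module must be loaded for the sysctl to exist). When they do, both the in- and out-interface are br0 and the physdev match is what tells the two bridge ports apart, which is how the article's "-i br0 -j ACCEPT" can be narrowed to VPN-to-LAN only, the counterpart of the "-i tun0 -o eth1" rules in the routed setup. Interface names and the UDP port come from the post; the host-bound services (ICMP echo, DHCP) are assumptions marked in the comments. By default the script only prints the iptables commands; set IPT=iptables and run it as root to apply them.

```shell
#!/bin/sh
# Added example (not from the post or the OpenVPN docs): iptables rules for a
# firewall whose LAN port eth1 and OpenVPN tap0 are enslaved to bridge br0.
# With the default IPT the script only prints the commands; run it with
# IPT=iptables as root to apply them.

IPT="${IPT:-echo iptables}"
WAN_IF="${WAN_IF:-eth0}"     # internet-facing port (from the post)
LAN_IF="${LAN_IF:-eth1}"     # LAN port, bridge member (from the post)
TAP_IF="${TAP_IF:-tap0}"     # OpenVPN tap, bridge member (from the post)
BR_IF="${BR_IF:-br0}"        # the bridge itself (from the post)
VPN_PORT="${VPN_PORT:-1194}" # OpenVPN listening port (from the post)

# Bridged frames traverse iptables only while br_netfilter hooks them.
# Returns 0 if the sysctl file exists and contains 1, 1 otherwise. The path
# argument exists only so the check can be exercised against a test file.
bridge_nf_enabled() {
    f="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

build_bridge_ruleset() {
    # Replies to anything already accepted, in both chains.
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The VPN handshake arrives on the physical WAN port, not on tap0 or br0.
    $IPT -A INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" -m state --state NEW -j ACCEPT

    # Traffic for the firewall host itself that comes in over the bridge.
    # tap0 is an enslaved port, so the host sees these packets with -i br0;
    # "-i tap0" alone never matches. physdev narrows the rule to the VPN port.
    # Assumed services: ICMP echo and DHCP; replace with what the host offers.
    $IPT -A INPUT -i "$BR_IF" -m physdev --physdev-in "$TAP_IF" -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A INPUT -i "$BR_IF" -m physdev --physdev-in "$TAP_IF" -p udp --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$BR_IF" -m physdev --physdev-in "$TAP_IF" -j DROP

    # Bridged VPN<->LAN traffic. Both ends are on br0, so "-i br0 -o br0" is
    # the counterpart of "-i tun0 -o eth1" in the routed setup, and physdev
    # tells the two bridge ports apart (--physdev-out is valid in FORWARD).
    $IPT -A FORWARD -i "$BR_IF" -o "$BR_IF" -m physdev --physdev-in "$TAP_IF" --physdev-out "$LAN_IF" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$BR_IF" -o "$BR_IF" -m physdev --physdev-in "$LAN_IF" --physdev-out "$TAP_IF" -m state --state NEW -j ACCEPT

    # Anything else that entered through tap0, whether bridged to another port
    # or routed out of br0 toward the other LANs, is dropped here. Rules for
    # the LAN's own traffic (eth1 -> eth0 etc.) are outside the post's scope.
    $IPT -A FORWARD -m physdev --physdev-in "$TAP_IF" -j DROP
}

if ! bridge_nf_enabled; then
    echo "# warning: bridge-nf-call-iptables is not 1; bridged tap0<->eth1 frames bypass FORWARD" >&2
fi
build_bridge_ruleset
```

Note the warning: if bridge-nf-call-iptables is 0 (or br_netfilter is not loaded), the FORWARD rules above are never consulted for tap0-to-eth1 frames and the bridge switches them freely, so the restriction only takes effect once that sysctl is 1. Conversely, with it set to 1 and a DROP policy on FORWARD, bridged frames are dropped unless a rule accepts them, which is why the linked article needed its "-i br0 -j ACCEPT" rule at all.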