Simple ethernet bridging scenario, what about iptables?
Posted: Tue Jul 08, 2014 10:01 am
Hello!
There is a really helpful article in the documentation which describes the setup of bridging for OpenVPN: https://openvpn.net/index.php/open-sour ... dging.html
My configuration is very similar:
- There is a machine which is located between WAN and LAN
- It acts as an iptables-based firewall, but also has OpenVPN installed to allow VPN access for external users
- The physical interface that connects the machine to the internet is called eth0, the interface that connects the machine to the LAN is called eth1
The article mentioned above says the following:
1.) Now set up the Linux firewall to permit packets to flow freely over the newly created tap0 and br0 interfaces:
Code:
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
First of all, I'm a bit confused by the two rules regarding the INPUT-chain. Why is it necessary to allow tap0 and br0 on the INPUT-chain? Of course the INPUT-chain is important for allowing clients to connect to the VPN server on port 1194, but this should happen via the physical external interface, like this:
Code:
iptables -A INPUT -i eth0 -p udp --dport 1194 -j ACCEPT
(In a different scenario, I have a routing-based setup using a tun-interface. The only thing I had to do there is to allow new connections on port 1194 (the line above) and two simple FORWARD-rules between tun0 and the physical interface eth1, which allow access to the LAN. But there was no need to create an INPUT-rule for tun0, which is why I'm a bit confused at this point. Why do I have to create INPUT-rules for br0 and tap0?)
2.)
My second question is about the third rule mentioned in the article:
Code:
iptables -A FORWARD -i br0 -j ACCEPT
Is this the rule which finally is responsible for the LAN-access via VPN?
If yes, is there a way to write it a bit more restrictively? Since there is only the "-i" option specified but no "-o" option, packets could go everywhere if I'm not wrong. But I only want to allow access to the LAN located behind eth1 (there are some other LANs behind further network interfaces which are not important in this scenario, but VPN traffic shouldn't be able to go there).
So which FORWARD-rules do I need to allow only access to the LAN behind eth1?
Thank you!
edit:
Or in other words: the FORWARDING-rules in my routing-scenario are quite simple:
Code:
iptables -A FORWARD -i tun0 -o eth1 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i eth1 -o tun0 -m state --state NEW -j ACCEPT
What would be the analogy using br0/tap0/eth1 in the bridged scenario described above?
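A restrictive FORWARD ruleset for the bridged scenario, added here as an example and not taken from the post or the OpenVPN documentation. It assumes tap0 and eth1 are ports of br0, eth0 is the WAN side, and net.bridge.bridge-nf-call-iptables=1 (br_netfilter loaded), because only then do frames bridged between tap0 and eth1 traverse the iptables FORWARD chain at all; the physdev match is what identifies the bridge ports, since both -i and -o are br0 for bridged traffic.

```shell
#!/bin/bash
# Added example (not from the forum post). Interface names are assumptions.
VPN_IF=${VPN_IF:-tap0}       # OpenVPN tap interface, enslaved to the bridge
LAN_IF=${LAN_IF:-eth1}       # LAN interface, also enslaved to the bridge
BRIDGE_IF=${BRIDGE_IF:-br0}
WAN_IF=${WAN_IF:-eth0}
VPN_PORT=${VPN_PORT:-1194}

# Emits the rules through $1 (default "echo iptables") so they can be reviewed
# before being applied; call bridged_vpn_rules iptables as root to apply them.
bridged_vpn_rules() {
    local ipt=${1:-echo iptables}
    # VPN clients reach the OpenVPN daemon only through the WAN interface.
    $ipt -A INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
    # Replies to already accepted connections may cross the bridge both ways.
    $ipt -A FORWARD -i "$BRIDGE_IF" -o "$BRIDGE_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections are only allowed between the VPN port and the LAN port of
    # the bridge (bridged frames show -i br0 -o br0; physdev names the ports).
    $ipt -A FORWARD -i "$BRIDGE_IF" -o "$BRIDGE_IF" -m physdev --physdev-in "$VPN_IF" --physdev-out "$LAN_IF" -m state --state NEW -j ACCEPT
    $ipt -A FORWARD -i "$BRIDGE_IF" -o "$BRIDGE_IF" -m physdev --physdev-in "$LAN_IF" --physdev-out "$VPN_IF" -m state --state NEW -j ACCEPT
    # Everything else leaving the bridge (other LANs, WAN) is dropped, which is
    # the restriction the unqualified "-A FORWARD -i br0 -j ACCEPT" lacks.
    $ipt -A FORWARD -i "$BRIDGE_IF" -j DROP
}
```

Check `sysctl net.bridge.bridge-nf-call-iptables` first: if it reads 0, bridged tap0/eth1 frames are switched by br0 without ever reaching these rules, and the FORWARD restriction has no effect on them.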