Linux – Understanding an OpenVPN bridge from iptables' point of view

Tags: bridge, iptables, linux, openvpn, vpn

In my scenario, there is a machine which acts as both an iptables-based firewall and an OpenVPN-server at the same time. It has two network interfaces – eth1 is connected to the internet whereas eth0 is connected to the LAN behind the machine.

Until now, I understand how to configure iptables for routing/TUN-based VPN-connections. You can find the following visualization on openvpn.net:

|            FIREWALL            |
|                                |
{eth1                        eth0}
|   \                        /   |
|    +----------------------+    |
|    | iptables and         |    |
|    | routing engine       |    |
|    +--+----------------+--+    |
|       |                |       |
|     (openvpn)-------{tun0}     |
|                    10.8.0.1    |
+--------------------------------+ 

According to the image, the logical packet flow looks like this:

Internet -> eth1 -> iptables (via INPUT chain) -> OpenVPN -> tun0 -> iptables (via FORWARD chain) -> eth0 -> LAN

…which should result in the following iptables rules if I'm not wrong:

# allow incoming and outgoing VPN traffic from/to the internet
iptables -A INPUT -i eth1 -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow traffic between tun0 and LAN
iptables -A FORWARD -i tun+ -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

So far, so good. What I want to do now is to realize the exact same scenario as above but with bridge/TAP-based VPN connections, but I have problems understanding the logical packet flow and creating iptables rules in a bridged environment.

What I get so far:

  • tun0 gets replaced by tap0
  • I need a bridge-interface between eth0 and tap0, let's call it br0

For the sake of simplicity, let's assume that both tap0 and br0 are already configured.

What I don't get is the packet flow from iptables' point of view and especially how iptables deals with br0. My aim is to create the same visualization and rules as above, but for the described bridged/TAP-based environment.

edit: I don't have to create a real and production-ready environment, don't worry. I just want to understand it 🙂

Best Answer

As far as iptables is concerned, br0 can be treated as a single interface (e.g. you can match -i br0 or -o br0, which will apply to packets arriving on, or leaving through, tap0 as well as eth0), but you can also reference its subinterfaces in rules using the physdev module, e.g. -m physdev --physdev-in tap0.

Please try to make your question more specific and I'll try to answer it better.
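The bridged counterpart of the question's TUN rule set, written out as an added example that is not part of the original answer: it uses the interface names and port from the question, assumes the br_netfilter module is available (bridged frames only pass through the FORWARD chain when `net.bridge.bridge-nf-call-iptables` is 1), and only prints the commands unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post): TAP/bridge version of the
# question's TUN rules. eth0, eth1, tap0, br0 and UDP/1194 come from the
# question; the DRY_RUN switch and rule order are assumptions for
# illustration. DRY_RUN=1 (default) prints the commands, DRY_RUN=0 runs them.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

bridged_vpn_rules() {
    # Internet -> eth1 -> INPUT -> OpenVPN: identical to the TUN case, the
    # encrypted transport is still ordinary UDP to the host itself.
    run iptables -A INPUT -i eth1 -p udp --dport 1194 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Frames OpenVPN writes to tap0 are switched by br0, not routed, so they
    # only reach the FORWARD chain when bridged traffic is handed to
    # iptables. Without this the two FORWARD rules below never match.
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1

    # At the IP layer the traffic enters and leaves the same interface (br0),
    # so -i/-o alone cannot tell tap0 from eth0; the physdev match restores
    # the distinction between the bridge ports ('+' is a prefix wildcard).
    run iptables -A FORWARD -i br0 -o br0 \
        -m physdev --physdev-in tap+ --physdev-out eth0 \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i br0 -o br0 \
        -m physdev --physdev-in eth0 --physdev-out tap+ \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Print (or, with DRY_RUN=0, apply) the rule set.
bridged_vpn_rules
```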