In my scenario, there is a machine which acts as both an iptables-based firewall and an OpenVPN server at the same time. It has two network interfaces: eth1 is connected to the internet, whereas eth0 is connected to the LAN behind the machine.
So far, I understand how to configure iptables for routed/TUN-based VPN connections. You can find the following visualization on openvpn.net:
+--------------------------------+
|            FIREWALL            |
|                                |
|{eth1                      eth0}|
|  \                          /  |
|   +----------------------+     |
|   |  iptables and        |     |
|   |  routing engine      |     |
|   +--+----------------+--+     |
|      |                |        |
|      (openvpn)-------{tun0}    |
|       10.8.0.1                 |
+--------------------------------+
According to the image, the logical packet flow looks like this:
Internet -> eth1 -> iptables (via INPUT chain) -> OpenVPN -> tun0 -> iptables (via FORWARD chain) -> eth0 -> LAN
...which should result in the following iptables rules, if I'm not wrong:
# allow the encrypted tunnel itself: incoming VPN traffic from the internet to the
# local OpenVPN process (udp/1194) and the process's replies back out via eth1
iptables -A INPUT -i eth1 -p udp --dport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow decapsulated traffic to be routed between any tun interface (tun+) and the LAN
iptables -A FORWARD -i tun+ -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o tun+ -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
So far, so good. What I want to do now is to realize the exact same scenario as above, but with bridged/TAP-based VPN connections. However, I have problems understanding the logical packet flow and creating iptables rules in a bridged environment.
What I get so far:
- tun0 gets replaced by tap0
- I need a bridge interface between eth0 and tap0, let's call it br0
For the sake of simplicity, let's assume that both tap0 and br0 are already configured.
What I don't get is the packet flow from iptables' point of view, and especially how iptables deals with br0. My aim is to create the same visualization and rules as above, but for the described bridged/TAP-based environment.
edit: I don't have to create a real and production-ready environment, don't worry. I just want to understand it 🙂
Best Answer
As far as iptables is concerned, br0 can be treated as a single interface (e.g. you can match -i br0 or -o br0, which will apply to packets arriving on, or leaving through, tap0 as well as eth0), but you can also reference its subinterfaces in rules using the physdev module, e.g. -m physdev --physdev-in tap0.
Please try to make your question more specific and I'll try to answer it better.