Tun0+ iptables rule

firewalliptables

I'm trying to figure out what that + sign means in a rule such as this:

-A FORWARD -i tun0+ -j ACCEPT

I'm pretty positive it relates to vpn. I noticed a /dev/net/tun interface and a tun0 in ifconfig, but for the sake of thoroughness, I want to know about that + sign. Anyone know anything?

Best Answer

From here: To match all interfaces of a type, use the plus sign such as eth+.

And yes, the "+" sign means here just as "*" in pattern matching or ".*" in regexps.

This rule is false, the + is unneeded, although it don't even harms (because a tunnel named tun01 or tun05 are very unlikely). The developer of this script wanted to write probably only tun+.

Related Solutions

Ssh – Linux iptables ssh port forwarding (martian rejection)

The issue with doing a DNAT to 127.0.0.1:5000 is that when the remote side responds, these packets return into the routing engine as if they were locally originated (from 127.0.0.1) but they have an outside destination address. SNAT/MASQUERADE matching the outside interface would have caught them and rewritten them, but the routing decisions that have to be made for the packets to arrive at that interface come first, and they disallow these packets which are bogus by default. The routing engine can't guarantee you'll remember to do that rewrite later.

The thing that you should be able to do instead is reject any outside connections to 192.168.1.1:5000 at iptables INPUT other than those coming from 192.168.1.10 using the ! argument before the -s source address specification. If you use TCP reset as the rejection mechanism (-j REJECT --reject-with tcp-reset, instead of the default ICMP destination unreachable), it will be largely identical to the situation where nothing was even listening on that address:port combination as far as the outside world is concerned.

Iptables forward traffic to vpn tunnel if open

You will need both sets of rules within iptables. The two rulesets ensure that traffic leaving by the specified interfaces is appropriately masqueraded. Here is my suggestion, which is a little simpler than yours:

# Masquerade outgoing traffic
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

# Allow return traffic
iptables -A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Forward everything
iptables -A FORWARD -j ACCEPT

The part of the puzzle that's missing is the routing. If the tunnel is up you want "all" outgoing traffic to use it. Otherwise use the normal route.

This is handled within OpenVPN using the redirect-gateway def1 parameter in your client configuration.

Best Answer

Related Solutions

Ssh – Linux iptables ssh port forwarding (martian rejection)

Iptables forward traffic to vpn tunnel if open

Related Question