I have set up a VPN to a private service provider via OpenVPN.
This setup is using the VPN as default gateway.
It all works fine but when I try to apply some basic iptables rules to filter traffic in and out the tunnel, I don't seem to be able to affect the inbound traffic. Outbound filtering appears to work fine though.

I suppose my iptables rules refer to tun12 which for output can be filtered happily but inbound I would only see the UDP traffic on port 1194 as it's still encrypted. I'm working with the FORWARD table at the moment.

How do I go about applying iptables filtering inbound?

root@router# iptables -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOTHIS-IN  all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            state NEW
11323  780K DOTHIS-OUT all  --  *      tun12   0.0.0.0/0            0.0.0.0/0            state NEW

NOTE: this is happening only when I match status NEW. If I remove the match the iptables work fine.

root@router# iptables -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOTHIS-IN  all  --  tun12  *       0.0.0.0/0            0.0.0.0/0            state NEW
6154K 8071M DOTHIS-IN  all  --  tun12  *       0.0.0.0/0            0.0.0.0/0

NOTE2: the tunnel is NAT enabled

Thanks!

user3018558

1 Answer

You could try filtering based on the IP addresses of the VPN instead of the interface.

Did you try to match traffic coming from the tunnel based on the destination for a test?

  • matching the VPN IP as source address doesn't work either. I did try to match the destination LANs (have multiple vlans) excluding the WAN as input interface but no luck. – user3018558 Jun 18 '17 at 19:46
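Added illustration, not part of the question, the answer or the comment above: a small Python model of Netfilter connection tracking on a masquerading router. It reproduces the counters in the question (the FORWARD rule "-i tun12 ... state NEW" stays at 0 while the same rule without the state match counts every packet) and shows why matching the VPN address as source, as tried in the comment, does not change that: on a router that masquerades out the tunnel, every packet arriving on tun12 that belongs to a forwarded flow is a reply, so conntrack classifies it ESTABLISHED, and a packet on tun12 that conntrack has never seen is addressed to the router's own tunnel address and is handled in INPUT rather than FORWARD. The interface names, addresses, ports and traffic below are constructed for the simulation; the model keeps the source port unchanged under MASQUERADE, which real Netfilter may rewrite.

```python
# Toy conntrack + MASQUERADE model (constructed example, not real Netfilter code).
from dataclasses import dataclass

ROUTER_TUN_IP = "10.8.0.6"    # constructed: the router's own address on tun12
LAN_IF, VPN_IF = "br-lan", "tun12"


@dataclass(frozen=True)
class Packet:
    iface_in: str
    src: str
    sport: int
    dst: str
    dport: int


class MasqueradingRouter:
    """Tracks flows by 4-tuple and counts (chain, input interface, ctstate)."""

    def __init__(self):
        self.seen_orig = set()   # original-direction tuples (LAN -> outside)
        self.reply_map = {}      # reply tuple as seen on tun12 -> LAN origin
        self.counters = {}       # (chain, iface_in, state) -> packet count

    def _count(self, chain, iface, state):
        key = (chain, iface, state)
        self.counters[key] = self.counters.get(key, 0) + 1

    def handle(self, pkt):
        """Return (chain, ctstate) that the packet would be evaluated with."""
        tup = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if tup in self.reply_map or tup in self.seen_orig:
            # Known flow: conntrack says ESTABLISHED; for replies NAT restores
            # the LAN destination before routing, so the packet is forwarded.
            chain, state = "FORWARD", "ESTABLISHED"
        elif pkt.dst == ROUTER_TUN_IP:
            # Unknown flow addressed to the router itself: INPUT, not FORWARD.
            # This is the only address the far side of the tunnel can reach.
            chain, state = "INPUT", "NEW"
        else:
            chain, state = "FORWARD", "NEW"
            if pkt.iface_in == LAN_IF:
                # MASQUERADE on the way out of tun12: remember the reply tuple
                # the remote host will use (addresses swapped, source rewritten).
                self.seen_orig.add(tup)
                reply = (pkt.dst, pkt.dport, ROUTER_TUN_IP, pkt.sport)
                self.reply_map[reply] = (pkt.src, pkt.sport)
        self._count(chain, pkt.iface_in, state)
        return chain, state


def rule_hits(counters, chain, iface, state=None):
    """Packets a rule '-i <iface>' (optionally '--state <state>') in <chain> counts."""
    return sum(n for (c, i, s), n in counters.items()
               if c == chain and i == iface and (state is None or s == state))


def simulate():
    """Constructed traffic: a LAN host opens two flows through the VPN and gets
    three reply packets each; the VPN peer also sends one unsolicited packet
    to the router's tunnel address."""
    r = MasqueradingRouter()
    lan_host, remote = "192.168.1.20", "198.51.100.10"
    for sport, dport in ((40001, 443), (40002, 80)):
        r.handle(Packet(LAN_IF, lan_host, sport, remote, dport))   # outbound SYN
        for _ in range(3):                                         # replies
            r.handle(Packet(VPN_IF, remote, dport, ROUTER_TUN_IP, sport))
    r.handle(Packet(VPN_IF, "10.8.0.1", 5555, ROUTER_TUN_IP, 22))  # unsolicited
    return r.counters


if __name__ == "__main__":
    c = simulate()
    print("FORWARD -i tun12 --state NEW :", rule_hits(c, "FORWARD", VPN_IF, "NEW"))
    print("FORWARD -i tun12 (any state):", rule_hits(c, "FORWARD", VPN_IF))
    print("INPUT   -i tun12 --state NEW :", rule_hits(c, "INPUT", VPN_IF, "NEW"))
    print("FORWARD -i br-lan --state NEW:", rule_hits(c, "FORWARD", LAN_IF, "NEW"))
```

The practical consequence for a NAT-enabled tunnel is that no connection initiated from the VPN side is ever forwarded unless a DNAT (port forward) rule exists for it, so a state NEW rule on tun12 in FORWARD has nothing to match, whichever source or destination addresses it also specifies. Inbound packets that do traverse FORWARD are the ESTABLISHED/RELATED replies to connections the LAN opened, and those are governed by the decision taken on the outbound DOTHIS-OUT side.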