I have set up a VPN to a private service provider via OpenVPN. This setup uses the VPN as the default gateway. It all works fine, but when I try to apply some basic iptables rules to filter traffic in and out of the tunnel, I don't seem to be able to affect the inbound traffic. Outbound filtering appears to work fine though.
I suppose my iptables rules refer to tun12, which for output can be filtered happily, but inbound I would only see the UDP traffic on port 1194 as it's still encrypted. I'm working with the FORWARD table at the moment.
How do I go about applying iptables filtering inbound?
root@router# iptables -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOTHIS-IN all -- tun12 * 0.0.0.0/0 0.0.0.0/0 state NEW
11323 780K DOTHIS-OUT all -- * tun12 0.0.0.0/0 0.0.0.0/0 state NEW
NOTE: this is happening only when I match state NEW. If I remove the match, the iptables rules work fine.
root@router# iptables -nvL FORWARD
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOTHIS-IN all -- tun12 * 0.0.0.0/0 0.0.0.0/0 state NEW
6154K 8071M DOTHIS-IN all -- tun12 * 0.0.0.0/0 0.0.0.0/0
NOTE2: the tunnel is NAT-enabled.
Thanks!
You could try filtering based on the IP addresses of the VPN instead of the interface.
Did you try to match traffic coming from the tunnel based on the destination for a test?