My server connects to some strange resources via OpenVPN, and every time the OpenVPN client starts up, an ovpn
interface is brought up.
I want to expose only selected ports (say, MySQL) to this interface, so I have this rule in my iptables:
iptables -A INPUT -i ovpn -p tcp --dport 3306 -j ACCEPT
However, because the OpenVPN client can disconnect and reconnect without intervention, the link ID (as shown by ip link show ovpn) can change.
Will the above iptables rule continue to work after the link disappears and appears again (with a different ID)?
Yes it will continue to work, because iptables doesn't use the interface's index but is doing a string comparison with the current interface's name when evaluating the -i/--in-interface parameter. Actually it appears to be always evaluated, even when the parameter is not provided, but the inlined function is quite optimized.

By contrast, nftables (the current candidate successor to iptables) offers two different expressions: iifname, the direct equivalent of -i, comparing the current name, and iif, comparing the interface index, which would cause a problem in your use case. When iptables is translated into nftables (either using iptables-translate or iptables-nft for the newer iptables-over-kernel-nftables API), -i gets translated to iifname as expected for compatibility.

Yes, it will. Rules don't get deleted when the referenced interface is deleted.
More than that, there are wildcard rules; for example you can specify "any pppX interface" with the match -i ppp+ or -o ppp+. There is no interface with that name at all, so it can't reference anything. But if there is traffic involving a ppp2 interface, such a rule will immediately apply.

In general, it doesn't matter whether the rule was created before the interface appeared or after that.