ocserv-fw script design

Lance LeFlore lance at 3t218.org
Fri May 6 05:36:26 PDT 2016


I'm trying to understand why the ocserv-fw script makes use of the
iptables INPUT chain. One would think that the FORWARD chain would be
where the script would put all of the allow/deny rules since traffic
will need to be forwarded from the tun interface to eth0 if it wants
to get out to other networks. I know that $INPUT_CHAIN can be set to
whatever I'd like, but there are several places where the INPUT chain
is hardcoded in the script.

I'd also like to understand why ocserv-fw appears to create empty
INPUT-ocserv-fw-vpns* chains which cause the rules in the INPUT chain
which reference said chains to go nowhere useful. It seems to me that
the INPUT-ocserv-fw-vpns* chains should each have a blanket allow rule
so that the rules in the INPUT (should be FORWARD?) chain which
reference them actually work.

Am I thinking about this all wrong?


ocserv --version
ocserv 0.11.1

Compiled with seccomp, oath, PAM, PKCS#11, AnyConnect,
GnuTLS version: 3.4.11

More information about the openconnect-devel mailing list