ocserv-fw script design

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Mon May 9 04:45:14 PDT 2016


On Fri, May 6, 2016 at 2:36 PM, Lance LeFlore <lance at 3t218.org> wrote:
> Hi,
> I'm trying to understand why the ocserv-fw script makes use of the
> iptables INPUT chain. One would think that the FORWARD chain would be
> where the script would put all of the allow/deny rules since traffic
> will need to be forwarded from the tun interface to eth0 if it wants
> to get out to other networks. I know that $INPUT_CHAIN can be set to
> whatever I'd like, but there are several places where the INPUT chain
> is hardcoded in the script.
> I'd also like to understand why ocserv-fw appears to create empty
> INPUT-ocserv-fw-vpns* chains which cause the rules in the INPUT chain
> which reference said chains to go nowhere useful. It seems to me that
> the INPUT-ocserv-fw-vpns* chains should each have a blanket allow rule
> so that the rules in the INPUT (should be FORWARD?) chain which
> reference them actually work.
> Am I thinking about this all wrong?

You are right, it seems that the current script doesn't fulfill its
purpose; I should have tagged this as an experimental feature. It
seems that both INPUT/FORWARD and OUTPUT/FORWARD should have been
specified. Would you be interested in providing a fixed ocserv-fw
script?

regards,
Nikos



More information about the openconnect-devel mailing list