On 31.07.23 21:14, Jason Long wrote:
> On Mon, Jul 31, 2023 at 4:20 PM, Jochen Bern<jochen.b...@binect.de> wrote:
>> If, on the other hand, you'd like to type less, it's up to you to find
>> ways to make the rules less specific that still agree with whatever
>> *external* requirements you may have. For OpenVPN, the four rules
>> 
>> iptables -I INPUT -p udp -m multiport --dports $PORT1,$PORT2 -j ACCEPT
>> iptables -A FORWARD -i tun+ -o e+ -s $BIG_SUBNET -j ACCEPT
>> iptables -A FORWARD -i e+ -o tun+ \
>>      -m state --state ESTABLISHED,RELATED -j ACCEPT
>> iptables -t nat -A POSTROUTING -s $BIG_SUBNET -j SNAT --to $PUB_IP_RANGE
>> 
>> would be enough to cover *all* instances that use those ports and [...]
> 
> You used some variables:
> $PORT1, $PORT2, $BIG_SUBNET, $PUB_IP_RANGE
> 
> Above the iptables rules, I need to initialize them. Can I use a ","
> sign between the values? For example:
> BIG_SUBNET = 10.8.1.0/16, 10.8.2.0/16

No. There is a "multiPORT" extension for iptables that I used in my 
example, but no "multiNET" or somesuch. ferm would allow you to write a 
config pretty much like that, but it would nonetheless expand the list 
into several iptables rules under the hood.

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH

Hello,
Thanks again.
I guess using "e+" is not OK, because it will match other NICs which are not needed.

Can you write the iptables rules for a real example? For example, a server has
enp3s0 and enp3s0:1 NICs:

enp3s0     :      1.2.3.4
enp3s0:1  :      1.2.3.5

Each NIC runs two servers:

Server1.conf :
Tun1
1194
10.10.0.0/16

Server2.conf :
Tun2
1195
10.11.0.0/16

Server3.conf :
Tun3
1196
10.12.0.0/16

Server4.conf :
Tun4
1195
10.13.0.0/16


I would be thankful if you could show me the correct iptables rules for this scenario.

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
