Hi,

I'm trying to understand why the ocserv-fw script makes use of the iptables INPUT chain. One would think that the FORWARD chain would be where the script would put all of the allow/deny rules, since traffic will need to be forwarded from the tun interface to eth0 if it wants to get out to other networks. I know that $INPUT_CHAIN can be set to whatever I'd like, but there are several places where the INPUT chain is hardcoded in the script.

I'd also like to understand why ocserv-fw appears to create empty INPUT-ocserv-fw-vpns* chains, which cause the rules in the INPUT chain that reference said chains to go nowhere useful. It seems to me that the INPUT-ocserv-fw-vpns* chains should each have a blanket allow rule so that the rules in the INPUT (should be FORWARD?) chain which reference them actually work.

Am I thinking about this all wrong?

Thanks,
Lance

ocserv --version
ocserv 0.11.1
Compiled with seccomp, oath, PAM, PKCS#11, AnyConnect, GnuTLS version: 3.4.11
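The situation described in the post, a jump from INPUT (or FORWARD) into a per-client chain that contains no rules, is easy to miss by eye because iptables reports the jump rule as present and matching. A jump into an empty user-defined chain simply returns to the calling chain, so the jump is a no-op. The following audit script is an added example, not part of the original post or of ocserv-fw; it parses iptables-save style output and lists every user-defined chain that is a "-j" target but holds no rules. The ruleset it runs on is constructed here to mimic the post's description (an empty INPUT-ocserv-fw-vpns0 beside a populated FORWARD-ocserv-fw-vpns0); the chain names follow the post, but the exact rules are an assumption, not ocserv-fw's real output.

```shell
#!/bin/sh
# Added example (not from the original post or from ocserv-fw): find
# user-defined chains that are jump targets but contain no rules.
# Such a chain returns to its caller immediately, so the jump does nothing.

# Constructed sample in iptables-save format, modelled on the post's
# description. INPUT-ocserv-fw-vpns0 is defined and jumped to but empty;
# FORWARD-ocserv-fw-vpns0 has a real rule. (Assumed, not real ocserv-fw output.)
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT-ocserv-fw-vpns0 - [0:0]
:FORWARD-ocserv-fw-vpns0 - [0:0]
-A INPUT -i vpns0 -j INPUT-ocserv-fw-vpns0
-A FORWARD -i vpns0 -j FORWARD-ocserv-fw-vpns0
-A FORWARD-ocserv-fw-vpns0 -d 10.0.0.0/8 -j ACCEPT
COMMIT'

# Reads iptables-save output on stdin; prints, one per line and sorted,
# each user-defined chain that some rule jumps to but that has no rules.
# Built-in targets (ACCEPT, DROP, RETURN, ...) never appear as ":" chain
# definitions, so they are filtered out automatically.
empty_jump_targets() {
    awk '
        /^:/ {                       # chain definition line, e.g. ":INPUT ACCEPT [0:0]"
            sub(/^:/, "", $1)
            defined[$1] = 1
            count[$1] += 0           # make sure the chain has a rule counter
        }
        /^-A / {                     # rule appended to chain $2
            count[$2]++
            for (i = 3; i <= NF; i++)
                if ($i == "-j") target[$(i + 1)] = 1
        }
        END {
            for (c in target)
                if ((c in defined) && count[c] == 0) print c
        }
    ' | sort
}

# Convenience wrapper that audits the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_RULES" | empty_jump_targets
}

# On a live host the same check is: iptables-save | empty_jump_targets
audit_sample
```

Running the script prints `INPUT-ocserv-fw-vpns0`, the chain whose jump rule in INPUT leads nowhere; `FORWARD-ocserv-fw-vpns0` is not reported because it carries a rule. On a real host, pipe `iptables-save` (or `ip6tables-save`) into `empty_jump_targets` after ocserv-fw has run for a connected client to confirm which per-client chains actually carry policy and which are placeholders.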