On Fri, May 6, 2016 at 2:36 PM, Lance LeFlore <lance at 3t218.org> wrote: > Hi, > I'm trying to understand why the ocserv-fw script makes use of the > iptables INPUT chain. One would think that the FORWARD chain would be > where the script would put all of the allow/deny rules since traffic > will need to be forwarded from the tun interface to eth0 if it wants > to get out to other networks. I know that $INPUT_CHAIN can be set to > whatever I'd like, but there are several places where the INPUT chain > is hardcoded in the script. > I'd also like to understand why ocserv-fw appears to create empty > INPUT-ocserv-fw-vpns* chains which cause the rules in the INPUT chain > which reference said chains to go nowhere useful. It seems to me that > the INPUT-ocserv-fw-vpns* chains should each have a blanket allow rule > so that the rules in the INPUT (should be FORWARD?) chain which > reference them actually work. > Am I thinking about this all wrong? You are right, it seems that the current script doesn't fulfill its purpose; I should have tagged this as an experimental feature. It seems that both INPUT/FORWARD and OUTPUT/FORWARD should have been specified. Would you be interested in providing a fixed ocserv-fw script? regards, Nikos
