Why aren't openvpn server iptables rules put in their own chain?

Thread starter: Deleted member 27741
When iptables rules for my n66u openvpn servers are started, they are inserted at the top of the chain when the openvpn servers start. This can prevent dropping packets to the servers because any blacklisting rules would then be moved down.

Why would openvpn servers not start their own chain(s)? That way they would not be fighting for a top spot on the INPUT chain. Wouldn't it also permit a user to insert rules with firewall-start at the top of the INPUT chain without waiting for about a minute or so after boot? What is the downside of openvpn servers having their own chains?
 
Errrr... after just some rudimentary reading I am seeing why perhaps things are this way. If the chains (jump to user chain rule added to input chain and user rules) are added later on, they will have to be added somewhere and the top of the chain is where they will need to go.

If the INPUT jump to user chain was added at boot (so that later an input rule for the openvpn servers would not have to be put on top), some placeholder rule would have to go into the user chain.
 
Now that you're getting to grips with iptables, I'm looking forward to your writing up a beginner's guide to iptables :)

Hang on a minute: I've just seen I've been promoted to Senior Member. How did that happen? I'd hate people to start thinking I know what I'm talking about.
 
Aha! Perhaps it is YOU who should be writing a beginner's guide, senior member! I really don't see an easy way around this iptables conundrum with the openvpn servers popping up on top of the INPUT chain. Perhaps the answer is to put blacklist iptables rules in Prerouting, but I get the impression that Prerouting is not a good place for that.

The whole iptables strategy for openvpn servers would have to be revisited.
 
As you say, it's a conundrum. One which I think is impossible to solve if you try and cover every eventuality.

The only way to guarantee that it will always work is to put it into the prerouting chain, but this is regarded as bad practice because every single bit of incoming traffic will hit that rule.

The alternatives are things like:

use a "sleep" command as you're currently doing,
put the rules in services-start,
or use openvpn-event to add and remove the rules when the VPN server starts and stops.

The 3 ideas above will probably work until you start changing other things in the GUI whereupon it'll all fall apart.
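An added example (not from any poster in this thread) of the user-chain approach discussed above: blacklist rules live in their own chain and the jump into it is re-pinned to rule 1 of INPUT every time the script runs, so a rule that an openvpn server later inserts at the top cannot silently push the blacklist down. It assumes Asus firmware with a user-writable /jffs, that the script is called with the argument "apply" from both /jffs/scripts/firewall-start and /jffs/scripts/openvpn-event, and that the chain name and the blacklist addresses (TEST-NET ranges) are constructed placeholders; without arguments it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: keep blacklist DROP rules in a dedicated chain and pin the
# jump to that chain at the top of INPUT. Re-running is idempotent, so it is
# safe to call from firewall-start (firewall rebuilt from the GUI) and from
# openvpn-event (server started and inserted its own rules at position 1).
IPT="${IPT:-iptables}"             # override (e.g. IPT=echo) for a dry run
CHAIN="${CHAIN:-BLACKLIST}"         # constructed chain name, assumption
BLACKLIST="203.0.113.7 198.51.100.0/24"   # constructed sample addresses

# Print, one per line, the exact commands needed. Nothing is executed here,
# which makes the rule set easy to inspect and to test without iptables.
plan_rules() {
    # create the chain, or flush it if it already exists
    printf '%s\n' "$IPT -N $CHAIN 2>/dev/null || $IPT -F $CHAIN"
    for src in $BLACKLIST; do
        printf '%s\n' "$IPT -A $CHAIN -s $src -j DROP"
    done
    # drop a stale jump (ignore "no such rule"), then re-insert it as rule 1
    printf '%s\n' "$IPT -D INPUT -j $CHAIN 2>/dev/null || true"
    printf '%s\n' "$IPT -I INPUT 1 -j $CHAIN"
}

# Execute the plan line by line; eval is needed so the redirections apply.
apply_rules() {
    plan_rules | while IFS= read -r cmd; do
        eval "$cmd"
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    plan_rules        # default: dry run, show what would be done
fi
```

Check the result after an openvpn server restart with `iptables -L INPUT --line-numbers`; the `-j BLACKLIST` jump should again be rule 1, with the vpnserver rules below it.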
 
I love code that covers every eventuality. It is a disease. :cool:

Using the sleep command suits me fine, as long as I don't stop/start the openvpn servers the table stays pristine!
 