Hello,

OK, thank you for that information. But I think the problem with ebtables will be that client-to-client traffic is blocked and ebtables cannot forward (after passing the filter rules). Or am I wrong? The problem is that OpenVPN does this client-to-client forwarding inside the openvpn process. Such client-to-client traffic won't leave the tap0 interface (where the ebtables rules are applied). Right? But anyway, I'll have a look at ebtables. Thanks.

@janjust: I cannot code C :( Shame on me :(

Another idea was to start an openvpn process for each client and then filter/bridge between the clients with brctl and ebtables. As you may know, I need the following: about 5-10 "groups" of clients. All clients in the same group should "see" each other. Clients from group1 and group2, e.g., must not see each other. Is it possible to run about 10 openvpn instances with about 100 clients in TAP mode?

Thanks and kind regards,
Marco

Prasanna Krishnamoorthy wrote:
> On Jan 4, 2008 6:06 AM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
>
>> Hi Marco,
>>
>> please explain:
>>
>> "with Client-to-client deactivated all clients can only see the server"
>>
>> that's exactly what it is supposed to do... this means all
>> client-to-client traffic IS blocked. Isn't that what you wanted?
>> I agree, filtering client-to-client traffic is not possible (either in
>> tun or tap mode) but blocking is definitely possible. Note that blocking
>> client-to-client traffic will and should also imply that all
>> broadcast/multicast traffic is blocked. That's the way it is supposed to
>> work ;-)
>>
>
> This should be possible. What you need is not iptables, but ebtables!
> Iptables as the name suggests, will allow you to filter only IP
> packets :). Ebtables on the other hand is built for bridging. I
> suggest you set client-to-client off, and use shorewall/ebtables to
> setup the filtering on the appropriate interface(s).
>
> http://ebtables.sourceforge.net/
>
> Prasanna
>

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
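The per-group layout Marco sketches (one openvpn instance per group in TAP mode, every tap interface attached to one bridge, ebtables keeping the groups apart), written out as an added example that is not from this thread and not the OpenVPN project's own code. It generates the server config for each group, the commands that plug each tap into the bridge, and the ebtables rule set; all names are assumptions (bridge br0 carrying the server address 10.8.0.1, LAN side eth0, tap<N> and UDP port 1194+N for group N, client pools sliced out of 10.8.0.0/24). It prints the configuration and rules instead of applying them, so it can be reviewed before anything touches the bridge:

```shell
#!/bin/sh
# Added example, not code from the OpenVPN project or from this thread.
# One openvpn server instance per client group, all in TAP mode, every tap
# interface attached to one bridge. Assumed names: bridge br0 holding the
# server address 10.8.0.1, LAN side eth0, tap<N> and UDP port 1194+N for
# group N, client pools carved out of 10.8.0.0/24 (all constructed values).

BRIDGE=br0
LAN_IF=eth0
BASE_PORT=1194

# Server config for group N. client-to-client stays on inside the instance:
# same-group forwarding happens inside the openvpn process and never reaches
# tap<N>, so ebtables cannot see it, and here that is exactly what we want.
gen_server_conf() {
    n=$1
    pool_start=$(( n * 20 ))        # group 1 gets .20-.39, group 2 .40-.59, ...
    pool_end=$(( n * 20 + 19 ))
    cat <<EOF
# openvpn server instance for client group $n
dev tap$n
proto udp
port $(( BASE_PORT + n ))
server-bridge 10.8.0.1 255.255.255.0 10.8.0.$pool_start 10.8.0.$pool_end
client-to-client
ca ca.crt
cert server.crt
key server.key
dh dh.pem
EOF
}

# Commands that create persistent tap devices and plug them into the bridge,
# so the instances can be (re)started without touching the bridge.
gen_bridge_cmds() {
    groups=$1
    i=1
    while [ "$i" -le "$groups" ]; do
        echo "openvpn --mktun --dev tap$i"
        echo "ip link set tap$i up"
        echo "brctl addif $BRIDGE tap$i"
        i=$(( i + 1 ))
    done
}

# ebtables rule set for the bridge FORWARD chain: default DROP, then permit
# each group's tap only towards the LAN side and back. No tapX -> tapY rule
# exists, so unicast, broadcast and multicast frames from one group never
# reach another group's tap. Frames addressed to 10.8.0.1 itself go through
# the INPUT chain, not FORWARD, so clients still reach the server.
gen_ebtables_rules() {
    groups=$1
    echo "ebtables -F FORWARD"
    echo "ebtables -P FORWARD DROP"
    i=1
    while [ "$i" -le "$groups" ]; do
        echo "ebtables -A FORWARD -i tap$i -o $LAN_IF -j ACCEPT"
        echo "ebtables -A FORWARD -i $LAN_IF -o tap$i -j ACCEPT"
        i=$(( i + 1 ))
    done
}

# Sanity check: number of rules that would forward between two taps (must be 0).
count_tap_to_tap_rules() {
    gen_ebtables_rules "$1" | grep -c -- '-i tap[0-9]* -o tap' || true
}

# Usage: sh groups.sh show 3   -> prints configs and commands for 3 groups
if [ "${1:-}" = "show" ]; then
    groups=${2:-3}
    i=1
    while [ "$i" -le "$groups" ]; do
        echo "### server-group$i.conf"
        gen_server_conf "$i"
        i=$(( i + 1 ))
    done
    echo "### bridge setup"
    gen_bridge_cmds "$groups"
    echo "### ebtables rules"
    gen_ebtables_rules "$groups"
fi
```

The split between the two mechanisms is the point Marco raises: traffic that one instance forwards between its own clients stays inside that openvpn process and never crosses tap<N>, so ebtables has nothing to filter there, while anything that crosses from one instance's tap to another's does traverse the bridge and is decided by the FORWARD chain. Because the policy is DROP and only tap-to-LAN pairs are accepted, cross-group frames, broadcasts included, are discarded on the bridge.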