[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Google
 
Web openvpn.net

Re: [Openvpn-users] Filter on tap device


  • Subject: Re: [Openvpn-users] Filter on tap device
  • From: "Prasanna Krishnamoorthy" <prasanna79@xxxxxxxxx>
  • Date: Fri, 4 Jan 2008 09:42:58 +0530

On Jan 4, 2008 6:06 AM, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
> Hi Marco,
>
> please explain:
>
> "with Client-to-client deactivated all clients can only see the server"
>
> that's exactly what it is supposed to do... this means all
> client-to-client traffic IS blocked. Isn't that what you wanted?
> I agree, filtering client-to-client traffic is not possible (either in
> tun or tap mode) but blocking is definitely possible. Note that blocking
> client-to-client traffic will and should also imply that all
> broadcast/multicast traffic is blocked. That's the way it is supposed to
> work ;-)

This should be possible. What you need is not iptables, but ebtables!
Iptables as the name suggests, will allow you to filter only IP
packets :). Ebtables on the other hand is built for bridging. I
suggest you set client-to-client off, and use shorewall/ebtables to
setup the filtering on the appropriate interface(s).

http://ebtables.sourceforge.net/

Prasanna
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users