Hi,

On Fri, Oct 20, 2023 at 06:39:54PM -0400, Bo Berglund wrote:
> I am worried that if the destination happens to be the gateway to the
> internet, like it would when browsing via the tunnel, will it be allowed???
iptables looks at the actual destination IP in the packet. So if your
gateway is, say, 192.168.1.1, on a 192.168.1.0/24 LAN, and iptables blocks
"packets to 192.168.1.0/24", the following will happen:

 - a packet being sent with dest ip = 192.168.1.1 ("ping 192.168.1.1")
   will be BLOCKED
 - a packet being sent with dest ip = 8.8.8.8 ("google DNS") will be
   PERMITTED, because "dest ip is not 192.168.1.1"
 - the fact that routing will at some point send it to a router that has
   a "next-hop IP" of 192.168.1.1 is not known to iptables (with such a
   simple rule) and not relevant for the specific rule - "it matches on
   destination IP".

The IP header is always unchanged (except if NAT comes into the picture),
no matter what IP addresses the routers on the path happen to have.

gert
-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
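The point made in the reply above, as an added illustration that is not part of the thread and not iptables or OpenVPN code: a toy model in which filter rules are matched only against the packet's own header fields, while a separate longest-prefix routing lookup decides the next-hop. The LAN (192.168.1.0/24, gateway 192.168.1.1), the rule modelled (`iptables -A OUTPUT -d 192.168.1.0/24 -j DROP`), the tunnel gateway 10.8.0.1 and the VPN server address 203.0.113.5 are all assumptions chosen for the example.

```python
"""
Toy model of iptables destination matching vs. routing next-hop.
Added example for the thread above; it does not call iptables and
does not reproduce kernel internals, it only mirrors the matching
semantics being discussed.

Assumed setup (hypothetical): LAN 192.168.1.0/24 with gateway
192.168.1.1, an OpenVPN tunnel whose far end is 10.8.0.1 with
redirect-gateway style half-routes, and a VPN server at 203.0.113.5.
Rule modelled:  iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """One filter rule: optional -s / -d CIDR matches and a target."""
    target: str                 # "ACCEPT" or "DROP"
    dst: Optional[str] = None   # -d CIDR, None = match any destination
    src: Optional[str] = None   # -s CIDR, None = match any source


@dataclass
class Route:
    prefix: str
    via: Optional[str] = None   # next-hop address, None = directly connected
    dev: str = "eth0"


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix-match lookup, as the routing code would do it.
    Returns the next-hop address, or None for an on-link destination.
    The filter chain below never consults this result."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best.via if best else None


def filter_verdict(chain: List[Rule], policy: str, src: str, dst: str) -> str:
    """Walk a chain the way iptables does: first matching rule wins,
    otherwise the chain policy applies. Only the packet's own header
    fields (-s, -d) are compared; no routing information is used."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for rule in chain:
        if rule.dst is not None and d not in ipaddress.ip_network(rule.dst):
            continue
        if rule.src is not None and s not in ipaddress.ip_network(rule.src):
            continue
        return rule.target
    return policy


# The single rule from the thread, in an OUTPUT chain with policy ACCEPT.
OUTPUT = [Rule(target="DROP", dst="192.168.1.0/24")]

# Assumed routing table while the tunnel is up (constructed for the example):
ROUTES = [
    Route("192.168.1.0/24", via=None, dev="eth0"),        # LAN, on-link
    Route("203.0.113.5/32", via="192.168.1.1", dev="eth0"),  # VPN server via LAN gateway
    Route("0.0.0.0/1", via="10.8.0.1", dev="tun0"),       # half-routes into the tunnel
    Route("128.0.0.0/1", via="10.8.0.1", dev="tun0"),
    Route("0.0.0.0/0", via="192.168.1.1", dev="eth0"),    # original default route
]


def classify(dst: str, src: str = "192.168.1.50") -> dict:
    """Return the routing next-hop and the filter verdict for one packet."""
    return {
        "dst": dst,
        "next_hop": next_hop(ROUTES, dst),
        "verdict": filter_verdict(OUTPUT, "ACCEPT", src, dst),
    }


if __name__ == "__main__":
    for target in ("192.168.1.1", "8.8.8.8", "203.0.113.5"):
        print(classify(target))
```

Running it shows the three cases from the reply: a packet to 192.168.1.1 is dropped; a packet to 8.8.8.8 is accepted and happens to be routed into the tunnel; the encapsulated packet to the VPN server is routed via the 192.168.1.1 gateway as its next-hop and is still accepted, because its destination field is 203.0.113.5, not an address in 192.168.1.0/24. On a real host the same thing can be confirmed by watching the per-rule packet counters in `iptables -L OUTPUT -v -n` while pinging each destination.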