18

My server connects to some strange resources via OpenVPN, and every time the OpenVPN client starts up, an ovpn interface is brought up.

I want to expose only selected ports (say, MySQL) to this interface, so I have this rule in my iptables:

iptables -A INPUT -i ovpn -p tcp --dport 3306 -j ACCEPT

However, because the OpenVPN client can disconnect and reconnect without intervention, the link ID (as shown by ip link show ovpn) can change.

Will the above iptables rule continue to work after the link disappears and appears again (with a different ID)?

iBug
  • 1,308

2 Answers2

30

Yes it will continue to work, because iptables doesn't use the interface's index but is doing a string comparison with the current interface's name when evaluating the -i/--in-interface parameter. Actually it appears to be always evaluated, even when the parameter is not provided, but the inlined function is quite optimized.

By contrast, nftables (the current candidate successor to iptables) offers two different expressions: iifname: the direct equivalent of -i, comparing the current name, and iif comparing the interface index, which would cause a problem in your use case. When iptables is translated into nftables (either using iptables-translate or iptables-nft for the newer iptables-over-kernel-nftables API), -i gets translated to iifname as expected for compatibility.

A.B
  • 12,715
6

Yes, it will. Rules don't get deleted when referenced interface is deleted.

More on that, there are wildcard rules, for example you can specify "any pppX interface" with the match -i ppp+ or -o ppp+. There is no interface with that name at all, so it can't reference anything. But if there will be traffic involving ppp2 interface, such rule will immediately apply.

In general, it doesn't matter, was the rule created before interface appeared or after that.

Nikita Kipriyanov
  • 12,569