
I'm setting up a firewall for a connected device running Linux. It has a wired/wireless interface to connect to the internet in general and to open a VPN tunnel to an external server. For security reasons, outgoing traffic should be firewalled as well.

The goal: The network interface should be firewalled to allow only some traffic that originates from this machine, i.e. it should isolate the VPN from the actual network interface. A user in the same VPN should not be able to use this machine as a gateway to other external services. As far as I understand, this can be realized by setting the FROM part of the firewall rule to the local interface address.

The question: How can I specify the FROM address to refer to the local interface if the actual address is obtained via DHCP?

Thank you!

Best regards, Philipp

  • Depending on your firewall implementation (which you fail to mention), you usually can set `SOURCE` and `DESTINATION` either by IP or by interface, e.g. `eth1`, `tun0`, etc. – Lenniey Jan 23 '20 at 12:33
  • I use UFW, but that should not matter too much. What address do I need to set as SOURCE for outgoing packets if the interface/device address is obtained using DHCP? – Philipp Burch Jan 23 '20 at 16:18
  • Just use the interface itself instead of its IP in your rule. – Lenniey Jan 23 '20 at 16:36
  • Seems like I'm misunderstanding something. Guess I need to do some more tests, maybe it "just works" and I'm only thinking too far. Thanks for the hint. – Philipp Burch Jan 23 '20 at 19:48
  • Instead of `-s ` in the iptables rule (**ufw** lets you add them in `/etc/ufw/user.rules`) use `-i `. – Piotr P. Karwasz Jan 23 '20 at 21:41
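The comments above give the key point, so here is a worked ruleset to make it concrete (an added example, not something posted by the asker or commenters). On Linux, packets that originate on the machine itself traverse the OUTPUT chain, while packets passing through it traverse FORWARD; so the "FROM is the local address" idea can be expressed without ever knowing the DHCP-assigned address, by matching the outgoing interface with `-o` in OUTPUT and dropping everything in FORWARD. The interface names `eth0`/`tun0`, the VPN server endpoint `203.0.113.10:1194` (a TEST-NET-3 placeholder) and the SSH-over-VPN rule are assumptions; adjust them for the real device. The script only prints the iptables commands unless run as root with `--apply`.

```shell
#!/bin/sh
# Added example: firewall a DHCP-addressed uplink by interface name, not IP.
# Interface names, VPN endpoint and the SSH rule below are assumptions.
LAN_IF="${LAN_IF:-eth0}"                    # uplink; address comes from DHCP
VPN_IF="${VPN_IF:-tun0}"                    # VPN tunnel interface
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"    # placeholder VPN endpoint
VPN_PORT="${VPN_PORT:-1194}"                # placeholder VPN port (UDP)

# Print the rules for the policy in the question:
#  - traffic generated by this host may leave via the uplink (selected
#    allow-list) and via the tunnel; no local address is needed because
#    locally generated packets are the only ones that traverse OUTPUT
#  - nothing is ever forwarded between the tunnel and the uplink, so a VPN
#    peer cannot use this box as a gateway to other external services
#  - DHCP itself must be allowed out, or the box never gets an address
gen_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A OUTPUT -o $LAN_IF -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $LAN_IF -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $LAN_IF -p udp -d $VPN_SERVER --dport $VPN_PORT -j ACCEPT
iptables -A OUTPUT -o $LAN_IF -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -o $VPN_IF -j ACCEPT
iptables -A INPUT -i $VPN_IF -p tcp --dport 22 -j ACCEPT
iptables -A FORWARD -i $VPN_IF -o $LAN_IF -j DROP
iptables -A FORWARD -i $LAN_IF -o $VPN_IF -j DROP
EOF
}

# Exit 0 when no rule selects traffic by a source address (-s): that is the
# property that keeps the ruleset valid across DHCP renumbering.
is_dhcp_safe() {
    ! gen_rules | grep -q -- " -s "
}

# Number of explicit FORWARD rules (the chain that would make this box a
# gateway); the policy is DROP as well, these just make the intent visible
# and give per-direction packet counters for monitoring.
forward_rule_count() {
    gen_rules | grep -c -- "-A FORWARD"
}

# Apply the rules for real; only when asked explicitly and running as root.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    gen_rules | while IFS= read -r cmd; do
        $cmd || { echo "failed: $cmd" >&2; return 1; }
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    gen_rules
fi
```

With ufw the same rules land in `/etc/ufw/user.rules` as mentioned in the comments; the point to carry over is that `-o $LAN_IF` in OUTPUT plus a DROP policy in FORWARD already expresses "only traffic from this machine", so the DHCP lease can change without touching the firewall.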

0 Answers