rule in RAW table - PREROUTING
by vincix from LinuxQuestions.org on (#5120N)
I'm trying to understand all in all how WireGuard adds its routing and how it makes use of RPDB and all that.
So I'd like to understand the idea behind creating a DROP rule in the raw table in the PREROUTING chain. This is on the client side.
Code:
iptables -t raw -vnL
Chain PREROUTING (policy ACCEPT 61 packets, 9456 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- !wg0-client * 0.0.0.0/0 10.200.200.2 ADDRTYPE match src-type !LOCAL /* wg-quick(8) rule for wg0-client */
Chain OUTPUT (policy ACCEPT 406 packets, 40143 bytes)
pkts bytes target prot opt in out source destination

So as I understand it, all packets that don't stem from the WireGuard interface (wg0-client), whose destination is 10.200.200.2 (the IP assigned on the VPN interface) and whose source IP is not locally assigned on any interface are DROPPED.
Of course, the context is bigger; as I said, it's related to RPDB and also to rules added in the mangle table. I'm not sure if this rule can be discussed somehow independently of the other rules.
An additional question would be: why doesn't OpenVPN do something similar, for instance? What's the advantage of such an approach?
For reference, this is how the mangle table looks:
Code:
iptables -t mangle -vnL
Chain PREROUTING (policy ACCEPT 627 packets, 55910 bytes)
pkts bytes target prot opt in out source destination
77 5556 CONNMARK udp -- * * 0.0.0.0/0 0.0.0.0/0 /* wg-quick(8) rule for wg0-client */ CONNMARK restore
Chain INPUT (policy ACCEPT 627 packets, 55910 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1757 packets, 148K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1757 packets, 148K bytes)
pkts bytes target prot opt in out source destination
886 104K CONNMARK udp -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0xca6c /* wg-quick(8) rule for wg0-client */ CONNMARK save

And the ip rules:
Code:
ip rule
0: from all lookup local
32764: from all lookup main suppress_prefixlength 0
32765: not from all fwmark 0xca6c lookup 51820
32766: from all lookup main
32767: from all lookup default
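The following is an added example, not code from the post above or from wg-quick itself. It models the two rule sets quoted in the post (the raw/PREROUTING DROP rule and the ip rule priority list) as plain Python so that constructed sample packets can be classified offline, without root or netfilter. The interface name eth0, the set of addresses assumed to be LOCAL on the host, and the sample source addresses are assumptions; wg0-client, 10.200.200.2, the mark 0xca6c and table 51820 are taken from the post.

```python
"""Model of the wg-quick(8) client-side rules quoted in the post above.

Added example; it is not code from the original post or from wg-quick.
It models the raw/PREROUTING DROP rule and the RPDB lookup order so that
sample packets can be classified offline, without root or netfilter.
Interface names other than wg0-client, the LOCAL address set and the
sample source addresses are constructed assumptions.
"""
from dataclasses import dataclass
import ipaddress

WG_IFACE = "wg0-client"                          # from the post
WG_ADDR = ipaddress.ip_address("10.200.200.2")   # tunnel address, from the post
WG_MARK = 0xCA6C                                 # fwmark used by wg-quick, from the post
WG_TABLE = "51820"                               # routing table, from the post

# Addresses the kernel would report as src-type LOCAL on this host (assumed).
LOCAL_ADDRS = frozenset(
    ipaddress.ip_address(a) for a in ("127.0.0.1", "192.168.1.10", "10.200.200.2")
)


@dataclass(frozen=True)
class Packet:
    in_iface: str    # interface the packet arrived on ("lo" for locally generated)
    src: str
    dst: str
    fwmark: int = 0  # 0xca6c after CONNMARK restore on the encapsulated UDP flow


def raw_prerouting(pkt: Packet, local_addrs=LOCAL_ADDRS) -> str:
    """Evaluate the chain from the post:
         ! -i wg0-client -d 10.200.200.2 -m addrtype ! --src-type LOCAL -j DROP
       followed by the chain policy ACCEPT.
    """
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    not_from_tunnel = pkt.in_iface != WG_IFACE
    to_tunnel_addr = dst == WG_ADDR
    src_not_local = src not in local_addrs
    if not_from_tunnel and to_tunnel_addr and src_not_local:
        return "DROP"
    return "ACCEPT"


def rpdb_lookup(fwmark: int, main_has_specific_route: bool) -> str:
    """Walk the ip rule list from the post in priority order and return the
    table whose lookup succeeds:
      32764: from all lookup main suppress_prefixlength 0
             -> main is consulted, but a match on a /0 (default) route is
                suppressed, so only a more specific route (LAN prefix,
                endpoint host route) can win here.
      32765: not from all fwmark 0xca6c lookup 51820
             -> unmarked traffic is resolved in the wg-quick table, which
                carries the default route through the tunnel.
      32766: from all lookup main
             -> remaining (marked) traffic, i.e. the encapsulated UDP to the
                peer endpoint, uses main's default route via the physical NIC.
    """
    if main_has_specific_route:
        return "main"
    if fwmark != WG_MARK:
        return WG_TABLE
    return "main"


def classify_samples() -> dict:
    """Constructed sample packets run through the raw PREROUTING model."""
    samples = {
        # packet from outside aimed at the tunnel address via the physical NIC
        "internet_to_tunnel_addr": Packet("eth0", "203.0.113.5", "10.200.200.2"),
        # packet decapsulated by WireGuard, arriving on wg0-client
        "peer_via_tunnel": Packet("wg0-client", "10.200.200.1", "10.200.200.2"),
        # ordinary traffic to the host's LAN address is untouched
        "internet_to_lan_addr": Packet("eth0", "203.0.113.5", "192.168.1.10"),
        # loopback traffic to the tunnel address has a LOCAL source
        "loopback_to_tunnel_addr": Packet("lo", "10.200.200.2", "10.200.200.2"),
    }
    return {name: raw_prerouting(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:26} -> {verdict}")
    print("unmarked, no specific route ->", rpdb_lookup(0, False))
    print("marked UDP to endpoint      ->", rpdb_lookup(WG_MARK, False))
```

Run as a script it prints the verdicts for the four constructed packets. The model makes the rule's purpose visible: only the combination "arrived on something other than the tunnel interface, addressed to the tunnel IP, from a non-local source" is dropped, so the tunnel address cannot be reached from the physical network while local traffic (the ADDRTYPE !LOCAL exception) and genuinely decapsulated traffic are untouched. The pkts counter of 0 on that rule in the post's listing is the practical check: nothing has yet tried to reach 10.200.200.2 from outside the tunnel. The rpdb_lookup function shows the other half of the design: unmarked traffic is resolved in table 51820, while the UDP flow marked 0xca6c by CONNMARK restore falls through to main and leaves via the physical interface.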