[ovs-discuss] OVS + OpenVPN + firewall

Klaus Hochlehnert Mailings at kh-dev.de
Fri Dec 6 18:31:07 UTC 2013


Just in case anyone else is interested. After some testing it works for me...

# Delete old rules for source ip
ovs-ofctl del-flows br0 "in_port=51,table=0,ip,vlan_tci=0x0000,nw_src=10.134.38.194/32"
# Default action for source ip
ovs-ofctl add-flow br0 "in_port=51,table=0,ip,vlan_tci=0x0000,idle_timeout=0,nw_src=10.134.38.194/32,priority=1,actions=drop"
# Allow ping, DNS and RDP
ovs-ofctl add-flow br0 "in_port=51,table=0,ip,vlan_tci=0x0000,idle_timeout=0,nw_src=10.134.38.194/32,priority=2,nw_proto=1,actions=normal"
ovs-ofctl add-flow br0 "in_port=51,table=0,udp,vlan_tci=0x0000,idle_timeout=0,nw_src=10.134.38.194/32,priority=2,tp_dst=53,actions=normal"
ovs-ofctl add-flow br0 "in_port=51,table=0,tcp,vlan_tci=0x0000,idle_timeout=0,nw_src=10.134.38.194/32,priority=2,tp_dst=3389,actions=normal"

You need to change in_port and nw_src to your real values.
Also, when openvpn isn't running as root, you must use sudo without a password.

Regards, Klaus

-----Original Message-----
From: Ben Pfaff [mailto:blp at nicira.com] 
Sent: Friday, December 06, 2013 6:13 PM
To: Klaus Hochlehnert
Cc: 'discuss at openvswitch.org'
Subject: Re: [ovs-discuss] OVS + OpenVPN + firewall

ovs-ofctl(8)?

On Fri, Dec 06, 2013 at 04:52:26PM +0000, Klaus Hochlehnert wrote:
> Never used this before.
> Maybe any hint (link, ...)?
> 
> -----Original Message-----
> From: Ben Pfaff [mailto:blp at nicira.com] 
> Sent: Friday, December 06, 2013 5:43 PM
> To: Klaus Hochlehnert
> Cc: 'discuss at openvswitch.org'
> Subject: Re: [ovs-discuss] OVS + OpenVPN + firewall
> 
> On Fri, Dec 06, 2013 at 04:32:44PM +0000, Klaus Hochlehnert wrote:
> > currently I'm using OVS together with OpenVPN.
> > Now I want to restrict access of some (not all) VPN clients to DNS and RDP.
> > 
> > I've seen that iptables is not working.
> > Is here any other way to apply firewall rules?
> 
> OpenFlow?
> 
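
The rule set Klaus posted above, wrapped into shell functions so it can be re-applied for each VPN client instead of edited by hand. This is an added example, not Klaus's script and not part of Open vSwitch or OpenVPN; the BRIDGE and OVS_OFCTL variables, the "icmp"/"udp:port"/"tcp:port" service syntax and the apply_client_rules name are assumptions of this example. It generalizes the post slightly: any list of services can be allowed, an unknown service is rejected before anything is deleted, and setting OVS_OFCTL=echo prints the ovs-ofctl commands instead of running them.

```shell
#!/bin/sh
# Added example (not Klaus's script): per-client allow-list for OVS in the
# style of the post. Everything from the client's VPN address is dropped
# (priority 1) except the listed services (priority 2, actions=normal).
# Assumptions: bridge name, port number, and the service syntax below.
set -u

BRIDGE="${BRIDGE:-br0}"
OVS_OFCTL="${OVS_OFCTL:-ovs-ofctl}"   # set OVS_OFCTL=echo to dry-run

# Match fields shared by every rule for one client.
# $1 = in_port (the OpenVPN tap port on the bridge), $2 = client IPv4
client_match() {
    printf 'in_port=%s,table=0,vlan_tci=0x0000,nw_src=%s/32' "$1" "$2"
}

# Lowest-priority rule: all IP traffic from this client is dropped
# unless a higher-priority allow rule matches.
drop_flow() {
    printf '%s,ip,idle_timeout=0,priority=1,actions=drop' "$(client_match "$1" "$2")"
}

# Allow rule for one service. $3 is "icmp", "udp:<port>" or "tcp:<port>".
# Prints nothing and returns 1 for anything else, so a typo in the
# service list cannot silently widen what the client may reach.
allow_flow() {
    case "$3" in
        icmp)        extra='ip,nw_proto=1' ;;
        udp:[0-9]*)  extra="udp,tp_dst=${3#udp:}" ;;
        tcp:[0-9]*)  extra="tcp,tp_dst=${3#tcp:}" ;;
        *)           return 1 ;;
    esac
    printf '%s,%s,idle_timeout=0,priority=2,actions=normal' \
        "$(client_match "$1" "$2")" "$extra"
}

# Replace the client's rule set. $1 = in_port, $2 = client IP,
# remaining arguments = services to allow. Every flow is built and
# validated before the old rules are deleted, so a bad service list
# leaves the existing rules in place rather than leaving the client
# with no rules at all.
apply_client_rules() {
    port="$1"; ip="$2"; shift 2
    flows="$(drop_flow "$port" "$ip")"
    for svc in "$@"; do
        f="$(allow_flow "$port" "$ip" "$svc")" || {
            echo "apply_client_rules: unknown service '$svc'" >&2
            return 1
        }
        flows="$flows
$f"
    done
    # Same sequence as the post: delete the client's old IP rules, then add.
    "$OVS_OFCTL" del-flows "$BRIDGE" "$(client_match "$port" "$ip"),ip"
    printf '%s\n' "$flows" | while IFS= read -r f; do
        "$OVS_OFCTL" add-flow "$BRIDGE" "$f"
    done
}

# Usage, reproducing the post's policy (ping, DNS, RDP) for in_port 51:
#   apply_client_rules 51 10.134.38.194 icmp udp:53 tcp:3389
```

Because the allow rules only match traffic that arrives on the OpenVPN port from the client's own /32, a client that changes its source address falls through to the default drop rule for that address only; the script must be run once per client address, which is why the in_port and IP are parameters rather than constants.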