After upgrading to 384.10_2 recently, I took a look at the automatic firewall rules created for the OpenVPN server. The short script on my router looks like this.

Code:
#!/bin/sh
# Skip the nat table for inbound packets to the OpenVPN port
iptables -t nat -I PREROUTING -p udp --dport 1194 -j ACCEPT
# Allow the OpenVPN port through the INPUT chain
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
# Allow traffic arriving on the tunnel interface to reach the LAN subnet
iptables -I OVPN -i tun21 -d 192.168.9.0/24 -j ACCEPT
# Set mark 0x01 (in the low three bits) on packets arriving from the tunnel
iptables -t mangle -I PREROUTING -i tun21 -j MARK --set-mark 0x01/0x7

The first rule above looked interesting to me because the target ACCEPT is normally never used with the nat table. Also, the rule is inserted at the very top (i.e. first) of the PREROUTING chain, which is somewhat unusual too.
I did some digging and found the following paragraph in the Linux iptables Pocket Reference.
If you want certain packets to bypass NAT, you can write
rules that match the packets you are interested in and jump
to the special target ACCEPT. You need to have such rules
before your other NAT rules.
iptables -t nat -i eth1 ... -j ACCEPT
This explains what the rule is doing but not why it is being done.
Am I correct that the purpose of this rule is performance enhancement? In other words, bypassing NAT will speed up the VPN?
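As an added illustration of the ordering requirement in the quoted paragraph ("you need to have such rules before your other NAT rules"), here is a small Python model of first-match traversal in the nat PREROUTING chain. It is example code written for this page, not part of the original post and not the firmware's own code, and it deliberately simplifies: it models only the destination side of a flow, and the WAN address, the LAN host and the port-forward rule that also matches udp/1194 are constructed assumptions. It shows two things iptables does that the post touches on: an ACCEPT placed first with `-I` stops the chain before any DNAT rule can rewrite the packet, whereas the same rule appended with `-A` would lose to an earlier port forward; and the nat chain is walked only for the first packet of a connection, with the decision (including "no NAT") then reused from the conntrack entry for the rest of the flow.

```python
from dataclasses import dataclass
from typing import Optional, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int


@dataclass
class Rule:
    target: str                    # "ACCEPT" or "DNAT"
    proto: Optional[str] = None
    dport: Optional[int] = None
    to: Optional[str] = None       # DNAT destination as "ip:port"

    def matches(self, pkt: Packet) -> bool:
        return (self.proto is None or self.proto == pkt.proto) and (
            self.dport is None or self.dport == pkt.dport)


class NatPrerouting:
    """First-match chain plus a conntrack-style cache of the NAT decision."""

    def __init__(self) -> None:
        self.chain: List[Rule] = []
        self.conntrack: Dict[Tuple[str, str, int], Optional[str]] = {}
        self.walks = 0                      # how many times the chain was traversed

    def insert(self, rule: Rule) -> None:   # iptables -t nat -I PREROUTING ...
        self.chain.insert(0, rule)          # goes to the top of the chain

    def append(self, rule: Rule) -> None:   # iptables -t nat -A PREROUTING ...
        self.chain.append(rule)             # goes to the end of the chain

    def route(self, pkt: Packet) -> str:
        """Destination (ip:port) the packet is delivered to after nat PREROUTING."""
        flow = (pkt.proto, pkt.dst, pkt.dport)
        if flow not in self.conntrack:      # only the first packet of a flow walks the chain
            self.walks += 1
            decision = None                 # no matching rule: no NAT either
            for rule in self.chain:
                if rule.matches(pkt):
                    # ACCEPT and DNAT both terminate traversal; only DNAT rewrites
                    decision = rule.to if rule.target == "DNAT" else None
                    break
            self.conntrack[flow] = decision
        target = self.conntrack[flow]
        return target if target is not None else f"{pkt.dst}:{pkt.dport}"


WAN_IP = "203.0.113.10"                     # assumed router WAN address (documentation range)


def build(use_insert: bool) -> NatPrerouting:
    nat = NatPrerouting()
    # Assumed pre-existing port forward that also matches udp/1194 (constructed
    # to make the ordering visible; not something the original post shows).
    nat.append(Rule("DNAT", proto="udp", dport=1194, to="192.168.9.50:1194"))
    bypass = Rule("ACCEPT", proto="udp", dport=1194)
    if use_insert:
        nat.insert(bypass)                  # what the firmware script does (-I)
    else:
        nat.append(bypass)                  # what -A would have done instead
    return nat


def deliver(use_insert: bool) -> str:
    """Where an inbound udp/1194 packet ends up under each rule placement."""
    return build(use_insert).route(Packet("udp", WAN_IP, 1194))


def chain_walks(n_packets: int) -> int:
    """Number of nat chain traversals for n packets of the same flow."""
    nat = build(True)
    for _ in range(n_packets):
        nat.route(Packet("udp", WAN_IP, 1194))
    return nat.walks


if __name__ == "__main__":
    print("with -I:", deliver(True))        # 203.0.113.10:1194 (NAT bypassed)
    print("with -A:", deliver(False))       # 192.168.9.50:1194 (port forward wins)
    print("chain walks for 5 packets:", chain_walks(5))   # 1
```

The model says nothing about speed; it only shows what the placement of the rule does. On the router itself, `iptables -t nat -L PREROUTING -n -v --line-numbers` shows the rule's position in the chain and its packet/byte counters, so you can confirm both that it sits at line 1 and that inbound OpenVPN packets are actually hitting it.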