[Question] Block iodine server traffic to internal net: how?

M66B

Member
Member since
17 Feb 2010
Posts
225
Reaction score
0
Points
0
I am trying to block traffic from the iodine server (device dns0) to the internal net (192.178.168.0/24) and the box itself. I have tried the following rules, but they appear not to block the internal traffic.

Code:
iptables -A FORWARD -i dns0 -o dsl -j ACCEPT
iptables -A FORWARD -i dns0 -j DROP

Even if I do:

Code:
iptables -I INPUT -i dns0 -j DROP
iptables -I OUTPUT -o dns0 -j DROP
iptables -I FORWARD -i dns0 -j DROP
iptables -I FORWARD -o dns0 -j DROP

traffic from the tunnel to the internal net is flowing.

Maybe I am overlooking something obvious? Any advice?
 
It appeared that if you make an iodine tunnel via your local net, traffic to your local net is still routed through the existing adapter (wlan0 on my Android device). So, I indeed overlooked something obvious. There is no need to prevent this, and the iodine server itself should be reachable anyway for the tunnel to work.

I have added the first set of rules to the iodine package description in a new section, Security. Of course you can always allow specific traffic from the tunnel to your local net, for example SSH, by using something like:

Code:
iptables -I FORWARD -i dns0 -p tcp --dport 22 -j ACCEPT

IMHO iodine with these firewall rules is as safe as dns2tcp now, with the advantage that you can use Windows and Android clients too.
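As an added illustration (not part of the post or of the iodine package), a small Python model of the two mechanisms this thread turns on: the client's longest-prefix routing decision, which sends LAN traffic out wlan0 rather than into dns0, and first-match evaluation of the server-side FORWARD rules quoted above. The client routing table, the interface name "lan0" and the ACCEPT chain policy are assumptions.

```python
import ipaddress

# Constructed routing table of the iodine *client* (the Android device in the
# post): the Wi-Fi net stays on wlan0, only the default route enters the tunnel.
CLIENT_ROUTES = [
    ("192.178.168.0/24", "wlan0"),  # internal net as written in the post
    ("0.0.0.0/0", "dns0"),          # default route via the iodine tunnel
]

def egress_interface(dst, routes=CLIENT_ROUTES):
    """Longest-prefix match: the most specific matching route wins."""
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None

# The server-side FORWARD rules from the post in iptables evaluation order:
# the later "-I" SSH rule is inserted at the top, the two "-A" rules follow.
# Fields: in-interface, out-interface, protocol, destination port, target;
# None means "not given on the command line", i.e. it matches anything.
SERVER_FORWARD = [
    ("dns0", None, "tcp", 22, "ACCEPT"),    # -I FORWARD -i dns0 -p tcp --dport 22 -j ACCEPT
    ("dns0", "dsl", None, None, "ACCEPT"),  # -A FORWARD -i dns0 -o dsl -j ACCEPT
    ("dns0", None, None, None, "DROP"),     # -A FORWARD -i dns0 -j DROP
]
FORWARD_POLICY = "ACCEPT"  # assumed chain policy; the post does not state it

def forward_verdict(pkt, rules=SERVER_FORWARD, policy=FORWARD_POLICY):
    """First matching rule decides, as in iptables; else the chain policy applies."""
    for in_if, out_if, proto, dport, target in rules:
        if in_if is not None and pkt.get("in") != in_if:
            continue
        if out_if is not None and pkt.get("out") != out_if:
            continue
        if proto is not None and pkt.get("proto") != proto:
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return target
    return policy

if __name__ == "__main__":
    # A LAN host is reached over wlan0, so the server's dns0 rules never see it.
    print(egress_interface("192.178.168.20"))  # wlan0
    # Tunnel traffic for the LAN that does reach the server is dropped unless SSH.
    print(forward_verdict({"in": "dns0", "out": "lan0", "proto": "tcp", "dport": 445}))  # DROP
```

Because the LAN route is more specific than the tunnel's default route, the packets the original question tried to block never traverse dns0 on the server; the DROP rule only matters for clients that deliberately route LAN destinations into the tunnel.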
 