Question about iptables firewall command

FlashGordon649

I am posting this here because I couldn't make an account with dd-wrt.com

I am using firewall commands that I found on a forum to ensure that all traffic passing through my router is being sent out over OpenVPN. It seems to work okay after some testing. In my firewall rules there are 5 iptables commands, one per line. I understand the first three lines but not the fourth and fifth lines. They are as follows:

iptables -I FORWARD -i br0 -o tun0 -j ACCEPT          # allow forwarding from the LAN bridge (br0) into the VPN tunnel (tun0); -I inserts at the top of the chain
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT          # allow forwarding from the VPN tunnel (tun0) back to the LAN bridge (br0)
iptables -I FORWARD -i br0 -o vlan2 -j DROP           # never forward LAN traffic straight out the WAN interface (vlan2), silently discard it
iptables -I INPUT -i tun0 -j REJECT                   # refuse packets arriving from the tunnel that are addressed to the router itself (REJECT answers with an ICMP error, DROP would stay silent)
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE  # source NAT: rewrite the source address of packets leaving via tun0 to tun0's own address; -A appends to the end of the nat chain

I have read the iptables man page and I believe I understand the first 3 commands. The first command I believe forwards all traffic from br0 to tun0 and the second command does the same thing in reverse. This should ensure all traffic goes out over the VPN, assuming br0 is my Ethernet ports and wifi connections. The third command seems to DROP or reject any traffic from br0 to vlan2, assuming vlan2 is my WAN. This should prevent any traffic from accidentally going out using my real IP address.

I do not understand lines 4 and 5. It looks like 4 is rejecting input from tun0, but I don't really know what that means or why it keeps me safe. As for line 5, it seems like MASQUERADE has something to do with IP spoofing using the nat table, but I cannot understand really what is happening here or why it also keeps me safe. Can someone explain these two commands to me in terms I can understand? There is only so much I can understand from the syntax.
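Added illustration, not part of the forum post above: a small Python model of the path a packet takes through the five rules. It is a simplified imitation of netfilter's first-match chain walk, routing decision and connection tracking, not iptables itself, and the interface roles (br0 = LAN, vlan2 = WAN, tun0 = OpenVPN), the addresses, the chain policies and the assumption that OpenVPN has replaced the default route with one via tun0 are all assumptions made for the example. It walks a LAN host's request out through tun0 to show that MASQUERADE rewrites the source address to tun0's own address and remembers the mapping so the reply can be translated back to the LAN host (the VPN server only ever sees the tunnel address, never the LAN address), shows that rule 4 rejects anything arriving from the tunnel that is addressed to the router itself, and shows rule 3 dropping LAN traffic when the tunnel is down and the default route has fallen back to vlan2.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Assumed addressing for the model (not from the post).
ROUTER_LAN_IP = "192.168.1.1"   # router's address on br0 (LAN bridge)
ROUTER_TUN_IP = "10.8.0.2"      # address the VPN server assigned to tun0
ROUTER_WAN_IP = "203.0.113.7"   # router's real public address on vlan2
LAN_PREFIX = "192.168.1."


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: Optional[str] = None  # filled in by the routing decision; None = for the router itself


def insert(chain, **rule):
    """iptables -I: put the rule at the head of the chain."""
    chain.insert(0, rule)


def append(chain, **rule):
    """iptables -A: put the rule at the tail of the chain."""
    chain.append(rule)


# The five commands from the post, entered in the order they were typed.
# Because -I inserts at the top, the effective FORWARD order is 3, 2, 1.
FORWARD, INPUT, POSTROUTING = [], [], []
insert(FORWARD, in_if="br0", out_if="tun0", target="ACCEPT")   # rule 1
insert(FORWARD, in_if="tun0", out_if="br0", target="ACCEPT")   # rule 2
insert(FORWARD, in_if="br0", out_if="vlan2", target="DROP")    # rule 3
insert(INPUT, in_if="tun0", target="REJECT")                    # rule 4
append(POSTROUTING, out_if="tun0", target="MASQUERADE")         # rule 5

# Assumed chain policies used when no rule matches (the router's real defaults may differ).
POLICY = {"FORWARD": "ACCEPT", "INPUT": "ACCEPT"}

# Connection-tracking table for MASQUERADE: (remote peer, tunnel address) -> original LAN source.
nat_table = {}


def first_match(chain, pkt, policy):
    """Netfilter semantics: walk the chain top to bottom; the first matching rule decides."""
    for rule in chain:
        if all(rule.get(k, getattr(pkt, k)) == getattr(pkt, k) for k in ("in_if", "out_if")):
            return rule["target"]
    return policy


def route(dst, vpn_up):
    """Routing decision. None means the packet is for the router itself (INPUT chain)."""
    if dst in (ROUTER_LAN_IP, ROUTER_TUN_IP, ROUTER_WAN_IP):
        return None
    if dst.startswith(LAN_PREFIX):
        return "br0"
    # Assumption: OpenVPN pushed a default route via tun0; if the tunnel is
    # down, the default route falls back to the real WAN interface.
    return "tun0" if vpn_up else "vlan2"


def walk(pkt, vpn_up=True):
    """Return (verdict, packet as it leaves the router) for one packet."""
    # 1. Reverse NAT for replies to a masqueraded connection (conntrack / nat PREROUTING).
    if (pkt.src, pkt.dst) in nat_table:
        pkt = replace(pkt, dst=nat_table[(pkt.src, pkt.dst)])
    # 2. Routing decision picks the outgoing interface.
    pkt = replace(pkt, out_if=route(pkt.dst, vpn_up))
    # 3. Packets for the router itself go through INPUT; everything else through FORWARD.
    if pkt.out_if is None:
        return first_match(INPUT, pkt, POLICY["INPUT"]), pkt
    verdict = first_match(FORWARD, pkt, POLICY["FORWARD"])
    if verdict != "ACCEPT":
        return verdict, pkt
    # 4. nat POSTROUTING: MASQUERADE rewrites the source to the outgoing
    #    interface's address and records the mapping so the reply can be undone.
    if first_match(POSTROUTING, pkt, "RETURN") == "MASQUERADE":
        nat_table[(pkt.dst, ROUTER_TUN_IP)] = pkt.src
        pkt = replace(pkt, src=ROUTER_TUN_IP)
    return verdict, pkt


if __name__ == "__main__":
    lan_host = "192.168.1.10"  # constructed LAN client
    print("LAN -> internet, VPN up:   ", walk(Packet(lan_host, "8.8.8.8", "br0")))
    print("reply from internet:       ", walk(Packet("8.8.8.8", ROUTER_TUN_IP, "tun0")))
    print("VPN peer -> router itself: ", walk(Packet("10.8.0.1", ROUTER_TUN_IP, "tun0")))
    print("LAN -> internet, VPN down: ", walk(Packet(lan_host, "8.8.8.8", "br0"), vpn_up=False))
    print("LAN -> router's LAN side:  ", walk(Packet(lan_host, ROUTER_LAN_IP, "br0")))
```

The model keeps only interface matching and a source/destination-keyed NAT table; real conntrack also keys on protocol and ports, and real DD-WRT rule sets contain many rules besides these five, so treat the output as an explanation of the five lines, not as a leak test for the router.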