How do I insert the iptables rule below using firewalld?

I'm moving up from CentOS 6 to 7 on an office gateway and I'm trying to get OpenVPN working to allow home workers to access PCs at the office. I've got it all working but only by manually inserting an ACCEPT rule in the FORWARD iptables chain:

    iptables -I FORWARD 3 -i tun+ -j ACCEPT

This rule was extracted from my iptables firewall under CentOS 6. The 3 puts it after the accepts for established connections and loopback connections, but before any firewalld sub-chains. With this I can connect to an internal Windows 10 system with Remote Desktop.

How can I inject this rule using firewalld, either as a direct rule or as some more firewalld-approved kind of rule?
On 29.12.2017 at 10:32, Kenneth Porter wrote:
> How do I insert the iptables rule below using firewalld?
>
> I'm moving up from CentOS 6 to 7 on an office gateway and I'm trying
> to get OpenVPN working to allow home workers to access PCs at the
> office. I've got it all working but only by manually inserting an
> ACCEPT rule in the FORWARD iptables chain:
>
>     iptables -I FORWARD 3 -i tun+ -j ACCEPT
>
> This rule was extracted from my iptables firewall under CentOS 6. The 3
> puts it after the accepts for established connections and loopback
> connections, but before any firewalld sub-chains. With this I can
> connect to an internal Windows 10 system with Remote Desktop.
>
> How can I inject this rule using firewalld, either as a direct rule or
> as some more firewalld-approved kind of rule?

Hi,

firstly check which zone your interface is in:

    bash> firewall-cmd --get-active-zones

then all you have to do is add a service to the firewall:

    firewall-cmd --zone=<INSERT YOUR ZONE> --add-service=openvpn --permanent

assuming that your OpenVPN is running on the standard port 1194/tcp|udp. If not, then modify the firewall-cmd rule and add your port/proto, e.g.:

    firewall-cmd --zone=<INSERT YOUR ZONE> --add-port=11193/tcp

I hope this will help you,

--
Pozdrawiam / Best regards
Wojciech Łysiak
On 12/29/2017 3:59 AM, Wojciech Łysiak wrote:
> firstly check which zone your interface is in:
>
>     bash> firewall-cmd --get-active-zones
>
> then all you have to do is add a service to the firewall:
>
>     firewall-cmd --zone=<INSERT YOUR ZONE> --add-service=openvpn --permanent
>
> assuming that your OpenVPN is running on the standard port 1194/tcp|udp.
> If not, then modify the firewall-cmd rule and add your port/proto, e.g.:
>
>     firewall-cmd --zone=<INSERT YOUR ZONE> --add-port=11193/tcp

That opens the physical Ethernet interface to allow the raw SSL connection from the client into the server. It doesn't open a connection for the tunnel (tun0 interface) that's been created by the OpenVPN service to forward packets to the internal LAN zone.

I tried adding the tun0 interface to the internal zone and firewall-cmd told me tun0 was managed by NetworkManager. After that it didn't show tun0 as a member of any zone.

    # firewall-cmd --zone=internal --add-interface=tun0
    The interface is under control of NetworkManager, setting zone to 'internal'.
    success
    # firewall-cmd --list-all-zones
    (long list of zones, none of which have tun0 in their interfaces field)
On Fri, December 29, 2017 3:32 am, Kenneth Porter wrote:
> How do I insert the iptables rule below using firewalld?
>
> I'm moving up from CentOS 6 to 7 on an office gateway and I'm trying to
> get OpenVPN working to allow home workers to access PCs at the office. I've
> got it all working but only by manually inserting an ACCEPT rule in the
> FORWARD iptables chain:
>
>     iptables -I FORWARD 3 -i tun+ -j ACCEPT
>
> This rule was extracted from my iptables firewall under CentOS 6. The 3
> puts it after the accepts for established connections and loopback
> connections, but before any firewalld sub-chains. With this I can connect
> to an internal Windows 10 system with Remote Desktop.
>
> How can I inject this rule using firewalld, either as a direct rule or as
> some more firewalld-approved kind of rule?

This is not an answer to your questions, still I will mention it anyway. I use pfSense for the same, and it installs seamlessly, is configured easily (through a web interface), and works reliably. Also: it is really very lightweight on hardware demands and has quite a small footprint. It is based on FreeBSD. If I were replacing/upgrading any firewall/gateway/... VPN... I would definitely consider pfSense (add it to my scope of candidates):

https://www.pfsense.org/

I hope this helps.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On 29/12/2017 at 10:32, Kenneth Porter wrote:
> How do I insert the iptables rule below using firewalld?
>
> I'm moving up from CentOS 6 to 7 on an office gateway and I'm trying
> to get OpenVPN working to allow home workers to access PCs at the
> office. I've got it all working but only by manually inserting an
> ACCEPT rule in the FORWARD iptables chain:
>
>     iptables -I FORWARD 3 -i tun+ -j ACCEPT
>
> This rule was extracted from my iptables firewall under CentOS 6. The 3
> puts it after the accepts for established connections and loopback
> connections, but before any firewalld sub-chains. With this I can
> connect to an internal Windows 10 system with Remote Desktop.
>
> How can I inject this rule using firewalld, either as a direct rule or
> as some more firewalld-approved kind of rule?

You could perhaps look at this link on adding the OpenVPN service to firewalld:

https://unix.stackexchange.com/questions/149144/configuring-openvpn-to-use-firewalld-instead-of-iptables-on-centos-7

Alain

--
System/Network Administrator
C2N (ex LPN)
Centre de Nanosciences et Nanotechnologies (UMR 9001)
Site de Marcoussis, Data IV, route de Nozay - 91460 Marcoussis
Tel : 01-69-63-61-34
--On Friday, December 29, 2017 5:41 PM +0100 Alain Péan <alain.pean at c2n.upsaclay.fr> wrote:
> https://unix.stackexchange.com/questions/149144/configuring-openvpn-to-use-firewalld-instead-of-iptables-on-centos-7

Alas, this doesn't seem to allow forwarding from the tun0 device. That's the setup I had that failed. I needed the direct rule to allow forwarding from tun0 to get packets delivered to PCs on my LAN. Without that, the remote PC can only access the VPN server itself and not the internal PCs behind it.

It's also necessary for the LAN PCs to know that the addresses in the VPN must be routed through this gateway, but that's a given since this is also the Internet gateway for the LAN. Their default route takes care of that. If you run a separate VPN concentrator, you may need to advertise a route on the LAN (via DHCP) or add a route on your Internet gateway to the separate concentrator for your VPN netblock so the return packets find their way back to the tun device.

My OpenVPN server config includes a line to push a route to the remote clients for the office's LAN net block:

    push "route 192.168.20.0 255.255.255.0"
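The direct-rule form of the FORWARD accept asked for in the opening message, together with a helper for the zone check suggested in the first reply, as an added example that is not part of this thread. It assumes firewalld's iptables backend as shipped with CentOS 7, where the FORWARD chain jumps to FORWARD_direct after the established/related and loopback accepts and before the zone chains, so a priority-0 direct rule lands where the old "position 3" rule sat. The rule list and zone list it parses are the text formats printed by `firewall-cmd --direct --get-all-rules` and `firewall-cmd --get-active-zones`; the sample outputs inside the script are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Expresses
#     iptables -I FORWARD 3 -i tun+ -j ACCEPT
# as a firewalld direct rule and verifies it from firewall-cmd output.
# Assumption: firewalld's iptables backend on CentOS 7, where FORWARD jumps
# to FORWARD_direct after the established/loopback accepts and before the
# zone chains, so priority 0 here corresponds to the old position 3.

# Direct-rule arguments: family, table, chain, priority, then the iptables args.
VPN_FWD_RULE="ipv4 filter FORWARD 0 -i tun+ -j ACCEPT"

# Add the rule to the permanent config and to the running firewall, so it
# survives a reboot without needing a --reload right now.
apply_vpn_forward_rule() {
    # word-splitting of $VPN_FWD_RULE into separate arguments is intended
    firewall-cmd --permanent --direct --add-rule $VPN_FWD_RULE &&
    firewall-cmd --direct --add-rule $VPN_FWD_RULE
}

# Read the output of `firewall-cmd --direct --get-all-rules` on stdin (one
# rule per line in the same "family table chain priority args" form) and
# succeed only if our rule is listed.
has_vpn_forward_rule() {
    grep -Fxq "$VPN_FWD_RULE"
}

# Read the output of `firewall-cmd --get-active-zones` on stdin and print the
# zone containing interface $1 (nothing if it is in no zone). The format is an
# unindented zone name followed by indented "interfaces: ..." / "sources: ..."
# lines, which is why an interface missing from every zone prints nothing.
zone_of_interface() {
    awk -v ifname="$1" '
        /^[^ \t]/ { zone = $1; next }
        $1 == "interfaces:" {
            for (i = 2; i <= NF; i++)
                if ($i == ifname) { print zone; exit }
        }'
}

if [ "${1:-}" = "--apply" ]; then
    # Real run: needs root and a running firewalld.
    apply_vpn_forward_rule &&
        firewall-cmd --direct --get-all-rules | has_vpn_forward_rule &&
        echo "VPN forward rule is active"
else
    # Dry run against constructed sample output, so this works on any machine.
    sample_zones='public
  interfaces: eth0
internal
  interfaces: eth1 tun0'
    echo "tun0 is in zone: $(printf '%s\n' "$sample_zones" | zone_of_interface tun0)"
    printf '%s\n' "$VPN_FWD_RULE" | has_vpn_forward_rule && echo "sample rule list contains the VPN rule"
fi
```

Run it with `--apply` as root to install the rule; without arguments it only exercises the parsers on the constructed samples. Because a direct rule is placed into FORWARD_direct rather than into a zone, it does not depend on tun0 being assigned to a zone at all, which sidesteps the NetworkManager hand-off reported earlier in the thread. The same `--add-rule` syntax accepts any further iptables matches, so if VPN clients only need Remote Desktop to the office LAN, appending something like `-d 192.168.20.0/24 -p tcp --dport 3389` narrows what the tunnel can reach compared with the blanket `-i tun+ -j ACCEPT`.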