On Fri, Dec 29, 2017 at 10:32 AM, Kenneth Porter <shiva at sewingwitch.com> wrote:
> How do I insert the iptables rule below using firewalld?
>
> I'm moving up from CentOS 6 to 7 on an office gateway and I'm trying to
> get OpenVPN working to allow home workers to access PCs at the office. I've
> got it all working but only by manually inserting an ACCEPT rule in the
> FORWARD iptables chain:
>
> iptables -I FORWARD 3 -i tun+ -j ACCEPT
>
> This rule was extracted from my iptables firewall under CentOS6. The 3
> puts it after the accepts for established connections and loopback
> connections, but before any firewalld sub-chains. With this I can connect
> to an internal Windows 10 system with Remote Desktop.
>
> How can I inject this rule using firewalld, either as a direct rule or as
> some more firewalld-approved kind of rule?
>
>
Hello,
in case your need is not covered by the "--add-service" and/or the
"--add-port" you can still use a direct rule for it.
I think it should be something like this to test:
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
Manual page and some examples with
man firewalld.direct
The "iptables-like" rule will be added into the pre-built chain named
FORWARD_direct.
The 0 above means it is put at the top of the FORWARD_direct chain. In your example
"3" appears and it is not clear what lines 1 and 2 are.
With the iptables -L command you will see:
# iptables -v -L FORWARD_direct
Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
#
With firewall-cmd you can see with
# firewall-cmd --direct --get-all-rules
ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
#
If it works ok as expected, you can make it permanent with
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
firewall-cmd --reload
HIH digging into,
Gianluca
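The steps in the reply above (runtime add, check with --get-all-rules, permanent add, reload) as a small checked script. This is an added example, not part of the thread; it assumes firewall-cmd is on PATH only when run with the "apply" argument, and the rule_listed helper that checks --get-all-rules output works on any text, including the constructed sample in the comments.

```shell
#!/bin/sh
# Added example (not from the thread). Wraps the direct-rule sequence from
# the reply into functions that stop at the first failing step.

# The rule from the thread, in the exact form --get-all-rules prints it.
RULE_ARGS="ipv4 filter FORWARD 0 -i tun+ -j ACCEPT"

# rule_listed TEXT: succeed if TEXT (the output of
# `firewall-cmd --direct --get-all-rules`) contains the rule as a whole line.
# -F matches the string literally (the "+" in tun+ is not a regex quantifier),
# -x requires a full-line match so "tun0" or extra arguments do not count.
rule_listed() {
    printf '%s\n' "$1" | grep -qxF "$RULE_ARGS"
}

# apply_rule: add the runtime rule, confirm it is listed, then make it
# permanent and reload; confirm again because --reload rebuilds the runtime
# rules from the permanent configuration.
apply_rule() {
    # shellcheck disable=SC2086  (word splitting of RULE_ARGS is intended)
    firewall-cmd --direct --add-rule $RULE_ARGS || return 1
    rule_listed "$(firewall-cmd --direct --get-all-rules)" || return 1
    firewall-cmd --permanent --direct --add-rule $RULE_ARGS || return 1
    firewall-cmd --reload || return 1
    rule_listed "$(firewall-cmd --direct --get-all-rules)"
}

# Only touch the firewall when explicitly asked: `sh script.sh apply`.
# Constructed sample of --get-all-rules output for reference:
#   ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
if [ "${1:-}" = "apply" ]; then
    apply_rule
fi
```

Run as `sh script.sh apply` on the gateway; the script exits non-zero at the first step that fails, so a rule that was added at runtime but never made permanent is noticed rather than silently lost at the next reload.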