FirewallD Issue
Hello everybody.
Recently I moved the external interface to zone "external" on my home server/router, and something strange is happening. From my router
(chamber, CentOS 7) everything is fine:
[root@chamber ~]# firewall-cmd --list-all
home (default, active)
  interfaces: enp3s0 tun0 virbr0
  sources:
  services: dhcp dhcpv6-client dns http https imaps ipp-client mdns nfs samba samba-client vnc-server
  ports: 143/tcp 26666/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[root@chamber ~]# firewall-cmd --list-all --zone=external
external (active)
  interfaces: enp1s0
  sources:
  services:
  ports: 26666/tcp
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
[root@chamber ~]# nmap 10.0.49.14
Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-21 11:57 CEST
Nmap scan report for 10.0.49.14
Host is up (0.00045s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: 52:54:00:D6:6D:4A (QEMU Virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
But from a host in another location (connected through VPN):
moonwolf ~ nmap 10.0.49.14
Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 11:59 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.06 seconds
moonwolf ~ nmap 10.0.49.14 -Pn -p22
Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 11:59 CEST
Nmap scan report for svn.karakkhaz.dwarfs (10.0.49.14)
Host is up (0.015s latency).
PORT STATE SERVICE
22/tcp filtered ssh
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
moonwolf ~ ping 10.0.49.14
PING 10.0.49.14 (10.0.49.14) 56(84) bytes of data.
64 bytes from 10.0.49.14: icmp_seq=1 ttl=62 time=9.45 ms
64 bytes from 10.0.49.14: icmp_seq=2 ttl=62 time=26.0 ms
^C
--- 10.0.49.14 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 9.459/17.754/26.050/8.296 ms
What could cause this behavior? Before the interface move everything was working as expected.
--
Over And Out MoonWolf
6 thoughts on - FirewallD Issue
What host serves the VPN? If it’s another host, how is that host connected to the router? If it’s “chamber,” what type of VPN is it?
It’s OpenVPN on chamber.
I've just noticed that it's similar from home to the other location. To clear things up: 10.0.49.0/26 is my home network,
10.0.32.0/22 is one of the VLANs at work ("the other location").
From chamber:
[root@chamber ~]# nmap 10.0.32.7
Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-21 22:12 CEST
Nmap scan report for 10.0.32.7
Host is up (0.053s latency).
Not shown: 988 closed ports
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
143/tcp open imap
389/tcp open ldap
443/tcp open https
993/tcp open imaps
995/tcp open pop3s
2049/tcp open nfs
5666/tcp open nrpe
Nmap done: 1 IP address (1 host up) scanned in 1.97 seconds
From another host in the home network:
[moonwolf@kazad ~]$ nmap 10.0.32.7
Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 22:12 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.03 seconds
When I move enp1s0 (the external interface) to the "home" zone, everything works fine.
My observations:
* When enp1s0 and tun0 (the VPN interface) are both in the "external" zone I'm able to scan ports of the work network from home, but not the opposite:
[root@palpatine ~]# nmap 10.0.49.16
Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-21 22:26 CEST
Nmap scan report for 10.0.49.16
Host is up (0.039s latency).
All 1000 scanned ports on 10.0.49.16 are filtered
Nmap done: 1 IP address (1 host up) scanned in 9.60 seconds
* When enp1s0 is in the "external" zone (as the only interface) and tun0 is in the
"home" zone, I can't scan ports at home or at work.
* When all interfaces are in the "home" zone I can scan ports everywhere.
It's a bit chaotic, I know. Sorry about that.
What port is it using? I don’t see the standard port listed in your firewalld rules in either zone.
Also, you probably should specify tun+ instead of tun0, even if you think there will only be one tunnel up at any given time.
1194/udp. I added the service openvpn and port 1194/udp (just to be sure) to both zones – no change.
[root@chamber openvpn]# firewall-cmd --list-all
home (default, active)
  interfaces: enp3s0 tun0 vbr0 virbr0 vnet0 vnet1
  sources:
  services: dhcp dhcpv6-client dns http https imaps ipp-client mdns nfs openvpn samba samba-client vnc-server
  ports: 143/tcp 26666/tcp 1194/udp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[root@chamber openvpn]# firewall-cmd --list-all --zone=external
external (active)
  interfaces: enp1s0
  sources:
  services: openvpn
  ports: 26666/tcp 1194/udp
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
Specify where?
Despite the fact that I can't scan their ports, I'm able to ping those hosts.
Maybe it's not firewalld related? I can scan ports from chamber (the home router). I'll maybe try tcpdump, to see what is going on with the packets?
Hi Marcin, please check the port number in your OpenVPN config file, then check whether your firewalld config allows the same port.
firewall-cmd --zone=home --add-interface=tun+
Beyond that, I can’t really tell what firewalld is doing with forwarded traffic from the output you’ve given, just the incoming traffic. It might be more clear to just post the output of “iptables -L -vn”
somewhere. https://paste.fedoraproject.org/ maybe
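Added example (not from the thread or any of its participants): a small Python checker that parses `firewall-cmd --list-all-zones` output in the layout shown above, maps each interface to its zone (honouring the `tun+` wildcard recommended in the reply) and reports the two things the replies ask about: whether the zone holding the WAN interface allows the OpenVPN port, and whether the egress zone in each direction between the tunnel and the LAN interface has a masquerade or forwarding rule. The interface names, the port and the sample listing are constructed from the thread; the forwarding check assumes the CentOS 7 firewalld generation, which has no intra-zone forwarding option and whose default zone target accepts only ICMP in its forward chains, which is consistent with ping succeeding while TCP ports show as filtered.

```python
# Constructed sample in the layout of `firewall-cmd --list-all-zones`, built from the thread's zones.
SAMPLE = """\
home (default, active)
  interfaces: enp3s0 tun0 virbr0
  services: dhcp dns http https imaps nfs samba
  ports: 143/tcp 26666/tcp
  masquerade: no
  rich rules: 
external (active)
  interfaces: enp1s0
  ports: 26666/tcp
  masquerade: yes
"""
def parse_zones(text):
    """Return {zone: {key: [tokens]}}; tab-indented lines (rich rules) extend the last key."""
    zones, cur, key = {}, None, None
    for line in text.splitlines():
        if line.startswith("  "):                  # "  key: values"
            key, _, val = line.strip().partition(":")
            zones[cur][key] = val.split()
        elif line.startswith("\t"):                # one rich rule per line
            zones[cur][key].append(line.strip())
        elif line.strip():                         # zone header, e.g. "home (default, active)"
            cur = line.split()[0]
            zones[cur] = {}
    return zones

def zone_of(zones, iface):
    """Zone holding iface; a 'tun+' entry matches tun0, tun1, ... the way iptables does."""
    for name, z in zones.items():
        pats = z.get("interfaces", [])
        if any(p == iface or (p.endswith("+") and iface.startswith(p[:-1])) for p in pats):
            return name
    return None

def forwards_out(zone):
    """Pre-0.9 firewalld forwards out of a zone only via masquerade, forward-ports or rich rules."""
    return bool(zone.get("masquerade") == ["yes"] or zone.get("forward-ports") or zone.get("rich rules"))

def check_vpn(zones, tun="tun0", lan="enp3s0", wan="enp1s0", port="1194/udp"):
    """Findings: OpenVPN port allowed on the WAN zone; forwarding rule in each egress zone."""
    findings = []
    wz = zones.get(zone_of(zones, wan), {})
    if "openvpn" not in wz.get("services", []) and port not in wz.get("ports", []):
        findings.append(f"zone {zone_of(zones, wan)} ({wan}) allows neither service openvpn nor {port}")
    for src, dst in ((tun, lan), (lan, tun)):
        dz = zone_of(zones, dst)
        if not forwards_out(zones.get(dz, {})):
            findings.append(f"{src} -> {dst}: egress zone {dz} has no masquerade/forward rule")
    return findings
```

Run it against the live output with `check_vpn(parse_zones(open("zones.txt").read()))` after saving `firewall-cmd --list-all-zones` to a file; an empty list means none of the three checks fired.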