Openvpn And Firewalld


I am trying to build a new openvpn server based on CentOS7. Everything is working fine as long as I disable firewalld. With firewalld enabled, I can connect to the vpn and ping the machines on the network, but I am unable to SSH to them.

What I had on my old server with iptables was two simple rules:

-A RH-Firewall-1-INPUT -s /255.255.0.0 -d /255.255.0.0 -j ACCEPT
-A RH-Firewall-1-INPUT -s /255.255.0.0 -d /255.255.0.0 -j ACCEPT

This allowed all traffic to flow between my vpn subnet and the local network. How can I duplicate this behavior with firewalld?

I even tried using the --direct option to put in these same rules without success, although I may not have done it quite right.

3 thoughts on - Openvpn And Firewalld

  • Replying to myself here, I finally figured out how to do it with direct rules. Firewalld on CentOS 7 defaults to a drop rule for the FORWARD chain which my previous server didn’t have. So I needed to put the rules in the FORWARD chain rather than the INPUT chain.

    The rules may not have been necessary on the old server since FORWARD defaulted to accept, but they would have worked anyway because the RH-Firewall-1-INPUT chain was referenced by both the INPUT and FORWARD chains.

    I’m still trying to sort out how to do this using firewalld’s normal or rich rules. So far, no success. I’m not sure how to affect the FORWARD chain with firewalld.

    Right now, I have:

    # firewall-cmd --direct --get-all-rules
    ipv4 filter FORWARD 0 -s /255.255.0.0 -d /255.255.0.0 -j ACCEPT
    ipv4 filter FORWARD 0 -s /255.255.0.0 -d /255.255.0.0 -j ACCEPT

    So how can I duplicate this behavior without using direct rules?

  • This does not make sense to me. The INPUT, OUTPUT and FORWARD chains are swimlanes. A packet starts out, following PREROUTING, in exactly one of these three and never leaves it. It can JUMP to shared chains but it will always return to its original chain until ACCEPTed, DROPped or REJECTed.

  • I was a bit confused when I originally posted. This is the only machine that does forwarding and I haven’t touched the iptables setup on it in years.

    The original machine had a shared chain between INPUT and FORWARD with rules that allowed the traffic. I had forgotten how the INPUT and FORWARD chains worked and didn’t realize at first that this was a shared chain, so I was putting the rules in the INPUT chain on the new box, which (of course) didn’t work.

    The other thing that caught me was that the new box has a reject rule at the end of the FORWARD chain that I didn’t notice until I did an iptables-save and combed through the rules. Is there a better way to get an overview of ALL the rules with firewalld? None of the firewall-cmd options that I can find will show me that there is a reject rule on the FORWARD chain.
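Added example for the two open questions in this thread (putting the accept rules in the FORWARD chain via direct rules, and spotting the trailing REJECT in FORWARD that the zone-oriented firewall-cmd views do not show). This is not code from the original posters; the subnets, the chain layout and the iptables-save dump are constructed.

```shell
#!/bin/sh
# Added example, not from the original posters. Two helpers for the situation in
# this thread: auditing the FORWARD chain of an iptables-save dump, and emitting
# the firewall-cmd direct rules that allow VPN <-> LAN forwarding both ways.
# Subnets and the dump below are constructed; substitute your own.

# Constructed iptables-save excerpt resembling firewalld's FORWARD chain on
# CentOS 7, including the trailing REJECT that the zone views do not reveal.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_direct - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD_direct -s 10.8.0.0/16 -d 192.168.0.0/16 -j ACCEPT
COMMIT'

# Read iptables-save output on stdin; print the FORWARD chain policy and every
# rule in FORWARD itself that terminates a packet with REJECT or DROP.
# On a live box: iptables-save | forward_audit
forward_audit() {
    awk '
        $1 == ":FORWARD" { print "policy " $2 }
        $1 == "-A" && $2 == "FORWARD" && /-j (REJECT|DROP)/ { print "terminal: " $0 }
    '
}

# Print (do not run) the persistent direct rules that accept forwarded traffic
# between the VPN subnet ($1) and the LAN subnet ($2) in both directions.
# They land in FORWARD_direct, which firewalld consults before its final REJECT.
direct_rule_cmds() {
    vpn_net=$1
    lan_net=$2
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -s $vpn_net -d $lan_net -j ACCEPT"
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -s $lan_net -d $vpn_net -j ACCEPT"
    echo "firewall-cmd --reload"
}

# Demonstration on the constructed dump.
printf '%s\n' "$SAMPLE_DUMP" | forward_audit
direct_rule_cmds 10.8.0.0/16 192.168.0.0/16
```

Run the audit against a real `iptables-save` before and after adding the direct rules; the REJECT at the end of FORWARD stays, but the accepted traffic now matches in FORWARD_direct first.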