FirewallD/OpenVPN

asked 2015-07-29 04:52:20 -0500

_KLblK

Hi everyone,

We have an OpenVPN server and now I try to configure FirewallD rules to work properly on it. The goal is to allow only specified incoming and outgoing connections. I don't want to use direct rules, just zones and services. I tried to add rich rules to zones with no luck so far.

So here is the situation:

"eth0" interface (10.27.0.0/16), "tun0" OpenVPN-interface (10.60.0.0/24).

I create two new zones, let's say "user_home" zone for 10.27.0.0/16 and "user_work" zone for 10.60.0.0/24. Then I add sources and/or interfaces respectively (I tried both variants, and even combined). After that I create services (protocol/port combinations) and add these services to my newly created zones.

Now, when I try to access a host in 10.60.0.0/24 from 10.27.0.0/16 the packet will not go further than the eth0 interface. It seems that packets are dropped at the tun0 interface and I don't know why.

One interesting thing: if I enable masquerading in my "user_work" zone all the packets reach their destination. But, unfortunately, now my filtering (I mean, allowing only specified packets/ports) doesn't work. They reach the destination all the same, no matter what services are added or not to the zone.

Please, help me to figure it out.

If you need any additional information, just let me know.

Thank you in advance.
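As an added illustration (not from the original post), the zone layout described above written as firewalld configuration files. It assumes a firewalld release with policy objects (0.9 or later) and that the services to allow are ssh and openvpn. Zone services and rich rules only filter traffic addressed to the VPN server itself; traffic forwarded between eth0 and tun0 is matched by a policy, while enabling masquerading on a zone also accepts forwarded traffic leaving it, which is the behaviour seen in the post:

```xml
<!-- /etc/firewalld/zones/user_home.xml : LAN side (constructed example) -->
<zone>
  <short>user_home</short>
  <description>Hosts on the office LAN reached via eth0.</description>
  <interface name="eth0"/>
  <source address="10.27.0.0/16"/>
  <!-- services in a zone only govern traffic addressed to this host -->
  <service name="openvpn"/>
</zone>

<!-- /etc/firewalld/zones/user_work.xml : VPN side (constructed example) -->
<zone>
  <short>user_work</short>
  <description>OpenVPN clients on tun0.</description>
  <interface name="tun0"/>
  <source address="10.60.0.0/24"/>
  <!-- no <masquerade/> element: it would accept every forwarded packet -->
  <service name="ssh"/>
</zone>

<!-- /etc/firewalld/policies/home_to_work.xml : forwarded LAN -> VPN traffic -->
<policy target="DROP">
  <short>home_to_work</short>
  <ingress-zone name="user_home"/>
  <egress-zone name="user_work"/>
  <!-- only these forwarded flows are accepted; target="DROP" discards the rest -->
  <service name="ssh"/>
  <port port="8443" protocol="tcp"/>
</policy>
```

Apply with `firewall-cmd --reload` and verify with `firewall-cmd --info-policy home_to_work`; replies to accepted flows are handled by connection tracking, so no reverse policy is needed for them.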


Comments

My networking knowledge is kindergarten. Let me try anyway.

You apply masquerading (NAT) and it works. That means the interface IP may be incorrect. I guess you created a switch instead of a bridge: the interfaces are not interactive.

NuuN (2015-07-30 10:30:16 -0500)