I am following this tutorial[1] to set up OpenVPN. It suggests running both of the following commands:
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
I was reading about firewalld and iptables and some people have written[2] that the 1st command should already add a similar rule as the 2nd one, I guess without the specific subnet range. Why not use only the 2nd command? What benefit is there in also running the 1st?
Regarding the -o eth1: I have multiple public IP addresses, each with its own interface. How do I force NAT and MASQUERADE of the openvpn subnet to the IP address (interface) of my choice? Is -o eth1 detecting traffic that is already routed out interface eth1? If yes, where does the routing happen? If no, can I change -o eth2 to get what I want? (BTW openvpn is only listening on port 1194 for the IP address that's on eth2.)
Other question: I read[3] "if you use default public zone for your external facing network adapter then your loopback interface could also be masqueraded" which I am concerned about. How do I test if this is the case and what are the side effects?
[1] https://www.digitalocean.com/community/tutorials/how-to-setup-and-configure-...
[2] https://www.reddit.com/r/linuxadmin/comments/7iom6e/what_does_firewallcmd_ad...
[3] https://unix.stackexchange.com/a/149193
-------------------------------------------------
ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the NSA's hands! $24.95 ONETIME Lifetime accounts with Privacy Features! 15GB disk! No bandwidth quotas! Commercial and Bulk Mail Options!
I am following this tutorial[1] to set up OpenVPN. It suggests running both of the following commands:
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
I tested and found that the openvpn tunnel is working ONLY if I use the first command; the 2nd command has no effect.
I found the reason is that --add-masquerade also adds a FORWARD rule; this seems broad, no?
-A FWDO_public_allow -m conntrack --ctstate NEW -j ACCEPT
Can somebody confirm the 2nd command above is redundant?
I was reading about firewalld and iptables and some people have written[2] that the 1st command should already add a similar rule as the 2nd one, I guess without the specific subnet range. Why not use only the 2nd command? What benefit is there in also running the 1st?
Regarding the -o eth1: I have multiple public IP addresses, each with its own interface. How do I force NAT and MASQUERADE of the openvpn subnet to the IP address (interface) of my choice? Is -o eth1 detecting traffic that is already routed out interface eth1? If yes, where does the routing happen? If no, can I change -o eth2 to get what I want? (BTW openvpn is only listening on port 1194 for the IP address that's on eth2.)
Other question: I read[3] "if you use default public zone for your external facing network adapter then your loopback interface could also be masqueraded" which I am concerned about. How do I test if this is the case and what are the side effects?
I was reading and found that I might be able to use SNAT, which would answer all my questions: no worry about MASQUERADE problems, and I can choose the external IP address I want. Is that correct thinking?
I found this works:
sudo firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source x.x.x.x
sudo firewall-cmd --direct --passthrough ipv4 -t filter -I FORWARD -i tun0 -j ACCEPT
I wanted to ask:
- Is it important to add "-o eth1" to the SNAT command? Is it OK to leave it out?
- Is the FORWARD rule too broad, are there risks? Should I add any of the following or are they redundant? -s 10.8.0.0/24 -o eth1 -m state --state NEW
On Sat, Apr 14, 2018 at 11:17:00AM +0000, alen.alen@powdermail.com wrote:
> I am following this tutorial[1] to set up OpenVPN. It suggests running both of the following commands:
> sudo firewall-cmd --permanent --add-masquerade
> sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
> I tested and found that the openvpn tunnel is working ONLY if I use the first command; the 2nd command has no effect.
> I found the reason is that --add-masquerade also adds a FORWARD rule; this seems broad, no?
It should be limited by the output interface.
> -A FWDO_public_allow -m conntrack --ctstate NEW -j ACCEPT
> Can somebody confirm the 2nd command above is redundant?
Yes, redundant. firewalld already adds something similar.
# iptables -t nat -nvL
[..]
Chain POSTROUTING_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 POST_public  all  --  *      mgmt0   0.0.0.0/0            0.0.0.0/0           [goto]
[..]
Chain POST_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
> I was reading about firewalld and iptables and some people have written[2] that the 1st command should already add a similar rule as the 2nd one, I guess without the specific subnet range. Why not use only the 2nd command? What benefit is there in also running the 1st?
> Regarding the -o eth1: I have multiple public IP addresses, each with its own interface. How do I force NAT and MASQUERADE of the openvpn subnet to the IP address (interface) of my choice? Is -o eth1 detecting traffic that is already routed out interface eth1? If yes, where does the routing happen? If no, can I change -o eth2 to get what I want? (BTW openvpn is only listening on port 1194 for the IP address that's on eth2.)
I don't know how iptables selects which IP to use. Nor could I find any documentation.
> Other question: I read[3] "if you use default public zone for your external facing network adapter then your loopback interface could also be masqueraded" which I am concerned about. How do I test if this is the case and what are the side effects?
See the iptables output above. It explicitly omits lo.
> I was reading and found that I might be able to use SNAT, which would answer all my questions: no worry about MASQUERADE problems, and I can choose the external IP address I want. Is that correct thinking?
masquerade is typically for situations where your IP address may change. If yours doesn't change, then regular SNAT may be better for you.
> I found this works:
> sudo firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source x.x.x.x
> sudo firewall-cmd --direct --passthrough ipv4 -t filter -I FORWARD -i tun0 -j ACCEPT
> I wanted to ask:
> - Is it important to add "-o eth1" to the SNAT command? Is it OK to leave it out?
It's probably a good idea. Otherwise the SNAT may accidentally apply to internal traffic.
> - Is the FORWARD rule too broad, are there risks? Should I add any of the
> following or are they redundant? -s 10.8.0.0/24 -o eth1 -m state --state NEW
I think it would be fine to add these. The risk depends on your network setup.
Good luck. Eric.
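One way to answer the "is loopback masqueraded?" and "does SNAT need -o eth1?" questions on a live host, as an added example that is not from this thread or from firewalld: the script parses the `iptables -t nat -nvL` layout Eric quoted, follows the zone jump/goto to find which -o match actually bounds each MASQUERADE or SNAT rule, and flags rules that are not pinned to one uplink or that match every source. The sample output is constructed, and 198.51.100.7 is a documentation address standing in for the x.x.x.x of the SNAT command.

```python
# Constructed sample of `iptables -t nat -nvL` output (not from a real host): the chain layout
# follows what Eric quoted, plus a passthrough SNAT rule in POSTROUTING (198.51.100.7 = x.x.x.x).
SAMPLE_NAT = """Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 POSTROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 SNAT       all  --  *      *       10.8.0.0/24          0.0.0.0/0            to:198.51.100.7
Chain POSTROUTING_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 POST_public  all  --  *      mgmt0   0.0.0.0/0            0.0.0.0/0           [goto]
Chain POST_public (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 POST_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain POST_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
"""

def parse_nat(text):
    """Return (rules, parents): rule dicts, and chain -> (calling chain, its -o match)."""
    rules, chains, chain = [], set(), None
    for line in text.splitlines():
        cols = line.split()  # pkts bytes target prot opt in out source destination ...
        if line.startswith("Chain "):
            chains.add(chain := cols[1])
        elif len(cols) >= 9 and cols[0].rstrip("KMG").isdigit():
            rules.append({"chain": chain, "target": cols[2], "out": cols[6], "source": cols[7]})
    parents = {r["target"]: (r["chain"], r["out"]) for r in rules if r["target"] in chains}
    return rules, parents

def effective_out(rule, parents):
    # Walk up the jump/goto hierarchy: firewalld's MASQUERADE is bounded by the zone jump's -o.
    out, chain = rule["out"], rule["chain"]
    while out in ("*", "!lo") and chain in parents:
        chain, parent_out = parents[chain]
        if parent_out not in ("*", "!lo"):
            out = parent_out
    return out

def audit_snat(text):
    """Flag source-NAT rules broader than 'VPN subnet only, one uplink, never loopback'."""
    rules, parents = parse_nat(text)
    findings = []
    for r in rules:
        if r["target"] in ("MASQUERADE", "SNAT"):
            tag, out = f"{r['chain']}/{r['target']}", effective_out(r, parents)
            if out in ("*", "!lo"):  # "*" also rewrites packets leaving via lo
                findings.append(f"{tag}: not limited to one uplink interface (-o {out})")
            if r["source"] == "0.0.0.0/0":
                findings.append(f"{tag}: matches every source, not only the 10.8.0.0/24 VPN subnet")
    return findings
```

Feed the real output of `iptables -t nat -nvL` (run as root) to `audit_snat` to check a live host; the firewalld MASQUERADE rule reports the zone's interface rather than the !lo shown on the rule itself, which is the zone limiting Eric describes.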
Hi Eric, thank you for helping me!
> > I am following this tutorial[1] to set up OpenVPN. It suggests running both of the following commands:
> > sudo firewall-cmd --permanent --add-masquerade
> > sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
> > I tested and found that the openvpn tunnel is working ONLY if I use the first command; the 2nd command has no effect.
> > I found the reason is that --add-masquerade also adds a FORWARD rule; this seems broad, no?
> It should be limited by the output interface.
But the add-masquerade command does not accept an interface argument, right? I think I can narrow it by managing zones, but the command would appear more useful to me if it had an interface argument. Still, I don't want to masquerade any traffic except that which comes from the openvpn subnet, and leave everything else alone. So to me, even limited by zone or interface, add-masquerade is unnecessarily broad, so I am forced to consider a passthrough to tighten it up or another solution like SNAT. Would love to see a more powerful add-masquerade command.
> > Regarding the -o eth1: I have multiple public IP addresses, each with its own interface. How do I force NAT and MASQUERADE of the openvpn subnet to the IP address (interface) of my choice? Is -o eth1 detecting traffic that is already routed out interface eth1? If yes, where does the routing happen? If no, can I change -o eth2 to get what I want? (BTW openvpn is only listening on port 1194 for the IP address that's on eth2.)
> I don't know how iptables selects which IP to use. Nor could I find any documentation.
Hmm, it must require a PREROUTING rule or something else. Using SNAT helps me avoid getting too convoluted.
> > I was reading and found that I might be able to use SNAT, which would answer all my questions: no worry about MASQUERADE problems, and I can choose the external IP address I want. Is that correct thinking?
> masquerade is typically for situations where your IP address may change. If yours doesn't change, then regular SNAT may be better for you.
OK
> > I found this works:
> > sudo firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source x.x.x.x
> > sudo firewall-cmd --direct --passthrough ipv4 -t filter -I FORWARD -i tun0 -j ACCEPT
> > I wanted to ask:
> > - Is it important to add "-o eth1" to the SNAT command? Is it OK to leave it out?
> It's probably a good idea. Otherwise the SNAT may accidentally apply to internal traffic.
I haven't seen a problem with that, but maybe I don't understand you. I got on the VPN and requested a web resource from a webserver running on the same machine and the IP is reflected as that of the VPN. Can you help sketch the details of the potential problem you mention?
> > - Is the FORWARD rule too broad, are there risks? Should I add any of the
> > following or are they redundant? -s 10.8.0.0/24 -o eth1 -m state --state NEW
> I think it would be fine to add these. The risk depends on your network setup.
In general is there any impact on performance to add more rules that ultimately make no difference to the result? Or is it so insignificant that adding more specificity can ensure no unwanted side effects of rules that are too loose?
On Wed, Apr 18, 2018 at 07:25:30PM +0000, alen.alen@powdermail.com wrote:
> Hi Eric, thank you for helping me!
> > > I am following this tutorial[1] to set up OpenVPN. It suggests running both of the following commands:
> > > sudo firewall-cmd --permanent --add-masquerade
> > > sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
> > > I tested and found that the openvpn tunnel is working ONLY if I use the first command; the 2nd command has no effect.
> > > I found the reason is that --add-masquerade also adds a FORWARD rule; this seems broad, no?
> > It should be limited by the output interface.
> But the add-masquerade command does not accept an interface argument, right? I
Correct. The zone is what causes it to be limited to the outgoing interface. See "iptables -nvL" output.
> think I can narrow it by managing zones, but the command would appear more useful to me if it had an interface argument. Still, I don't want to
No. Zones are what define that mapping.
> masquerade any traffic except that which comes from the openvpn subnet, and leave everything else alone. So to me, even limited by zone or interface, add-masquerade is unnecessarily broad, so I am forced to consider a passthrough to tighten it up or another solution like SNAT. Would love to see a more powerful add-masquerade command.
Rich rules are probably what you want. See this github issue:
https://github.com/firewalld/firewalld/issues/80
I suggested a fix, would be great if you could try it and verify it works for your case.
> > > Regarding the -o eth1: I have multiple public IP addresses, each with its own interface. How do I force NAT and MASQUERADE of the openvpn subnet to the IP address (interface) of my choice? Is -o eth1 detecting traffic that is already routed out interface eth1? If yes, where does the routing happen? If no, can I change -o eth2 to get what I want? (BTW openvpn is only listening on port 1194 for the IP address that's on eth2.)
> > I don't know how iptables selects which IP to use. Nor could I find any documentation.
> Hmm, it must require a PREROUTING rule or something else. Using SNAT helps me avoid getting too convoluted.
> > > I was reading and found that I might be able to use SNAT, which would answer all my questions: no worry about MASQUERADE problems, and I can choose the external IP address I want. Is that correct thinking?
> > masquerade is typically for situations where your IP address may change. If yours doesn't change, then regular SNAT may be better for you.
> OK
> > > I found this works:
> > > sudo firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source x.x.x.x
> > > sudo firewall-cmd --direct --passthrough ipv4 -t filter -I FORWARD -i tun0 -j ACCEPT
> > > I wanted to ask:
> > > - Is it important to add "-o eth1" to the SNAT command? Is it OK to leave it out?
> > It's probably a good idea. Otherwise the SNAT may accidentally apply to internal traffic.
> I haven't seen a problem with that, but maybe I don't understand you. I got on the VPN and requested a web resource from a webserver running on the same machine and the IP is reflected as that of the VPN. Can you help sketch the details of the potential problem you mention?
> > > - Is the FORWARD rule too broad, are there risks? Should I add any of the
> > > following or are they redundant? -s 10.8.0.0/24 -o eth1 -m state --state NEW
> > I think it would be fine to add these. The risk depends on your network setup.
> In general is there any impact on performance to add more rules that ultimately make no difference to the result? Or is it so insignificant that adding more specificity can ensure no unwanted side effects of rules that are too loose?
I don't have an answer for that.
firewalld-users@lists.fedorahosted.org