I am following this tutorial[1] to set up OpenVPN. It suggests
running both of the following commands:
sudo firewall-cmd --permanent --add-masquerade
sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
I tested and found that the OpenVPN tunnel is working ONLY if I use the first
command; the 2nd command has no effect.
I found the reason is that --add-masquerade also adds a FORWARD rule, which
seems broad, no?
-A FWDO_public_allow -m conntrack --ctstate NEW -j ACCEPT
Can somebody confirm the 2nd command above is redundant?
I was reading about firewalld and iptables, and some people have
written[2] that the 1st command should already add a similar rule to
the 2nd one, I guess without the specific subnet range. Why not use
only the 2nd command? What benefit is there in also running the 1st?
Regarding the -o eth1: I have multiple public IP addresses, each with
its own interface. How do I force NAT/MASQUERADE of the OpenVPN subnet
to the IP address (interface) of my choice? Is -o eth1 matching traffic
that is already routed out of interface eth1? If yes, where does the
routing happen? If no, can I change it to -o eth2 to get what I want?
(BTW, OpenVPN is only listening on port 1194 on the IP address that's
on eth2.)
Other question: I read[3] "if you use default public zone for your
external facing network adapter then your loopback interface could
also be masqueraded" which I am concerned about. How do I test if
this is the case and what are the side effects?
I was reading and found that I might be able to use SNAT, which would
answer all my questions: no worry about MASQUERADE problems, and I can
choose the external IP address I want. Is that correct thinking?
I found this works:
sudo firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source x.x.x.x
sudo firewall-cmd --direct --passthrough ipv4 -t filter -I FORWARD -i tun0 -j ACCEPT
I wanted to ask:
* Is it important to add "-o eth1" to the SNAT command? Is it OK to leave it out?
* Is FORWARD rule too broad, are there risks? Should I add any of the
following or are they redundant?
-s 10.8.0.0/24
-o eth1
-m state --state NEW
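As an added example (not from the original post or the tutorial it cites), a small shell audit that reads `iptables -t nat -S` style output and flags every SNAT/MASQUERADE rule that is not restricted by both a source subnet (-s) and an outgoing interface (-o), which is the scoping question raised above. The rule lines embedded here are constructed; on a live host you would pipe `iptables -t nat -S | audit_postrouting` instead.

```shell
#!/bin/sh
# Report source-NAT rules that are not scoped by both -s and -o.
# Input: lines in the format printed by `iptables -t nat -S`.

audit_postrouting() {
    awk '
    # Only rules that rewrite the source address are of interest.
    /-j (MASQUERADE|SNAT)/ {
        rule = $0
        line = $0
        # "! -o lo" restricts nothing positively, but note that loopback
        # is at least excluded, then drop negated matches before testing.
        lo_excluded = (line ~ /! -o lo( |$)/)
        gsub(/! -[so] [^ ]+/, "", line)
        has_s = (line ~ / -s [^ ]+/)
        has_o = (line ~ / -o [^ ]+/)
        if (has_s && has_o) {
            printf "scoped: %s\n", rule
            next
        }
        reason = ""
        if (!has_s) reason = reason "no -s (any source subnet); "
        if (!has_o) reason = reason "no -o (any outgoing interface); "
        if (!has_s && !has_o && !lo_excluded)
            reason = reason "loopback not excluded; "
        sub(/; $/, "", reason)
        printf "broad [%s]: %s\n", reason, rule
    }'
}

# Constructed sample: zone masquerade plus the direct rules from the
# question, one rule scoped by -o only, and one fully unscoped rule.
SAMPLE_NAT_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -j POST_public
-A POST_public_allow ! -o lo -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source 203.0.113.10
-A POSTROUTING -o eth2 -j MASQUERADE
-A POSTROUTING -j MASQUERADE'

# Runs the audit over the constructed sample (1 scoped, 4 broad).
sample_audit() {
    printf '%s\n' "$SAMPLE_NAT_RULES" | audit_postrouting
}

sample_audit
```

A rule reported as broad does not necessarily break anything, but it is the first thing to check when asking whether a given subnet or interface is being NATed unintentionally.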