On Thursday, 19 March 2020, 20:06:19 CET, Eric Garver wrote:
> I'm not certain what you're trying to accomplish.
Sorry, Eric, for my deficits in expressing my needs.
> Are you trying to allow SSH access to the OpenVPN server?
This is working fine.
> Your rich rule is using port 8080. Are you trying to forward 8080 to ssh (22)?
Hrmpf. I've tried to eliminate all disturbing elements, but failed.
Yes, a service on port 8080 needs to be allowed as well, but having it working
for ssh is enough to get the rest working in a similar fashion.
It should have read:
rule family="ipv4" source address="10.20.30.0/24" destination address="192.168.78.0/24" port port="22" protocol="tcp" accept
I've tried port forwarding and other things, but ultimately, I would like to
allow some services coming from the VPN (tun0/10.20.30.0/24) to be routed to
the local network (and back).
> Are you trying to allow SSH access to a machine on the internal network
> that is behind the OpenVPN server?
Yes, exactly. Routing is activated, but there's some interference of routing,
masquerading and iptables rules that I'm unable to grok completely.
Thanks,
Pete
On Thu, Mar 19, 2020 at 07:40:13PM +0100, Hans-Peter Jansen wrote:
> Hi,
>
> I try to tighten an OpenVPN setup.
>
> It should result in a separate zone for tun0 (10.20.30.0/24), that allows
> ssh on the local net, which is in the external zone otherwise
> (192.168.78.0/24).
> $ firewall-cmd --info-zone=external
> external (active)
>
> target: DROP
> icmp-block-inversion: no
> interfaces: eth0
> sources:
> services: dhcpv6-client http https ssh
> ports:
> protocols:
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> $ firewall-cmd --info-zone=internal
> internal (active)
>
> target: default
> icmp-block-inversion: no
> interfaces: tun0
> sources:
> services: ssh
> ports:
> protocols:
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
>
> rule family="ipv4" source address="10.20.30.0/24" destination address="192.168.78.0/24" port port="8080" protocol="tcp" accept
>
> Hence, it should allow routing ssh requests to eth0.
>
> All experiments result in IN_external_DROPs, because this is defined as
> external, I guess.
>
> Yes, I know, this setup is rather improper. It's a transient state on the way
> to properly separated internal and external network interfaces.
>
> Any idea how to achieve this?
>
> Thanks in advance,
> Pete
>
> _______________________________________________
> firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
> To unsubscribe send an email to
> firewalld-users-leave(a)lists.fedorahosted.org
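Added example (not from the thread and not firewalld's own code): a small Python script for the diagnostic step the thread is stuck on, namely telling apart packets that firewalld dropped on the INPUT path from packets dropped on the FORWARD path (tun0 -> eth0), and naming the zone each interface belongs to. It reads `firewall-cmd --info-zone` style listings to map interfaces to zones and then classifies kernel LogDenied lines by their netfilter LOG fields (IN=, OUT=, SRC=, DST=, PROTO=, DPT=). The zone listing and the log lines are constructed for this example; in particular, the "IN_external_DROP" prefix on the forwarded sample line is only the prefix the thread reports seeing, not a verified firewalld log format, so treat the prefix as an assumption and the IN=/OUT= fields as the authoritative signal.

```python
import re

# Zone listing, constructed for this example from the two zones quoted in the
# thread; in practice paste the output of `firewall-cmd --info-zone=<zone>`.
ZONE_INFO = """\
external (active)
  target: DROP
  interfaces: eth0
  masquerade: no
internal (active)
  target: default
  interfaces: tun0
  masquerade: no
"""

# Constructed kernel log lines in netfilter LOG format. The "IN_external_DROP"
# prefix is the one the thread reports seeing; that a forwarded tun0->eth0
# packet carries exactly this prefix is an assumption of the sample, not a fact.
SAMPLE_LOG = """\
Mar 19 20:01:11 vpn kernel: IN_external_DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.78.33 DST=192.168.78.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=40112 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 19 20:01:12 vpn kernel: IN_external_DROP: IN=tun0 OUT=eth0 SRC=10.20.30.6 DST=192.168.78.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 19 20:01:13 vpn kernel: FINAL_REJECT: IN=tun0 OUT= MAC= SRC=10.20.30.6 DST=10.20.30.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4713 PROTO=ICMP TYPE=8 CODE=0
"""

ZONE_HEADER_RE = re.compile(r"^([^\s:]+)(?: \(active\))?$")
LOG_RE = re.compile(r"(?P<prefix>[A-Za-z0-9_]+): (?P<fields>IN=.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_zone_info(text):
    """Return {interface: (zone, target)} from --info-zone style listings."""
    mapping = {}
    zone = target = None
    for raw in text.splitlines():
        line = raw.strip()
        header = ZONE_HEADER_RE.match(line)
        if header:
            zone, target = header.group(1), None
        elif line.startswith("target:"):
            target = line.split(":", 1)[1].strip()
        elif line.startswith("interfaces:"):
            for iface in line.split(":", 1)[1].split():
                mapping[iface] = (zone, target)
    return mapping


def parse_log_line(line, zones):
    """Classify one LogDenied line; None if it carries no netfilter LOG fields."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    if in_if and out_if:
        path = "FORWARD"  # routed through this host: ingress and egress zones both apply
    elif in_if:
        path = "INPUT"    # addressed to this host: only the ingress zone applies
    else:
        path = "OUTPUT"
    unknown = ("<no zone>", None)
    in_zone, in_target = zones.get(in_if, unknown)
    out_zone, out_target = zones.get(out_if, unknown) if out_if else (None, None)
    return {
        "prefix": m.group("prefix"), "path": path,
        "in": in_if, "in_zone": in_zone, "in_target": in_target,
        "out": out_if, "out_zone": out_zone, "out_target": out_target,
        "src": fields.get("SRC"), "dst": fields.get("DST"),
        "proto": fields.get("PROTO"), "dpt": fields.get("DPT"),
    }


def analyse(log_text, zone_text):
    """All classified records for a log excerpt, given the zone listing."""
    zones = parse_zone_info(zone_text)
    parsed = (parse_log_line(line, zones) for line in log_text.splitlines())
    return [rec for rec in parsed if rec]


def explain(rec):
    """One-line hint naming the zone(s) whose rules governed this packet."""
    flow = f"{rec['src']}->{rec['dst']} {rec['proto']}/{rec['dpt'] or '-'}"
    if rec["path"] == "FORWARD":
        return (f"{rec['prefix']}: FORWARD {flow}: in {rec['in']} "
                f"(zone {rec['in_zone']}, target {rec['in_target']}) -> out {rec['out']} "
                f"(zone {rec['out_zone']}, target {rec['out_target']}); "
                "check the ingress zone's forward-in and the egress zone's forward-out rules")
    return (f"{rec['prefix']}: {rec['path']} {flow}: zone {rec['in_zone']} "
            f"(target {rec['in_target']})")


if __name__ == "__main__":
    for rec in analyse(SAMPLE_LOG, ZONE_INFO):
        print(explain(rec))
```

The point of the classification is that the log prefix alone can mislead: a line tagged with the external zone whose IN= field says tun0 and whose OUT= field says eth0 is a forwarded packet, so the rule set to inspect is not just the zone the prefix names but the combination of the ingress interface's zone and the egress interface's zone. Run it against `journalctl -k` output with firewalld's LogDenied set to something other than off.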