On Wed, Apr 18, 2018 at 07:25:30PM +0000, alen.alen(a)powdermail.com wrote:
> Hi Eric, thank you for helping me!
> > > I am following this tutorial[1] to set up OpenVPN. It suggests running
> > > both of the following commands:
> > >
> > > sudo firewall-cmd --permanent --add-masquerade
> > > sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A
> > > POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
> >
> > I tested to find that openvpn tunnel is working ONLY if I use first command,
> > 2nd command having no effect.
> >
> > I found reason is --add-masquerade also adds a FORWARD rule, this seems
> > broad, no?
>
> It should be limited by the output interface.
> But the add-masquerade command does not accept an interface argument, right? I
Correct. The zone is what causes it to be limited to the outgoing
interface.
See "iptables -nvL" output.
> think I can narrow it by managing zones, but the command would appear more
> useful to me if it had an interface argument. Still, I don't want to
No. zones are what defines that mapping.
> masquerade any traffic except that which comes from the openvpn subnet and
> leave everything else alone. So to me even limited by zone or interface,
> add-masquerade is unnecessarily broad so I'm forced to consider a passthru to
> tighten it up or another solution like SNAT. Would love to see a more
> powerful add-masquerade command.
Rich rules are probably what you want.
See this github issue:
https://github.com/firewalld/firewalld/issues/80
I suggested a fix, would be great if you could try it and verify it
works for your case.
> > > Regarding the -o eth1: I have multiple public IP addresses, each with
> > > its own interface. How do I force it to NAT and MASQUERADE the openvpn
> > > subnet to the IP address (interface) of my choice? Is -o eth1 detecting
> > > traffic that is already routed out interface eth1? If yes, where does
> > > the routing happen? If no, can I change -o eth2 to get what I want? (BTW
> > > openvpn only listening on port 1194 for the IP address that's on eth2.)
>
> I don't know how iptables selects which IP to use. Nor could I find any
> documentation.
> Hmm, it must require a PREROUTING rule or something else. Using SNAT helps me
> avoid getting too convoluted.
> > I was reading to find that I might be able to use SNAT, which would answer all my
> > questions: no worry about MASQUERADE problems and choose the external IP
> > address I want. Is that correct thinking?
>
> masquerade is typically for situations where your IP address may change.
> If yours doesn't change, then regular SNAT may be better for you.
> OK
> > I found this work:
> >
> > sudo firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s
> > 10.8.0.0/24 -j SNAT --to-source x.x.x.x
> > sudo firewall-cmd --direct --passthrough ipv4 -t filter -I FORWARD -i tun0
> > -j ACCEPT
> >
> > I wanted to ask:
> > * Is it important to add "-o eth1" to the SNAT command? Is it OK to leave it
> > out?
>
> It's probably a good idea. Otherwise the SNAT may accidentally apply to
> internal traffic.
> I haven't seen a problem with that, but maybe I don't understand you. I got
> on the VPN and requested a web resource from a webserver running on the same
> machine and the IP is reflected as that of the VPN. Can you help sketch the
> details of the potential problem you mention?
> > * Is the FORWARD rule too broad, are there risks? Should I add any of the
> > following or are they redundant?
> > -s 10.8.0.0/24
> > -o eth1
> > -m state --state NEW
>
> I think it would be fine to add these. The risk depends on your network
> setup.
> In general, is there any impact on performance from adding more rules that
> ultimately make no difference to the result? Or is it so insignificant that
> adding more specificity can ensure no unwanted side effects of rules that
> are too loose?
I don't have an answer for that.
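The rich-rule approach Eric points to, beside the scoped SNAT and FORWARD variants discussed in the thread, as an added example that is not part of this exchange and not a firewalld project script. It assumes the placeholder names tun0, eth1, zone "public" and address 203.0.113.10; set FW=echo to preview the generated commands on a machine without firewalld.

```shell
#!/bin/sh
# Added example, not from the thread: scope NAT for an OpenVPN subnet with
# firewalld instead of the tutorial's unscoped --add-masquerade.
# Assumed placeholders: VPN subnet 10.8.0.0/24, tunnel tun0, public interface
# eth1 in zone "public", public address 203.0.113.10 (documentation range).
VPN_NET=${VPN_NET:-10.8.0.0/24}
VPN_IF=${VPN_IF:-tun0}
WAN_IF=${WAN_IF:-eth1}
WAN_ZONE=${WAN_ZONE:-public}
WAN_IP=${WAN_IP:-203.0.113.10}
FW=${FW:-firewall-cmd}      # set FW=echo to preview the commands

# Tutorial form: masquerades every packet leaving the zone's interface and
# opens FORWARD for all of them, not only the VPN subnet.
broad_masquerade() {
    $FW --permanent --zone="$WAN_ZONE" --add-masquerade
}

# Rich rule: masquerade only packets whose source is the VPN subnet.
scoped_masquerade() {
    $FW --permanent --zone="$WAN_ZONE" \
        --add-rich-rule="rule family=ipv4 source address=$VPN_NET masquerade"
}

# SNAT to a fixed public address, for hosts whose address does not change.
# -o keeps the rewrite off VPN-to-LAN traffic, which otherwise would also
# leave the server with the public address as source.
scoped_snat() {
    $FW --permanent --direct --add-rule ipv4 nat POSTROUTING 0 \
        -s "$VPN_NET" -o "$WAN_IF" -j SNAT --to-source "$WAN_IP"
}

# FORWARD: only new flows from tun0 to the public interface and from the VPN
# subnet (-m conntrack --ctstate is the current spelling of -m state --state);
# return traffic matches firewalld's own ESTABLISHED,RELATED accept rule.
scoped_forward() {
    $FW --permanent --direct --add-rule ipv4 filter FORWARD 0 \
        -i "$VPN_IF" -o "$WAN_IF" -s "$VPN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
}

apply_scoped_nat() {
    scoped_masquerade
    scoped_forward
    $FW --reload
}

if [ "${1:-}" = apply ]; then
    apply_scoped_nat
fi
```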