On Sat, Apr 14, 2018 at 11:17:00AM +0000, alen.alen(a)powdermail.com wrote:
> I am following this tutorial[1] to set up OpenVPN. It suggests running
> both of the following commands:
>
> sudo firewall-cmd --permanent --add-masquerade
> sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
> I tested and found that the openvpn tunnel is working ONLY if I use the first
> command; the 2nd command has no effect.
> I found the reason is that --add-masquerade also adds a FORWARD rule; this seems
> broad, no?
> It should be limited by the output interface.
> -A FWDO_public_allow -m conntrack --ctstate NEW -j ACCEPT
> Can somebody confirm the 2nd command above is redundant?
Yes, redundant. firewalld already adds something similar.
# iptables -t nat -nvL
[..]
Chain POSTROUTING_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 POST_public  all  --  *      mgmt0   0.0.0.0/0            0.0.0.0/0            [goto]
[..]
Chain POST_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0
> I was reading about firewalld and iptables and some people have written[2]
> that the 1st command should already add a similar rule as the 2nd one, I
> guess without the specific subnet range. Why not use only the 2nd
> command? What benefit is there in also running the 1st?
>
> Regarding the -o eth1: I have multiple public IP addresses, each with
> its own interface. How do I force NAT/MASQUERADE of the openvpn
> subnet to the IP address (interface) of my choice? Is -o eth1 detecting
> traffic that is already routed out interface eth1? If yes, where does
> the routing happen? If no, can I change it to -o eth2 to get what I want? (BTW
> openvpn is only listening on port 1194 for the IP address that's on eth2.)
I don't know how iptables selects which IP to use. Nor could I find any
documentation.
>
> Other question: I read[3] "if you use default public zone for your
> external facing network adapter then your loopback interface could also
> be masqueraded" which I am concerned about. How do I test if this is the
> case and what are the side effects?
See the iptables output above. It explicitly omits lo.
> I was reading and found that I might be able to use SNAT, which would answer all my
> questions: no worry about MASQUERADE problems, and I can choose the external IP
> address I want. Is that correct thinking?
masquerade is typically for situations where your IP address may change.
If yours doesn't change, then regular SNAT may be better for you.
> I found this works:
> sudo firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source x.x.x.x
> sudo firewall-cmd --direct --passthrough ipv4 -t filter -I FORWARD -i tun0 -j ACCEPT
> I wanted to ask:
> * Is it important to add "-o eth1" to the SNAT command? Is it OK to leave it out?
It's probably a good idea. Otherwise the SNAT may accidentally apply to
internal traffic.
> * Is the FORWARD rule too broad, are there risks? Should I add any of the
> following or are they redundant?
> -s 10.8.0.0/24
> -o eth1
> -m state --state NEW
I think it would be fine to add these. The risk depends on your network
setup.
Good luck.
Eric.
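As an added example, not from this thread, here is a small shell audit that reads the output of `iptables -t nat -nvL` and lists every SNAT/MASQUERADE rule with its output interface. That is the check for the two points discussed above: whether a NAT rule is limited to one external interface (the "-o eth1" question) and whether loopback is excluded. The listing fed to it is constructed in the same layout as the one quoted in the reply; the SNAT line mirrors the --to-source rule from the question, and the address 203.0.113.10 standing in for x.x.x.x is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): audit nat POSTROUTING rules as printed
# by `iptables -t nat -nvL` and report each SNAT/MASQUERADE rule together with
# its output interface, so two questions from the thread can be answered from
# the listing itself:
#   - could the rule apply to loopback traffic (out iface "*" or "lo")?
#   - is the rule limited to one external interface (-o ethN)?

# Parse `iptables -t nat -nvL` output on stdin.  Columns are:
#   pkts bytes target prot opt in out source destination [extra]
audit_nat_rules() {
    awk '
        /^Chain / { chain = $2; next }
        $3 == "MASQUERADE" || $3 == "SNAT" {
            out = $7
            if (out == "*")        verdict = "any-out-iface"   # no -o restriction
            else if (out == "lo")  verdict = "LOOPBACK"         # would NAT loopback
            else                   verdict = "ok"               # -o ethN or !lo
            printf "%s %s out=%s src=%s %s\n", chain, $3, out, $8, verdict
        }'
}

# Constructed sample in the same layout as the listing in the reply above.
# The SNAT line mirrors the --to-source rule from the question; the address
# 203.0.113.10 (a documentation address) is an assumption standing in for x.x.x.x.
SAMPLE='Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 POSTROUTING_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 POSTROUTING_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all  --  *      *       10.8.0.0/24          0.0.0.0/0            to:203.0.113.10

Chain POST_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !lo     0.0.0.0/0            0.0.0.0/0'

# Run the audit over the constructed sample.
# On a live host use:  iptables -t nat -nvL | audit_nat_rules
audit_nat_rules_sample() {
    printf '%s\n' "$SAMPLE" | audit_nat_rules
}

audit_nat_rules_sample
```

On the constructed sample the SNAT rule is reported as "any-out-iface" (no -o restriction, which is the case Eric warns about) while firewalld's own MASQUERADE rule is reported "ok" because its out column is "!lo".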