On Fri, Dec 29, 2017 at 10:32 AM, Kenneth Porter shiva@sewingwitch.com wrote:
How do I insert the iptables rule below using firewalld?
I'm moving up from CentOS 6 to 7 on an office gateway and I'm trying to get OpenVPN working to allow home workers to access PCs at the office. I've got it all working but only by manually inserting an ACCEPT rule in the FORWARD iptables chain:
iptables -I FORWARD 3 -i tun+ -j ACCEPT
This rule was extracted from my iptables firewall under CentOS6. The 3 puts it after the accepts for established connections and loopback connections, but before any firewalld sub-chains. With this I can connect to an internal Windows 10 system with Remote Desktop.
How can I inject this rule using firewalld, either as a direct rule or as some more firewalld-approved kind of rule?
Hello, in case your need is not covered by "--add-service" and/or "--add-port", you can still use a direct rule for it.
I think it should be something like this to test:
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
Manual page and some examples: man firewalld.direct
The "iptables like" rule will be added into the pre-built chain named FORWARD_direct. The 0 above means it is put at the top of the FORWARD_direct chain. In your example "3" appears, and it is not clear what lines 1 and 2 are. With the iptables -L command you will see:
# iptables -v -L FORWARD_direct
Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
#
With firewall-cmd you can see it with:
# firewall-cmd --direct --get-all-rules
ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
#
If it works ok as expected, you can make it permanent with
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
firewall-cmd --reload
HTH digging into it,
Gianluca
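As an added example that is not part of the thread: a POSIX shell script that applies the runtime-then-permanent flow above idempotently, by checking the output of `firewall-cmd --direct --get-all-rules` (runtime) and `firewall-cmd --permanent --direct --get-all-rules` (saved config) for the exact rule line before emitting the add commands, so it can be re-run without duplicating rules. It also carries a narrower variant of the rule: `-i tun+ -j ACCEPT` in FORWARD accepts everything arriving from any tun interface to any destination, including traffic routed back out to the internet through the gateway, so once the broad rule has confirmed the diagnosis it is worth limiting the destination network and port. The office LAN 192.168.1.0/24 and Remote Desktop on tcp/3389 are assumptions for the example, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Installs a firewalld direct rule
# idempotently (the thread's runtime-then-permanent flow) and shows a narrower
# variant of the rule. Assumed, not stated in the thread: the office LAN is
# 192.168.1.0/24 and Remote Desktop listens on tcp/3389.

# firewalld prints direct rules as: <ipv> <table> <chain> <priority> <args...>
# The rule from the thread: accept anything forwarded in from any tun interface.
RULE_BROAD='ipv4 filter FORWARD 0 -i tun+ -j ACCEPT'
# Narrower: only traffic from the VPN, only into the LAN, only RDP. Replies come
# back through firewalld's earlier RELATED,ESTABLISHED accept, so no reverse rule.
RULE_TIGHT='ipv4 filter FORWARD 0 -i tun+ -d 192.168.1.0/24 -p tcp --dport 3389 -j ACCEPT'

# rule_present RULE LISTING
# True when RULE is one whole line of LISTING (the output of
# `firewall-cmd [--permanent] --direct --get-all-rules`). -F/-x stop a
# prefix such as "ipv4 filter FORWARD 0 -i tun+" from matching.
rule_present() {
    printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# missing_commands RULE RUNTIME_LISTING PERMANENT_LISTING
# Prints only the firewall-cmd invocations still needed: a runtime add if the
# live firewall lacks RULE, a permanent add plus --reload if the saved config
# lacks it. Prints nothing when both already have it, so re-running is safe.
missing_commands() {
    rule=$1
    if ! rule_present "$rule" "$2"; then
        printf 'firewall-cmd --direct --add-rule %s\n' "$rule"
    fi
    if ! rule_present "$rule" "$3"; then
        printf 'firewall-cmd --permanent --direct --add-rule %s\n' "$rule"
        printf 'firewall-cmd --reload\n'
    fi
}

# On a host that actually runs firewalld, compare against the real listings:
#   sh this_script.sh --live
if [ "${1:-}" = "--live" ] && command -v firewall-cmd >/dev/null 2>&1; then
    missing_commands "$RULE_TIGHT" \
        "$(firewall-cmd --direct --get-all-rules)" \
        "$(firewall-cmd --permanent --direct --get-all-rules)"
fi
```

The comparison is against the rule line exactly as firewalld prints it, so the rule spec must be written in the same argument order as the listing; `--reload` is only emitted after a permanent add because a reload replaces the runtime rules with the saved ones.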
--On Friday, December 29, 2017 3:27 PM +0100 Gianluca Cecchi gianluca.cecchi@gmail.com wrote:
The "iptables like" rule will be added into the pre-built chain named FORWARD_direct. The 0 above means it is put at the top of the FORWARD_direct chain. In your example "3" appears, and it is not clear what lines 1 and 2 are.
Thanks. That looks right.
The "3" was for putting it in the main FORWARD chain before the call to FORWARD_direct. (A quick and dirty hack just to test if that was the rule I needed to make the VPN work.) "0" would be the correct argument for putting it as the first rule in the FORWARD_direct subchain.