Hello everybody.
Recently I moved the external interface to zone "external" on my home server/router, and something strange is happening. From my router (chamber, CentOS 7) everything is fine:
[root@chamber ~]# firewall-cmd --list-all
home (default, active)
  interfaces: enp3s0 tun0 virbr0
  sources:
  services: dhcp dhcpv6-client dns http https imaps ipp-client mdns nfs samba samba-client vnc-server
  ports: 143/tcp 26666/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

[root@chamber ~]# firewall-cmd --list-all --zone=external
external (active)
  interfaces: enp1s0
  sources:
  services:
  ports: 26666/tcp
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
[root@chamber ~]# nmap 10.0.49.14
Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-21 11:57 CEST
Nmap scan report for 10.0.49.14
Host is up (0.00045s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
MAC Address: 52:54:00:D6:6D:4A (QEMU Virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
But from a host in another location (connected through VPN):
moonwolf ~ nmap 10.0.49.14
Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 11:59 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.06 seconds

moonwolf ~ nmap 10.0.49.14 -Pn -p22

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 11:59 CEST
Nmap scan report for svn.karakkhaz.dwarfs (10.0.49.14)
Host is up (0.015s latency).
PORT   STATE    SERVICE
22/tcp filtered ssh

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

moonwolf ~ ping 10.0.49.14
PING 10.0.49.14 (10.0.49.14) 56(84) bytes of data.
64 bytes from 10.0.49.14: icmp_seq=1 ttl=62 time=9.45 ms
64 bytes from 10.0.49.14: icmp_seq=2 ttl=62 time=26.0 ms
^C
--- 10.0.49.14 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 9.459/17.754/26.050/8.296 ms
What could cause this behavior? Before the interface move, everything was working as expected.
On Thursday 21 of April 2016 9:08:09 AM Gordon Messmer wrote:
On 04/21/2016 03:11 AM, Marcin Trendota wrote:
But from host in another location (connected through VPN):
What host serves the VPN? If it's another host, how is that host connected to the router? If it's "chamber," what type of VPN is it?
It's OpenVPN on chamber.
I've just noticed that it's similar from home to the other location. To clarify: 10.0.49.0/26 is my home network, 10.0.32.0/22 is one of the VLANs at work ("the other location").
From chamber:
[root@chamber ~]# nmap 10.0.32.7
Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-21 22:12 CEST
Nmap scan report for 10.0.32.7
Host is up (0.053s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
389/tcp  open  ldap
443/tcp  open  https
993/tcp  open  imaps
995/tcp  open  pop3s
2049/tcp open  nfs
5666/tcp open  nrpe
Nmap done: 1 IP address (1 host up) scanned in 1.97 seconds
From another host in the home network:
[moonwolf@kazad ~]$ nmap 10.0.32.7
Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 22:12 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.03 seconds
When I move enp1s0 (the external interface) to the "home" zone, everything works fine.
My observations:
* When enp1s0 and tun0 (VPN interface) are both in the "external" zone, I'm able to scan ports of the work network from home. But not the opposite:

[root@palpatine ~]# nmap 10.0.49.16

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-21 22:26 CEST
Nmap scan report for 10.0.49.16
Host is up (0.039s latency).
All 1000 scanned ports on 10.0.49.16 are filtered

Nmap done: 1 IP address (1 host up) scanned in 9.60 seconds
* When enp1s0 is in the "external" zone (as the only interface) and tun0 is in the "home" zone, I can't scan ports at home or at work.
* When all interfaces are in the "home" zone, I can scan ports everywhere.
It's a bit chaotic, I know. Sorry about that.
On 04/21/2016 01:33 PM, Marcin Trendota wrote:
It's OpenVPN on chamber.
What port is it using? I don't see the standard port listed in your firewalld rules in either zone.
Also, you probably should specify tun+ instead of tun0, even if you think there will only be one tunnel up at any given time.
On Thursday 21 of April 2016 2:37:49 PM Gordon Messmer wrote:
On 04/21/2016 01:33 PM, Marcin Trendota wrote:
It's OpenVPN on chamber.
What port is it using? I don't see the standard port listed in your firewalld rules in either zone.
1194/udp. I added the openvpn service and port 1194/udp (just to be sure) to both zones - no change.
[root@chamber openvpn]# firewall-cmd --list-all
home (default, active)
  interfaces: enp3s0 tun0 vbr0 virbr0 vnet0 vnet1
  sources:
  services: dhcp dhcpv6-client dns http https imaps ipp-client mdns nfs openvpn samba samba-client vnc-server
  ports: 143/tcp 26666/tcp 1194/udp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

[root@chamber openvpn]# firewall-cmd --list-all --zone=external
external (active)
  interfaces: enp1s0
  sources:
  services: openvpn
  ports: 26666/tcp 1194/udp
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
Also, you probably should specify tun+ instead of tun0, even if you think there will only be one tunnel up at any given time.
Specify where?
Despite the fact that I can't scan their ports, I'm able to ping those hosts.
Maybe it's not firewalld related? I can scan ports from chamber (the home router). Maybe I'll try tcpdump to see what is going on with the packets?
Hi Marcin, please check the port number in your OpenVPN config file, then check whether your firewalld config allows that port or not.
On Fri, Apr 22, 2016 at 6:28 AM, Marcin Trendota moonwolf.rh@gmail.com wrote:
--
Over And Out
MoonWolf
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
On 04/21/2016 03:28 PM, Marcin Trendota wrote:
Also, you probably should specify tun+ instead of tun0, even if you think there will only be one tunnel up at any given time.
Specify where?
firewall-cmd --zone=home --add-interface=tun+
Beyond that, I can't really tell what firewalld is doing with forwarded traffic from the output you've given, just with the incoming traffic. It might be clearer to just post the output of "iptables -L -vn" somewhere, https://paste.fedoraproject.org/ maybe.
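The observations in the thread turn on which zone each interface lands in (whether enp1s0 and tun0 share a zone) and on Gordon's point that a literal "tun0" entry does not cover other tunnels while "tun+" does. The following Python is an added example, not code from the thread or from firewalld: it parses the "firewall-cmd --list-all" listing format posted above (sample listings reconstructed from the posts, home services shortened) and answers both questions; the '+' handling assumes firewalld's iptables-style trailing wildcard for interface names.

```python
"""Parse ``firewall-cmd --list-all --zone=<zone>`` output and report which zone
each interface is assigned to (added example, not code from the thread)."""
from typing import Any, Dict, List, Optional

# Constructed sample: the two zone listings posted in the thread, one field per
# line as firewall-cmd prints them (the home services list is shortened).
ZONE_OUTPUTS = [
    "home (default, active)\n  interfaces: enp3s0 tun0 virbr0\n  sources:\n"
    "  services: dhcp dns http https nfs samba\n  ports: 143/tcp 26666/tcp\n"
    "  masquerade: no\n  forward-ports:\n  icmp-blocks:\n  rich rules:\n",
    "external (active)\n  interfaces: enp1s0\n  sources:\n  services:\n"
    "  ports: 26666/tcp\n  masquerade: yes\n  forward-ports:\n  icmp-blocks:\n"
    "  rich rules:\n",
]

def parse_zone(text: str) -> Dict[str, Any]:
    """One zone listing -> dict: name, masquerade flag, and list-valued fields."""
    lines = text.strip().splitlines()
    zone: Dict[str, Any] = {"name": lines[0].split()[0]}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        if key == "masquerade":
            zone[key] = value.strip() == "yes"
        else:
            zone[key] = value.split()  # interfaces, services, ports, ...
    return zone

def iface_matches(pattern: str, iface: str) -> bool:
    """firewalld takes the iptables-style trailing '+' wildcard (assumed here):
    the 'tun+' entry Gordon suggests covers tun0, tun1, ... ; a literal 'tun0' does not."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface

def zone_of(zones: List[Dict[str, Any]], iface: str) -> Optional[str]:
    """Name of the zone whose interface list covers iface, or None if unbound."""
    for zone in zones:
        if any(iface_matches(p, iface) for p in zone["interfaces"]):
            return str(zone["name"])
    return None

def same_zone(zones: List[Dict[str, Any]], a: str, b: str) -> bool:
    """True only when both interfaces resolve to one zone, the layout in which
    the thread's scans worked; False if either is unbound or the zones differ."""
    za, zb = zone_of(zones, a), zone_of(zones, b)
    return za is not None and za == zb

ZONES = [parse_zone(out) for out in ZONE_OUTPUTS]
```

Running zone_of over the parsed listings shows enp1s0 in "external" and tun0 in "home", while a second tunnel such as tun1 matches no zone until the entry is changed to tun+.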