[CentOS] OpenVPN server and firewalld

Fri Dec 29 14:27:43 UTC 2017
Gianluca Cecchi <gianluca.cecchi at gmail.com>

On Fri, Dec 29, 2017 at 10:32 AM, Kenneth Porter <shiva at sewingwitch.com>
wrote:

> How do I insert the iptables rule below using firewalld?
>
> I'm moving up from CentOS 6 to 7 on an office gateway and I'm trying to
> get OpenVPN working to allow home workers to access PCs at the office. I've
> got it all working but only by manually inserting an ACCEPT rule in the
> FORWARD iptables chain:
>
> iptables -I FORWARD 3 -i tun+ -j ACCEPT
>
> This rule was extracted from my iptables firewall under CentOS6. The 3
> puts it after the accepts for established connections and loopback
> connections, but before any firewalld sub-chains. With this I can connect
> to an internal Windows 10 system with Remote Desktop.
>
> How can I inject this rule using firewalld, either as a direct rule or as
> some more firewalld-approved kind of rule?
>
>
Hello,
in case your need is not covered by the "--add-service" and/or the
"--add-port" you can still use a direct rule for it.

I think it should be something like this to test:
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT

Manual page and some examples with
man firewalld.direct

The "iptables-like" rule will be added into the pre-built chain named
FORWARD_direct.
The 0 above means it is put at the top of the FORWARD_direct chain. In your
example "3" appears and it is not clear what lines 1 and 2 are.
With iptables -L command you will see:

# iptables -v -L FORWARD_direct
Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  tun+   any     anywhere             anywhere
#

With firewall-cmd you can see with
# firewall-cmd --direct --get-all-rules
ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
#

If it works ok as expected, you can make it permanent with

firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT
firewall-cmd --reload

HIH digging into,
Gianluca
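The reply above tests the direct rule in the runtime configuration first and only then repeats it with --permanent. A rule that is present at runtime but missing from the permanent configuration silently disappears on the next --reload or reboot, so a small check for that drift is useful on a gateway like this one. The following script is an added example, not code from the thread or from firewalld; it assumes only the documented output format of `firewall-cmd --direct --get-all-rules` (`<family> <table> <chain> <priority> <args...>`), and the two sample outputs embedded in it are constructed.

```python
"""Flag firewalld direct rules that exist at runtime but not in the permanent config."""
import shlex
import subprocess
from typing import NamedTuple, Set


class DirectRule(NamedTuple):
    family: str      # ipv4 / ipv6 / eb
    table: str       # filter, nat, ...
    chain: str       # FORWARD, INPUT, ... (firewalld maps it to <chain>_direct)
    priority: int    # position within the *_direct chain, 0 = top
    args: tuple      # iptables-style arguments, e.g. ('-i', 'tun+', '-j', 'ACCEPT')


def parse_direct_rules(text: str) -> Set[DirectRule]:
    """Parse `firewall-cmd --direct --get-all-rules` output, one rule per line."""
    rules = set()
    for line in text.splitlines():
        fields = shlex.split(line)
        if len(fields) < 5:
            continue  # blank or malformed line, nothing to compare
        family, table, chain, prio, *args = fields
        rules.add(DirectRule(family, table, chain, int(prio), tuple(args)))
    return rules


def runtime_only(runtime_text: str, permanent_text: str) -> Set[DirectRule]:
    """Rules active now that will not survive `firewall-cmd --reload` or a reboot."""
    return parse_direct_rules(runtime_text) - parse_direct_rules(permanent_text)


def has_forward_accept_for(rules: Set[DirectRule], iface: str) -> bool:
    """True if an ipv4 filter FORWARD direct rule accepts traffic arriving on iface."""
    return any(r.family == "ipv4" and r.table == "filter" and r.chain == "FORWARD"
               and r.args == ("-i", iface, "-j", "ACCEPT") for r in rules)


def query_direct_rules(permanent: bool) -> str:
    """Run firewall-cmd for the runtime or the permanent direct rule set."""
    cmd = ["firewall-cmd"] + (["--permanent"] if permanent else []) + ["--direct", "--get-all-rules"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed sample outputs: the tun+ rule was added at runtime only.
SAMPLE_RUNTIME = ("ipv4 filter FORWARD 0 -i tun+ -j ACCEPT\n"
                  "ipv4 filter INPUT 0 -p udp --dport 1194 -j ACCEPT\n")
SAMPLE_PERMANENT = "ipv4 filter INPUT 0 -p udp --dport 1194 -j ACCEPT\n"

if __name__ == "__main__":
    for r in sorted(runtime_only(query_direct_rules(False), query_direct_rules(True))):
        print("runtime-only direct rule, lost on reload:", r.family, r.table, r.chain, r.priority, *r.args)
```

Run as root on the gateway to list rules that still need the --permanent step; the sample constants exercise the same logic offline.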