[CentOS] OpenVPN server and firewalld

Fri Dec 29 14:27:43 UTC 2017
Gianluca Cecchi <gianluca.cecchi at gmail.com>

On Fri, Dec 29, 2017 at 10:32 AM, Kenneth Porter <shiva at sewingwitch.com>

> How do I insert the iptables rule below using firewalld?
> I'm moving up from CentOS 6 to 7 on an office gateway and I'm trying to
> get OpenVPN working to allow home workers to access PCs at the office. I've
> got it all working but only by manually inserting an ACCEPT rule in the
> FORWARD iptables chain:
> iptables -I FORWARD 3 -i tun+ -j ACCEPT
> This rule was extracted from my iptables firewall under CentOS6. The 3
> puts it after the accepts for established connections and loopback
> connections, but before any firewalld sub-chains. With this I can connect
> to an internal Windows 10 system with Remote Desktop.
> How can I inject this rule using firewalld, either as a direct rule or as
> some more firewalld-approved kind of rule?
in case your need is not covered by the "--add-service" and/or the
"--add-port" you can still use a direct rule for it.

I think it should be something like this to test:
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun+ -j ACCEPT

Manual page and some examples with
man firewalld.direct

The "iptables like" rule will be added into the pre-built chain named
The 0 above means it is put at top of FORWARD_direct chain. In your example
appears "3" and it is not clear what are lines 1 and 2.
With iptables -L command you will see:

# iptables -v -L FORWARD_direct
Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source
    0     0 ACCEPT     all  --  tun+   any     anywhere

With firewall-cmd you can see with
# firewall-cmd --direct --get-all-rules
ipv4 filter FORWARD 0 -i tun+ -j ACCEPT

If it works ok as expected, you can make it permanent with

firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i tun+
firewall-cmd --reload

HIH digging into,