
I have the OpenVPN server. A client connecting to this server receives an internal IPv4 address (10.2.52.X) and an external IPv6 address. I need to perform masquerading (NAT) for IPv4, but I don't need to perform anything for IPv6 (maybe block incoming connections except selected ports).

Currently, if I systemctl stop firewalld, IPv6 connectivity works just fine: I can ping6 addresses or I can open connections to port 80 using telnet or a browser. But if I enable firewalld, then I can only ping6 addresses. Outgoing TCP connections seem to be blocked.

eth0 is my external interface, tun0 is my internal VPN interface. So far I assigned external/internal zones to the interfaces (this enabled masquerading for IPv4) and added the openvpn service to the external zone (to allow incoming UDP connections on port 1194).

# firewall-cmd --get-active-zones
internal
  interfaces: tun0
external
  interfaces: eth0

1 Answer


So it turns out that firewalld by default rejects anything in the FORWARD chain and I didn't find an easy way to alter that. I created a "direct" rule.

firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD_direct 0 -i tun0 -o eth0 -j ACCEPT

Now everything works as expected.
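As an added example (not from the question or the answer above), the script below builds the same kind of IPv6 direct rules for the FORWARD_direct chain, extends them to the question's "block incoming except selected ports" case, and checks the rules against the output of `firewall-cmd --direct --get-all-rules`. It assumes tun0 is the VPN interface and eth0 the external one; the explicit RELATED,ESTABLISHED rule and the final DROP are my additions, not something the answer used.

```sh
#!/bin/sh
# Added example: firewalld direct rules for the IPv6 side of an OpenVPN server.
# Assumptions: tun0 = VPN interface, eth0 = external interface, allowed inbound
# TCP ports are passed as arguments (e.g. 80 443).
VPN_IF=tun0
EXT_IF=eth0

# Print one rule per line in the form firewall-cmd expects after --add-rule:
#   <family> <table> <chain> <priority> <ip6tables arguments>
# Priority 0: VPN clients may go out, replies and selected ports may come in.
# Priority 10: everything else headed from eth0 into the VPN is dropped.
ovpn_v6_rules() {
  printf 'ipv6 filter FORWARD_direct 0 -i %s -o %s -j ACCEPT\n' "$VPN_IF" "$EXT_IF"
  printf 'ipv6 filter FORWARD_direct 0 -i %s -o %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$EXT_IF" "$VPN_IF"
  for port in "$@"; do
    printf 'ipv6 filter FORWARD_direct 0 -i %s -o %s -p tcp --dport %s -j ACCEPT\n' "$EXT_IF" "$VPN_IF" "$port"
  done
  printf 'ipv6 filter FORWARD_direct 10 -i %s -o %s -j DROP\n' "$EXT_IF" "$VPN_IF"
}

# Persist every rule, then reload so the runtime configuration matches.
apply_rules() {
  ovpn_v6_rules "$@" | while IFS= read -r rule; do
    # word splitting of $rule into separate arguments is intended here
    firewall-cmd --permanent --direct --add-rule $rule
  done
  firewall-cmd --reload
}

# Read the output of `firewall-cmd --direct --get-all-rules` on stdin and
# return 0 only if every expected rule is present verbatim, 1 otherwise.
rules_present() {
  active=$(cat)
  ovpn_v6_rules "$@" | while IFS= read -r rule; do
    printf '%s\n' "$active" | grep -qxF -- "$rule" || exit 1
  done
}

# Usage: ./ovpn-v6-fw.sh apply 80 443   |   ./ovpn-v6-fw.sh check 80 443
case "${1:-}" in
  apply) shift; apply_rules "$@" ;;
  check) shift; firewall-cmd --direct --get-all-rules | rules_present "$@" ;;
esac
```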
