Configuring firewalld for OpenVPN (server bridge) in Fedora 20

I have installed an OpenVPN server (server bridge) on Fedora 20 but cannot get it to work. I am almost certain it is a firewall problem.

I am trying to connect from an OS X client. Before configuring the bridge on the server I could connect (only to the VPN server itself, without access to anything), but as soon as I configured the bridge interface (using the script) I could no longer connect. I configured it as a server bridge following the HOW-TO "Fedora OpenVPN Ethernet Bridge".

The firewall configuration there is explained using iptables:

iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT

However, in Fedora 20 firewalld is installed by default, so could someone tell me the equivalent commands using firewall-cmd? I have read the firewalld guide, but it is not clear to me how to do it (I am a developer, not a system administrator).

I know I could install iptables, but I would like it to work with firewalld.

Update: after reading the firewall-cmd man page, I tried applying the previous commands with the --passthrough option, i.e.:

# firewall-cmd --permanent --direct --passthrough ipv4 -A INPUT -i tap0 -j ACCEPT
# firewall-cmd --permanent --direct --passthrough ipv4 -A INPUT -i br0 -j ACCEPT
# firewall-cmd --permanent --direct --passthrough ipv4 -A FORWARD -i br0 -j ACCEPT

The commands run successfully, but it does not work. I also tried eb instead of ipv4, with the same result.

The output of ifconfig looks like this:

br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.40  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::c9:aff:fe02:d953  prefixlen 64  scopeid 0x20<link>
        ether 02:c9:09:02:d9:53  txqueuelen 0  (Ethernet)
        RX packets 11276  bytes 1374285 (1.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 899  bytes 240110 (234.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500
        inet6 fe80::c9:afa:fe02:d953  prefixlen 64  scopeid 0x20<link>
        ether 03:c9:0a:02:d9:53  txqueuelen 1000  (Ethernet)
        RX packets 13548  bytes 1942379 (1.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1162  bytes 269258 (262.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 117  base 0xc000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 16436
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 6883  bytes 2061608 (1.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 6883  bytes 2061608 (1.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

p2p0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet6 fe80::9831:16ff:fe81:3658  prefixlen 64  scopeid 0x20<link>
        ether 9a:3b:16:84:36:58  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tap0: flags=4355<UP,BROADCAST,PROMISC,MULTICAST>  mtu 1500
        ether d6:6c:20:12:f3:b6  txqueuelen 100  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.41  netmask 255.255.255.0  broadcast 0.0.0.0
        inet6 fe80::9a5b:16ff:fe81:3658  prefixlen 64  scopeid 0x20<link>
        ether 98:3b:11:81:36:58  txqueuelen 1000  (Ethernet)
        RX packets 2643  bytes 230523 (225.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5512  bytes 1726039 (1.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Answer 1

Firewalld comes with a number of preconfigured services, which you can list with:

firewall-cmd --get-services

(configuration file: /usr/lib/firewalld/services/openvpn.xml)

If you see that openvpn is already an available service, you can enable it with:

firewall-cmd --add-service openvpn

Answer 2

The answer to my original question is:

# firewall-cmd --permanent --direct --passthrough ipv4 -A INPUT -i tap0 -j ACCEPT
# firewall-cmd --permanent --direct --passthrough ipv4 -A INPUT -i br0 -j ACCEPT
# firewall-cmd --permanent --direct --passthrough ipv4 -A FORWARD -i br0 -j ACCEPT

Then, if you run:

# firewall-cmd --permanent  --direct --get-all-passthroughs

you get this:

ipv4 -A INPUT -i tap0 -j ACCEPT
ipv4 -A INPUT -i br0 -j ACCEPT
ipv4 -A FORWARD -i br0 -j ACCEPT

But the problem remains: I cannot connect to the VPN server, so any ideas/clues are welcome.
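As an added example (not part of the question or either answer), here is a small POSIX shell helper that rewrites the three iptables rules from the question into firewalld's `--direct --add-rule` form and checks a captured rule listing for them. The listing it parses is constructed here to match the line format `firewall-cmd --permanent --direct --get-all-rules` prints (`ipv4 filter CHAIN PRIORITY args`); nothing is applied to a live firewall, the script only generates and verifies the commands.

```shell
#!/bin/sh
# Added example: translate "iptables -A <chain> <args>" lines into firewalld
# direct rules and verify a captured rule listing. Assumes the documented
# syntax: firewall-cmd --direct --add-rule ipv4 <table> <chain> <priority> <args>.

# Translate one iptables append rule into the equivalent firewall-cmd call
# (ipv4, filter table, priority 0). Only the -A form used in the question is
# handled; any other invocation is rejected with a non-zero status.
to_firewalld_rule() {
    # $1 = an iptables command line such as "iptables -A INPUT -i tap0 -j ACCEPT"
    set -- $1
    [ "$1" = "iptables" ] && [ "$2" = "-A" ] && [ $# -ge 4 ] || return 1
    chain=$3
    shift 3
    echo "firewall-cmd --permanent --direct --add-rule ipv4 filter $chain 0 $*"
}

# The rules the question needs, in --get-all-rules line format.
EXPECTED_RULES='ipv4 filter INPUT 0 -i tap0 -j ACCEPT
ipv4 filter INPUT 0 -i br0 -j ACCEPT
ipv4 filter FORWARD 0 -i br0 -j ACCEPT'

# Constructed sample of a --get-all-rules listing: the three rules above plus
# one unrelated rule, to show that extra lines do not disturb the check.
SAMPLE_RULES='ipv4 filter INPUT 0 -i tap0 -j ACCEPT
ipv4 filter INPUT 1 -p udp --dport 1194 -j ACCEPT
ipv4 filter INPUT 0 -i br0 -j ACCEPT
ipv4 filter FORWARD 0 -i br0 -j ACCEPT'

# Print how many of the expected rules ($2, one per line) are absent from the
# captured listing ($1). Matching is exact per line (grep -x -F), so a rule
# with a different priority or interface counts as missing.
count_missing() {
    listing=$1
    expected=$2
    n=0
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        printf '%s\n' "$listing" | grep -qxF -- "$rule" || n=$((n + 1))
    done <<EOF
$expected
EOF
    echo "$n"
}

# Demo: the three iptables lines from the question, translated.
for line in 'iptables -A INPUT -i tap0 -j ACCEPT' \
            'iptables -A INPUT -i br0 -j ACCEPT' \
            'iptables -A FORWARD -i br0 -j ACCEPT'; do
    to_firewalld_rule "$line"
done
echo "rules missing from sample listing: $(count_missing "$SAMPLE_RULES" "$EXPECTED_RULES")"
```

`--direct --add-rule` differs from the `--passthrough` form used above in that firewalld records the rule itself and lists it under `--get-all-rules`, which is what makes the check possible. Two things worth verifying when a bridge still fails after the rules are added: a rule added with `--permanent` only reaches the running firewall after `firewall-cmd --reload` (or when the same command is also run without `--permanent`), and frames forwarded across br0 only traverse the iptables FORWARD chain when `net.bridge.bridge-nf-call-iptables` is 1; when it is 0 they bypass iptables entirely, so the FORWARD rule is irrelevant either way.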
