Failing to open VPN ports with nftables

Issues related to configuring your network
user9452
Posts: 2
Joined: 2020/11/14 11:36:08

Failing to open VPN ports with nftables

Post by user9452 » 2020/12/09 11:04:21

Hi,

I'm currently using CentOS as a router. As I understand it, firewalld is not really meant for such use cases, so I disabled it and I'm using nftables instead. I have enabled IP forwarding and opened ports 22 for ssh, 53 for dns, 67 for dhcp, 111, 2049 and 3333 for nfs, and 51194 for wireguard.

nft list ruleset:
table ip filter {
    chain input {
        type filter hook input priority filter; policy accept;
        ct state { established, related } accept
        iif "lo" accept
        tcp dport 22 counter packets 0 bytes 0 log accept
        udp dport 51194 accept
        iif "ens1f1" tcp dport { 22, 53, 80, 111, 443, 445, 2049, 33333 } counter packets 0 bytes 0 log accept
        iif "ens1f1" udp dport { 53, 67, 68, 111, 2049, 33333, 51194 } accept
        iif "ens1f1" ip protocol icmp accept
        # everything not accepted above is counted and dropped
        counter packets 0 bytes 0 drop
    }

    chain output {
        type filter hook output priority filter; policy accept;
        ct state { established, related, new } accept
        # locally generated packets have no input interface; match loopback by oif here
        oif "lo" accept
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        iif "ens1f0" oif "ens1f1" ct state { established, related } accept
        iif "ens1f1" oif "ens1f0" accept
        iif "ens1f0" oif "ens1f1" counter packets 0 bytes 0 drop
    }

    chain postrouting {
        type filter hook postrouting priority filter; policy accept;
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        masquerade
    }
}

Here, ens1f0 = wan and ens1f1 = lan.

netstat -lu:
Proto Recv-Q Send-Q Local Address           Foreign Address
udp        0      0 0.0.0.0:domain          0.0.0.0:*
udp        0      0 0.0.0.0:bootps          0.0.0.0:*
udp        0      0 0.0.0.0:sunrpc          0.0.0.0:*
udp        0      0 localhost:323           0.0.0.0:*
udp        0      0 0.0.0.0:51194           0.0.0.0:*
udp6       0      0 [::]:domain             [::]:*
udp6       0      0 [::]:sunrpc             [::]:*
udp6       0      0 localhost:323           [::]:*
udp6       0      0 home.loca:dhcpv6-client [::]:*
udp6       0      0 [::]:51194              [::]:*

If I test the open ports with online testers, 51194 shows as closed, and I also can't access the VPN from a remote machine. What am I missing here? Why isn't "udp dport 51194 accept" in input doing what I think it should, i.e. opening port 51194? ssh works but the VPN doesn't; I can't even access the server.

This is my first time with both CentOS and nftables, so I might be missing something trivial.

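Two points a practitioner would check before touching the rules. First, WireGuard never answers a packet that does not carry a valid, authenticated handshake, so an online UDP port tester will report 51194 as closed even when the firewall is passing the traffic; the only meaningful checks are the rule counter, a packet capture on the WAN interface, and "wg show" (latest handshake). Second, the ruleset in the post is IPv4-only (table ip filter), uses the default policy accept with a trailing drop, and matches interfaces with iif, which is resolved to an interface index when the rules are loaded and stops matching if the interface is recreated. The ruleset below is an added example written for the same router, not the poster's configuration: it uses the inet family so IPv4 and IPv6 are filtered by the same rules, a policy drop with explicit accepts, iifname instead of iif, and a counter on the WireGuard rule. Interface names ens1f0/ens1f1 and the port numbers are taken from the post; the WireGuard interface name wg0 in the commented forward rule is an assumption.

```nft
#!/usr/sbin/nft -f
# Added example router ruleset (not the poster's config).
# Assumptions: ens1f0 = WAN, ens1f1 = LAN (from the post); WireGuard
# interface name wg0 is assumed. Load with: nft -f /etc/nftables/router.nft

flush ruleset

define WAN = "ens1f0"
define LAN = "ens1f1"
define WG_PORT = 51194

table inet filter {
    chain input {
        # default drop: anything not explicitly accepted below is logged and dropped
        type filter hook input priority filter; policy drop;

        ct state invalid drop
        ct state { established, related } accept
        iifname "lo" accept

        # ICMP/ICMPv6 are required for path MTU discovery and IPv6 neighbour discovery
        meta l4proto { icmp, ipv6-icmp } accept

        # Services reachable from the WAN: ssh and the WireGuard listener.
        # The counter is the check: if it stays at 0 while a peer is trying to
        # connect, the packets are not reaching the input hook at all.
        # WireGuard will not reply to unauthenticated probes, so a remote port
        # scan still shows this port as closed even when this rule matches.
        iifname $WAN tcp dport 22 accept
        iifname $WAN udp dport $WG_PORT counter accept

        # LAN-only services (same ports as the posted ruleset)
        iifname $LAN tcp dport { 22, 53, 80, 111, 443, 445, 2049, 33333 } accept
        iifname $LAN udp dport { 53, 67, 111, 2049, 33333, $WG_PORT } accept

        counter log prefix "nft-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state invalid drop
        ct state { established, related } accept
        # LAN clients out to the WAN; replies return via the established/related rule
        iifname $LAN oifname $WAN accept
        # Assumed: uncomment so VPN peers can reach the LAN through the router
        # iifname "wg0" oifname $LAN accept
        counter log prefix "nft-forward-drop: " drop
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

# NAT stays in the ip family: masquerade LAN (and VPN) traffic leaving the WAN
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Check the syntax without loading it with "nft -c -f /etc/nftables/router.nft", then load it with "nft -f". To verify the VPN path, have a peer attempt a handshake and watch the counter with "nft list chain inet filter input"; if it does not move, run "tcpdump -ni ens1f0 udp port 51194" to see whether the packets arrive on the wire at all (if they do not, the problem is upstream of this host: the peer's Endpoint, an upstream NAT, or the provider). A successful handshake shows up in "wg show" as a recent "latest handshake". Without the commented forward rule, a connected peer can reach the router itself but nothing on the LAN behind it.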

Return to “CentOS 8 - Networking Support”