firewalld does not block IPs which were banned by fail2ban on port 443 (the VPN port of openVPN), but does block IPs on other ports (e.g. works fine on the port for the webinterface, or SSH). I tried to find the problem via firewall-cmd and nft, but I really don't see it. Can anybody point me in the right direction?
this my output of firewalld:
XXX_OFFENDING_IP_XXX is my own IP from which I can test
IPtables is
Code: Select all
sudo iptables -L INPUT --line-numbers
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 AS0_ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
2 AS0_ACCEPT all -- anywhere anywhere
3 AS0_IN_PRE all -- anywhere anywhere mark match 0x2000000/0x2000000
4 AS0_ACCEPT tcp -- anywhere XX_FQDN_XX state NEW tcp dpt:915
5 AS0_ACCEPT tcp -- anywhere XX_FQDN_XX state NEW tcp dpt:914
6 AS0_ACCEPT udp -- anywhere XX_FQDN_XX state NEW udp dpt:917
7 AS0_ACCEPT udp -- anywhere XX_FQDN_XX state NEW udp dpt:916
8 AS0_WEBACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
9 AS0_WEBACCEPT tcp -- anywhere anywhere state NEW tcp dpt:34254
I have configured firewalld for openVPN with:
Code: Select all
sudo firewall-cmd --zone=public --add-port=34254/tcp --permanent
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
sudo firewall-cmd --zone=public --add-port=443/udp --permanent
sudo firewall-cmd --zone=public --add-service openvpn --permanent
sudo firewall-cmd --zone=public --add-masquerade --permanent
reboot
Code: Select all
firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: openvpn
ports: 42913/tcp 34254/tcp 443/tcp 443/udp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="XXX_OFFENDING_IP_XXX" port port="34254" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="XXX_OFFENDING_IP_XXX" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="some-other-ip" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="some-other-ip" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="some-other-ip" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="some-other-ip" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="some-other-ip" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="some-other-ip" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="some-other-ip" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="some-other-ip" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
rule family="ipv4" source address="some-other-ip" port port="443" protocol="tcp" reject type="icmp-port-unreachable"
Code: Select all
nft list table inet firewalld | grep 34254
ip saddr XXX_OFFENDING_IP_XXX tcp dport 34254 ct state { new, untracked } reject
tcp dport 34254 ct state { new, untracked } accept
1) port 443 (port of the VPN server): this does NOT work:
Code: Select all
nft list table inet firewalld | grep 443
ip saddr XXX_OFFENDING_IP_XXX tcp dport 443 ct state { new, untracked } reject
ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
tcp dport 443 ct state { new, untracked } accept
Code: Select all
table inet firewalld {
chain raw_PREROUTING {
type filter hook prerouting priority raw + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . iif oif missing drop
jump raw_PREROUTING_ZONES_SOURCE
jump raw_PREROUTING_ZONES
}
chain raw_PREROUTING_ZONES_SOURCE {
}
chain raw_PREROUTING_ZONES {
iifname "eth0" goto raw_PRE_public
goto raw_PRE_public
}
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES_SOURCE
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_ZONES_SOURCE {
}
chain mangle_PREROUTING_ZONES {
iifname "eth0" goto mangle_PRE_public
goto mangle_PRE_public
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
jump filter_INPUT_ZONES_SOURCE
jump filter_INPUT_ZONES
ct state { invalid } drop
reject with icmpx type admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ip6 daddr { IPv6.... } reject with icmpv6 type addr-unreachable
jump filter_FORWARD_IN_ZONES_SOURCE
jump filter_FORWARD_IN_ZONES
jump filter_FORWARD_OUT_ZONES_SOURCE
jump filter_FORWARD_OUT_ZONES
ct state { invalid } drop
reject with icmpx type admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
oifname "lo" accept
ip6 daddr { IPv6.... } reject with icmpv6 type addr-unreachable
}
chain filter_INPUT_ZONES_SOURCE {
}
chain filter_INPUT_ZONES {
iifname "eth0" goto filter_IN_public
goto filter_IN_public
}
chain filter_FORWARD_IN_ZONES_SOURCE {
}
chain filter_FORWARD_IN_ZONES {
iifname "eth0" goto filter_FWDI_public
goto filter_FWDI_public
}
chain filter_FORWARD_OUT_ZONES_SOURCE {
}
chain filter_FORWARD_OUT_ZONES {
oifname "eth0" goto filter_FWDO_public
goto filter_FWDO_public
}
chain raw_PRE_public {
jump raw_PRE_public_pre
jump raw_PRE_public_log
jump raw_PRE_public_deny
jump raw_PRE_public_allow
jump raw_PRE_public_post
}
chain raw_PRE_public_pre {
}
chain raw_PRE_public_log {
}
chain raw_PRE_public_deny {
}
chain raw_PRE_public_allow {
}
chain raw_PRE_public_post {
}
chain filter_IN_public {
jump filter_IN_public_pre
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
jump filter_IN_public_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_IN_public_pre {
}
chain filter_IN_public_log {
}
chain filter_IN_public_deny {
ip saddr XXX_OFFENDING_IP_XXX tcp dport 34254 ct state { new, untracked } reject
ip saddr XXX_OFFENDING_IP_XXX tcp dport 443 ct state { new, untracked } reject
ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
ip saddr some-other-ip tcp dport 443 ct state { new, untracked } reject
}
chain filter_IN_public_allow {
udp dport 1194 ct state { new, untracked } accept
tcp dport 42913 ct state { new, untracked } accept
tcp dport 34254 ct state { new, untracked } accept
tcp dport 443 ct state { new, untracked } accept
}
chain filter_IN_public_post {
}
chain filter_FWDO_public {
jump filter_FWDO_public_pre
jump filter_FWDO_public_log
jump filter_FWDO_public_deny
jump filter_FWDO_public_allow
jump filter_FWDO_public_post
}
chain filter_FWDO_public_pre {
}
chain filter_FWDO_public_log {
}
chain filter_FWDO_public_deny {
}
chain filter_FWDO_public_allow {
ct state { new, untracked } accept
}
chain filter_FWDO_public_post {
}
chain filter_FWDI_public {
jump filter_FWDI_public_pre
jump filter_FWDI_public_log
jump filter_FWDI_public_deny
jump filter_FWDI_public_allow
jump filter_FWDI_public_post
meta l4proto { icmp, ipv6-icmp } accept
}
chain filter_FWDI_public_pre {
}
chain filter_FWDI_public_log {
}
chain filter_FWDI_public_deny {
}
chain filter_FWDI_public_allow {
}
chain filter_FWDI_public_post {
}
chain mangle_PRE_public {
jump mangle_PRE_public_pre
jump mangle_PRE_public_log
jump mangle_PRE_public_deny
jump mangle_PRE_public_allow
jump mangle_PRE_public_post
}
chain mangle_PRE_public_pre {
}
chain mangle_PRE_public_log {
}
chain mangle_PRE_public_deny {
}
chain mangle_PRE_public_allow {
}
chain mangle_PRE_public_post {
}
}