From 4c5195a2507c054126fab76c131a054cd09ebdb5 Mon Sep 17 00:00:00 2001 From: randomshell <43271778+randomshell@users.noreply.github.com> Date: Fri, 1 May 2020 22:12:31 +0000 Subject: [PATCH] Reload firewalld to read the new configuration We need to reload firewalld after defining the new openvpn service to read the new configuration. I deleted the non permanent rules because we reload firewalld and so the permanent ones are used. --- openvpn-install.sh | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/openvpn-install.sh b/openvpn-install.sh index 7fbc68a..b8b9122 100644 --- a/openvpn-install.sh +++ b/openvpn-install.sh @@ -327,25 +327,20 @@ crl-verify crl.pem" >> /etc/openvpn/server/server.conf echo 1 > /proc/sys/net/ipv6/conf/all/forwarding fi if systemctl is-active --quiet firewalld.service; then - # Using both permanent and not permanent rules to avoid a firewalld - # reload. # We define a new openvpn service so we can use our port and protocol cp /usr/lib/firewalld/services/openvpn.xml /etc/firewalld/services sed -i "s|udp|${protocol}|" /etc/firewalld/services/openvpn.xml sed -i "s|1194|${port}|" /etc/firewalld/services/openvpn.xml - firewall-cmd --add-service=openvpn - firewall-cmd --zone=trusted --add-source=10.8.0.0/24 firewall-cmd --permanent --add-service=openvpn firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24 # Set NAT for the VPN subnet - firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip" firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip" if [[ -n "$ip6" ]]; then - firewall-cmd --zone=trusted --add-source=fddd:1194:1194:1194::/64 firewall-cmd --permanent --zone=trusted --add-source=fddd:1194:1194:1194::/64 - firewall-cmd --direct --add-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6" firewall-cmd --permanent --direct --add-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6" fi + # Reload firewalld + firewall-cmd --reload else # Create a service to set up persistent iptables rules iptables_path=$(command -v iptables) @@ -500,22 +495,17 @@ else protocol=$(grep '^proto ' /etc/openvpn/server/server.conf | cut -d " " -f 2) if systemctl is-active --quiet firewalld.service; then ip=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24' | grep -oE '[^ ]+$') - # Using both permanent and not permanent rules to avoid a firewalld reload. - firewall-cmd --remove-service=openvpn - firewall-cmd --zone=trusted --remove-source=10.8.0.0/24 firewall-cmd --permanent --remove-service=openvpn firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24 - firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip" firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to "$ip" if grep -qs "server-ipv6" /etc/openvpn/server/server.conf; then ip6=$(firewall-cmd --direct --get-rules ipv6 nat POSTROUTING | grep '\-s fddd:1194:1194:1194::/64 '"'"'!'"'"' -d fddd:1194:1194:1194::/64' | grep -oE '[^ ]+$') - firewall-cmd --zone=trusted --remove-source=fddd:1194:1194:1194::/64 firewall-cmd --permanent --zone=trusted --remove-source=fddd:1194:1194:1194::/64 - firewall-cmd --direct --remove-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6" firewall-cmd --permanent --direct --remove-rule ipv6 nat POSTROUTING 0 -s fddd:1194:1194:1194::/64 ! -d fddd:1194:1194:1194::/64 -j SNAT --to "$ip6" fi - # Remove the defined openvpn service + # Remove the defined openvpn service and reload firewalld rm /etc/firewalld/services/openvpn.xml + firewall-cmd --reload else systemctl disable --now openvpn-iptables.service rm -f /etc/systemd/system/openvpn-iptables.service