Firewall configuration for VPN connection

I have recently added a second Allstar/Echolink node. Because Echolink only allows 1 connection per public IP address I have utilized a 44net tunnel for the second node. This is working very well, however since it bypasses my home router/firewall rules the node is wide open to the internet. Obviously that’s not okay. I would like to restrict internet access to the node to only the ports required for Allstar and Echolink.

I’ve been studying the firewalld manuals but I’m not clear on how to lock down the specific interface to only a few TCP and UDP ports. It looks like I need to create a new “zone” which contains the wg0 interface but I’m getting lost after that. Is there a better or easier way to accomplish this? Linux is fairly new to me and I’m struggling to wrap my head around this.

Here is the output from `ip addr`:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether b8:27:eb:d1:34:2d brd ff:ff:ff:ff:ff:ff
inet 192.168.1.39/24 brd 192.168.1.255 scope global dynamic noprefixroute eth0
valid_lft 29638sec preferred_lft 29638sec
inet6 fe80::9374:bc0e:13a9:f561/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether b8:27:eb:84:61:78 brd ff:ff:ff:ff:ff:ff
4: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1380 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 44.27.xxx.xxx/32 scope global wg0
valid_lft forever preferred_lft forever

(last two octets of public address redacted until I sort this out).

The bottom line is that I want to keep local access as it is but lock down the public 44.27….. address. Am I overthinking this? Is there a better approach?

Any suggestions from those more familiar with this situation would be greatly appreciated!

David

Is this an ASL3 appliance using Cockpit + Firewalld? If so, use Cockpit to manage the rules.

Unless you've done something very specific with iptables/nftables directly, the firewall rules aren't going to be interface-specific. So applying normal IP and port rules with a default deny will protect wireguard just as the hardware interfaces.

The current advice from ARDC is to protect each device on the 44 address. ASL3's firewall is very good and I have not had any attempts show up as attempted logins.

The concern I have is that simply entering the public IP address into a browser takes you directly to the default AllstarLink main page for the node.

I would not allow that for any of the systems behind my home firewall and would certainly prefer not to have it available for this node, given that the only reason it's on a WireGuard tunnel is to give me a public IP address to run my second Echolink node.

I don't think it would work to use Cockpit to lock it down, as that would prevent me from using the management tools from my own LAN, if in fact the built-in firewall cannot be made interface-specific.

I will continue to research the subject and if I find a reasonable solution will post it here in case someone else has a similar use case.

David

That's pretty straightforward in Cockpit. Do Add new zone from Networking -> Firewall. In the modal, choose Public and attach it to the interface wg0. Scroll down in the main interface to "Public Zone" and delete the auto-added services of ssh, dhcpv6-client, and cockpit. Then do Add Services and add echolink and iax2.
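The same lock-down expressed as firewall-cmd commands, as an added example that is not part of the thread or of the ASL3 project. It assumes a fresh zone named `wg44` (an assumption; the Cockpit steps above reuse the "public" template) so that whatever zone `eth0` already sits in, with ssh and cockpit, is left untouched. The service names `echolink` and `iax2` are the ones the answer uses and must exist on the box (`firewall-cmd --get-services`); if they don't, the script falls back to the raw ports (EchoLink: UDP 5198-5199 and TCP 5200; IAX2: UDP 4569). Run without arguments it only prints the plan; `apply` executes it.

```shell
#!/bin/sh
# Added example (not from the thread): lock wg0 down to EchoLink + IAX2 only,
# with firewall-cmd instead of Cockpit. Zone name is an assumption.
set -eu

WG_IF="wg0"                 # from the `ip addr` output in the thread
WG_ZONE="wg44"              # assumed: a new zone, so eth0's zone keeps ssh/cockpit
WG_SERVICES="echolink iax2" # service names from the Cockpit answer

# Fallback ports if firewalld on this box has no service file for the name.
# EchoLink: UDP 5198-5199 + TCP 5200; IAX2 (AllStar): UDP 4569.
service_ports() {
  case "$1" in
    echolink) echo "5198-5199/udp 5200/tcp" ;;
    iax2)     echo "4569/udp" ;;
    *)        return 1 ;;
  esac
}

# Print the firewall-cmd sequence. $1 = space-separated list of service names
# firewalld already knows (normally `firewall-cmd --get-services`); it is passed
# in so the planner can run offline.
plan_wg_zone() {
  known="$1"
  echo "firewall-cmd --permanent --new-zone=$WG_ZONE"
  # DROP target: anything not explicitly allowed below is silently discarded.
  # The WireGuard handshake itself arrives on eth0, not wg0, so it is unaffected.
  echo "firewall-cmd --permanent --zone=$WG_ZONE --set-target=DROP"
  # Binding wg0 here removes it from the zone it was auto-assigned to (the
  # default zone, which is the one that exposed the web page to the 44 address).
  echo "firewall-cmd --permanent --zone=$WG_ZONE --change-interface=$WG_IF"
  for svc in $WG_SERVICES; do
    case " $known " in
      *" $svc "*)
        echo "firewall-cmd --permanent --zone=$WG_ZONE --add-service=$svc" ;;
      *)
        for p in $(service_ports "$svc"); do
          echo "firewall-cmd --permanent --zone=$WG_ZONE --add-port=$p"
        done ;;
    esac
  done
  echo "firewall-cmd --reload"
}

# Checks to run afterwards (printed, not executed).
verify_cmds() {
  echo "firewall-cmd --get-active-zones          # wg0 listed under $WG_ZONE only"
  echo "firewall-cmd --zone=$WG_ZONE --list-all   # no ssh/cockpit/http here"
  echo "firewall-cmd --get-zone-of-interface=eth0 # LAN zone unchanged"
}

# Usage: ./wg44-zone.sh        -> print the plan and the checks
#        ./wg44-zone.sh apply  -> execute it (needs root and a running firewalld)
if [ "${1:-}" = "apply" ]; then
  plan_wg_zone "$(firewall-cmd --get-services)" | sh -e
else
  plan_wg_zone "${KNOWN_SERVICES:-}"
  verify_cmds
fi
```

After applying, confirm from outside the LAN that the 44.27 address no longer answers on port 80 while an EchoLink connection still works. One caveat: if NetworkManager manages `wg0`, it can re-apply its own zone setting on the connection and override `--change-interface`; in that case set the zone on the connection instead (`nmcli connection modify <wg-connection> connection.zone wg44`, then bring it down and up).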

Yes, yes, that's exactly the information I needed.

I didn’t realize that could be accomplished with Cockpit!

Thank You so much! I just tried it and it worked perfectly.

Looks like I need to study the manual some more.

David
