SuSEfirewall2 setup

Hello,
I have a machine with an openvpn server running, and I am trying to change the firewall rules for the vpn hosts. I want the hosts to be able to reply to requests from the internal network, but not to initiate the communication themselves. I have it almost done; the only problem left is that the devices are able to initiate communication with the vpn server itself, on its tun2 interface. I am quite new to iptables/SuSEfirewall2, so I would be very grateful for any comments.

The vpn network I am working with is 192.168.32.0/24 on tun2, there are also some others, but they are not part of this problem. The internal network range, which should have access to the vpn hosts, is 192.168.0.0/19 (subnets 192.168.0.X - 192.168.31.X).

My SuSEfirewall2 config file:
FW_DEV_EXT="tun0 tun1 tun2 tap0"
FW_DEV_INT="ens33"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="tun0 tun1 tun2 tap0"
FW_MASQ_NETS="0/0"
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS="192.168.31.0/24 192.168.106.0/24 192.168.30.0/24 192.168.0.0/16"
FW_FORWARD="192.168.0.0/16,192.168.31.0/24 192.168.31.0/24,192.168.0.0/16 192.168.0.0/16,192.168.30.0/24 192.168.30.0/24,192.168.0.0/16 192.168.106.0/24,192.168.0.0/16 192.168.0.0/16,192.168.106.0/24 192.168.0.0/16,192.168.32.0/24"
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY=""
FW_STOP_KEEP_ROUTING_STATE=""
FW_ALLOW_PING_FW=""
FW_ALLOW_PING_DMZ=""
FW_ALLOW_PING_EXT=""
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT=""
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_ZONE_DEFAULT=''
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""
FW_WRITE_STATUS=""
FW_RUNTIME_OVERRIDE=""
FW_LO_NOTRACK=""
FW_BOOT_FULL_INIT=""

Thanks
Petr
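Added example (editor's code, not from Petr's post and not part of SuSEfirewall2): a small Python script that parses the FW_TRUSTED_NETS and FW_FORWARD values from the config quoted above and reports which entries contain the tun2 network 192.168.32.0/24 as a source. It assumes the SuSEfirewall2 semantics that a network listed in FW_TRUSTED_NETS is given full access to the firewall host itself, and that an FW_FORWARD entry of the form src,dst[,proto[,port]] permits new connections from src to dst with replies handled by connection tracking. The INTERNAL_NET what-if uses the 192.168.0.0/19 range the post names as the internal network; it is a check, not a recommended final config.

```python
import ipaddress
import json

# Values copied from the SuSEfirewall2 config quoted in the post above.
FW_TRUSTED_NETS = "192.168.31.0/24 192.168.106.0/24 192.168.30.0/24 192.168.0.0/16"
FW_FORWARD = (
    "192.168.0.0/16,192.168.31.0/24 192.168.31.0/24,192.168.0.0/16 "
    "192.168.0.0/16,192.168.30.0/24 192.168.30.0/24,192.168.0.0/16 "
    "192.168.106.0/24,192.168.0.0/16 192.168.0.0/16,192.168.106.0/24 "
    "192.168.0.0/16,192.168.32.0/24"
)

VPN_NET = "192.168.32.0/24"      # the tun2 network named in the post
INTERNAL_NET = "192.168.0.0/19"  # the internal range named in the post (what-if only)


def parse_nets(value):
    """FW_TRUSTED_NETS is a space-separated list of networks (single hosts are /32)."""
    return [ipaddress.ip_network(n, strict=False) for n in value.split()]


def parse_forward(value):
    """FW_FORWARD entries are src,dst[,proto[,port]] separated by spaces."""
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        src = ipaddress.ip_network(fields[0], strict=False)
        dst = ipaddress.ip_network(fields[1], strict=False)
        proto = fields[2] if len(fields) > 2 else "any"
        port = fields[3] if len(fields) > 3 else "any"
        rules.append((src, dst, proto, port))
    return rules


def trusted_entries_covering(net, trusted_value=FW_TRUSTED_NETS):
    """Trusted entries whose range contains every address of `net`.

    Under the assumed semantics a trusted net gets full access to the
    firewall host, so any entry returned here lets hosts in `net` open
    connections to the VPN server itself.
    """
    net = ipaddress.ip_network(net, strict=False)
    return [str(t) for t in parse_nets(trusted_value) if net.subnet_of(t)]


def forward_rules_with_source(net, forward_value=FW_FORWARD):
    """FW_FORWARD entries whose source range contains `net`.

    These are the rules that let hosts in `net` open *forwarded* connections;
    rules where `net` is only the destination do not grant that.
    """
    net = ipaddress.ip_network(net, strict=False)
    return [(str(s), str(d)) for s, d, _p, _port in parse_forward(forward_value)
            if net.subnet_of(s)]


def report(net=VPN_NET):
    """Summarise which config entries give `net` initiating rights."""
    return {
        "trusted_host_access": trusted_entries_covering(net),
        "forward_as_source": forward_rules_with_source(net),
    }


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
    # What-if: would trusting only the /19 still cover the tun2 network?
    print("trusted by /19 what-if:", trusted_entries_covering(VPN_NET, INTERNAL_NET))
```

Run against the quoted values, the report shows that 192.168.0.0/16 in FW_TRUSTED_NETS contains 192.168.32.0/24, and that the four FW_FORWARD entries with 192.168.0.0/16 as their source also contain it; the /19 what-if returns an empty list, because 192.168.0.0/19 ends at 192.168.31.255. The script only reads the configuration text, so it can be run on any copy of the file without touching the live firewall.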

I'm unclear which machines you refer to as “hosts.”
All machines can be referred to as a “host.”
Do you mean the VPN clients?
Specific machines providing network resources over your VPN?
Something else?

It does look like you’ve implemented the VPN connection as its own network and configured forwarding so that your openVPN network can communicate with your internal network.

If (I’m guessing) the “hosts” are VPN clients and you want to permit only sessions initiated from within your internal network to VPN clients, it might be useful to describe an actual solution you want to achieve. If this is what you’re trying to set up, it’s probably a bit unusual (but workable) because ordinarily your trusted network resources are located in your private network, not on remote, possibly unmanaged devices.

TSU

I am sorry for the unclear description.

There is a group of computers/routers outside of our network (I’ll refer to them as vpn hosts). I would like them to connect to the vpn server and create a vpn tunnel, which I can then use to communicate with them. This is because the vpn hosts are often behind firewalls, and the only way I can access them is if they initiate the communication (i.e. connect to our vpn server).
On the other hand, the vpn hosts are potentially dangerous, as I do not have control over them. So the only allowed communication initiated from their side is to connect to the vpn server. After that they should only be replying to requests from my internal network.
http://psi.cz/ftp/Ent/net_graph2.png

It does look like you’ve implemented the VPN connection as its own network and configured forwarding so that your openVPN network can communicate with your internal network.

Yes, this is correct. The vpn hosts have their own subnet (192.168.32.0/24). I would like to use the vpn server’s firewall to set up the permissions described above.