LinuxQuestions.org

Thread: https://www.linuxquestions.org/questions/centos-111/firewalld-allowing-traffic-between-main-interface-and-openvpn-tun0-4175678304/

williamk7 07-07-2020 01:46 PM

Firewalld allowing traffic between main interface and OpenVPN tun0
 
Hi,

New to firewalld and CentOS. Firewalld is blocking traffic between the OpenVPN tunnel and my main network. In the logs I see:
Code:

[335548.930116] FINAL_REJECT: IN=enp3s0 OUT=tun0 SRC=192.168.113.5 DST=172.16.200.11 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=48188 DF PROTO=TCP SPT=53044 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

So I added a rich rule to allow traffic between 192.168.113.5 and 172.16.200.11:
Code:

firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=192.168.113.5/32 destination address=172.16.200.11/32 port port=80 protocol=tcp accept'

But it is still being blocked. My firewalld status looks like this:
Code:

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0 tun0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.113.5/32" destination address="172.16.200.11/32" port port="80" protocol="tcp" accept

What am I doing wrong?

ferrari 07-07-2020 03:54 PM

Do you have forwarding enabled?
Code:

echo 1 > /proc/sys/net/ipv4/ip_forward

williamk7 07-08-2020 04:02 PM

Yes, forwarding is enabled.

ferrari 07-08-2020 04:44 PM

Perhaps share
Code:

iptables -S

williamk7 07-08-2020 06:22 PM

Code:

# iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

ferrari 07-08-2020 09:06 PM

No active firewall?

williamk7 07-09-2020 10:21 AM

Yes, it is CentOS, so it uses firewalld/nftables instead of iptables. So I think the equivalent of iptables -S is:
Code:

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0 tun0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.113.5/32" destination address="172.16.200.11/32" port port="80" protocol="tcp" accept

ferrari 07-09-2020 03:36 PM

No, that is not the equivalent. It merely shows the firewalld config.
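The thread ends without resolving two points that the logged line itself answers. First, the log shows both IN=enp3s0 and OUT=tun0, which means the packet was being routed between interfaces and was rejected on the FORWARD path; a zone rich rule with an accept action only affects traffic addressed to the host (the INPUT path), so it can never match this packet. Second, on a CentOS 8 host firewalld uses its nftables backend, so the live ruleset is shown by `nft list ruleset`, not by `iptables -S` (which is why that output looked empty) and not by `firewall-cmd --list-all` (which shows configuration, not rules). The script below is an added example, not code from the thread: it classifies a FINAL_REJECT log line by chain and prints the firewall-cmd invocations that would permit that flow. The sample log line is copied from the first post; the function names `field`, `chain` and `suggest` are this example's own, and it only prints commands, it does not modify the firewall. The direct-rule form it emits works on any firewalld with `--direct`; on firewalld 0.9 and later (not the 0.8 series on CentOS 8) `firewall-cmd --permanent --zone=public --add-forward` is the supported way to allow forwarding between interfaces of the same zone.

```shell
#!/bin/sh
# Added example (not from the thread): classify a firewalld FINAL_REJECT log
# line by netfilter chain and print the firewall-cmd invocations that would
# permit that flow. Function names are this example's own.

# Constructed sample input: the rejected SYN quoted in the first post.
SAMPLE_LOG='[335548.930116] FINAL_REJECT: IN=enp3s0 OUT=tun0 SRC=192.168.113.5 DST=172.16.200.11 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=48188 DF PROTO=TCP SPT=53044 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0'

# field KEY LINE: value of the KEY=value token in LINE (empty if absent or empty).
field() {
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

# chain LINE: which netfilter chain rejected the packet. The kernel log format
# sets IN= for packets arriving on an interface and OUT= for packets leaving
# one; both set means the packet was being forwarded, not delivered locally.
chain() {
    in_if=$(field IN "$1")
    out_if=$(field OUT "$1")
    if [ -n "$in_if" ] && [ -n "$out_if" ]; then
        echo FORWARD
    elif [ -n "$in_if" ]; then
        echo INPUT
    elif [ -n "$out_if" ]; then
        echo OUTPUT
    else
        echo UNKNOWN
    fi
}

# suggest LINE: print the firewall-cmd command(s) that match the rejected flow.
suggest() {
    line=$1
    src=$(field SRC "$line")
    dst=$(field DST "$line")
    proto=$(field PROTO "$line" | tr '[:upper:]' '[:lower:]')
    dport=$(field DPT "$line")
    in_if=$(field IN "$line")
    out_if=$(field OUT "$line")
    case $(chain "$line") in
    FORWARD)
        # Zone rich rules are evaluated only for traffic addressed to the host.
        # A packet routed from one interface to another traverses FORWARD, so
        # the rule has to live there. Direct rules go into FORWARD_direct,
        # which firewalld evaluates before its zone chains.
        printf "firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i %s -o %s -s %s -d %s -p %s --dport %s -j ACCEPT\n" \
            "$in_if" "$out_if" "$src" "$dst" "$proto" "$dport"
        # Reply packets are accepted by firewalld's own RELATED,ESTABLISHED
        # rule at the top of FORWARD, so no reverse rule is needed.
        printf "firewall-cmd --reload\n"
        ;;
    INPUT)
        # Traffic to the host itself is exactly what a zone rich rule is for.
        printf "firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=%s destination address=%s port port=%s protocol=%s accept'\n" \
            "$src" "$dst" "$dport" "$proto"
        printf "firewall-cmd --reload\n"
        ;;
    *)
        echo "no zone rule applies to this chain; inspect the live ruleset with: nft list ruleset" >&2
        return 1
        ;;
    esac
}

# When run directly, show what the thread's own log line calls for.
suggest "$SAMPLE_LOG"
```

Run it as `sh suggest.sh` to see the two commands for the logged flow, or pipe any other FINAL_REJECT line into `suggest`. After applying the rules, confirm they are actually loaded with `nft list ruleset | grep -A2 FORWARD_direct` (or `firewall-cmd --direct --get-all-rules`) rather than with `--list-all`, which will still show only the zone configuration.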

