
According to Mullvad's tutorial, enabling the killswitch for WireGuard involves the following:

A: Add the following lines under the [Interface] section of the WireGuard configuration files found in /etc/wireguard/:

PostUp  = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

Where the file name for an individual VPN configuration is, for example, /etc/wireguard/mullvad-se5.conf. CentOS and Fedora use FirewallD in place of iptables, so using the rules above results in an unresponsive 'up' tunnel. What is the exact FirewallD equivalent for the rules above?

tutudid

1 Answer

Intro

Your presumption is not fully correct. The fact that the system is using Firewalld doesn't mean that iptables commands are not working... Both (iptables & firewalld) set up the same stuff in relation to the kernel - it is just a question of how to set it up. The truth is that once you are using firewalld and something is set up using the iptables command, it works until the firewalld rules are reloaded, as these "additional" rules are not known to firewalld - they have no firewalld object representation.

The question is if this is really an issue in the case of a non-persistent tunnel - in case of a reboot the tunnel is not persistent, and during re-establishing the connection all the settings can be set up again, so I don't see the "runtime state" of the setting as a real issue...

Specifically to the question

Firewalld has a --direct switch which is recommended as a last option (if you don't have any other option for how to set up the rule), but it is there... Its syntax is the closest to iptables, so that is why I am pointing directly to this option. In case you want to have the rule persistent you can also use the --permanent option, but I think in this case it is not wanted.

The syntax in general is :

firewall-cmd --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>

The default table is filter, so in case you are using iptables without the -t option you are working with the filter table.

iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

would correspond with

firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

As you can see the difference is "only" at the beginning, in the way of saying where the rule should be added. The <args> part is the same as in the case of the iptables command.

I hope this example will be sufficient for you to be able to rewrite any rule(s) into firewalld syntax. Good luck!

-------- edit : adding -D "alternative" ----------

iptables -D OUTPUT ...

corresponds with

firewall-cmd --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
Kamil J
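Putting the question's rules and the answer's --direct mapping together, here is an added shell example (not from the question, the answer, Mullvad or the firewalld project) that generates the FirewallD form of both the PostUp (-I / --add-rule) and PreDown (-D / --remove-rule) lines for IPv4 and IPv6. The interface name and fwmark are passed in as plain arguments so the generator can be exercised on a machine without WireGuard or firewalld; in the real config the literal %i and $(wg show %i fwmark) are kept, because wg-quick substitutes %i and evaluates the command substitution when it runs the hook. The function name, the --print switch and the sample values wg0 / 51820 are assumptions of this example.

```shell
#!/bin/sh
# Added example: translate the WireGuard kill-switch iptables rules into
# firewall-cmd --direct rules. Names below are this example's own.

# Match/target part shared by iptables and firewall-cmd --direct.
# $1 = interface name, $2 = fwmark value (or the literal $(wg show %i fwmark)).
killswitch_args() {
  printf '! -o %s -m mark ! --mark %s -m addrtype ! --dst-type LOCAL -j REJECT' "$1" "$2"
}

# firewalld equivalent of "iptables -I OUTPUT <args>" (action=add) or
# "iptables -D OUTPUT <args>" (action=remove). $1 = ipv4|ipv6, $2 = add|remove,
# $3 = interface, $4 = fwmark. Table is filter, priority 0 as in the answer.
killswitch_direct_rule() {
  family=$1; action=$2; iface=$3; mark=$4
  printf 'firewall-cmd --direct --%s-rule %s filter OUTPUT 0 %s' \
    "$action" "$family" "$(killswitch_args "$iface" "$mark")"
}

# Emit the two lines to paste under [Interface]: PostUp adds the v4 and v6
# rules, PreDown removes them again (mirrors the iptables -I / -D pair).
killswitch_config_lines() {
  iface=$1; mark=$2
  printf 'PostUp  = %s && %s\n' \
    "$(killswitch_direct_rule ipv4 add "$iface" "$mark")" \
    "$(killswitch_direct_rule ipv6 add "$iface" "$mark")"
  printf 'PreDown = %s && %s\n' \
    "$(killswitch_direct_rule ipv4 remove "$iface" "$mark")" \
    "$(killswitch_direct_rule ipv6 remove "$iface" "$mark")"
}

# Runtime check on a firewalld host: exit 0 if the v4 rule is currently loaded.
# Useful after "firewall-cmd --reload", which drops runtime-only direct rules.
killswitch_is_active() {
  # shellcheck disable=SC2046  # word-splitting of the args is intended here
  firewall-cmd --direct --query-rule ipv4 filter OUTPUT 0 $(killswitch_args "$1" "$2") >/dev/null 2>&1
}

# "./killswitch.sh --print" prints the lines with %i and $(wg show %i fwmark)
# left literal, ready to paste into /etc/wireguard/<name>.conf.
if [ "${1:-}" = "--print" ]; then
  killswitch_config_lines '%i' '$(wg show %i fwmark)'
fi
```

Two things worth checking on the host: the rules are runtime-only (no --permanent), so a firewall-cmd --reload silently removes them while the tunnel stays up, which is why a PostUp/PreDown pair with a query such as killswitch_is_active is the right place to manage them; and newer firewalld releases mark the direct interface as deprecated, so confirm firewall-cmd --direct still exists on your version before relying on it.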