I am running a RHEL-based Linux distribution on a VPS that is supposed to be a VPN Gateway Server. I am using Wireguard for interconnecting Clients with each other over this Gateway. The Server has ipv4 forwarding enabled, all Clients are connected to the same Wireguard interface on the Server and are on the same Subnet (10.0.100.0/24, if this matters). The most simple setup could look like this:
                 Wireguard                Wireguard
    [ClientA] <---------> [Server] <---------> [ClientB]
    10.0.100.10           10.0.100.1           10.0.100.20
I created a Firewalld zone called vpn, where I added the Wireguard NIC as interface, and added 10.0.100.0/24 as source to this zone. The Server itself is running other services besides the VPN Gateway (e.g. Cockpit).
I want ClientA to be able to access ALL PORTS of all other Clients on the same Subnet (e.g. ClientB), but restrict ALL Clients from accessing ANY services exposed on the Server (e.g. Cockpit).
If I set the target of the zone to ACCEPT, ClientA can access every Port of ClientB (which is awesome), but sadly everything running on the Server is exposed to the Clients as well (which is a no-no because the Devices are not always trustworthy). At this point, how do I tell firewalld not to expose any ports of the Server itself?
If I keep the target of the zone on default, clients can ping each other, but cannot access each other's ports (and nothing from the Server is exposed, which is what I expect). If going with this approach, how could one allow traffic to be forwarded to Clients? (Something like --add-port/--add-service just for the forwarded traffic?)
Is there a way to configure Firewalld so that it forwards traffic between clients in a zone, but also restricts access to services exposed on the server?