I’m currently using Fedora 36.
I created a new network namespace called wireguard with the wg0 interface using these commands:
ip netns add wireguard
ip link add wg0 type wireguard
wg setconf wg0 /etc/wireguard/wg0.conf
ip link set wg0 netns wireguard
ip -n wireguard addr add x.x.x.x/32 dev wg0
ip -n wireguard addr add xxxx:xxxx:xxxx:xxxx::x:xxxx/128 dev wg0
ip -n wireguard link set wg0 up
ip -n wireguard route add default dev wg0
I followed this article to set up the network namespace:
https://volatilesystems.org/wireguard-in-a-separate-linux-network-namespace.html
Everything works, but the article says:
Similarly to the DNS settings, you’ll also want to load separate firewall rules, since the new namespace isn’t firewalled.
I’m using firewalld as my firewall and can’t figure out how I can firewall this network namespace using it. What do I need to do?
Thank you very much for the reply.
So if I can’t use firewalld in the namespace, what would be the best way on Fedora to add a custom firewall for this? I’m not knowledgeable on firewalls, which is why I was hoping to use one of the firewalld preset zones.
Edit: I looked at other firewall options and found nftables; the nftables wiki lists this “Simple ruleset for a dual-stack IPv4/IPv6 workstation”:
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state established,related accept
        # accept neighbour discovery otherwise IPv6 connectivity breaks
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
    }
}
If I run this with
sudo ip netns exec wireguard nft -f
Would that be enough to secure the namespace while not interfering with my main firewall?
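The following script is an added example, not part of the original thread or of the linked article. It ties the two posts above together: the namespace setup from the question and the nftables ruleset from the edit. The security point it demonstrates is that nftables rulesets are kept per network namespace, so a ruleset loaded with `ip netns exec wireguard nft -f ...` (including its leading `flush ruleset`) only affects the `wireguard` namespace and leaves the root namespace, where firewalld keeps its tables, untouched. It assumes the namespace is named `wireguard` and the tunnel interface is `wg0` as in the question; the check/apply/inspect functions need root and `ip`/`nft` installed, while the ruleset generator runs anywhere. The ruleset is the wiki one from the post with an `invalid` drop and explicit policies for the forward and output hooks added.

```shell
#!/bin/sh
# Added example (not from the original thread): generate, syntax-check and
# load an nftables ruleset inside the "wireguard" network namespace only.
# Assumed: namespace name "wireguard" (override with NS=...), interface wg0,
# root privileges for the functions that touch the namespace.
set -eu

NS="${NS:-wireguard}"

# Print the ruleset for the namespace on stdout.
# Inside the namespace only lo and wg0 exist, so the input hook only sees
# decrypted traffic arriving from the tunnel plus loopback traffic.
gen_ns_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # accept any localhost traffic
        iif lo accept
        # accept replies to connections we opened over the tunnel
        ct state established,related accept
        # drop packets the connection tracker cannot place
        ct state invalid drop
        # accept neighbour discovery otherwise IPv6 connectivity breaks
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
    }
    chain forward {
        # this namespace is an endpoint, not a router
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Count the rule lines that end in a terminal verdict, so the generated
# ruleset can be sanity-checked without root or nft installed.
count_verdicts() {
    gen_ns_ruleset | grep -cE '^[[:space:]]+.*(accept|drop)$'
}

# Syntax-check the ruleset inside the namespace without loading it (nft -c).
check_ns_ruleset() {
    gen_ns_ruleset | ip netns exec "$NS" nft -c -f -
}

# Load the ruleset into the namespace. "flush ruleset" here flushes only the
# namespace's own tables, not the root namespace's firewalld tables.
apply_ns_ruleset() {
    gen_ns_ruleset | ip netns exec "$NS" nft -f -
}

# Show that the two namespaces hold independent rulesets: "table inet filter"
# appears inside the namespace, while the root listing (firewalld's) does not
# gain it.
show_rulesets() {
    echo "== root namespace (managed by firewalld) =="
    nft list ruleset
    echo "== namespace $NS =="
    ip netns exec "$NS" nft list ruleset
}

# Usage: sudo ./ns-firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    check_ns_ruleset && apply_ns_ruleset && show_rulesets
fi
```

Two caveats worth knowing when reading the output of `show_rulesets`. First, because `wg0` was created in the root namespace and only then moved, WireGuard's encrypted UDP socket stays in the root namespace, so the traffic to the peer's endpoint is still governed by firewalld there; the namespace ruleset only governs the decrypted tunnel side. Second, the namespace's `input` chain above drops unsolicited inbound connections arriving through the tunnel, which is the gap the article warns about; if a service inside the namespace must be reachable over the tunnel, add an explicit `tcp dport`/`udp dport` accept rule in that chain rather than changing the policy.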
There is a GUI for firewalld; I think this might help you configure it better?!
manafirewall
in Software, if you use GNOME.