I've got a setup with OpenVPN that routes two networks to the WAN. In the setup below, a Fedora Linux server provides OpenVPN access to the WAN, while the Mikrotik 1 router routes (not NATted) traffic to specific hosts via the 10.9.0.1 OpenVPN server.
The issue is that HTTPS is not available via the Fedora router since I got rid of the NAT for the 192.168.88.0/0 and 89.0/24 networks.
The problem is that UFW seems to block the NAT response to External IP 2 to the 192.168.89.0/24 clients, while it works OK from the 192.168.88.0/24 network!
Traceroute seems to be OK from both networks (networking connectivity seems to be fine).
Network Map
Here is the conntrack listing with ports:
tcp 6 431996 ESTABLISHED src=192.168.89.252 dst=195.82.146.214 sport=65042 dport=443 src=195.82.146.214 dst=95.179.xxx.xxx sport=443 dport=65042 [ASSURED] mark=0 use=1
tcp 6 431996 ESTABLISHED src=192.168.89.252 dst=195.82.146.214 sport=53619 dport=443 src=195.82.146.214 dst=95.179.xxx.xxx sport=443 dport=53619 [ASSURED] mark=0 use=1
tcp 6 431996 ESTABLISHED src=192.168.89.252 dst=195.82.146.214 sport=52700 dport=443 src=195.82.146.214 dst=95.179.xxx.xxx sport=443 dport=52700 [ASSURED] mark=0 use=1
You can see that all three ports (65042, 53619, 52700) are then blocked by UFW:
Sep 29 21:47:43 atlantis kernel: [UFW AUDIT] IN=enp1s0 OUT= MAC=56:00:03:7f:e1:09:fe:00:03:7f:e1:09:08:00 SRC=195.82.146.214 DST=95.179.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=28004 DF PROTO=TCP SPT=443 DPT=60549 WINDOW=58 RES=0x00 ACK FIN URGP=0
Sep 29 21:47:43 atlantis kernel: [UFW AUDIT INVALID] IN=enp1s0 OUT= MAC=56:00:03:7f:e1:09:fe:00:03:7f:e1:09:08:00 SRC=195.82.146.214 DST=95.179.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=28004 DF PROTO=TCP SPT=443 DPT=60549 WINDOW=58 RES=0x00 ACK FIN URGP=0
Sep 29 21:47:43 atlantis kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:03:7f:e1:09:fe:00:03:7f:e1:09:08:00 SRC=195.82.146.214 DST=95.179.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=28004 DF PROTO=TCP SPT=443 DPT=60549 WINDOW=58 RES=0x00 ACK FIN URGP=0
Sep 29 21:47:44 atlantis kernel: [UFW AUDIT] IN=enp1s0 OUT= MAC=56:00:03:7f:e1:09:fe:00:03:7f:e1:09:08:00 SRC=195.82.146.214 DST=95.179.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=60436 DF PROTO=TCP SPT=443 DPT=55409 WINDOW=58 RES=0x00 ACK FIN URGP=0
Sep 29 21:47:44 atlantis kernel: [UFW AUDIT INVALID] IN=enp1s0 OUT= MAC=56:00:03:7f:e1:09:fe:00:03:7f:e1:09:08:00 SRC=195.82.146.214 DST=95.179.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=60436 DF PROTO=TCP SPT=443 DPT=55409 WINDOW=58 RES=0x00 ACK FIN URGP=0
Sep 29 21:47:44 atlantis kernel: [UFW BLOCK] IN=enp1s0 OUT= MAC=56:00:03:7f:e1:09:fe:00:03:7f:e1:09:08:00 SRC=195.82.146.214 DST=95.179.XXX.XXX LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=60436 DF PROTO=TCP SPT=443 DPT=55409 WINDOW=58 RES=0x00 ACK FIN URGP=0
The problem does not exist with the 192.168.88.0/24 network - everything is fine. I will appreciate any help.
Here is the UFW config, nothing special there:
# START OPENVPN RULES
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Allow traffic from OpenVPN client to enp1s0
-A POSTROUTING -s 10.8.0.0/24 -o enp1s0 -j MASQUERADE
#-A POSTROUTING -s 10.9.0.0/24 -o enp1s0 -j MASQUERADE # Not needed since the network is not NATted.
-A POSTROUTING -s 192.168.88.0/24 -o enp1s0 -j MASQUERADE
-A POSTROUTING -s 192.168.89.0/24 -o enp1s0 -j MASQUERADE
COMMIT
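The question above compares conntrack entries with UFW BLOCK lines by hand. The following script, an added example that is not part of the original post and not UFW or conntrack tooling, automates that check: it parses `conntrack -L` style lines and kernel UFW log lines, then looks up each blocked packet's (proto, SRC, SPT, DST, DPT) against the reply tuple of every tracked NAT flow. A returning packet that matches no entry's reply tuple is what conntrack classifies as INVALID, so an unmatched BLOCK points at a missing or expired conntrack entry rather than at a rule that rejects tracked traffic. The hostname, MAC and IPs in the sample data are constructed (203.0.113.10 stands in for the router's public IP, 198.51.100.20 for the remote HTTPS server).

```python
"""Correlate UFW BLOCK log lines with conntrack reply tuples (added example).

A MASQUERADEd flow has two tuples in conntrack: the original side
(LAN client -> remote) and the reply side (remote -> router's public IP,
with dport equal to the client's source port). The WAN-side return packet
must match the reply tuple to be treated as part of the flow.
"""
import re
from typing import Dict, List, Tuple

# conntrack -L line: "tcp 6 431996 ESTABLISHED src=... dst=... sport=... dport=... src=... ..."
# The state column is optional (UDP entries lack it).
CT_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+\d+\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<osrc>\S+) dst=(?P<odst>\S+) sport=(?P<osport>\d+) dport=(?P<odport>\d+)\s+"
    r"src=(?P<rsrc>\S+) dst=(?P<rdst>\S+) sport=(?P<rsport>\d+) dport=(?P<rdport>\d+)"
)

# Kernel UFW log line: "[UFW BLOCK] IN=... SRC=... DST=... PROTO=TCP SPT=443 DPT=65042 ..."
UFW_RE = re.compile(
    r"\[UFW (?P<action>[A-Z ]+?)\].*?\bSRC=(?P<src>\S+) DST=(?P<dst>\S+)\b.*?"
    r"\bPROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

FlowKey = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport) as seen on the WAN side


def parse_conntrack(lines: List[str]) -> Dict[FlowKey, dict]:
    """Index each entry by its reply tuple; the value records the LAN-side client."""
    table: Dict[FlowKey, dict] = {}
    for line in lines:
        m = CT_RE.search(line)
        if not m:
            continue
        key = (m["proto"].lower(), m["rsrc"], int(m["rsport"]), m["rdst"], int(m["rdport"]))
        table[key] = {
            "client": m["osrc"],
            "client_port": int(m["osport"]),
            "state": m["state"] or "-",
        }
    return table


def parse_ufw_log(lines: List[str]) -> List[dict]:
    """Extract action and 5-tuple from UFW kernel log lines; non-UFW lines are skipped."""
    events = []
    for line in lines:
        m = UFW_RE.search(line)
        if not m:
            continue
        events.append({
            "action": m["action"],
            "proto": m["proto"].lower(),
            "src": m["src"], "sport": int(m["spt"]),
            "dst": m["dst"], "dport": int(m["dpt"]),
        })
    return events


def correlate(ct_lines: List[str], log_lines: List[str],
              actions: Tuple[str, ...] = ("BLOCK",)) -> List[dict]:
    """For each logged packet with a selected action, report the tracked flow it belongs to.

    'client' is the LAN host whose NAT flow the packet answers, or None when the
    packet matches no conntrack reply tuple (the INVALID case).
    """
    table = parse_conntrack(ct_lines)
    results = []
    for ev in parse_ufw_log(log_lines):
        if ev["action"] not in actions:
            continue
        key: FlowKey = (ev["proto"], ev["src"], ev["sport"], ev["dst"], ev["dport"])
        entry = table.get(key)
        results.append({
            **ev,
            "client": entry["client"] if entry else None,
            "verdict": "reply to tracked NAT flow" if entry else "no conntrack entry (stray or expired)",
        })
    return results


# Constructed sample data (not taken from a real system).
SAMPLE_CONNTRACK = [
    "tcp      6 431996 ESTABLISHED src=192.168.89.252 dst=198.51.100.20 sport=65042 dport=443 "
    "src=198.51.100.20 dst=203.0.113.10 sport=443 dport=65042 [ASSURED] mark=0 use=1",
]
SAMPLE_UFW_LOG = [
    # FIN/ACK whose reply tuple is in the table: blocked despite a tracked flow.
    "Sep 29 21:47:43 router kernel: [UFW BLOCK] IN=enp1s0 OUT= "
    "MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.20 DST=203.0.113.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=28004 DF PROTO=TCP SPT=443 DPT=65042 WINDOW=58 RES=0x00 ACK FIN URGP=0",
    # FIN/ACK for a port with no conntrack entry: conntrack sees it as INVALID.
    "Sep 29 21:47:44 router kernel: [UFW BLOCK] IN=enp1s0 OUT= "
    "MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.20 DST=203.0.113.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=60436 DF PROTO=TCP SPT=443 DPT=60549 WINDOW=58 RES=0x00 ACK FIN URGP=0",
    # AUDIT line for the same packet: not a block, so it is ignored by default.
    "Sep 29 21:47:44 router kernel: [UFW AUDIT] IN=enp1s0 OUT= "
    "MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.20 DST=203.0.113.10 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=60436 DF PROTO=TCP SPT=443 DPT=60549 WINDOW=58 RES=0x00 ACK FIN URGP=0",
]

if __name__ == "__main__":
    for r in correlate(SAMPLE_CONNTRACK, SAMPLE_UFW_LOG):
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}  client={r['client']}  {r['verdict']}")
```

On a live router, feed it `sudo conntrack -L` (or `cat /proc/net/nf_conntrack`) and the `[UFW` lines from the kernel log, captured at the same moment, since conntrack entries for closed TCP sessions expire quickly and a stale listing will report false "no conntrack entry" verdicts.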