Need some help with firewall (ufw)

Posted: Mon Jan 14, 2019 10:51 am
by bxadmin
Hi all,
I've spent days on this without success and will appreciate some help.

SoftEther is installed on ubuntu (full LAMP) 18.04 server with kms virtualization. Everything works great, except when the ufw firewall is enabled, I am unable to connect with client.
So, specifications are as follows.

- Virtual Nat and Dynamic DNS - disabled
- Local Bridge created


Added values

To /etc/resolv.conf:
nameserver 8.8.8.8

To /etc/dnsmasq.conf:
interface=tap_ZZZZ
dhcp-range=tap_ZZZZ,192.168.7.5,192.168.7.99,12h
dhcp-option=tap_ZZZZ,3,192.168.7.1

To /etc/sysctl.d/ipv4_forwarding.conf:
net.ipv4.ip_forward = 1

Executed commands:
sysctl --system
iptables -t nat -A POSTROUTING -s 192.168.7.0/24 -j SNAT --to-source XXX.XXX.XX.XX (replaced with srv address)
apt-get install iptables-persistent -y
---------------------------------------

netstat -atulpn | grep vpnserver
Results with ufw enabled and client "connected":

XXX.XXX.XX.XX - SRV ADDRESS
YY.YYY.YYY.YY - CLIENT ADDRESS

tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      349/vpnserver
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      349/vpnserver
tcp        0      0 0.0.0.0:992             0.0.0.0:*               LISTEN      349/vpnserver
tcp        0      0 0.0.0.0:1194            0.0.0.0:*               LISTEN      349/vpnserver
tcp        0      0 XXX.XXX.XX.XX:443       YY.YYY.YYY.YY:55432     ESTABLISHED 349/vpnserver
tcp        0      0 XXX.XXX.XX.XX:443       YY.YYY.YYY.YY:55429     ESTABLISHED 349/vpnserver
tcp6       0      0 :::5555                 :::*                    LISTEN      349/vpnserver
tcp6       0      0 :::443                  :::*                    LISTEN      349/vpnserver
tcp6       0      0 :::992                  :::*                    LISTEN      349/vpnserver
tcp6       0      0 :::1194                 :::*                    LISTEN      349/vpnserver
udp        0      0 0.0.0.0:55306           0.0.0.0:*                           349/vpnserver
udp        0      0 XXX.XXX.XX.XX:40000     0.0.0.0:*                           349/vpnserver
udp        0      0 0.0.0.0:59471           0.0.0.0:*                           349/vpnserver
udp        0      0 XXX.XXX.XX.XX:1194      0.0.0.0:*                           349/vpnserver
udp        0      0 192.168.7.1:1194        0.0.0.0:*                           349/vpnserver
udp        0      0 127.0.0.1:1194          0.0.0.0:*                           349/vpnserver
udp        0      0 XXX.XXX.XX.XX:4500      0.0.0.0:*                           349/vpnserver
udp        0      0 192.168.7.1:4500        0.0.0.0:*                           349/vpnserver
udp        0      0 127.0.0.1:4500          0.0.0.0:*                           349/vpnserver
udp        0      0 XXX.XXX.XX.XX:500       0.0.0.0:*                           349/vpnserver
udp        0      0 192.168.7.1:500         0.0.0.0:*                           349/vpnserver
udp        0      0 127.0.0.1:500           0.0.0.0:*                           349/vpnserver
udp        0      0 0.0.0.0:34294           0.0.0.0:*                           348/vpnserver
udp        0      0 0.0.0.0:43573           0.0.0.0:*                           349/vpnserver
udp        0      0 0.0.0.0:49863           0.0.0.0:*                           349/vpnserver
udp6       0      0 fe80::5c27:35ff:fe:1194 :::*                                349/vpnserver
udp6       0      0 fe80::5054:ff:fe76:1194 :::*                                349/vpnserver
udp6       0      0 2a06:f901:1:100::2:1194 :::*                                349/vpnserver
udp6       0      0 ::1:1194                :::*                                349/vpnserver
udp6       0      0 fe80::5c27:35ff:fe:4500 :::*                                349/vpnserver
udp6       0      0 fe80::5054:ff:fe76:4500 :::*                                349/vpnserver
udp6       0      0 2a06:f901:1:100::2:4500 :::*                                349/vpnserver
udp6       0      0 ::1:4500                :::*                                349/vpnserver
udp6       0      0 fe80::5c27:35ff:fe5:500 :::*                                349/vpnserver
udp6       0      0 fe80::5054:ff:fe76::500 :::*                                349/vpnserver
udp6       0      0 2a06:f901:1:100::29:500 :::*                                349/vpnserver
udp6       0      0 ::1:500                 :::*                                349/vpnserver
ufw status verbose

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
xxxx (ssh)                 ALLOW IN    Anywhere
80                         ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
5555                       ALLOW IN    Anywhere
992                        ALLOW IN    Anywhere
1194                       ALLOW IN    Anywhere
53                         ALLOW IN    Anywhere
500                        ALLOW IN    Anywhere
4500                       ALLOW IN    Anywhere
2002 (v6)                  ALLOW IN    Anywhere (v6)
80 (v6)                    ALLOW IN    Anywhere (v6)
443 (v6)                   ALLOW IN    Anywhere (v6)
5555 (v6)                  ALLOW IN    Anywhere (v6)
992 (v6)                   ALLOW IN    Anywhere (v6)
1194 (v6)                  ALLOW IN    Anywhere (v6)
53 (v6)                    ALLOW IN    Anywhere (v6)
500 (v6)                   ALLOW IN    Anywhere (v6)
4500 (v6)                  ALLOW IN    Anywhere (v6)
Will send more info if needed.
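The post above lists the sockets vpnserver has open and the ports ufw allows inbound. As an added example (not code from bxadmin or from the SoftEther project), the POSIX shell script below cross-checks the two: it extracts "proto/port" pairs from netstat-style output for a given process name, extracts the ports with an "ALLOW IN" rule from `ufw status` output, and prints every listener that has no matching rule. The process name "vpnserver" and the port numbers come from the post; the two input samples are constructed (trimmed and with RFC 5737 documentation addresses in place of the masked ones). Note that this check only covers inbound rules to the host itself; it says nothing about the FORWARD path or the SNAT rule that traffic from the tap bridge also depends on.

```shell
#!/bin/sh
# Added example, not code from the forum thread: cross-check the ports a daemon
# listens on (netstat -tulpn style output) against the ports ufw allows inbound,
# and list listeners that have no matching "ALLOW IN" rule. The two samples below
# are constructed from the format shown in the post; the process name "vpnserver"
# and the ports are taken from it.

# Constructed sample: trimmed `netstat -tulpn | grep vpnserver` output.
NETSTAT_SAMPLE=$(cat <<'EOF'
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      349/vpnserver
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      349/vpnserver
tcp        0      0 203.0.113.10:443        198.51.100.7:55432      ESTABLISHED 349/vpnserver
tcp6       0      0 :::5555                 :::*                    LISTEN      349/vpnserver
udp        0      0 0.0.0.0:1194            0.0.0.0:*                           349/vpnserver
udp        0      0 203.0.113.10:40000      0.0.0.0:*                           349/vpnserver
udp        0      0 0.0.0.0:500             0.0.0.0:*                           349/vpnserver
udp        0      0 0.0.0.0:4500            0.0.0.0:*                           349/vpnserver
udp6       0      0 ::1:500                 :::*                                349/vpnserver
EOF
)

# Constructed sample: trimmed `ufw status verbose` output.
UFW_SAMPLE=$(cat <<'EOF'
Status: active
Default: deny (incoming), allow (outgoing), allow (routed)

To                         Action      From
--                         ------      ----
xxxx (ssh)                 ALLOW IN    Anywhere
443                        ALLOW IN    Anywhere
5555                       ALLOW IN    Anywhere
1194                       ALLOW IN    Anywhere
500                        ALLOW IN    Anywhere
4500                       ALLOW IN    Anywhere
443 (v6)                   ALLOW IN    Anywhere (v6)
EOF
)

# listening_ports PROC  (stdin: netstat output) -> unique "proto/port" lines.
# tcp6/udp6 are folded into tcp/udp; for tcp only LISTEN sockets count.
listening_ports() {
  awk -v proc="$1" '
    $NF ~ ("/" proc "$") {
      proto = $1; sub(/6$/, "", proto)
      if (proto == "tcp" && $6 != "LISTEN") next
      n = split($4, a, ":"); port = a[n]     # port is the text after the last colon
      if (port ~ /^[0-9]+$/) print proto "/" port
    }' | sort -u
}

# allowed_ports  (stdin: ufw status output) -> unique "proto/port" lines.
# A bare port rule ("443") covers tcp and udp; "443/tcp" covers tcp only.
# Rules shown by application-profile name ("xxxx (ssh)" style) are skipped.
allowed_ports() {
  awk '/ALLOW IN/ {
    split($1, r, "/")
    if (r[1] !~ /^[0-9]+$/) next
    if (r[2] == "") { print "tcp/" r[1]; print "udp/" r[1] } else print r[2] "/" r[1]
  }' | sort -u
}

# missing_rules PROC NETSTAT_TEXT UFW_TEXT -> listeners with no ALLOW IN rule.
missing_rules() {
  listen=$(printf '%s\n' "$2" | listening_ports "$1")
  allow=$(printf '%s\n' "$3" | allowed_ports)
  printf '%s\n' "$listen" | while read -r p; do
    [ -n "$p" ] || continue
    printf '%s\n' "$allow" | grep -qxF "$p" || printf '%s\n' "$p"
  done
}

# On a live host:  missing_rules vpnserver "$(netstat -tulpn)" "$(ufw status)"
missing_rules vpnserver "$NETSTAT_SAMPLE" "$UFW_SAMPLE"
```

With the constructed samples the only listener reported is udp/40000, because every other port vpnserver binds has a bare-port rule, which ufw applies to both tcp and udp. Whether a reported port actually needs a rule is a judgement call: vpnserver also opens high-numbered UDP sockets that are not service listeners, so the output is a list to review, not a list to blindly allow.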

Re: Need some help with firewall (ufw)

Posted: Thu Feb 21, 2019 5:09 am
by thisjun
Could you share the client information?

Re: Need some help with firewall (ufw)

Posted: Wed Mar 06, 2019 12:45 pm
by bxadmin
The client is set as default.
No changes made.

Re: Need some help with firewall (ufw)

Posted: Tue May 21, 2019 8:04 am
by cedar
In the default setting, the VPN client doesn't have any connection setting.
You should create a connection setting.