Feature #2989

Hairpin nat

Added by Filippo Carletti over 6 years ago. Updated over 6 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.6
Resolution:
NEEDINFO: No

Description

While split-dns is far better, hairpin nat is a wrong but practical solution, sometimes.
For some background see:
http://shorewall.net/FAQ.htm#faq2

hairpin_nat.tar.gz (1.36 KB) Filippo Carletti, 12/19/2014 10:01 AM


Related issues

Related to NethServer 6 - Enhancement #3083: firewall: routeback on all interfaces CLOSED

Associated revisions

Revision 161e4fac
Added by Giacomo Sanchietti over 6 years ago

port forward: add hairpin nat support. Refs #2989

Revision d42ef41c
Added by Giacomo Sanchietti over 6 years ago

Web UI: add hairpin NAT interface. Refs #2989

History

#1 Updated by Filippo Carletti over 6 years ago

At the moment, hairpin nat could be implemented on all port forwards with 3 custom templates:
1. interfaces
- $OUT .= "loc\t".$i->key."\tnosmurfs";
+ $OUT .= "loc\t".$i->key."\tnosmurfs,routeback";
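Review bot: The `+` line appends `routeback` unconditionally, so every interface this template line is emitted for in `loc` will accept traffic routed back out the interface it arrived on, whether or not any port forward needs hairpin NAT. Consider emitting `nosmurfs,routeback` only when a hairpin setting is enabled and keeping plain `nosmurfs` otherwise, so the default interface options stay as they were.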

2. rules (see attachment)
3. masq (see attachment)

#2 Updated by Filippo Carletti over 6 years ago

Implementing a gui, we could let the user select if the nat could also be valid from inside.

#3 Updated by Giacomo Sanchietti over 6 years ago

  • Target version set to ~FUTURE

#4 Updated by Filippo Carletti over 6 years ago

We can add a master switch that, if enabled, treats all port forwards as "reflective". The switch should go in the Configure -> Firewall rules page.

#5 Updated by Filippo Carletti over 6 years ago

#6 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from NEW to TRIAGED
  • Target version changed from ~FUTURE to v6.6
  • % Done changed from 0 to 20

Also create a "Configure" button inside the "Port forward" page to enable the hairpin NAT for all configured port forwards.

#7 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#8 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#9 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Package in nethserver-testing:
  • nethserver-firewall-base-2.4.0-1.2.gd42ef41.ns6.noarch.rpm

Test case:
  • Create a port forward
  • Enable hairpin nat
  • Try to access the port forward from green zone

#10 Updated by Filippo Carletti over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

After enabling hairpin nat, my port forwards work when I access from the lan.

#11 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Released in nethserver-updates:
  • nethserver-firewall-base-2.5.0-1.ns6.noarch.rpm
