Bug #3248

hairpin nat intercepts outgoing traffic if port forward is on Any ip

Added by Filippo Carletti almost 6 years ago. Updated almost 6 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.6
Security class:
Resolution:
Affected version: v6.6
NEEDINFO: No

Description

With hairpin nat enabled and port forward configured to Any WAN IP, the firewall intercepts all outgoing traffic on the port-forwarded port.
See the following DNAT rule:

 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 to:192.168.1.1:443

This rule redirects all outgoing https traffic to an internal host 192.168.1.1.


Related issues

Related to NethServer 6 - Bug #3232: hairpin nat - shorewall syntax error with port-range port... CLOSED

Associated revisions

Revision bcb20f92
Added by Filippo Carletti almost 6 years ago

Expand all WAN IPs if no one has been selected. Refs #3248

Replaces the '-' in /etc/shorewall/rules with an explicit list of WAN
IPs.

Revision 4c2f5bc6
Added by Davide Principi almost 6 years ago

Increase Release number to override HOTFIX 2.7.0-2. Refs #3248

History

#1 Updated by Filippo Carletti almost 6 years ago

  • Category set to nethserver-firewall-base
  • Status changed from NEW to TRIAGED
  • Target version set to v6.6
  • % Done changed from 0 to 20

#2 Updated by Filippo Carletti almost 6 years ago

Workaround: always select a WAN IP if using hairpin nat.

#3 Updated by Filippo Carletti almost 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Filippo Carletti
  • % Done changed from 20 to 30

A fix could use all wan ip addresses if no wan ip has been selected.
Shorewall has a specific syntax: &ethX
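
The two pieces of the issue, the catch-all DNAT rule in the description and the "&ethX" expansion proposed in the comment above, can be checked with a small audit script. The following is an added example written for this page; it is not NethServer's or Shorewall's code. The function names, the sample nat-table listing (modelled on the listings posted in this issue) and the addresses 203.0.113.10, 192.168.1.x and 192.168.5.231 are all constructed for the example.

```python
# Added example (not NethServer's or Shorewall's code): audit an
# `iptables -t nat -L -n -v` listing for DNAT rules whose destination is a
# catch-all, and expand an unset ("-") port-forward destination into an
# explicit WAN address list, the way the fix referenced in this issue does.
# All addresses, interface names and the sample listing are constructed.
import re

# Constructed sample listing: hairpin enabled, PF destination "Any" on 443,
# plus one inbound-only PF on 80 that also lacks a destination match.
SAMPLE_NAT_LISTING = """\
Chain loc_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 /* from loc */ to:192.168.1.1:443
Chain net_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            203.0.113.10        tcp dpt:443 /* from net */ to:192.168.1.1:443
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 /* from net */ to:192.168.1.2:80
"""

# iptables prints the catch-all destination as 0.0.0.0/0 (or "anywhere"
# when run without -n).
CATCH_ALL = {"0.0.0.0/0", "anywhere"}


def parse_dnat_rules(listing):
    """Return (chain, destination, dport, to) for every DNAT rule in a
    verbose nat-table listing."""
    rules = []
    chain = None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            chain = m.group(1)
            continue
        fields = line.split()
        # verbose layout: pkts bytes target prot opt in out source destination [matches...]
        if len(fields) < 9 or fields[2] != "DNAT":
            continue
        dest = fields[8]
        dport = to = None
        for tok in fields[9:]:
            if tok.startswith("dpt:"):
                dport = tok[len("dpt:"):]
            elif tok.startswith("to:"):
                to = tok[len("to:"):]
        rules.append((chain, dest, dport, to))
    return rules


def find_catch_all_dnat(listing):
    """Flag DNAT rules that match every destination. In the *_dnat chain of an
    internal zone (the hairpin case, e.g. loc_dnat) such a rule rewrites all
    of that zone's outbound traffic on the port, which is the bug reported
    here; in net_dnat it is merely broader than intended."""
    findings = []
    for chain, dest, dport, to in parse_dnat_rules(listing):
        if dest in CATCH_ALL:
            severity = "medium" if chain.startswith("net_") else "high"
            findings.append({"chain": chain, "dport": dport, "to": to,
                             "severity": severity})
    return findings


def expand_pf_destination(selected, red_interfaces, aliases):
    """Build the Shorewall rules DEST column for a port forward. When no WAN
    IP was selected ("-"), return Shorewall's &ifname token for each red
    interface's primary address plus the literal alias addresses, so the
    DNAT rule only matches traffic addressed to the firewall itself."""
    if selected and selected != "-":
        return selected
    parts = ["&" + ifname for ifname in red_interfaces] + list(aliases)
    return ",".join(parts)


if __name__ == "__main__":
    for f in find_catch_all_dnat(SAMPLE_NAT_LISTING):
        print("{severity}: {chain} dpt:{dport} -> {to} matches any destination".format(**f))
    print("DEST column:", expand_pf_destination("-", ["eth1"], ["192.168.5.231"]))
```

Run against a real `iptables -t nat -L -n -v` capture, the audit reports the loc_dnat catch-all as high severity and the net_dnat one as medium, and the expansion helper turns the "-" destination into "&eth1,192.168.5.231", matching the DEST column shown in the verification diffs later in this issue.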

#4 Updated by Filippo Carletti almost 6 years ago

The same DNAT rule:

 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            93.x.x.x         tcp dpt:443 /* from net */ to:192.168.1.1:443

#5 Updated by Davide Principi almost 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Filippo Carletti)
  • % Done changed from 30 to 60

MODIFIED

#6 Updated by Davide Principi almost 6 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing/6.6
nethserver-firewall-base-2.7.0-3.5.g4c2f5bc.ns6.noarch.rpm

#7 Updated by Filippo Carletti almost 6 years ago

  • Related to Bug #3232: hairpin nat - shorewall syntax error with port-range port fwd and IPS added

#8 Updated by Davide Principi almost 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

VERIFIED

Tested on host with eth1 DHCP red and alias eth1:0, PF destination Any on port 80 to LAN host.

Without hairpin, before upgrade (nethserver-firewall-base-2.7.0-2.ns6.noarch):
  • connection from net zone to port 80, forwarded OK
  • connection from loc zone to external web site OK
Without hairpin, after upgrade (nethserver-firewall-base-2.7.0-3.5.g4c2f5bc.ns6.noarch.rpm from nethserver-testing):
  • connection from net zone to port 80, forwarded OK
  • connection from loc zone to external web site OK

Differences (without hairpin)

[root@vm5 ~]# diff -u nat.{1,2}
--- nat.1    2015-09-02 07:36:42.971513779 +0000
+++ nat.2    2015-09-02 07:37:34.316825037 +0000
@@ -15,4 +15,5 @@

 Chain net_dnat (1 references)
 target     prot opt source               destination         
-DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 /* from net */ to:192.168.122.22:80 
+DNAT       tcp  --  0.0.0.0/0            192.168.5.64        tcp dpt:80 /* from net */ to:192.168.122.22:80 
+DNAT       tcp  --  0.0.0.0/0            192.168.5.231       tcp dpt:80 /* from net */ to:192.168.122.22:80 
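
Review bot: the removed net_dnat rule matched destination 0.0.0.0/0, while the two replacement rules match only 192.168.5.64 and 192.168.5.231, so inbound DNAT is now limited to the firewall's own WAN addresses. Since eth1 is on DHCP (see the test setup above) and 192.168.5.64 is written literally into the installed rule, a lease change needs a firewall restart before the forward follows the new address; worth recording whether that case was exercised.
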
[root@vm5 ~]# diff -u rules.{1,2}
--- rules.1    2015-09-02 07:37:08.561157499 +0000
+++ rules.2    2015-09-02 07:37:30.308874899 +0000
@@ -77,10 +77,10 @@
 #

 #
-# PF     -:80 -> 192.168.122.22:80  
+# PF     &eth1,192.168.5.231:80 -> 192.168.122.22:80  
 #
 ?COMMENT  from net
-DNAT    net    loc:192.168.122.22:80    tcp    80    -    -
+DNAT    net    loc:192.168.122.22:80    tcp    80    -    &eth1,192.168.5.231

 #
 # 60rules


With hairpin, before upgrade:
  • connection from net zone to port 80, forwarded OK
  • connection from loc zone to external web site, FAILED (was forwarded back to LAN)
With hairpin, after upgrade:
  • connection from net zone to port 80, forwarded OK
  • connection from loc zone to external web site OK

Differences (with hairpin)

[root@vm5 ~]# diff -u  nat.{3,4}
--- nat.3    2015-09-02 07:49:27.780292403 +0000
+++ nat.4    2015-09-02 07:54:31.170926978 +0000
@@ -21,8 +21,10 @@

 Chain loc_dnat (1 references)
 target     prot opt source               destination         
-DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 /* from loc */ to:192.168.122.22:80 
+DNAT       tcp  --  0.0.0.0/0            192.168.5.64        tcp dpt:80 /* from loc */ to:192.168.122.22:80 
+DNAT       tcp  --  0.0.0.0/0            192.168.5.231       tcp dpt:80 /* from loc */ to:192.168.122.22:80 

 Chain net_dnat (1 references)
 target     prot opt source               destination         
-DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 /* from net */ to:192.168.122.22:80 
+DNAT       tcp  --  0.0.0.0/0            192.168.5.64        tcp dpt:80 /* from net */ to:192.168.122.22:80 
+DNAT       tcp  --  0.0.0.0/0            192.168.5.231       tcp dpt:80 /* from net */ to:192.168.122.22:80 
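
Review bot: the loc_dnat change is the actual fix for the reported bug. The removed rule rewrote every loc-zone packet to port 80, whatever its destination, to 192.168.122.22, which is why "connection from loc zone to external web site" failed before the upgrade; the replacements match only the two WAN addresses, so the hairpin path still works while ordinary outbound traffic passes untouched. A cheap regression check after any future change is that no DNAT rule in loc_dnat carries destination 0.0.0.0/0.
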
[root@vm5 ~]# diff -u  rules.{3,4}
--- rules.3    2015-09-02 07:49:51.593253343 +0000
+++ rules.4    2015-09-02 07:54:33.624922020 +0000
@@ -77,12 +77,12 @@
 #

 #
-# PF     -:80 -> 192.168.122.22:80  
+# PF     &eth1,192.168.5.231:80 -> 192.168.122.22:80  
 #
 ?COMMENT  from net
-DNAT    net    loc:192.168.122.22:80    tcp    80    -    -
+DNAT    net    loc:192.168.122.22:80    tcp    80    -    &eth1,192.168.5.231
 ?COMMENT  from loc
-DNAT    loc    loc:192.168.122.22:80    tcp    80    -    -
+DNAT    loc    loc:192.168.122.22:80    tcp    80    -    &eth1,192.168.5.231

 #
 # 60rules
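
Review bot: the "from loc" DNAT line now carries the same expanded DEST "&eth1,192.168.5.231" as the "from net" line, which is what makes the hairpin rule safe. Note that the primary address uses Shorewall's &eth1 token while the eth1:0 alias is a literal, so a changed alias address is only picked up once the rules file is regenerated; a comment in the generated file stating that would help whoever reads it next.
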

#9 Updated by Davide Principi almost 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates/6.6
nethserver-firewall-base-2.7.1-1.ns6.noarch.rpm

#10 Updated by Davide Principi almost 6 years ago

  • Affected version set to v6.6
