Bug #3248
hairpin nat intercepts outgoing traffic if port forward is on Any ip
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-firewall-base | | |
| Target version: | v6.6 | | |
| Security class: | | Resolution: | |
| Affected version: | v6.6 | NEEDINFO: | No |
Description
With hairpin NAT enabled and a port forward configured to Any WAN IP, the firewall intercepts all outgoing traffic on the forwarded port.
See the following DNAT rule:
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.1.1:443
This rule redirects all outgoing HTTPS traffic to an internal host, 192.168.1.1.
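A check for the condition the report describes, added here as an example (it is not NethServer or Shorewall code): it parses the text format of `iptables -t nat -L -n`, with or without the `-v` columns, and flags DNAT rules whose original destination is `0.0.0.0/0` in a chain that locally originated traffic traverses. The chain name `loc_dnat` follows Shorewall's zone naming as shown in the verification below; the three dumps are constructed from the rules quoted in this report.

```python
"""Audit an iptables nat table dump for DNAT rules matching *any* destination.

Added example for this report; not NethServer or Shorewall code. It reads the
output of `iptables -t nat -L -n [-v]` (with or without the pkts/bytes/in/out
columns) and flags DNAT rules whose original destination is 0.0.0.0/0. In a
chain that locally originated traffic traverses (Shorewall's loc_dnat, used for
hairpin NAT) such a rule rewrites every outbound connection on that port.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

CHAIN_RE = re.compile(r"^Chain (\S+)")
ADDR_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?$")
DPORT_RE = re.compile(r"dpts?:(\S+)")
TO_RE = re.compile(r"to:(\S+)")

# Chains Shorewall uses for DNAT of traffic entering from the loc zone (assumed
# name, as in the diffs of this report); a wildcard here hits LAN clients'
# own outbound connections.
LOCAL_ORIGIN_CHAINS = ("loc_dnat",)


@dataclass
class DnatRule:
    chain: str
    proto: str
    source: str
    dest: str      # original destination the rule matches on
    dport: str
    target: str    # "ip:port" after rewrite


def parse_dnat_rules(dump: str) -> list[DnatRule]:
    """Extract DNAT rules together with the chain each one belongs to."""
    rules: list[DnatRule] = []
    chain = "?"
    for line in dump.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        fields = line.split()
        if "DNAT" not in fields:
            continue
        i = fields.index("DNAT")
        # After target/prot/opt, -v output adds in/out columns ('*' or interface
        # names) before source and destination; taking the first two
        # address-shaped tokens works for both output variants.
        tail = fields[i + 3:]
        addrs = [f for f in tail if ADDR_RE.match(f)]
        if len(addrs) < 2:
            continue
        rest = " ".join(tail)
        dport = DPORT_RE.search(rest)
        to = TO_RE.search(rest)
        rules.append(DnatRule(chain, fields[i + 1], addrs[0], addrs[1],
                              dport.group(1) if dport else "",
                              to.group(1) if to else ""))
    return rules


def wildcard_dnat(rules: list[DnatRule], chains=LOCAL_ORIGIN_CHAINS) -> list[DnatRule]:
    """DNAT rules in the given chains that match every original destination."""
    return [r for r in rules if r.chain in chains and r.dest == "0.0.0.0/0"]


def audit(dump: str) -> list[str]:
    """One finding per wildcard rule; an empty list means the dump is clean."""
    return [f"{r.chain}: {r.proto} dpt:{r.dport} from any destination -> {r.target}"
            for r in wildcard_dnat(parse_dnat_rules(dump))]


# Constructed: nat table before the fix, hairpin on, PF "Any":80 -> 192.168.122.22
NAT_BEFORE = """\
Chain loc_dnat (1 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* from loc */ to:192.168.122.22:80
Chain net_dnat (1 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* from net */ to:192.168.122.22:80
"""

# Constructed: same table after "Any" was expanded to the two WAN addresses
NAT_AFTER = """\
Chain loc_dnat (1 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            192.168.5.64         tcp dpt:80 /* from loc */ to:192.168.122.22:80
DNAT       tcp  --  0.0.0.0/0            192.168.5.231        tcp dpt:80 /* from loc */ to:192.168.122.22:80
Chain net_dnat (1 references)
target     prot opt source               destination
DNAT       tcp  --  0.0.0.0/0            192.168.5.64         tcp dpt:80 /* from net */ to:192.168.122.22:80
DNAT       tcp  --  0.0.0.0/0            192.168.5.231        tcp dpt:80 /* from net */ to:192.168.122.22:80
"""

# Constructed: the -v layout quoted in the description
NAT_VERBOSE = """\
Chain loc_dnat (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:192.168.1.1:443
"""

if __name__ == "__main__":
    for name, dump in (("before", NAT_BEFORE), ("after", NAT_AFTER), ("verbose", NAT_VERBOSE)):
        print(name, audit(dump) or "clean")
```

On a live box, feed `audit()` the output of `iptables -t nat -L -n -v` (the `-n` matters: the parser recognises numeric addresses only). Widen `chains` to include `net_dnat` to also list the wildcard rule in the inbound chain, which is broader than any forward needs but is not what the report is about.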
Related issues
Associated revisions
Expand all WAN IPs if no one has been selected. Refs #3248
Replaces the '-' in /etc/shorewall/rules with an explicit list of WAN
IPs.
Increase Release number to override HOTFIX 2.7.0-2. Refs #3248
History
#1 Updated by Filippo Carletti almost 6 years ago
- Category set to nethserver-firewall-base
- Status changed from NEW to TRIAGED
- Target version set to v6.6
- % Done changed from 0 to 20
#2 Updated by Filippo Carletti almost 6 years ago
Workaround: always select a WAN IP if using hairpin nat.
#3 Updated by Filippo Carletti almost 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Filippo Carletti
- % Done changed from 20 to 30
A fix could use all WAN IP addresses if no WAN IP has been selected.
Shorewall has a specific syntax: &ethX
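How the proposed fix renders the rules file, as an added example (not the nethserver-firewall-base template, which is Perl): an empty "Any" selection is expanded to the explicit WAN list instead of `-`, and a red interface on DHCP is represented by Shorewall's `&ifname` token (primary address of the interface), giving the `&eth1,192.168.5.231` ORIGINAL DEST seen in the verification diff. `PortForward`, `wan_addresses` and the `RED_INTERFACES` inventory are constructed for the example; the pre-fix rendering is kept behind `expand_any=False` for comparison.

```python
"""Render Shorewall DNAT rules for a port forward, expanding an empty "Any WAN
IP" selection to an explicit ORIGINAL DEST list the way the fix does.

Added example for this report; not the nethserver-firewall-base template.
PortForward and the red-interface inventory are constructed. A red interface
configured by DHCP is written as Shorewall's "&ifname" token, which resolves to
that interface's primary address.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class PortForward:
    proto: str
    port: str                            # port matched on the WAN side
    target: str                          # LAN host
    target_port: str
    original_dest: tuple[str, ...] = ()  # WAN IPs selected in the UI; empty = "Any"
    hairpin: bool = False


def wan_addresses(red_interfaces: list[tuple[str, str]]) -> list[str]:
    """Every address a forward must match on: static addresses (aliases
    included) verbatim, DHCP interfaces as the &ifname primary-address token."""
    return ["&" + name if addr == "dhcp" else addr for name, addr in red_interfaces]


def original_dest_column(pf: PortForward, wan: list[str], expand_any: bool = True) -> str:
    """ORIGINAL DEST column of /etc/shorewall/rules. expand_any=False reproduces
    the pre-fix behaviour: an empty selection becomes '-', which Shorewall reads
    as 'any destination'. With the fix, the full WAN list is emitted instead."""
    if pf.original_dest:
        return ",".join(pf.original_dest)
    if not expand_any:
        return "-"
    if not wan:
        # Never fall back to '-': on a loc-sourced rule it captures all outbound traffic.
        raise ValueError("no WAN address to expand; refusing to emit a wildcard ORIGINAL DEST")
    return ",".join(wan)


def render_rules(pf: PortForward, wan: list[str], expand_any: bool = True) -> list[str]:
    """Rules-file lines for one forward: a DNAT from net, plus a DNAT from loc
    when hairpin NAT is on (the rule that became a catch-all in this bug)."""
    odest = original_dest_column(pf, wan, expand_any)
    dest = f"loc:{pf.target}:{pf.target_port}"
    lines = [f"# PF {odest}:{pf.port} -> {pf.target}:{pf.target_port}",
             "?COMMENT from net",
             f"DNAT net {dest} {pf.proto} {pf.port} - {odest}"]
    if pf.hairpin:
        lines += ["?COMMENT from loc",
                  f"DNAT loc {dest} {pf.proto} {pf.port} - {odest}"]
    return lines


# Constructed to mirror the verification setup: eth1 red on DHCP plus alias eth1:0.
RED_INTERFACES = [("eth1", "dhcp"), ("eth1:0", "192.168.5.231")]
PF_ANY_HAIRPIN = PortForward("tcp", "80", "192.168.122.22", "80", hairpin=True)

if __name__ == "__main__":
    wan = wan_addresses(RED_INTERFACES)
    print("# before the fix")
    print("\n".join(render_rules(PF_ANY_HAIRPIN, wan, expand_any=False)))
    print("# after the fix")
    print("\n".join(render_rules(PF_ANY_HAIRPIN, wan)))
```

The `ValueError` path is deliberate: if no WAN address can be determined, emitting `-` would recreate the intercept for every LAN client, so the renderer refuses rather than degrading to the wildcard.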
#4 Updated by Filippo Carletti almost 6 years ago
The same DNAT rule:
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            93.x.x.x             tcp dpt:443 /* from net */ to:192.168.1.1:443
#5 Updated by Davide Principi almost 6 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Filippo Carletti)
- % Done changed from 30 to 60
MODIFIED
#6 Updated by Davide Principi almost 6 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
In nethserver-testing/6.6
nethserver-firewall-base-2.7.0-3.5.g4c2f5bc.ns6.noarch.rpm
#7 Updated by Filippo Carletti almost 6 years ago
- Related to Bug #3232: hairpin nat - shorewall syntax error with port-range port fwd and IPS added
#8 Updated by Davide Principi almost 6 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
VERIFIED
Tested on host with eth1 DHCP red and alias eth1:0, PF destination Any on port 80 to LAN host.
Without hairpin, before upgrade (nethserver-firewall-base-2.7.0-2.ns6.noarch):
- connection from net zone to port 80, forwarded OK
- connection from loc zone to external web site OK
After upgrade:
- connection from net zone to port 80, forwarded OK
- connection from loc zone to external web site OK
Differences (without hairpin)
[root@vm5 ~]# diff -u nat.{1,2}
--- nat.1 2015-09-02 07:36:42.971513779 +0000
+++ nat.2 2015-09-02 07:37:34.316825037 +0000
@@ -15,4 +15,5 @@
Chain net_dnat (1 references)
target prot opt source destination
-DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* from net */ to:192.168.122.22:80
+DNAT tcp -- 0.0.0.0/0 192.168.5.64 tcp dpt:80 /* from net */ to:192.168.122.22:80
+DNAT tcp -- 0.0.0.0/0 192.168.5.231 tcp dpt:80 /* from net */ to:192.168.122.22:80
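Review bot: the two addresses that replace 0.0.0.0/0 in net_dnat, 192.168.5.64 and 192.168.5.231, are the DHCP lease of the red interface and the eth1:0 alias of this test host, so the compiled chain now carries a lease-dependent value; the fix should state that a DHCP renewal yielding a different address needs a firewall reload to regenerate the list, otherwise the forward silently stops matching on the new address. Narrowing the destination here is right even without hairpin: a DNAT matching destination 0.0.0.0/0 on the forwarded port is broader than any port forward needs.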
[root@vm5 ~]# diff -u rules.{1,2}
--- rules.1 2015-09-02 07:37:08.561157499 +0000
+++ rules.2 2015-09-02 07:37:30.308874899 +0000
@@ -77,10 +77,10 @@
#
#
-# PF -:80 -> 192.168.122.22:80
+# PF ð1,192.168.5.231:80 -> 192.168.122.22:80
#
?COMMENT from net
-DNAT net loc:192.168.122.22:80 tcp 80 - -
+DNAT net loc:192.168.122.22:80 tcp 80 - ð1,192.168.5.231
#
# 60rules
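Review bot: the ORIGINAL DEST value in the `+` lines is `&eth1,192.168.5.231` (this page shows it as `ð1,...` because the `&eth` prefix was decoded as an HTML entity); Shorewall's `&eth1` resolves to the primary address of eth1 only, which is why the alias has to be listed as a separate element. Confirm the expansion enumerates every alias of every red interface, not only eth1:0 from this test, since an alias missing from the list no longer matches after this change. The `# PF` comment now showing the expanded list is useful when reading the generated file.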
With hairpin, before upgrade:
- connection from net zone to port 80, forwarded OK
- connection from loc zone to external web site, FAILED (was forwarded back to LAN)
After upgrade:
- connection from net zone to port 80, forwarded OK
- connection from loc zone to external web site OK
Differences (with hairpin)
[root@vm5 ~]# diff -u nat.{3,4}
--- nat.3 2015-09-02 07:49:27.780292403 +0000
+++ nat.4 2015-09-02 07:54:31.170926978 +0000
@@ -21,8 +21,10 @@
Chain loc_dnat (1 references)
target prot opt source destination
-DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* from loc */ to:192.168.122.22:80
+DNAT tcp -- 0.0.0.0/0 192.168.5.64 tcp dpt:80 /* from loc */ to:192.168.122.22:80
+DNAT tcp -- 0.0.0.0/0 192.168.5.231 tcp dpt:80 /* from loc */ to:192.168.122.22:80
Chain net_dnat (1 references)
target prot opt source destination
-DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* from net */ to:192.168.122.22:80
+DNAT tcp -- 0.0.0.0/0 192.168.5.64 tcp dpt:80 /* from net */ to:192.168.122.22:80
+DNAT tcp -- 0.0.0.0/0 192.168.5.231 tcp dpt:80 /* from net */ to:192.168.122.22:80
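Review bot: the removed loc_dnat line is the reported bug in iptables terms: source 0.0.0.0/0 and destination 0.0.0.0/0 on dpt:80 means every HTTP connection from the LAN, to any host, was rewritten to 192.168.122.22:80, and the replacement lines confine the hairpin to the two WAN addresses. The verification list above, however, only checks net-to-port-80 and loc-to-external-site; it does not include a connection from loc to one of the WAN addresses on port 80, which is the case the loc_dnat chain exists for, so that test should be added to show the narrowed rule still matches. The diff also shows only the DNAT chains; the loc-to-loc SNAT that hairpin needs for replies to return via the firewall is not in it and should be confirmed separately.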
[root@vm5 ~]# diff -u rules.{3,4}
--- rules.3 2015-09-02 07:49:51.593253343 +0000
+++ rules.4 2015-09-02 07:54:33.624922020 +0000
@@ -77,12 +77,12 @@
#
#
-# PF -:80 -> 192.168.122.22:80
+# PF ð1,192.168.5.231:80 -> 192.168.122.22:80
#
?COMMENT from net
-DNAT net loc:192.168.122.22:80 tcp 80 - -
+DNAT net loc:192.168.122.22:80 tcp 80 - ð1,192.168.5.231
?COMMENT from loc
-DNAT loc loc:192.168.122.22:80 tcp 80 - -
+DNAT loc loc:192.168.122.22:80 tcp 80 - ð1,192.168.5.231
#
# 60rules
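Review bot: the `DNAT loc ... tcp 80 - -` line being removed is the root cause at the Shorewall level: `-` in ORIGINAL DEST means match any destination, which for a rule whose SOURCE is loc turns the hairpin rule into a catch-all for outbound port 80; the replacement lists the WAN addresses instead. The template should therefore never emit `-` in ORIGINAL DEST for a loc-sourced rule: when the expansion yields nothing (no red interface configured, or no address acquired yet), skip the loc rule rather than fall back to `-`.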
#9 Updated by Davide Principi almost 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates/6.6
nethserver-firewall-base-2.7.1-1.ns6.noarch.rpm
#10 Updated by Davide Principi almost 6 years ago
- Affected version set to v6.6