Problem with Hairpin nat all of the sudden

phucktank · July 10, 2017, 4:10pm

NethServer Version: 7
Module: firewall

Hello. last night I noticed that hairpin nat stopped working. The port forwards work off the network but I can’t access them from internal anymore. It says refused to connect. I’m not sure what is causing this and I’ve been working at trying to fix it for a few hours now. Hopefully something in the logs below jump out at one of you.

Here is my Shorwall show

[CODE] Chain loc2fw (1 references)
pkts bytes target prot opt in 83 10803 dynamic all – * 18 3808 smurfs all – * 0 0 ACCEPT udp – * * 65 6995 tcpflags tcp – * 65 6995 ACCEPT all – * 0 0 ACCEPT icmp – * * 0 0 ACCEPT udp – * * 0 0 ACCEPT tcp – * * 2 120 ACCEPT udp – * * 0 0 ACCEPT udp – * * 0 0 ACCEPT udp – * * 0 0 ACCEPT tcp – * * 0 0 ACCEPT tcp – * * 0 0 ACCEPT tcp – * * 0 0 ACCEPT tcp – * * 0 0 ACCEPT tcp – * * 0 0 ACCEPT tcp – * * 0 0 ACCEPT tcp – * * 0 0 ACCEPT tcp – * * 0 0 ACCEPT tcp – * * 0 0 ACCEPT tcp – * * 0 0 ACCEPT tcp – * * 0 0 ACCEPT tcp – * * 0 0 ACCEPT tcp – * * 0 0 ACCEPT tcp – * * 0 0 ACCEPT tcp – * * 0 0 ACCEPT tcp – * * 16 3688 Reject all – * 0 0 LOG all – * * 0 0 reject all – * * out source destination
* 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,ESTABLISHED,UNTRACKED
* 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
* 0.0.0.0/0 0.0.0.0/0
* 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping /
0.0.0.0/0 0.0.0.0/0 udp dpt:123 / chronyd /
0.0.0.0/0 0.0.0.0/0 tcp dpt:53 / dnsmasq /
0.0.0.0/0 0.0.0.0/0 udp dpt:53 / dnsmasq /
0.0.0.0/0 0.0.0.0/0 udp dpt:67 / dnsmasq /
0.0.0.0/0 0.0.0.0/0 udp dpt:69 / dnsmasq /
0.0.0.0/0 0.0.0.0/0 tcp dpt:110 / dovecot /
0.0.0.0/0 0.0.0.0/0 tcp dpt:143 / dovecot /
0.0.0.0/0 0.0.0.0/0 tcp dpt:4190 / dovecot /
0.0.0.0/0 0.0.0.0/0 tcp dpt:993 / dovecot /
0.0.0.0/0 0.0.0.0/0 tcp dpt:995 / dovecot /
0.0.0.0/0 0.0.0.0/0 tcp dpt:80 / httpd /
0.0.0.0/0 0.0.0.0/0 tcp dpt:443 / httpd /
0.0.0.0/0 0.0.0.0/0 tcp dpt:980 / httpd-admin /
0.0.0.0/0 0.0.0.0/0 tcp dpt:3000 / ntopng /
0.0.0.0/0 0.0.0.0/0 tcp dpt:25 / postfix /
0.0.0.0/0 0.0.0.0/0 tcp dpt:465 / postfix /
0.0.0.0/0 0.0.0.0/0 tcp dpt:587 / postfix /
0.0.0.0/0 0.0.0.0/0 tcp dpt:2525 / postfix /
0.0.0.0/0 0.0.0.0/0 tcp dpt:389 / slapd /
0.0.0.0/0 0.0.0.0/0 tcp dpt:636 / slapd /
0.0.0.0/0 0.0.0.0/0 tcp dpt:22 / sshd */
* 0.0.0.0/0 0.0.0.0/0
0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:loc2fw:REJECT:"
0.0.0.0/0 0.0.0.0/0 [goto]

Chain loc2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp – * * 0.0.0.0/0 192.168.1.2 ctorigdst 50.4.44.143 tcp dpt:8006 ctorigdstport 8006 /* Proxmox Web Access from loc /
0 0 ACCEPT udp – * * 0.0.0.0/0 192.168.1.2 ctorigdst 50.4.44.143 udp dpt:8006 ctorigdstport 8006 / Proxmox Web Access from loc /
0 0 ACCEPT tcp – * * 0.0.0.0/0 192.168.1.5 ctorigdst 50.4.44.143 tcp dpt:8443 ctorigdstport 8443 / OMV Web Access from loc /
0 0 ACCEPT udp – * * 0.0.0.0/0 192.168.1.5 ctorigdst 50.4.44.143 udp dpt:8443 ctorigdstport 8443 / OMV Web Access from loc /
0 0 ACCEPT tcp – * * 0.0.0.0/0 192.168.1.5 ctorigdst 50.4.44.143 tcp dpt:7443 ctorigdstport 7443 / NextCloud Web Access from loc /
0 0 ACCEPT udp – * * 0.0.0.0/0 192.168.1.5 ctorigdst 50.4.44.143 udp dpt:7443 ctorigdstport 7443 / NextCloud Web Access from loc /
0 0 ACCEPT tcp – * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 tcp dpt:8124 ctorigdstport 8124 / Votifier from loc /
0 0 ACCEPT udp – * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 udp dpt:8124 ctorigdstport 8124 / Votifier from loc /
0 0 ACCEPT tcp – * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 tcp dpt:25420 ctorigdstport 25420 / Minecraft Server from loc /
0 0 ACCEPT udp – * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 udp dpt:25420 ctorigdstport 25420 / Minecraft Server from loc /
0 0 ACCEPT tcp – * * 0.0.0.0/0 192.168.1.10 ctorigdst 50.4.44.143 tcp dpt:25566 ctorigdstport 25566 / Test Environment from loc /
0 0 ACCEPT udp – * * 0.0.0.0/0 192.168.1.10 ctorigdst 50.4.44.143 udp dpt:25566 ctorigdstport 25566 / Test Environment from loc /
0 0 ACCEPT tcp – * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 tcp dpt:22 ctorigdstport 69 / ssh for Minecraft from loc /
0 0 ACCEPT udp – * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 udp dpt:22 ctorigdstport 69 / ssh for Minecraft from loc /
0 0 ACCEPT tcp – * * 0.0.0.0/0 192.168.1.9 ctorigdst 50.4.44.143 tcp dpt:25569 ctorigdstport 25569 / Anarchy Minecraft Server from loc /
0 0 ACCEPT udp – * * 0.0.0.0/0 192.168.1.9 ctorigdst 50.4.44.143 udp dpt:25569 ctorigdstport 25569 / Anarchy Minecraft Server from loc */
0 0 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0

Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
8270 1393K ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ~log1 tcp – * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp dpt:25 /* block port 25 from green */
2 1438 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0

Chain loc_frwd (1 references)
pkts bytes target prot opt in out source destination
8272 1394K dynamic all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,ESTABLISHED,UNTRACKED
2 1438 smurfs all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
8263 1391K tcpflags tcp – * * 0.0.0.0/0 0.0.0.0/0
0 0 loc2loc all – * eth0 0.0.0.0/0 0.0.0.0/0
8272 1394K loc2net all – * eth1 0.0.0.0/0 0.0.0.0/0

Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:logdrop:DROP:"
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain logflags (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:logreject:REJECT:"
0 0 reject all – * * 0.0.0.0/0 0.0.0.0/0

Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
3 228 dynamic all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,ESTABLISHED,UNTRACKED
0 0 smurfs all – * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 ACCEPT udp – * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 tcpflags tcp – * * 0.0.0.0/0 0.0.0.0/0
3 228 ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp – * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping /
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 / dovecot /
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 / dovecot /
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4190 / dovecot /
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 / dovecot /
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 / dovecot /
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 / httpd /
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 / httpd /
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:980 / httpd-admin /
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 / postfix /
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 / postfix /
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 / postfix /
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2525 / postfix /
0 0 ACCEPT tcp – * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 / sshd */
0 0 Drop all – * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:net2fw:DROP:"
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0

Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
4723 5991K ACCEPT all – * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp – * * 0.0.0.0/0 192.168.1.2 ctorigdst 50.4.44.143 tcp dpt:8006 ctorigdstport 8006 /* Proxmox Web Access from net /
0 0 ACCEPT udp – * * 0.0.0.0/0 192.168.1.2 ctorigdst 50.4.44.143 udp dpt:8006 ctorigdstport 8006 / Proxmox Web Access from net /
0 0 ACCEPT tcp – * * 0.0.0.0/0 192.168.1.5 ctorigdst 50.4.44.143 tcp dpt:8443 ctorigdstport 8443 / OMV Web Access from net /
0 0 ACCEPT udp – * * 0.0.0.0/0 192.168.1.5 ctorigdst 50.4.44.143 udp dpt:8443 ctorigdstport 8443 / OMV Web Access from net /
0 0 ACCEPT tcp – * * 0.0.0.0/0 192.168.1.5 ctorigdst 50.4.44.143 tcp dpt:7443 ctorigdstport 7443 / NextCloud Web Access from net /
0 0 ACCEPT udp – * * 0.0.0.0/0 192.168.1.5 ctorigdst 50.4.44.143 udp dpt:7443 ctorigdstport 7443 / NextCloud Web Access from net /
0 0 ACCEPT tcp – * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 tcp dpt:8124 ctorigdstport 8124 / Votifier from net /
0 0 ACCEPT udp – * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 udp dpt:8124 ctorigdstport 8124 / Votifier from net /
0 0 ACCEPT tcp – * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 tcp dpt:25420 ctorigdstport 25420 / Minecraft Server from net /
0 0 ACCEPT udp – * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 udp dpt:25420 ctorigdstport 25420 / Minecraft Server from net /
0 0 ACCEPT tcp – * * 0.0.0.0/0 192.168.1.10 ctorigdst 50.4.44.143 tcp dpt:25566 ctorigdstport 25566 / Test Environment from net /
0 0 ACCEPT udp – * * 0.0.0.0/0 192.168.1.10 ctorigdst 50.4.44.143 udp dpt:25566 ctorigdstport 25566 / Test Environment from net /
0 0 ACCEPT tcp – * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 tcp dpt:22 ctorigdstport 69 / ssh for Minecraft from net /
0 0 ACCEPT udp – * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 udp dpt:22 ctorigdstport 69 / ssh for Minecraft from net /
0 0 ACCEPT tcp – * * 0.0.0.0/0 192.168.1.9 ctorigdst 50.4.44.143 tcp dpt:25569 ctorigdstport 25569 / Anarchy Minecraft Server from net /
0 0 ACCEPT udp – * * 0.0.0.0/0 192.168.1.9 ctorigdst 50.4.44.143 udp dpt:25569 ctorigdstport 25569 / Anarchy Minecraft Server from net /
0 0 ~log0 all – * * 0.0.0.0/0 192.168.1.10 [goto] / RULE#1 */
0 0 Drop all – * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all – * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:net2loc:DROP:"
0 0 DROP all – * * 0.0.0.0/0 0.0.0.0/0
[/CODE]

Here is where the firewall is blocking it.

x00 SYN URGP=0 Jul 10 11:47:15 Neth kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=9a:d7:38:76:4f:c0:08:62:66:31:4e:c0:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24238 DF PROTO=TCP SPT=33558 DPT=8006 WINDOW=29200 RES=0x00 SYN URGP=0 Jul 10 11:47:15 Neth kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=9a:d7:38:76:4f:c0:08:62:66:31:4e:c0:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59737 DF PROTO=TCP SPT=33560 DPT=8006 WINDOW=29200 RES=0x00 SYN URGP=0 Jul 10 11:47:16 Neth kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=9a:d7:38:76:4f:c0:08:62:66:31:4e:c0:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9098 DF PROTO=TCP SPT=33562 DPT=8006 WINDOW=29200 RES=0x00 SYN URGP=0 Jul 10 11:47:16 Neth kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=9a:d7:38:76:4f:c0:08:62:66:31:4e:c0:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25036 DF PROTO=TCP SPT=33564 DPT=8006 WINDOW=29200 RES=0x00 SYN URGP=0 Jul 10 11:56:01 Neth kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=9a:d7:38:76:4f:c0:08:62:66:31:4e:c0:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26554 DF PROTO=TCP SPT=34010 DPT=8006 WINDOW=29200 RES=0x00 SYN URGP=0 Jul 10 11:56:01 Neth kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=9a:d7:38:76:4f:c0:08:62:66:31:4e:c0:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3597 DF PROTO=TCP SPT=34012 DPT=8006 WINDOW=29200 RES=0x00 SYN URGP=0

Thanks in advance

phucktank · July 10, 2017, 4:59pm

For an update. Technically harpin nat is working if I use https://50.4.44.143:8006 Just not when I use the URL https://volitank.com:8006

https://volitank.com:8006 works from external though.

phucktank · July 10, 2017, 5:22pm

That’s unfortunate fix. What had happened is I was playing around with the Virtual hosts for a website. Upon disabling it there was an alias for volitank.com and that was causing the issue. Took out the alias and problem solved.