Problem with Hairpin nat all of the sudden

v7

(Blake Lee) #1

NethServer Version: 7
Module: firewall

Hello. Last night I noticed that hairpin NAT stopped working. The port forwards work off the network but I can’t access them from internal anymore. It says refused to connect. I’m not sure what is causing this and I’ve been working at trying to fix it for a few hours now. Hopefully something in the logs below jumps out at one of you.

Here is my Shorewall show

[CODE]Chain loc2fw (1 references)
pkts bytes target prot opt in out source destination
83 10803 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,ESTABLISHED,UNTRACKED
18 3808 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
65 6995 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
65 6995 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 /* chronyd */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 /* dnsmasq */
2 120 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 /* dnsmasq */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:67 /* dnsmasq */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:69 /* dnsmasq */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 /* dovecot */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 /* dovecot */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4190 /* dovecot */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 /* dovecot */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 /* dovecot */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* httpd */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 /* httpd */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:980 /* httpd-admin */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3000 /* ntopng */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 /* postfix */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 /* postfix */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 /* postfix */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2525 /* postfix */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:389 /* slapd */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:636 /* slapd */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* sshd */
16 3688 Reject all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:loc2fw:REJECT:"
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain loc2loc (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.2 ctorigdst 50.4.44.143 tcp dpt:8006 ctorigdstport 8006 /* Proxmox Web Access from loc */
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.2 ctorigdst 50.4.44.143 udp dpt:8006 ctorigdstport 8006 /* Proxmox Web Access from loc */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.5 ctorigdst 50.4.44.143 tcp dpt:8443 ctorigdstport 8443 /* OMV Web Access from loc */
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.5 ctorigdst 50.4.44.143 udp dpt:8443 ctorigdstport 8443 /* OMV Web Access from loc */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.5 ctorigdst 50.4.44.143 tcp dpt:7443 ctorigdstport 7443 /* NextCloud Web Access from loc */
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.5 ctorigdst 50.4.44.143 udp dpt:7443 ctorigdstport 7443 /* NextCloud Web Access from loc */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 tcp dpt:8124 ctorigdstport 8124 /* Votifier from loc */
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 udp dpt:8124 ctorigdstport 8124 /* Votifier from loc */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 tcp dpt:25420 ctorigdstport 25420 /* Minecraft Server from loc */
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 udp dpt:25420 ctorigdstport 25420 /* Minecraft Server from loc */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.10 ctorigdst 50.4.44.143 tcp dpt:25566 ctorigdstport 25566 /* Test Environment from loc */
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.10 ctorigdst 50.4.44.143 udp dpt:25566 ctorigdstport 25566 /* Test Environment from loc */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 tcp dpt:22 ctorigdstport 69 /* ssh for Minecraft from loc */
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 udp dpt:22 ctorigdstport 69 /* ssh for Minecraft from loc */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.9 ctorigdst 50.4.44.143 tcp dpt:25569 ctorigdstport 25569 /* Anarchy Minecraft Server from loc */
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.9 ctorigdst 50.4.44.143 udp dpt:25569 ctorigdstport 25569 /* Anarchy Minecraft Server from loc */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc2net (1 references)
pkts bytes target prot opt in out source destination
8270 1393K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ~log1 tcp -- * * 0.0.0.0/0 0.0.0.0/0 [goto] tcp dpt:25 /* block port 25 from green */
2 1438 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain loc_frwd (1 references)
pkts bytes target prot opt in out source destination
8272 1394K dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,ESTABLISHED,UNTRACKED
2 1438 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
8263 1391K tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 loc2loc all -- * eth0 0.0.0.0/0 0.0.0.0/0
8272 1394K loc2net all -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain logdrop (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:logdrop:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logflags (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 4 level 6 prefix "Shorewall:logflags:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain logreject (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:logreject:REJECT:"
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2fw (1 references)
pkts bytes target prot opt in out source destination
3 228 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,ESTABLISHED,UNTRACKED
0 0 smurfs all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID,NEW,UNTRACKED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:67:68
0 0 tcpflags tcp -- * * 0.0.0.0/0 0.0.0.0/0
3 228 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* Ping */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 /* dovecot */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 /* dovecot */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4190 /* dovecot */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:993 /* dovecot */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:995 /* dovecot */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 /* httpd */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 /* httpd */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:980 /* httpd-admin */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 /* postfix */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 /* postfix */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:587 /* postfix */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2525 /* postfix */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 /* sshd */
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:net2fw:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain net2loc (1 references)
pkts bytes target prot opt in out source destination
4723 5991K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.2 ctorigdst 50.4.44.143 tcp dpt:8006 ctorigdstport 8006 /* Proxmox Web Access from net */
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.2 ctorigdst 50.4.44.143 udp dpt:8006 ctorigdstport 8006 /* Proxmox Web Access from net */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.5 ctorigdst 50.4.44.143 tcp dpt:8443 ctorigdstport 8443 /* OMV Web Access from net */
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.5 ctorigdst 50.4.44.143 udp dpt:8443 ctorigdstport 8443 /* OMV Web Access from net */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.5 ctorigdst 50.4.44.143 tcp dpt:7443 ctorigdstport 7443 /* NextCloud Web Access from net */
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.5 ctorigdst 50.4.44.143 udp dpt:7443 ctorigdstport 7443 /* NextCloud Web Access from net */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 tcp dpt:8124 ctorigdstport 8124 /* Votifier from net */
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 udp dpt:8124 ctorigdstport 8124 /* Votifier from net */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 tcp dpt:25420 ctorigdstport 25420 /* Minecraft Server from net */
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 udp dpt:25420 ctorigdstport 25420 /* Minecraft Server from net */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.10 ctorigdst 50.4.44.143 tcp dpt:25566 ctorigdstport 25566 /* Test Environment from net */
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.10 ctorigdst 50.4.44.143 udp dpt:25566 ctorigdstport 25566 /* Test Environment from net */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 tcp dpt:22 ctorigdstport 69 /* ssh for Minecraft from net */
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.7 ctorigdst 50.4.44.143 udp dpt:22 ctorigdstport 69 /* ssh for Minecraft from net */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.9 ctorigdst 50.4.44.143 tcp dpt:25569 ctorigdstport 25569 /* Anarchy Minecraft Server from net */
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.9 ctorigdst 50.4.44.143 udp dpt:25569 ctorigdstport 25569 /* Anarchy Minecraft Server from net */
0 0 ~log0 all -- * * 0.0.0.0/0 192.168.1.10 [goto] /* RULE#1 */
0 0 Drop all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix "Shorewall:net2loc:DROP:"
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
[/CODE]

Here is where the firewall is blocking it.

[CODE]x00 SYN URGP=0
Jul 10 11:47:15 Neth kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=9a:d7:38:76:4f:c0:08:62:66:31:4e:c0:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24238 DF PROTO=TCP SPT=33558 DPT=8006 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 10 11:47:15 Neth kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=9a:d7:38:76:4f:c0:08:62:66:31:4e:c0:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59737 DF PROTO=TCP SPT=33560 DPT=8006 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 10 11:47:16 Neth kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=9a:d7:38:76:4f:c0:08:62:66:31:4e:c0:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9098 DF PROTO=TCP SPT=33562 DPT=8006 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 10 11:47:16 Neth kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=9a:d7:38:76:4f:c0:08:62:66:31:4e:c0:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=25036 DF PROTO=TCP SPT=33564 DPT=8006 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 10 11:56:01 Neth kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=9a:d7:38:76:4f:c0:08:62:66:31:4e:c0:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26554 DF PROTO=TCP SPT=34010 DPT=8006 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 10 11:56:01 Neth kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=9a:d7:38:76:4f:c0:08:62:66:31:4e:c0:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3597 DF PROTO=TCP SPT=34012 DPT=8006 WINDOW=29200 RES=0x00 SYN URGP=0
[/CODE]

Thanks in advance


(Blake Lee) #2

For an update. Technically hairpin NAT is working if I use https://50.4.44.143:8006, just not when I use the URL https://volitank.com:8006.

https://volitank.com:8006 works from external though.


(Blake Lee) #3

That’s an unfortunate fix. What had happened is I was playing around with the virtual hosts for a website. Upon disabling it there was an alias for volitank.com and that was causing the issue. Took out the alias and problem solved.
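A small diagnostic for the situation this thread ends up describing, written here as an added example and not code from NethServer, Shorewall or the poster: it parses Shorewall REJECT lines shaped like the ones in the first post and flags a LAN client hitting the firewall's own LAN address on a port that exists only as a DNAT on the public address, which is the signature of a name that resolves to the internal interface (the alias found in the third post) instead of the public IP. The addresses and forwards are taken from the chains posted above; the second sample line (port 2222) is constructed.

```python
"""Hairpin NAT diagnosis: added example, not NethServer or Shorewall code."""
import re
from ipaddress import ip_address, ip_network

# Addresses and forwards taken from the thread; adjust for your own firewall.
FIREWALL_LAN_IP = ip_address("192.168.1.1")    # green (LAN) address of the NethServer
PUBLIC_IP = ip_address("50.4.44.143")           # red (WAN) address the port forwards use
LAN = ip_network("192.168.1.0/24")
# External port -> DNAT target, from the loc2loc / net2loc chains above.
FORWARDS = {8006: "192.168.1.2", 8443: "192.168.1.5", 7443: "192.168.1.5", 25420: "192.168.1.7", 25569: "192.168.1.9"}

LOG_RE = re.compile(r"Shorewall:(?P<chain>\w+):(?P<action>\w+):(?P<rest>.*)")

def parse_shorewall_line(line):
    """Return the chain, action and KEY=VALUE fields of a Shorewall kernel log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("rest")))
    fields.update(chain=m.group("chain"), action=m.group("action"))
    return fields

def diagnose(line):
    """Explain why a LAN client's connection was rejected, from one log line."""
    f = parse_shorewall_line(line)
    if f is None or "SRC" not in f or "DST" not in f:
        return "not-a-shorewall-line"
    src, dst, dpt = ip_address(f["SRC"]), ip_address(f["DST"]), int(f.get("DPT", 0))
    # A LAN client reached the firewall's own LAN address on a port that exists only as a
    # DNAT on the public address: the name resolved internally, so the hairpin rule never ran.
    if f["chain"] == "loc2fw" and src in LAN and dst == FIREWALL_LAN_IP and dpt in FORWARDS:
        return f"hairpin-bypassed: {dpt} is forwarded to {FORWARDS[dpt]} only via {PUBLIC_IP}"
    if f["chain"] == "loc2fw" and dst == FIREWALL_LAN_IP:
        return f"service-closed: port {dpt} is not open on the firewall itself"
    return f"other: {f['chain']} {f['action']} to {dst}:{dpt}"

def classify_resolution(resolved):
    """Say whether hairpin NAT can work given what a LAN client resolved the public name to."""
    addr = ip_address(resolved)
    if addr == PUBLIC_IP:
        return "ok: resolves to the public address, so the DNAT and hairpin rules apply"
    if addr in LAN:
        return "internal-alias: name points into the LAN, traffic never reaches the DNAT rule"
    return "unexpected: name resolves to an address outside both LAN and public IP"

# Constructed sample in the shape of the log lines from the first post.
SAMPLE_LOG = [
    "Jul 10 11:47:15 Neth kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=9a:d7:38:76:4f:c0:08:62:66:31:4e:c0:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=24238 DF PROTO=TCP SPT=33558 DPT=8006 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jul 10 11:47:16 Neth kernel: Shorewall:loc2fw:REJECT:IN=eth0 OUT= MAC=9a:d7:38:76:4f:c0:08:62:66:31:4e:c0:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9098 DF PROTO=TCP SPT=33562 DPT=2222 WINDOW=29200 RES=0x00 SYN URGP=0",
]
```

Run `diagnose()` over `/var/log/firewall.log` lines and `classify_resolution()` on what `dig` returns from a LAN client; a `hairpin-bypassed` result together with `internal-alias` points at DNS, not at the port forward rules.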