Hairpinning - doesn't work

Hello,
I am trying to add one hairpin rule to my running router without any success... any idea why?

root@OpenWrt-main-router:~# iptables -t nat -A PREROUTING -i br-lan -s 10.0.1.0/24 -d {Public_IP_ADDR}/32 -p tcp -m tcp --dport 8123 -j DNAT --to-destination 10.0.1.104:8123
root@OpenWrt-main-router:~# iptables -t nat -A  POSTROUTING -o br-lan -s 10.0.1.0/24 **-d 10.0.1.104/32** -p tcp -m tcp --dport 8123 -j SNAT --to-source 10.0.1.104

I also tried

iptables -t nat -A  POSTROUTING -o br-lan -s 10.0.1.0/24 **-d 10.0.1.1** -p tcp -m tcp --dport 8123 -j SNAT --to-source 10.0.1.104

The scenario is almost the same as described here... just a different service port: 8123 instead of 25.

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
prerouting_rule  all  --  anywhere             anywhere             /* !fw3: Custom prerouting rule chain */
zone_lan_prerouting  all  --  anywhere             anywhere             /* !fw3 */
zone_lan_prerouting  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_prerouting  all  --  anywhere             anywhere             /* !fw3 */
DNAT       tcp  --  10.0.1.0/24          PUBLIC_IP  tcp dpt:8123 to:10.0.1.104:8123

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
postrouting_rule  all  --  anywhere             anywhere             /* !fw3: Custom postrouting rule chain */
zone_lan_postrouting  all  --  anywhere             anywhere             /* !fw3 */
zone_lan_postrouting  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_postrouting  all  --  anywhere             anywhere             /* !fw3 */
SNAT       tcp  --  10.0.1.0/24          OpenWrt-main-router.lan  tcp dpt:8123 to:10.0.1.104


Chain zone_wan_postrouting (1 references)
target     prot opt source               destination
postrouting_wan_rule  all  --  anywhere             anywhere             /* !fw3: Custom wan postrouting rule chain */
MASQUERADE  all  --  anywhere             anywhere             /* !fw3 */

And there are also these rules as part of the port forwarding:

root@OpenWrt-main-router:~# iptables -L -t nat   | grep 8123
DNAT       tcp  --  10.0.1.0/24          {PUBLIC_IP}          tcp dpt:8123 to:10.0.1.104:8123
SNAT       tcp  --  10.0.1.0/24          homeassistant.lan    tcp dpt:8123 to:10.0.1.104
SNAT       tcp  --  10.0.1.0/24          homeassistant.lan    tcp dpt:8123 /* !fw3: hass (reflection) */ to:10.0.1.1
SNAT       tcp  --  192.168.9.0/24       homeassistant.lan    tcp dpt:8123 /* !fw3: hass (reflection) */ to:192.168.9.1
DNAT       tcp  --  10.0.1.0/24          192.168.0.4          tcp dpt:8123 /* !fw3: hass (reflection) */ to:10.0.1.104:8123
DNAT       tcp  --  192.168.9.0/24       192.168.0.4          tcp dpt:8123 /* !fw3: hass (reflection) */ to:10.0.1.104:8123
DNAT       tcp  --  anywhere             anywhere             tcp dpt:8123 /* !fw3: hass */ to:10.0.1.104:8123


where 192.168.0.4 is the IP of the router to which my OpenWrt router is connected via its wlan interface,

and 192.168.9.1 is the OpenVPN interface.

Any idea what is wrong?

Thanks!

Packets will never hit this rule, as it is placed after the jump to zone_lan_prerouting or zone_lan_postrouting, which don't have any RETURN to continue the travel in the PREROUTING or POSTROUTING.


@trendy No idea... what RETURN are we talking about?
Do I have to insert these rules before zone_lan_postrouting etc.? Also no clue why these are there 2x etc.

https://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#RETURNTARGET

Inside the zone prerouting and postrouting is more appropriate.

The RETURN target will cause the current packet to stop traveling through the chain where it hit the rule.

I think the packet should travel between these chains...

Is it possible to somehow add my rules into these zones... from the command line, using iptables? Thx

Still no idea why the zones are there 2x in POSTROUTING/PREROUTING... like that:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
postrouting_rule  all  --  anywhere             anywhere             /* !fw3: Custom postrouting rule chain */
zone_lan_postrouting  all  --  anywhere             anywhere             /* !fw3 */
zone_lan_postrouting  all  --  anywhere             anywhere             /* !fw3 */
zone_wan_postrouting  all  --  anywhere             anywhere             /* !fw3 */
SNAT       tcp  --  10.0.1.0/24          x.lan                tcp dpt:8123 to:10.0.1.104

Yes, sure it is. To survive a reboot it's advised to enter them inside /etc/firewall.user

Use `iptables-save -c -t nat` to see the whole rule.

Seems the rules are invalid...

iptables -t nat -A zone_lan_prerouting  -i br-lan -s 10.0.1.0/24 -d  {public_ip}/32 -p tcp -m tcp --dport 8123 -j DNAT --to-destination 10.0.1.104:8123

iptables -t nat -A zone_lan_postrouting  -o br-lan -s 10.0.1.0/24 -d 10.0.1.104/32 -p tcp -m tcp --dport 8123 -j SNAT --to-source 10.0.1.104

Same when I tried postrouting_rule / prerouting_rule...

(Apparently one or more individuals were not amused by the posting of an image of a hairpin).

Not really.

This thing will definitely not work, as you are SNATing to the same IP that you are DNATing to. Also, input and output interfaces are not needed, as you can see from the other rules created by the system.


I was following

and they did it in a similar fashion... ?

They might have done it in a similar way, but you should use the correct values in your case.

Hi,
Could you advise here? I might be missing something :frowning:

If you have a look at the rules generated by OpenWrt, you'll see that the IP used for SNAT is 10.0.1.1

Which OpenWrt-generated rules?
I am adding

iptables -t nat -A zone_lan_postrouting -o br-lan -s 10.0.1.0/24 -d 10.0.1.104/32 -p tcp -m tcp --dport 8123 -j SNAT --to-source 10.0.1.104

I told you it is wrong to do SNAT to the same IP as the DNAT. Packet cannot have the same source and destination address. Switch SNAT address to 10.0.1.1

Doesn't make sense... why 10.0.1.1?

I tried...
iptables -t nat -A postrouting_rule -o br-lan -s 10.0.1.0/24 -d 10.0.1.104/32 -p tcp -m tcp --dport 8123 -j SNAT --to-source 10.0.1.1

It's still not working...

I think we are just shooting some nonsense iptables rules here... with random changes and no solution... all the time a different issue with no solution...

Because you need to change the source address of the packet to the one of the router.

Post here the output of `iptables-save -c` to have a look at what the running config is.

Maybe you are using the wrong DNS? Or maybe you are trying again to hairpin through the ISP router?
Or is it just the time of the year that you remember that hairpin in OpenWrt is not working and it's everyone else to blame?

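To make the point of the thread concrete (SNAT must rewrite the hairpinned packet's source to the router's own LAN address, 10.0.1.1, and not to the DNAT target 10.0.1.104), here is an added example that models the three variants discussed: no SNAT, SNAT to the server, and SNAT to the router. This is not code from the thread or from OpenWrt/fw3; it reuses the thread's addresses (LAN 10.0.1.0/24, router 10.0.1.1, server 10.0.1.104, port 8123) and assumes a single router with the public address directly on its WAN interface. `PUBLIC_IP` is an assumed RFC 5737 documentation address standing in for the redacted `{Public_IP_ADDR}`. The model follows one SYN from a LAN client through DNAT and SNAT, then asks whether the server's reply comes back through the router (where conntrack can reverse both translations) or goes straight across the LAN switch.

```python
"""Hairpin (reflection) NAT model: why the SNAT target must be the router.

Added example, not code from the thread. Addresses are the thread's; the
public IP is an assumed placeholder. The model assumes a single router,
i.e. no second NAT device in front of it.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

LAN = ipaddress.ip_network("10.0.1.0/24")
ROUTER_LAN_IP = "10.0.1.1"
SERVER = "10.0.1.104"
PUBLIC_IP = "203.0.113.10"   # assumed placeholder for {Public_IP_ADDR}
PORT = 8123


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def dnat(pkt: Packet) -> Packet:
    """zone_lan_prerouting: LAN client -> PUBLIC_IP:PORT is redirected to SERVER."""
    if ipaddress.ip_address(pkt.src) in LAN and pkt.dst == PUBLIC_IP and pkt.dport == PORT:
        return replace(pkt, dst=SERVER)
    return pkt


def snat(pkt: Packet, to_source: str) -> Packet:
    """zone_lan_postrouting: rewrite the source of the already-DNATed packet."""
    if ipaddress.ip_address(pkt.src) in LAN and pkt.dst == SERVER and pkt.dport == PORT:
        return replace(pkt, src=to_source)
    return pkt


def run_hairpin(client_ip: str, snat_to: Optional[str] = None) -> dict:
    """Simulate a LAN client's SYN to PUBLIC_IP:PORT and the server's SYN/ACK.

    The client only completes the handshake if the reply appears to come from
    PUBLIC_IP, the address it connected to. That requires the reply to pass
    back through the router so conntrack can undo the DNAT, which in turn
    requires the server to address its reply to the router.
    """
    original = Packet(client_ip, PUBLIC_IP, PORT)
    translated = dnat(original)
    if snat_to is not None:
        translated = snat(translated, snat_to)
    if translated.src == translated.dst:
        # SNAT to the DNAT target: src == dst, the server cannot answer anyone
        return {"server_sees": translated, "reply_via_router": False,
                "client_sees_src": None, "ok": False}
    reply = Packet(translated.dst, translated.src, 0)   # server answers whoever it saw
    if reply.dst == ROUTER_LAN_IP:
        # reply enters the router; conntrack reverses SNAT (dst) and DNAT (src)
        client_sees_src, via_router = original.dst, True
    else:
        # reply goes straight across the LAN switch; the router never sees it,
        # so the client gets a SYN/ACK from 10.0.1.104 for a SYN it sent to PUBLIC_IP
        client_sees_src, via_router = reply.src, False
    return {"server_sees": translated, "reply_via_router": via_router,
            "client_sees_src": client_sees_src, "ok": client_sees_src == PUBLIC_IP}


def reflection_rules() -> List[str]:
    """The rule pair the working variant needs, placed in the fw3 zone chains
    shown in the thread, with SNAT to the router's LAN address, not the server."""
    lan = str(LAN)
    return [
        f"iptables -t nat -A zone_lan_prerouting -s {lan} -d {PUBLIC_IP}/32 "
        f"-p tcp --dport {PORT} -j DNAT --to-destination {SERVER}:{PORT}",
        f"iptables -t nat -A zone_lan_postrouting -s {lan} -d {SERVER}/32 "
        f"-p tcp --dport {PORT} -j SNAT --to-source {ROUTER_LAN_IP}",
    ]


if __name__ == "__main__":
    cases = (("no SNAT", None), ("SNAT to server", SERVER), ("SNAT to router", ROUTER_LAN_IP))
    for label, target in cases:
        print(f"{label:15} -> {run_hairpin('10.0.1.50', target)}")
    print("\n".join(reflection_rules()))
```

Only the "SNAT to router" variant returns `ok == True`; without SNAT the reply bypasses the router and arrives from 10.0.1.104, and SNAT to 10.0.1.104 produces a packet whose source equals its destination. One caveat that the model deliberately does not cover: the fw3 reflection rules quoted earlier in the thread match destination 192.168.0.4, the OpenWrt router's own WAN-side address behind the upstream router, so a LAN client that connects to the ISP's public address is not reflected by OpenWrt at all and depends on the upstream router hairpinning, which is the scenario the last reply points at.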