Really strange problem with Hairpin NAT

Posted: Tue Sep 03, 2013 9:46 pm
by RazterOfKefrens
I've configured hairpin NAT in order to access my SSH server running on an internal LAN server. On my SSH server I've set up some IP blocking rules to safeguard against brute force attacks. I thought I had it all configured correctly until one day I noticed that I could no longer connect to my SSH server. I was a bit puzzled so I took a closer look at it and I was in for a big surprise. ALL SSH requests came from my router's IP address no matter if they were from my internal network or from outside on the internet. Then of course it made sense that I could not connect to my SSH server. If all SSH requests seem to originate from my router IP then it will take about 5 minutes before someone on the outside has triggered the IP blocking rule.

This is my hairpin nat rules :

Chain=src-nat, Dst. Address=mywanip, Protocol=TCP, Dst.Port=22, action=dst.nat, To Addresses=mylanserverip, To Ports=22
Chain=srcnat, Src. Address=mylanipscope,Dst. Address=mylanserverip, Protocol=TCP, Dst. Port=22, out-interface=lan-bridge, action=masquerade

Re: Really strange problem with Hairpin NAT

Posted: Tue Sep 03, 2013 10:19 pm
by CelticComms
Which other NAT rules do you have?

Re: Really strange problem with Hairpin NAT

Posted: Wed Sep 04, 2013 11:08 am
by RazterOfKefrens
Thanks for spending time on my issue and thanks for asking the right question :D Of course I was to blame. I had by error activated a chain=srcnat action=masquerade rule at the very bottom of my NAT rules. It was part of some experiments I did a long time ago. I had simply forgotten all about it and left it active.

Thanks again. The right question is better than a thousand explanations :)
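The failure described in this thread is easy to reproduce on paper: a catch-all masquerade rule at the bottom of the srcnat chain rewrites the source of every connection that reaches the SSH server through the router, so the server's per-IP blocking sees one address (the router) and eventually bans it for everyone. The script below is an added example, not code from the thread or from RouterOS; it is a simplified model of RouterOS NAT evaluation (first matching rule in the dstnat chain rewrites the destination, then routing picks the out-interface, then the first matching masquerade rule in the srcnat chain rewrites the source to the router's address on that interface). All addresses, interface names and the "wan" masquerade rule are constructed assumptions; the first rule from the original post is modelled in the dstnat chain, which is where a dst-nat action belongs.

```python
"""Model how a stray catch-all masquerade rule hides every SSH client behind the
router's address. Added example with constructed addresses; simplified RouterOS
NAT semantics (first match wins, masquerade uses the out-interface address)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

WAN_IP = "198.51.100.1"     # constructed: router's public address
LAN_IP = "192.168.1.1"      # constructed: router's address on lan-bridge
LAN_NET = "192.168.1.0/24"  # constructed: internal network
SERVER = "192.168.1.10"     # constructed: internal SSH server ("mylanserverip")


@dataclass
class Rule:
    chain: str                          # "dstnat" or "srcnat"
    action: str                         # "dst-nat" or "masquerade"
    src_address: Optional[str] = None   # CIDR or single address, None = any
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None
    out_interface: Optional[str] = None
    to_address: Optional[str] = None    # target for dst-nat
    comment: str = ""


def _addr_ok(selector: Optional[str], addr: str) -> bool:
    return selector is None or ip_address(addr) in ip_network(selector, strict=False)


def _matches(rule: Rule, src: str, dst: str, dport: int, out_iface: Optional[str]) -> bool:
    return (_addr_ok(rule.src_address, src)
            and _addr_ok(rule.dst_address, dst)
            and rule.dst_port in (None, dport)
            and rule.out_interface in (None, out_iface))


def route_interface(dst: str) -> str:
    """Toy routing decision: LAN destinations leave via lan-bridge, the rest via wan."""
    return "lan-bridge" if ip_address(dst) in ip_network(LAN_NET) else "wan"


def source_seen_by_server(rules: List[Rule], client_ip: str, dport: int = 22) -> str:
    """Return the source address the SSH server sees for client_ip -> WAN_IP:dport."""
    src, dst = client_ip, WAN_IP
    # dstnat chain: the first matching dst-nat rule redirects the connection
    for r in rules:
        if r.chain == "dstnat" and r.action == "dst-nat" and _matches(r, src, dst, dport, None):
            dst = r.to_address
            break
    out_iface = route_interface(dst)
    # srcnat chain: the first matching masquerade rewrites the source to the
    # router's address on the interface the packet leaves through
    for r in rules:
        if r.chain == "srcnat" and r.action == "masquerade" and _matches(r, src, dst, dport, out_iface):
            src = LAN_IP if out_iface == "lan-bridge" else WAN_IP
            break
    return src


def stray_masquerade_rules(rules: List[Rule], wan_iface: str = "wan") -> List[str]:
    """Audit: comments of masquerade rules that can fire on traffic leaving toward
    the LAN without being pinned to a source and destination (hairpin rules are)."""
    return [r.comment for r in rules
            if r.chain == "srcnat" and r.action == "masquerade"
            and r.out_interface != wan_iface
            and not (r.src_address and r.dst_address)]


# Rule set as described in the thread, plus the usual WAN masquerade (constructed).
GOOD_RULES = [
    Rule("dstnat", "dst-nat", dst_address=WAN_IP, dst_port=22, to_address=SERVER, comment="ssh port forward"),
    Rule("srcnat", "masquerade", src_address=LAN_NET, dst_address=SERVER, dst_port=22,
         out_interface="lan-bridge", comment="hairpin"),
    Rule("srcnat", "masquerade", out_interface="wan", comment="internet access"),
]
# The forgotten experiment: masquerade with no conditions at the bottom of the chain.
STRAY_RULES = GOOD_RULES + [Rule("srcnat", "masquerade", comment="forgotten experiment")]


if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("stray", STRAY_RULES)):
        print(f"{name}: internet client seen as {source_seen_by_server(rules, '203.0.113.5')}, "
              f"LAN client seen as {source_seen_by_server(rules, '192.168.1.20')}, "
              f"flagged: {stray_masquerade_rules(rules)}")
```

With the good rule set only hairpinned LAN clients appear as the router's LAN address, which is inherent to hairpin NAT; external clients keep their real address, so per-IP blocking on the server still isolates an individual brute-force source. With the stray rule every external client also appears as 192.168.1.1, which is exactly the symptom reported above. The audit function is a cheap check to run over an exported NAT table after experimenting: any masquerade rule that is not bound to the WAN interface and not pinned to a source and destination deserves a second look.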

Re: Really strange problem with Hairpin NAT

Posted: Wed Sep 04, 2013 1:39 pm
by CelticComms

Thanks again. The right question is better than a thousand explanations :)
I'm glad it shone a light on the problem. :)