Hairpinning in Linux

I have a router in which I installed a Linux system.

I want my router to support NAT hairpinning.

Does such a feature exist in the Linux kernel? If yes, how do I activate it? Is there a patch I can apply to my kernel to support hairpinning?

Hairpinning explanation from Wikipedia:

Let us consider a private network with the following:

    Gateway address: 192.168.0.1
    Host 1: 192.168.0.5
    Host 2: 192.168.0.7

    The gateway has an external IP: 192.0.2.1
    Host 1 runs a P2P application P1 on its port 12345 which is externally mapped to 4444.
    Host 2 runs a P2P application P2 on its port 12345 which is externally mapped to 5555.

If the NAT device supports hairpinning, then P1 application can connect to the P2 application using the external endpoint 192.0.2.1:5555.
If not, the communication will not work.

Mohamed KALLEL

Posted 2015-11-04T15:29:56.410

Reputation: 319

@LawrenceC It is not a P2P application, as indicated in the explanation – Mohamed KALLEL – 2015-11-04T15:49:21.120

Does the WAN interface of your router have a public or private IP address? – MariusMatutiae – 2015-11-04T16:58:05.010

@MariusMatutiae The WAN IP address is public – Mohamed KALLEL – 2015-11-04T17:21:30.907

You set up hairpinning by first setting up port forwarding and then adding an additional NAT rule to NAT the source address when the source IP is local. – David Schwartz – 2015-11-04T17:28:40.957

@DavidSchwartz I found this patch to apply NAT hairpin to Linux 2.6.13: http://lists.netfilter.org/pipermail/netfilter-devel/2006-January/023069.html . But I'm working on Linux 2.6.28, and the difference between the two kernels is big in netfilter. – Mohamed KALLEL – 2015-11-04T17:40:45.413

NAT hairpin is just a form of dual NAT. You have regular port forwarding and you have an additional rule to NAT the source address when it's local. You can just add this additional rule. No special support for hairpinning is needed because Linux has had full support for dual NAT (NAT both before and after routing) for ages. – David Schwartz – 2015-11-04T17:43:53.727

@DavidSchwartz The ports mapped by the P2P applications in the LAN are random, not static, so it's hard to define them via iptables – Mohamed KALLEL – 2015-11-04T17:48:16.383

@MohamedKALLEL Then how could the router possibly know which machine to forward them to? Say it receives a packet from a source it has never seen before and to a destination port it has never seen before. How could it possibly know which of the various machines running the P2P app the packet should go to? You need something like UPnP (where the machines tell the router what they're doing). – David Schwartz – 2015-11-04T17:54:53.940

@DavidSchwartz An example of P2P working that way is Skype. If your gateway supports NAT hairpinning, then you can communicate in Skype with another person in your LAN without your traffic going outside – Mohamed KALLEL – 2015-11-05T08:55:20.447

@MohamedKALLEL Skype isn't a pure P2P application. It's server mediated. Is that what you're asking about? – David Schwartz – 2015-11-05T18:17:34.317

Answers

As pointed out in the comments, the way to do this is to create two NAT rules for both internal services, like this:

# PREROUTING: map each external port to its internal host (ordinary port forwarding)
iptables -t nat -A PREROUTING -d public.ip -p tcp --dport 4444 -j DNAT --to inthost1:12345
iptables -t nat -A PREROUTING -d public.ip -p tcp --dport 5555 -j DNAT --to inthost2:12345
# POSTROUTING: when the forwarded connection came from the LAN itself, rewrite its source
# to the gateway so the reply returns through the NAT box instead of going straight to the sender
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d inthost1 -p tcp --dport 12345 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d inthost2 -p tcp --dport 12345 -j MASQUERADE

This way, if one internal host sends a packet to the other, it will appear to come from the "gateway" (the NAT box), so that the NAT box gets the reply and can forward it to the other internal box.

András Korn

Posted 2015-11-04T15:29:56.410

Reputation: 266
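As an added illustration (not from the thread or the answer above) of why the POSTROUTING rule matters, this Python model runs the question's example addresses through a DNAT-only rule set and through DNAT plus MASQUERADE, and checks whether Host 1 ever gets a reply from the endpoint it contacted. The gateway's LAN address 192.168.0.1 is taken from the Wikipedia example; the MASQUERADE source-port allocation (40000 + n) is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

# Addresses from the question's example; the gateway's LAN-side address is 192.168.0.1.
GW_WAN, GW_LAN, LAN_PREFIX = "192.0.2.1", "192.168.0.1", "192.168.0."
HOST1, HOST2 = ("192.168.0.5", 12345), ("192.168.0.7", 12345)
# PREROUTING DNAT rules: external port on the gateway -> internal endpoint
DNAT = {4444: HOST1, 5555: HOST2}

def gateway_forward(pkt, hairpin, conntrack):
    """nat table on the way in: DNAT, then hairpin MASQUERADE; records the reverse tuple."""
    if pkt.dst[0] != GW_WAN or pkt.dst[1] not in DNAT:
        return None  # not a forwarded port; outside what this model covers
    new_dst, new_src = DNAT[pkt.dst[1]], pkt.src
    if hairpin and pkt.src[0].startswith(LAN_PREFIX):
        # MASQUERADE rewrites the source to the gateway's LAN address; the
        # source port allocation (40000 + n) is an assumption of this model.
        new_src = (GW_LAN, 40000 + len(conntrack))
    out = Packet(new_src, new_dst)
    conntrack[(out.dst, out.src)] = (pkt.dst, pkt.src)  # key: how the reply will look
    return out

def gateway_reply(pkt, conntrack):
    """Undo both translations for a reply that reaches the gateway."""
    entry = conntrack.get((pkt.src, pkt.dst))
    if entry is None:
        return None  # no matching connection: a real box would route or drop it
    orig_dst, orig_src = entry
    return Packet(src=orig_dst, dst=orig_src)

def hairpin_session(hairpin):
    """HOST1 contacts HOST2 via 192.0.2.1:5555; True if the reply comes from that endpoint."""
    conntrack = {}
    request = Packet(src=HOST1, dst=(GW_WAN, 5555))
    forwarded = gateway_forward(request, hairpin, conntrack)
    reply = Packet(src=forwarded.dst, dst=forwarded.src)  # HOST2 answers whoever it saw
    if reply.dst[0] == GW_LAN:
        delivered = gateway_reply(reply, conntrack)  # back through the NAT box
    else:
        delivered = reply  # same subnet: HOST2 hands it to HOST1 directly, bypassing the gateway
    return delivered.src == request.dst

if __name__ == "__main__":
    print("DNAT + MASQUERADE:", hairpin_session(True))   # True
    print("DNAT only:        ", hairpin_session(False))  # False: reply arrives from 192.168.0.7:12345
```

Without the hairpin rule the reply reaches Host 1 from 192.168.0.7:12345 rather than from 192.0.2.1:5555, so a TCP stack would discard it as not belonging to the connection it opened.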