Hairpinning in Linux

As pointed out in the comments, the way to do this is to create two NAT rules for both internal services, like this:

iptables -t nat -A PREROUTING -d public.ip -p tcp --dport 4444 -j DNAT --to inthost1:12345
iptables -t nat -A PREROUTING -d public.ip -p tcp --dport 5555 -j DNAT --to inthost2:12345
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d inthost1 -p tcp --dport 12345 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d inthost2 -p tcp --dport 12345 -j MASQUERADE

This way if one internal host sends a packet to the other, it will appear to come from the "gateway" (the NAT box), so that the NAT box gets the reply and can forward it to the other internal box.

Author: Mohamed KALLEL

Updated on September 18, 2022

Comments

  • Mohamed KALLEL
    Mohamed KALLEL over 1 year

    I have a router in which I installed a Linux system.

    I want my router to support NAT hairpinning.

    Does such a feature exist in the Linux kernel? If yes, how do I activate it? Is there a patch to apply to my kernel to support hairpinning?

    Hairpinning explanation from Wikipedia:

    Let us consider a private network with the following:
    
        Gateway address: 192.168.0.1
        Host 1: 192.168.0.5
        Host 2: 192.168.0.7
    
        The gateway has an external IP: 192.0.2.1
        Host 1 runs a P2P application P1 on its port 12345 which is externally mapped to 4444.
        Host 2 runs a P2P application P2 on its port 12345 which is externally mapped to 5555.
    
    If the NAT device supports hairpinning, then P1 application can connect to the P2 application using the external endpoint 192.0.2.1:5555.
    If not, the communication will not work.
    
    • LawrenceC
      LawrenceC over 8 years
    • Mohamed KALLEL
      Mohamed KALLEL over 8 years
      @LawrenceC It is not a P2P application, as indicated in the explanation.
    • MariusMatutiae
      MariusMatutiae over 8 years
      Does the WAN interface of your router have a public or private IP address?
    • Mohamed KALLEL
      Mohamed KALLEL over 8 years
      @MariusMatutiae The WAN IP address is public.
    • David Schwartz
      David Schwartz over 8 years
      You set up hairpinning by first setting up port forwarding and then adding an additional NAT rule to NAT the source address when the source IP is local.
    • Mohamed KALLEL
      Mohamed KALLEL over 8 years
      @DavidSchwartz I found this patch to apply NAT hairpin to Linux 2.6.13: lists.netfilter.org/pipermail/netfilter-devel/2006-January/… . But I'm working on Linux 2.6.28, and the difference between both kernels is big in netfilter.
    • David Schwartz
      David Schwartz over 8 years
      NAT hairpin is just a form of dual NAT. You have regular port forwarding and you have an additional rule to NAT the source address when it's local. You can just add this additional rule. No special support for hairpinning is needed because Linux has had full support for dual NAT (NAT both before and after routing) for ages.
    • Mohamed KALLEL
      Mohamed KALLEL over 8 years
      @DavidSchwartz The ports mapped by the P2P applications in the LAN are random and not static, so it's hard to define them via iptables.
    • David Schwartz
      David Schwartz over 8 years
      @MohamedKALLEL Then how could the router possibly know which machine to forward them to? Say it receives a packet from a source it has never seen before and to a destination port it has never seen before. How could it possibly know which of the various machines running the P2P app the packet should go to? You need something like UPnP (where the machines tell the router what they're doing).
    • Mohamed KALLEL
      Mohamed KALLEL over 8 years
      @DavidSchwartz An example of P2P working in that way is Skype. If your gateway supports NAT hairpinning, then you can communicate in Skype with another person in your LAN without your traffic going to the external network.
    • David Schwartz
      David Schwartz over 8 years
      @MohamedKALLEL Skype isn't a pure P2P application. It's server mediated. Is that what you're asking about?
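The following script is an added example, not code from the answer above or from David Schwartz's comments, that builds the "dual NAT" rule set they describe (a DNAT port forward plus a source-NAT rule for LAN-originated connections) for the Wikipedia scenario quoted in the question. It prints the commands instead of applying them so the rule set can be reviewed first; the `LAN`, `PUBLIC_IP` and `FORWARDS` values, the `hairpin_rules` and `all_rules` function names, and the FORWARD-chain rules at the end are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer or comments): generate the
# iptables rules for NAT hairpinning. Output is printed, not executed; on the
# router you would review it and then pipe it into `sh`.

LAN='192.168.0.0/24'      # assumed LAN prefix from the question
PUBLIC_IP='192.0.2.1'     # gateway's external address from the question

# Emit the rule pair for one forwarded service.
#   $1 = external port, $2 = internal host, $3 = internal port
# Rule 1 (PREROUTING DNAT) is the ordinary port forward. It matches packets
#   arriving from the Internet and from the LAN alike, so no second DNAT rule
#   is needed for hairpin traffic.
# Rule 2 (POSTROUTING MASQUERADE) applies only to LAN sources whose packets
#   were DNATed to this host/port. Rewriting the source to the gateway's
#   address forces the reply back through the NAT box (the hairpin); without
#   it the internal server would answer the LAN peer directly and the peer
#   would drop the reply, since it expected one from PUBLIC_IP.
hairpin_rules() {
    ext_port=$1; host=$2; int_port=$3
    printf 'iptables -t nat -A PREROUTING -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$PUBLIC_IP" "$ext_port" "$host" "$int_port"
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp --dport %s -j MASQUERADE\n' \
        "$LAN" "$host" "$int_port"
}

# Constructed forward list from the question: "ext_port host int_port" per line.
FORWARDS='4444 192.168.0.5 12345
5555 192.168.0.7 12345'

# Complete rule set: enable routing, one rule pair per service, then accept the
# DNATed connections and their return traffic in the filter table (needed when
# the FORWARD chain has a DROP policy, the usual hardened setup).
all_rules() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
    echo "$FORWARDS" | while read -r ext host port; do
        hairpin_rules "$ext" "$host" "$port"
    done
    echo 'iptables -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT'
    echo 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
}

all_rules
```

Two points worth keeping in mind when applying this. The MASQUERADE rule is scoped with `-s`, `-d` and `--dport`, so only hairpinned connections are rewritten and the rest of the LAN traffic keeps its real source address. The price of the rewrite is that the internal server's logs show every hairpinned client as the gateway address rather than the real LAN host; if you need that attribution for incident response, log the connections at the gateway (for example with a LOG or NFLOG rule placed before the MASQUERADE rule) where the original source is still visible.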