Good day,

I am currently migrating from iptables to nftables. The problem is my systemd containers are running behind NAT, but I want to forward ports like 443 or 80 to them. There is no error message when I use the following set of commands, but neither do I get to my web server when I use nftables.

Many thanks in advance.

With best regards, Felix

EDIT.: The problem was solved by the helpful comments. Thank you!

TheGoliath
    Please make sure any relevant information is in your question, not linked to an external site. Especially since the external site you linked to is broken. – Michael Hampton Feb 04 '18 at 19:22
  • just in case, add the nat output chain even if not used, to rule out a current "bug" not very documented but known for long. eg: https://marc.info/?l=netfilter&m=152532769025083&w=2 – A.B May 10 '18 at 16:11

2 Answers

Here are some steps you can take:

  1. type nat hook prerouting priority 0; <- should be -100 (minus one hundred), according to the NF_IP_PRI_NAT_DST netfilter constant
  2. Use "meta nftrace set 1" in prerouting and "nft monitor" to debug your packet flow
  3. Use the simplest ruleset to isolate the problem and make an example

I also have a non-working dnat. From one iface all is OK, but from the other it is not.

Packets enter prerouting and the dnat is accepted, but nothing happens after this. "conntrack -E" does not see these packets.

JonathanDavidArndt

Thanks to Роман Иванов for useful nft monitor.

NAT doesn't work because I use this rule at the end of filter forward:

iifname wan0 reject

In the NAT chain you need this rule:

NAT => PREROUTING

nft add rule nat prerouting iifname wan0 tcp dport { 80, 443 } dnat 192.168.0.10

In the FILTER chain you need this rule:

FILTER => FORWARD

nft add rule filter forward iifname wan0 oifname lan0 ip daddr 192.168.0.10 tcp dport { 80, 443 } accept

XakRu
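Putting the two answers together, here is a complete ruleset that loads with `nft -f` and shows where each fix lands: the prerouting nat chain registered at priority -100 (the NF_IP_PRI_NAT_DST value from the first answer), the forward accept placed before the `iifname wan0 reject` that broke the second answer's setup, and an otherwise unused nat output chain as A.B's comment suggests. This is an added example, not code from the question or either answer; `wan0`, `lan0` and 192.168.0.10 are taken from the second answer, while the container subnet 192.168.0.0/24 and the masquerade rule are assumptions about the asker's NAT setup.

```nft
#!/usr/sbin/nft -f
# Added example combining both answers; not part of the original posts.
# Assumptions: wan0 = upstream interface, lan0 = bridge to the systemd
# containers, containers live in 192.168.0.0/24, web server at 192.168.0.10.
flush ruleset

table ip nat {
    chain prerouting {
        # -100 is NF_IP_PRI_NAT_DST (spelled "dstnat" in newer nft); a
        # priority of 0 is too late for DNAT to affect the routing decision.
        type nat hook prerouting priority -100; policy accept;
        # Uncomment and run `nft monitor trace` to follow a packet through
        # the hooks while debugging (first answer, step 2):
        # meta nftrace set 1
        iifname "wan0" tcp dport { 80, 443 } dnat to 192.168.0.10
    }
    chain output {
        # Deliberately empty: registered only to sidestep the quirk A.B's
        # comment refers to; no rules are needed here.
        type nat hook output priority -100; policy accept;
    }
    chain postrouting {
        # 100 is NF_IP_PRI_NAT_SRC ("srcnat"); masquerade assumed for the
        # containers' outbound traffic.
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" ip saddr 192.168.0.0/24 masquerade
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # The DNATed web traffic: this accept MUST precede the reject below,
        # which is exactly what the second answer's forward rule fixes.
        iifname "wan0" oifname "lan0" ip daddr 192.168.0.10 tcp dport { 80, 443 } accept
        # Containers may initiate outbound connections (assumed policy).
        iifname "lan0" oifname "wan0" accept
        # Everything else arriving from the WAN is rejected.
        iifname "wan0" reject
    }
}
```

Load it with `nft -f <file>`; `nft list ruleset` shows the result, and `dnat to` is the current spelling of the second answer's `dnat 192.168.0.10`. Filter rules see the packet after DNAT has rewritten the destination, which is why the forward rule matches on `ip daddr 192.168.0.10` and not on the public address.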