
How to track NAT outgoing connections with nftables? I just need to look at the NAT stats: which output addresses are used more or less.

root@nat-1:~# nft list table nat
table ip nat {
    chain post {
            type nat hook postrouting priority 100; policy accept;
            ip saddr 10.0.0.0/8 oif "bond0.926" snat to 19.246.159.1-19.246.159.7
    }

    chain pre {
            type nat hook prerouting priority -100; policy accept;
    }
}

netstat-nat works with iptables but not with nftables anymore.

netstat-nat -S
Could not read info about connections from the kernel, make sure netfilter is enabled in kernel or by modules.

I can of course use tcpdump, but there should be some nicer utility ;-)

Tomato

1 Answer


iptables or nftables aren't doing NAT: netfilter does it. iptables and nftables are using hooks into netfilter to give some "orders" to create new NAT states. Once done, it's all handled directly by netfilter (that's why, for both iptables and nftables, only the first packet of a nat table/type is seen). So in the end the NAT state keeper is netfilter and its conntrack subsystem.

Now, netstat-nat uses the kernel provided file /proc/net/nf_conntrack to display conntrack information. If this file is not available (e.g. not having full root privileges, being run in a container not mapping this part of /proc, etc.) you can get an error. I don't know why it's not, but anyway, here's the specific conntrack backend tool: conntrack (from conntrack-tools), which relies exclusively on the newer API (netlink) rather than /proc. From its manpage, the equivalent command (with a completely different output of course) would be:

conntrack -L -n

COMMANDS
[...]
-L --dump
    List connection tracking or expectation table
[...]
-E, --event
    Display a real-time event log.
[...]

FILTER PARAMETERS
[...]
-n, --src-nat
    Filter source NAT connections.

You can even follow source NAT states in real-time using the event mode:

conntrack -E -n
A.B
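The answer gives the raw connection list; to get the per-address statistics the question asks for (which address of the snat range is used more or less), note that each `conntrack -L -n` entry carries two tuples, original and reply, and the reply tuple's dst= is the SNAT address netfilter picked. The following POSIX shell script is an added example, not code from the answer's author or from conntrack-tools; its sample lines are constructed in conntrack's -L output format, and the 19.246.159.x addresses are taken from the question's snat range.

```shell
#!/bin/sh
# Added example (not part of the answer): count conntrack entries per SNAT
# address. In "conntrack -L -n" output every entry carries two tuples,
# original and reply; the reply tuple's dst= is the address netfilter chose
# from the snat range, so counting it shows which addresses are used more.
# Reads conntrack output on stdin, prints "count address", most used first.
snat_usage() {
    awk '{
        n = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dst=/) {
                n++
                if (n == 2) {           # second dst= belongs to the reply tuple
                    sub(/^dst=/, "", $i)
                    count[$i]++
                }
            }
        }
    } END { for (a in count) print count[a], a }' | sort -rn
}

# Constructed sample in conntrack -L -n format (not real traffic); the
# translated addresses come from the snat range shown in the question.
# The [UNREPLIED] flag can sit between the two tuples, which is why the
# parser counts dst= fields instead of relying on a fixed column number.
SAMPLE='tcp      6 431999 ESTABLISHED src=10.1.2.3 dst=203.0.113.10 sport=40001 dport=443 src=203.0.113.10 dst=19.246.159.1 sport=443 dport=40001 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.1.2.4 dst=203.0.113.10 sport=40002 dport=443 src=203.0.113.10 dst=19.246.159.1 sport=443 dport=40002 [ASSURED] mark=0 use=1
udp      17 29 src=10.9.9.9 dst=203.0.113.53 sport=5353 dport=53 [UNREPLIED] src=203.0.113.53 dst=19.246.159.7 sport=53 dport=5353 mark=0 use=1'

# Offline run on the sample; on the NAT box use:  conntrack -L -n | snat_usage
printf '%s\n' "$SAMPLE" | snat_usage
```

An address from the snat range that never appears in the output has no active state at all, which is worth checking when one address of the range is suspected of being starved.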