nftables routing .. working now ;)


So I was thinking of replacing my iptables stuff with nftables .. and what better chance than a new server in a separate network segment, hardware-wise, on a different subnet.

Turns out it was a bit more challenging than I had thought since the nftables syntax is nothing like iptables ..

After trying to figure out my basic MASQUERADE iptables stuff I went looking online a bit and found out about iptables-restore-translate .. a tool that takes iptables-save output and generates nftables rules .. I figured it has to work well enough for my simple masquerading/NAT needs -- add a few port forwards and a pinhole NAT (didn't test the latter two yet as not needed right now). Anyway, long story short, it worked great :)

Oh, for fellow Gentoo users: don't forget to add the USE flags needed .. in my case I had USE="conntrack ipv6 netlink nftables pcap" -- without nftables (I think) you don't get iptables-restore-translate.

So anyway, my basic nftables rules for my routing needs (MASQUERADE):

add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority 0; policy accept; }
add chain ip nat INPUT { type nat hook input priority 0; policy accept; }
add chain ip nat OUTPUT { type nat hook output priority 0; policy accept; }
add chain ip nat POSTROUTING { type nat hook postrouting priority 0; policy accept; }
add rule ip nat POSTROUTING oifname enp96s0f0 counter masquerade
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add rule ip filter INPUT iifname lo ct state new counter accept
add rule ip filter INPUT iifname enp96s0f1 ct state new counter accept
add rule ip filter INPUT ct state related,established counter accept
add rule ip filter FORWARD ct state related,established counter accept
add rule ip filter OUTPUT oifname lo ct state new counter accept
add rule ip filter OUTPUT oifname enp96s0f1 ct state new counter accept
add rule ip filter OUTPUT ct state related,established counter accept

Not too difficult if one knows the syntax .. but figuring all that out was a bit of a pain. Thankfully with the translate tool it was pretty simple after all. Oh, btw, enp96s0f0 is the WAN interface and enp96s0f1 the LAN.

So just save this as a file and load it with nft -f <filename>

Oh and if someone is interested here is the source material for those generated rules:

*nat
:PREROUTING ACCEPT [1869378:196527795]
:INPUT ACCEPT [113774:26909651]
:OUTPUT ACCEPT [31895:2321268]
:POSTROUTING ACCEPT [173204:8207729]
-A POSTROUTING -o enp96s0f0 -j MASQUERADE
*filter
:INPUT ACCEPT [42:1820]
:FORWARD ACCEPT [1823535:183892451]
:OUTPUT ACCEPT [11:684]
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i enp96s0f1 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 11194 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -m state --state NEW -j ACCEPT
-A OUTPUT -o enp96s0f1 -m state --state NEW -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

The iptables version is still simpler, but well, nftables will replace iptables at some point.
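To show what iptables-restore-translate is doing with the source material above, here is a small translator I wrote for this post (my own example, not the tool's code) that handles exactly the subset of iptables-save syntax used here: `-i`/`-o` become `iifname`/`oifname`, `-m state --state` becomes `ct state`, `-p udp --dport` becomes `udp dport`, and each `:CHAIN POLICY` header becomes an `add chain` with the matching hook. The sample input is a constructed cut-down copy of the saved rules above (counters dropped), and it also emits the `udp dport 11194` rule for the port line in the source.

```python
import re

# Constructed sample: a subset of the post's iptables-save text, counters dropped.
SAVE = """\
*nat
:POSTROUTING ACCEPT
-A POSTROUTING -o enp96s0f0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 11194 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
IFACE = {"-i": "iifname", "-o": "oifname"}

def translate(save_text):
    """Translate the iptables-save subset above into 'nft -f' commands (COMMIT ignored)."""
    out, table = [], None
    for line in (raw.strip() for raw in save_text.splitlines()):
        if line.startswith("*"):            # *nat -> add table ip nat
            table = line[1:]
            out.append(f"add table ip {table}")
        elif line.startswith(":"):          # :CHAIN POLICY [counters]; a built-in
            chain, policy = line[1:].split()[:2]   # chain's name is also its hook
            out.append(f"add chain ip {table} {chain} {{ type {table} hook "
                       f"{chain.lower()} priority 0; policy {policy.lower()}; }}")
        elif line.startswith("-A"):         # -A CHAIN <matches> -j TARGET
            m = re.fullmatch(r"-A (\S+)(.*) -j (\S+)", line)
            if not m:
                raise ValueError(f"unsupported rule: {line}")
            chain, matches, target = m.groups()
            expr, proto = [], None
            for opt, val in re.findall(r"(--?\S+) (\S+)", matches):
                if opt in IFACE:
                    expr.append(f"{IFACE[opt]} {val}")
                elif opt == "-p":
                    proto = val
                elif opt == "--state":
                    expr.append(f"ct state {val.lower()}")
                elif opt == "--dport":
                    expr.append(f"{proto} dport {val}")
                elif opt != "-m":           # "-m state" / "-m udp" only load a match module
                    raise ValueError(f"unsupported match {opt}: {line}")
            out.append(f"add rule ip {table} {chain} {' '.join(expr)} counter {target.lower()}")
    return out
```

Note that every chain in the posted ruleset has `policy accept` and only `accept` rules, so the filter table as shown lets everything through (including all forwarded traffic); the actual filtering, if any, has to come from a `policy drop` plus explicit accepts.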
