* nftables DNAT not working
@ 2015-10-21 10:33 palica
2015-10-21 22:01 ` palica
0 siblings, 1 reply; 3+ messages in thread
From: palica @ 2015-10-21 10:33 UTC (permalink / raw)
To: netfilter
hello list,
please help me debug this.
I have 4.0.5 kernel and 0.5 nftables installed. this is my ruleset
table ip filter {
chain input {
type filter hook input priority 0; policy accept;
ct state established,related counter packets 303 bytes
18088 accept
ct state invalid counter packets 4 bytes 292 log prefix
"Invalid traffic: " drop
iif lo counter packets 0 bytes 0 accept
ip protocol icmp accept
tcp dport ssh ct state new counter packets 5 bytes 212
log prefix "New SSH connection: " accept
tcp dport { http, https} ct state new counter packets 7
bytes 352 log prefix "New HTTP/S connection: " accept
counter packets 30 bytes 1497 log prefix "Dropped
traffic: " drop
}
chain forward {
type filter hook forward priority 0; policy accept;
ct state new counter packets 0 bytes 0 log prefix
"FORWARD CHAIN: " accept
}
chain output {
type filter hook output priority 0; policy accept;
ct state new counter packets 33 bytes 2476 log prefix
"OUTPUT CHAIN: "
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
tcp dport { http, https} counter packets 0 bytes 0 log
prefix "DNAT :" dnat 10.0.3.40
log prefix "DNAT prerouting: "
}
chain postrouting {
type nat hook postrouting priority 0; policy accept;
ip saddr 10.0.3.0/24 oif br0 counter packets 0 bytes 0
snat 37.187.110.20
log prefix "SNAT postrouting: "
}
}
table ip6 filter {
chain input {
type filter hook input priority 0; policy accept;
iif lo counter packets 0 bytes 0 accept
ct state established,related counter packets 8 bytes 768
accept
ct state invalid counter packets 0 bytes 0 log prefix
"Invalid traffic: " drop
icmpv6 type { nd-router-advert, nd-neighbor-advert,
echo-request, nd-neighbor-solicit} counter packets 70 bytes 5024 accept
tcp dport ssh ct state new counter packets 0 bytes 0 log
prefix "New SSH connection: " accept
tcp dport { https, http} ct state new counter packets 2
bytes 160 log prefix "New HTTP/S connection: " accept
udp dport domain ct state new counter packets 0 bytes 0
log prefix "New DOMAIN connection: " accept
counter packets 0 bytes 0 log prefix "Dropped
connection: " drop
}
}
these are the only two packets that get logged upon trying to connect to
port 80
Oct 21 12:46:26 kernel: New HTTP/S connection: IN=br0 OUT=
MAC=00:22:4d:ad:bc:d0:1c:e6:c7:52:07:40:86:dd
SRC=2001:41d0:0008:d609:0000:0000:0000:0001
DST=2001:41d0:000a:6314:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=59
FLOWLBL=660071 PROTO=TCP SPT=60001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 12:46:26 kernel: New HTTP/S connection: IN=br0 OUT=
MAC=00:22:4d:ad:bc:d0:10:bd:18:e5:ff:80:08:00 SRC=5.135.156.9
DST=37.187.110.20 LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=15350 DF PROTO=TCP
SPT=58750 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
the network interfaces are br0 the destination for DNAT is a LXC using veth.
What am I doing wrong/ overlooking?
Thank you very much for your time.
Palica
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: nftables DNAT not working
2015-10-21 10:33 nftables DNAT not working palica
@ 2015-10-21 22:01 ` palica
0 siblings, 0 replies; 3+ messages in thread
From: palica @ 2015-10-21 22:01 UTC (permalink / raw)
To: netfilter
ok,
just for the reference this works with iptables:
# Generated by iptables-save v1.4.21 on Wed Oct 21 23:54:14 2015
*raw
:PREROUTING ACCEPT [3275:234388]
:OUTPUT ACCEPT [2229:414696]
COMMIT
# Completed on Wed Oct 21 23:54:14 2015
# Generated by iptables-save v1.4.21 on Wed Oct 21 23:54:14 2015
*nat
:PREROUTING ACCEPT [289:10144]
:INPUT ACCEPT [289:10144]
:OUTPUT ACCEPT [2:152]
:POSTROUTING ACCEPT [11:644]
:LXC - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j LXC
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j LXC
-A POSTROUTING -s 10.0.3.0/24 ! -o lxcbr0 -j MASQUERADE
-A POSTROUTING -s 10.0.3.40/32 -d 10.0.3.40/32 -p tcp -m tcp --dport 80
-j MASQUERADE
-A LXC ! -i lxcbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination
10.0.3.40:80
COMMIT
# Completed on Wed Oct 21 23:54:14 2015
# Generated by iptables-save v1.4.21 on Wed Oct 21 23:54:14 2015
*mangle
:PREROUTING ACCEPT [3275:234388]
:INPUT ACCEPT [3151:212528]
:FORWARD ACCEPT [104:20660]
:OUTPUT ACCEPT [2229:414696]
:POSTROUTING ACCEPT [2333:435356]
COMMIT
# Completed on Wed Oct 21 23:54:14 2015
# Generated by iptables-save v1.4.21 on Wed Oct 21 23:54:14 2015
*filter
:INPUT ACCEPT [291:10240]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2229:414696]
:LXC - [0:0]
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j
ssh_whitelist
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o lxcbr0 -j LXC
-A FORWARD -o lxcbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lxcbr0 ! -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -o lxcbr0 -j ACCEPT
-A LXC -d 10.0.3.40/32 ! -i lxcbr0 -o lxcbr0 -p tcp -m tcp --dport 80 -j
ACCEPT
COMMIT
# Completed on Wed Oct 21 23:54:14 2015
I have created a lxcbr0 bridge with 10.0.3.1/24 and veth (slave of
lxcbr0) for the LXC has 10.0.3.40/24, the Internet-facing interface was
changed to eth0.
i will try to convert these iptables to nftables tomorrow.
palica
On 10/21/2015 12:33 PM, palica wrote:
> hello list,
>
> please help me debug this.
>
> I have 4.0.5 kernel and 0.5 nftables installed. this is my ruleset
>
> table ip filter {
> chain input {
> type filter hook input priority 0; policy accept;
> ct state established,related counter packets 303 bytes
> 18088 accept
> ct state invalid counter packets 4 bytes 292 log prefix
> "Invalid traffic: " drop
> iif lo counter packets 0 bytes 0 accept
> ip protocol icmp accept
> tcp dport ssh ct state new counter packets 5 bytes 212
> log prefix "New SSH connection: " accept
> tcp dport { http, https} ct state new counter packets 7
> bytes 352 log prefix "New HTTP/S connection: " accept
> counter packets 30 bytes 1497 log prefix "Dropped
> traffic: " drop
> }
>
> chain forward {
> type filter hook forward priority 0; policy accept;
> ct state new counter packets 0 bytes 0 log prefix
> "FORWARD CHAIN: " accept
> }
>
> chain output {
> type filter hook output priority 0; policy accept;
> ct state new counter packets 33 bytes 2476 log prefix
> "OUTPUT CHAIN: "
> }
> }
> table ip nat {
> chain prerouting {
> type nat hook prerouting priority 0; policy accept;
> tcp dport { http, https} counter packets 0 bytes 0 log
> prefix "DNAT :" dnat 10.0.3.40
> log prefix "DNAT prerouting: "
> }
>
> chain postrouting {
> type nat hook postrouting priority 0; policy accept;
> ip saddr 10.0.3.0/24 oif br0 counter packets 0 bytes 0
> snat 37.187.110.20
> log prefix "SNAT postrouting: "
> }
> }
> table ip6 filter {
> chain input {
> type filter hook input priority 0; policy accept;
> iif lo counter packets 0 bytes 0 accept
> ct state established,related counter packets 8 bytes 768
> accept
> ct state invalid counter packets 0 bytes 0 log prefix
> "Invalid traffic: " drop
> icmpv6 type { nd-router-advert, nd-neighbor-advert,
> echo-request, nd-neighbor-solicit} counter packets 70 bytes 5024 accept
> tcp dport ssh ct state new counter packets 0 bytes 0 log
> prefix "New SSH connection: " accept
> tcp dport { https, http} ct state new counter packets 2
> bytes 160 log prefix "New HTTP/S connection: " accept
> udp dport domain ct state new counter packets 0 bytes 0
> log prefix "New DOMAIN connection: " accept
> counter packets 0 bytes 0 log prefix "Dropped
> connection: " drop
> }
> }
>
> these are the only two packets that get logged upon trying to connect to
> port 80
> Oct 21 12:46:26 kernel: New HTTP/S connection: IN=br0 OUT=
> MAC=00:22:4d:ad:bc:d0:1c:e6:c7:52:07:40:86:dd
> SRC=2001:41d0:0008:d609:0000:0000:0000:0001
> DST=2001:41d0:000a:6314:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=59
> FLOWLBL=660071 PROTO=TCP SPT=60001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
> Oct 21 12:46:26 kernel: New HTTP/S connection: IN=br0 OUT=
> MAC=00:22:4d:ad:bc:d0:10:bd:18:e5:ff:80:08:00 SRC=5.135.156.9
> DST=37.187.110.20 LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=15350 DF PROTO=TCP
> SPT=58750 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
>
> the network interfaces are br0 the destination for DNAT is a LXC using veth.
>
> What am I doing wrong/ overlooking?
>
> Thank you very much for your time.
>
> Palica
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 3+ messages in thread
* nftables dnat not working
@ 2014-08-05 8:14 Matteo Croce
0 siblings, 0 replies; 3+ messages in thread
From: Matteo Croce @ 2014-08-05 8:14 UTC (permalink / raw)
To: Netfilter Users Mailing list
Hi,
I'm using nftables on a vanilla 3.16 kernel and nft 0.3.
I want to do port forwarding for TCP port 51413 to host 192.168.0.20 and
I've configured my firewall like this:
table ip nat {
chain post {
type nat hook postrouting priority 0;
ip saddr 192.168.0.0/24 oif eth0 snat 192.168.1.2
}
chain pre {
type nat hook prerouting priority 0;
iif eth0 tcp dport 51413 dnat 192.168.0.20
}
}
no filter chain at all.
from the router I can find the port open:
HPING 192.168.0.20 (br0 192.168.0.20): S set, 40 headers + 0 data bytes
len=44 ip=192.168.0.20 ttl=64 DF id=0 sport=51413 flags=SA seq=0
len=44 ip=192.168.0.20 ttl=64 DF id=0 sport=51413 flags=SA seq=1
from the outside is closed:
HPING 188.218.168.147 (eth0 188.218.168.147): S set, 40 headers + 0 data bytes
len=46 ip=188.218.168.147 ttl=51 DF id=39456 sport=51413 flags=RA seq=0
len=46 ip=188.218.168.147 ttl=51 DF id=39467 sport=51413 flags=RA seq=1
if I sniff in the LAN nothing gets forwarded
Cheers,
--
Matteo Croce
OpenWrt Developer
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-10-21 22:01 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-10-21 10:33 nftables DNAT not working palica
2015-10-21 22:01 ` palica
-- strict thread matches above, loose matches on Subject: below --
2014-08-05 8:14 nftables dnat " Matteo Croce
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.