* nftables DNAT not working
@ 2015-10-21 10:33 palica
From: palica @ 2015-10-21 10:33 UTC (permalink / raw)
  To: netfilter

Hello list,

Please help me debug this.

I have the 4.0.5 kernel and nftables 0.5 installed. This is my ruleset:

table ip filter {
        chain input {
                type filter hook input priority 0; policy accept;
                ct state established,related counter packets 303 bytes 18088 accept
                ct state invalid counter packets 4 bytes 292 log prefix "Invalid traffic: " drop
                iif lo counter packets 0 bytes 0 accept
                ip protocol icmp accept
                tcp dport ssh ct state new counter packets 5 bytes 212 log prefix "New SSH connection: " accept
                tcp dport { http, https} ct state new counter packets 7 bytes 352 log prefix "New HTTP/S connection: " accept
                counter packets 30 bytes 1497 log prefix "Dropped traffic: " drop
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
                ct state new counter packets 0 bytes 0 log prefix "FORWARD CHAIN: " accept
        }

        chain output {
                type filter hook output priority 0; policy accept;
                ct state new counter packets 33 bytes 2476 log prefix "OUTPUT CHAIN: "
        }
}
table ip nat {
        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
                tcp dport { http, https} counter packets 0 bytes 0 log prefix "DNAT :" dnat 10.0.3.40
                log prefix "DNAT prerouting: "
        }

        chain postrouting {
                type nat hook postrouting priority 0; policy accept;
                ip saddr 10.0.3.0/24 oif br0 counter packets 0 bytes 0 snat 37.187.110.20
                log prefix "SNAT postrouting: "
        }
}
table ip6 filter {
        chain input {
                type filter hook input priority 0; policy accept;
                iif lo counter packets 0 bytes 0 accept
                ct state established,related counter packets 8 bytes 768 accept
                ct state invalid counter packets 0 bytes 0 log prefix "Invalid traffic: " drop
                icmpv6 type { nd-router-advert, nd-neighbor-advert, echo-request, nd-neighbor-solicit} counter packets 70 bytes 5024 accept
                tcp dport ssh ct state new counter packets 0 bytes 0 log prefix "New SSH connection: " accept
                tcp dport { https, http} ct state new counter packets 2 bytes 160 log prefix "New HTTP/S connection: " accept
                udp dport domain ct state new counter packets 0 bytes 0 log prefix "New DOMAIN connection: " accept
                counter packets 0 bytes 0 log prefix "Dropped connection: " drop
        }
}

These are the only two packets that get logged upon trying to connect to port 80:

Oct 21 12:46:26 kernel: New HTTP/S connection: IN=br0 OUT= MAC=00:22:4d:ad:bc:d0:1c:e6:c7:52:07:40:86:dd SRC=2001:41d0:0008:d609:0000:0000:0000:0001 DST=2001:41d0:000a:6314:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=59 FLOWLBL=660071 PROTO=TCP SPT=60001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 12:46:26 kernel: New HTTP/S connection: IN=br0 OUT= MAC=00:22:4d:ad:bc:d0:10:bd:18:e5:ff:80:08:00 SRC=5.135.156.9 DST=37.187.110.20 LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=15350 DF PROTO=TCP SPT=58750 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

The network interface is br0; the destination for the DNAT is an LXC using veth.

What am I doing wrong / overlooking?

Thank you very much for your time.

Palica
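A mechanical way to read a ruleset like the one above and pick out what its counters say, as an added example that is not part of this thread. It parses the `nft list ruleset` text format (the `table ip nat` and the forward chain from the message above, with the mail wrapping removed, are embedded as sample input), then lists NAT rules whose packet counter is still zero and nat chains whose priority differs from the conventional dstnat/srcnat values. The parser, the `Rule`/`Chain` classes and the two check functions are this example's own, not nft tooling.

```python
"""Parse `nft list ruleset` output and flag NAT rules whose counters never moved.

Added example, not part of the mail thread.  The sample ruleset is the
`table ip nat` and the forward chain from the first message (mail wrapping
removed); the parser and the check functions are this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_RULESET = """\
table ip nat {
        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
                tcp dport { http, https} counter packets 0 bytes 0 log prefix "DNAT :" dnat 10.0.3.40
                log prefix "DNAT prerouting: "
        }

        chain postrouting {
                type nat hook postrouting priority 0; policy accept;
                ip saddr 10.0.3.0/24 oif br0 counter packets 0 bytes 0 snat 37.187.110.20
                log prefix "SNAT postrouting: "
        }
}
table ip filter {
        chain forward {
                type filter hook forward priority 0; policy accept;
                ct state new counter packets 0 bytes 0 log prefix "FORWARD CHAIN: " accept
        }
}
"""

# Conventional nftables NAT priorities: dstnat (-100) for prerouting/output,
# srcnat (100) for postrouting/input.  Other values do work, but a nat chain
# must run after conntrack (-200) and before any filter chain on the same hook.
CONVENTIONAL_NAT_PRIORITY = {"prerouting": -100, "output": -100,
                             "postrouting": 100, "input": 100}

_TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{$")
_CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{$")
_HOOK_RE = re.compile(r"^type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+(-?\d+);"
                      r"(?:\s*policy\s+(\w+);)?")
_COUNTER_RE = re.compile(r"\bcounter packets (\d+) bytes (\d+)")
# NAT statements (lowercase, so the uppercase log prefixes do not match); the
# target is optional (masquerade/redirect) and may carry the newer `to` keyword.
_NAT_RE = re.compile(r"\b(dnat|snat|masquerade|redirect)\b(?:\s+(?:to\s+)?(\S+))?")


@dataclass
class Rule:
    text: str
    packets: Optional[int]      # None when the rule carries no counter
    nat_action: Optional[str]   # dnat / snat / masquerade / redirect
    nat_target: Optional[str]


@dataclass
class Chain:
    table: str
    name: str
    hook_type: Optional[str] = None   # filter / nat / route
    hook: Optional[str] = None
    priority: Optional[int] = None
    policy: Optional[str] = None
    rules: List[Rule] = field(default_factory=list)


def parse_ruleset(text: str) -> List[Chain]:
    """Walk the braces of `nft list ruleset` output into Chain objects."""
    chains: List[Chain] = []
    table = chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := _TABLE_RE.match(line)):
            table = f"{m.group(1)} {m.group(2)}"
        elif (m := _CHAIN_RE.match(line)):
            chain = Chain(table=table, name=m.group(1))
            chains.append(chain)
        elif line == "}":
            if chain is not None:
                chain = None          # closing a chain
            else:
                table = None          # closing a table
        elif chain is not None and (m := _HOOK_RE.match(line)):
            chain.hook_type, chain.hook = m.group(1), m.group(2)
            chain.priority = int(m.group(3))
            chain.policy = m.group(4)
        elif chain is not None:
            cm = _COUNTER_RE.search(line)
            nm = _NAT_RE.search(line)
            chain.rules.append(Rule(
                text=line,
                packets=int(cm.group(1)) if cm else None,
                nat_action=nm.group(1) if nm else None,
                nat_target=nm.group(2) if nm else None,
            ))
    return chains


def unmatched_nat_rules(chains: List[Chain]):
    """NAT rules whose packet counter is zero: no packet ever reached the rule,
    so the cause is earlier in the path (hook, interface or port match, or a
    connection that already existed in conntrack: nat chains only see the
    first packet of a connection, so an existing entry bypasses them)."""
    return [(c.table, c.name, r) for c in chains
            for r in c.rules if r.nat_action and r.packets == 0]


def priority_notes(chains: List[Chain]) -> List[str]:
    """nat chains whose priority differs from the conventional value."""
    return [f"{c.table}/{c.name}: nat {c.hook} at priority {c.priority}, "
            f"conventional value is {CONVENTIONAL_NAT_PRIORITY[c.hook]}"
            for c in chains
            if c.hook_type == "nat" and c.hook in CONVENTIONAL_NAT_PRIORITY
            and c.priority != CONVENTIONAL_NAT_PRIORITY[c.hook]]


if __name__ == "__main__":
    parsed = parse_ruleset(SAMPLE_RULESET)
    for table, name, rule in unmatched_nat_rules(parsed):
        print(f"never matched: {table}/{name}: {rule.text}")
    for note in priority_notes(parsed):
        print(note)
```

Run against the sample it reports both the `dnat 10.0.3.40` and the `snat 37.187.110.20` rules as never matched, which is the same thing the zero counters in the message say: the packet logged by the filter input chain with its original DST never passed through the NAT rule. Pipe real `nft list ruleset` output into `parse_ruleset` to use it on a live box.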


* Re: nftables DNAT not working
@ 2015-10-21 22:01 ` palica
From: palica @ 2015-10-21 22:01 UTC (permalink / raw)
  To: netfilter

OK,

Just for reference, this works with iptables:

# Generated by iptables-save v1.4.21 on Wed Oct 21 23:54:14 2015
*raw
:PREROUTING ACCEPT [3275:234388]
:OUTPUT ACCEPT [2229:414696]
COMMIT
# Completed on Wed Oct 21 23:54:14 2015
# Generated by iptables-save v1.4.21 on Wed Oct 21 23:54:14 2015
*nat
:PREROUTING ACCEPT [289:10144]
:INPUT ACCEPT [289:10144]
:OUTPUT ACCEPT [2:152]
:POSTROUTING ACCEPT [11:644]
:LXC - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j LXC
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j LXC
-A POSTROUTING -s 10.0.3.0/24 ! -o lxcbr0 -j MASQUERADE
-A POSTROUTING -s 10.0.3.40/32 -d 10.0.3.40/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A LXC ! -i lxcbr0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.3.40:80
COMMIT
# Completed on Wed Oct 21 23:54:14 2015
# Generated by iptables-save v1.4.21 on Wed Oct 21 23:54:14 2015
*mangle
:PREROUTING ACCEPT [3275:234388]
:INPUT ACCEPT [3151:212528]
:FORWARD ACCEPT [104:20660]
:OUTPUT ACCEPT [2229:414696]
:POSTROUTING ACCEPT [2333:435356]
COMMIT
# Completed on Wed Oct 21 23:54:14 2015
# Generated by iptables-save v1.4.21 on Wed Oct 21 23:54:14 2015
*filter
:INPUT ACCEPT [291:10240]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2229:414696]
:LXC - [0:0]
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j ssh_whitelist
-A INPUT -i eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o lxcbr0 -j LXC
-A FORWARD -o lxcbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lxcbr0 ! -o lxcbr0 -j ACCEPT
-A FORWARD -i lxcbr0 -o lxcbr0 -j ACCEPT
-A LXC -d 10.0.3.40/32 ! -i lxcbr0 -o lxcbr0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Wed Oct 21 23:54:14 2015

I have created an lxcbr0 bridge with 10.0.3.1/24, and the veth (slave of lxcbr0) for the LXC has 10.0.3.40/24; the Internet-facing interface was changed to eth0.

I will try to convert these iptables rules to nftables tomorrow.

palica




* nftables dnat not working
@ 2014-08-05  8:14 Matteo Croce
From: Matteo Croce @ 2014-08-05  8:14 UTC (permalink / raw)
  To: Netfilter Users Mailing list

Hi,

I'm using nftables on a vanilla 3.16 kernel and nft 0.3.
I want to do port forwarding for TCP port 51413 to host 192.168.0.20 and
I've configured my firewall like this:
table ip nat {
        chain post {
                 type nat hook postrouting priority 0;
                 ip saddr 192.168.0.0/24 oif eth0 snat 192.168.1.2
        }

        chain pre {
                 type nat hook prerouting priority 0;
                 iif eth0 tcp dport 51413 dnat 192.168.0.20
        }
}


No filter chain at all.
From the router I can find the port open:

HPING 192.168.0.20 (br0 192.168.0.20): S set, 40 headers + 0 data bytes
len=44 ip=192.168.0.20 ttl=64 DF id=0 sport=51413 flags=SA seq=0
len=44 ip=192.168.0.20 ttl=64 DF id=0 sport=51413 flags=SA seq=1

From the outside it is closed:

HPING 188.218.168.147 (eth0 188.218.168.147): S set, 40 headers + 0 data bytes
len=46 ip=188.218.168.147 ttl=51 DF id=39456 sport=51413 flags=RA seq=0
len=46 ip=188.218.168.147 ttl=51 DF id=39467 sport=51413 flags=RA seq=1

If I sniff in the LAN, nothing gets forwarded.

Cheers,
-- 
Matteo Croce
OpenWrt Developer
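An nftables rendering of the iptables-save rules palica posted in the second message (nat PREROUTING/OUTPUT DNAT, POSTROUTING MASQUERADE with the hairpin rule, FORWARD accepts), parametrised so the same function also produces the port 51413 forward Matteo asks about above. This is an added example written for this page, not a ruleset from either poster or from the nftables project. Assumptions: it uses the `dnat to` / `masquerade` syntax of current nft (the nft 0.3 and 0.5 releases in these threads write `dnat 10.0.3.40` without `to`), it names the public address explicitly instead of iptables' `-m addrtype --dst-type LOCAL`, and it matches the WAN interface (`iif eth0`, as in Matteo's rule) rather than `! -i lxcbr0`. It only renders text; loading it is `nft -f` on the output, which this example does not do.

```python
"""Render an nftables ruleset for a DNAT port-forward to a LAN/container host.

Added example, not from the mail thread: a hand translation of palica's
iptables-save rules into nft syntax, parametrised.  Syntax assumptions:
`dnat to` and `masquerade` as in current nft; the public address is given
explicitly instead of addrtype LOCAL; `iif <wan_if>` instead of `! -i lxcbr0`.
"""
from ipaddress import ip_address, ip_network


def render_port_forward(wan_if: str, wan_ip: str, lan_if: str, lan_net: str,
                        target: str, port: int, proto: str = "tcp") -> str:
    """Return an nft ruleset forwarding wan_ip:port (arriving on wan_if) to
    target:port on the lan_if bridge, plus the return-path SNAT, the hairpin
    rule and the forward-chain accepts the iptables version carries."""
    net = ip_network(lan_net)
    tgt = ip_address(target)
    ip_address(wan_ip)                      # raises ValueError on garbage
    if tgt not in net:
        raise ValueError(f"target {target} is not inside {lan_net}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")
    return f"""\
table ip nat {{
        chain prerouting {{
                type nat hook prerouting priority -100; policy accept;
                # iptables: -A PREROUTING -m addrtype --dst-type LOCAL -j LXC
                #           -A LXC ! -i {lan_if} -p {proto} --dport {port} -j DNAT --to-destination {tgt}:{port}
                iif {wan_if} ip daddr {wan_ip} {proto} dport {port} counter dnat to {tgt}:{port}
        }}
        chain output {{
                type nat hook output priority -100; policy accept;
                # iptables: -A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j LXC
                # (locally originated connections to the public address)
                ip daddr {wan_ip} {proto} dport {port} counter dnat to {tgt}:{port}
        }}
        chain postrouting {{
                type nat hook postrouting priority 100; policy accept;
                # iptables: -A POSTROUTING -s {net} ! -o {lan_if} -j MASQUERADE
                ip saddr {net} oif != {lan_if} counter masquerade
                # hairpin: the target reaching its own forwarded port via the public address
                ip saddr {tgt} ip daddr {tgt} {proto} dport {port} counter masquerade
        }}
}}
table ip filter {{
        chain forward {{
                type filter hook forward priority 0; policy accept;
                # iptables: -A FORWARD -o {lan_if} -j LXC
                #           -A LXC -d {tgt} ! -i {lan_if} -o {lan_if} -p {proto} --dport {port} -j ACCEPT
                iif != {lan_if} oif {lan_if} ip daddr {tgt} {proto} dport {port} counter accept
                oif {lan_if} ct state related,established counter accept
                iif {lan_if} counter accept
        }}
}}
"""


if __name__ == "__main__":
    # palica's setup from the second message: eth0 facing the Internet,
    # lxcbr0 with 10.0.3.1/24, the container at 10.0.3.40, port 80.
    print(render_port_forward("eth0", "37.187.110.20", "lxcbr0",
                              "10.0.3.0/24", "10.0.3.40", 80))
```

Every rule carries `counter`, so after loading the output with `nft -f` a `nft list ruleset` shows directly which rule a test connection reached, which is the same check the zero counters in the first message allow. The validation rejects a target outside the LAN prefix, the case where the return traffic would never be masqueraded back out.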

