* nftables NAT
@ 2014-08-03 10:35 Matteo Croce
2014-08-04 4:24 ` Vigneswaran R
0 siblings, 1 reply; 5+ messages in thread
From: Matteo Croce @ 2014-08-03 10:35 UTC (permalink / raw)
To: netfilter
Hi,
I'm trying to set up a NAT on my router with nftables, my LAN is wlan0
with address 192.168.20.1 and the LAN is eth0 with address
192.168.1.7, ip forwarding is enabled:
[~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0d:b9:34:2b:e8
inet addr:192.168.1.7 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20d:b9ff:fe34:2be8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:353 errors:0 dropped:0 overruns:0 frame:0
TX packets:305 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:39409 (38.4 KiB) TX bytes:39077 (38.1 KiB)
[~]# ifconfig wlan0
wlan0 Link encap:Ethernet HWaddr 04:f0:21:0c:a3:7d
inet addr:192.168.20.1 Bcast:192.168.20.255 Mask:255.255.255.0
inet6 addr: fe80::6f0:21ff:fe0c:a37d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1612 Metric:1
RX packets:475 errors:0 dropped:0 overruns:0 frame:0
TX packets:232 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:48202 (47.0 KiB) TX bytes:41345 (40.3 KiB)
[~]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0
[~]# cat /proc/sys/net/ipv4/ip_forward
1
I've set up nftables like this:
[~]# nft -n list table nat
table ip nat {
chain postrouting {
type nat hook postrouting priority 0;
ip saddr 192.168.20.0/24 oif eth0 snat 192.168.1.7
}
}
It correctly forwards the packet with the new address, but doesn't
send the replies back:
[~]# tcpdump -pni wlan0 icmp
IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq 11, length 64
IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq 12, length 64
IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq 13, length 64
[~]# tcpdump -pni eth0 icmp
IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq 21, length 64
IP 8.8.8.8 > 192.168.1.7: ICMP echo reply, id 9107, seq 21, length 64
IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq 22, length 64
IP 8.8.8.8 > 192.168.1.7: ICMP echo reply, id 9107, seq 22, length 64
IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq 23, length 64
IP 8.8.8.8 > 192.168.1.7: ICMP echo reply, id 9107, seq 23, length 64
I can't see any problem in the configuration, any hint?
Cheers,
--
Matteo Croce
OpenWrt Developer
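A triage helper for the two captures above, added here as an example and not code from the thread: it reads the per-interface tcpdump lines (constructed from the output quoted above), counts echo requests and replies on each side, and names the first stage of the NAT round trip at which packets stop appearing. It generalises past this thread's case to the other ways a NAT path can fail.

```python
import re
from collections import Counter

# Matches the lines produced by "tcpdump -pni <iface> icmp", as quoted in the thread.
LINE_RE = re.compile(r"IP [\d.]+ > [\d.]+: ICMP echo (?P<kind>request|reply), id \d+")

# Constructed from the captures quoted above: LAN side (wlan0) and WAN side (eth0).
WLAN0_CAPTURE = """\
IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq 11, length 64
IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq 12, length 64
IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq 13, length 64
"""
ETH0_CAPTURE = """\
IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq 21, length 64
IP 8.8.8.8 > 192.168.1.7: ICMP echo reply, id 9107, seq 21, length 64
IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq 22, length 64
IP 8.8.8.8 > 192.168.1.7: ICMP echo reply, id 9107, seq 22, length 64
"""


def count_echo(capture):
    """Count ICMP echo requests and replies seen in one interface capture."""
    hits = (LINE_RE.search(line) for line in capture.splitlines())
    return Counter(m.group("kind") for m in hits if m)


def diagnose(lan_capture, wan_capture):
    """Name the first stage of the NAT round trip at which packets stop appearing.

    Stages, in order: request enters on the LAN interface; translated request
    leaves on the WAN interface (routing, SNAT, forward LAN->WAN); reply comes
    back on the WAN interface (upstream answered); reply is reverse-translated
    and forwarded out of the LAN interface (forward WAN->LAN).
    """
    lan, wan = count_echo(lan_capture), count_echo(wan_capture)
    if not lan["request"]:
        return "no-traffic"           # nothing entered the router from the LAN
    if not wan["request"]:
        return "outbound-broken"      # routing, SNAT or forward chain LAN->WAN
    if not wan["reply"]:
        return "upstream-silent"      # the router's NAT is not what is failing
    if not lan["reply"]:
        return "return-path-broken"   # reverse NAT / forward WAN->LAN: the thread's case
    return "ok"


if __name__ == "__main__":
    # Prints "return-path-broken" for the captures quoted in the thread.
    print(diagnose(WLAN0_CAPTURE, ETH0_CAPTURE))
```

Run it against two simultaneous captures (`tcpdump -pni wlan0 icmp` and `tcpdump -pni eth0 icmp`) saved to files; the verdict tells you whether to look at the forward chain, the NAT rule, or the upstream.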
* Re: nftables NAT
From: Vigneswaran R @ 2014-08-04 4:24 UTC (permalink / raw)
To: Matteo Croce; +Cc: netfilter
On 08/03/2014 04:05 PM, Matteo Croce wrote:
> Hi,
>
> I'm trying to set up a NAT on my router with nftables, my LAN is wlan0
> with address 192.168.20.1 and the LAN is eth0 with address
> 192.168.1.7, ip forwarding is enabled:
>
> [~]# ifconfig eth0
> eth0 Link encap:Ethernet HWaddr 00:0d:b9:34:2b:e8
> inet addr:192.168.1.7 Bcast:192.168.1.255 Mask:255.255.255.0
> inet6 addr: fe80::20d:b9ff:fe34:2be8/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:353 errors:0 dropped:0 overruns:0 frame:0
> TX packets:305 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:39409 (38.4 KiB) TX bytes:39077 (38.1 KiB)
>
> [~]# ifconfig wlan0
> wlan0 Link encap:Ethernet HWaddr 04:f0:21:0c:a3:7d
> inet addr:192.168.20.1 Bcast:192.168.20.255 Mask:255.255.255.0
> inet6 addr: fe80::6f0:21ff:fe0c:a37d/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1612 Metric:1
> RX packets:475 errors:0 dropped:0 overruns:0 frame:0
> TX packets:232 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:48202 (47.0 KiB) TX bytes:41345 (40.3 KiB)
>
> [~]# route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
> 192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0
> [~]# cat /proc/sys/net/ipv4/ip_forward
> 1
>
> I've set up nftables like this:
>
> [~]# nft -n list table nat
> table ip nat {
> chain postrouting {
> type nat hook postrouting priority 0;
> ip saddr 192.168.20.0/24 oif eth0 snat 192.168.1.7
> }
> }
>
> It correctly forwards the packet with the new address, but doesn't
> send the replies back:
>
> [~]# tcpdump -pni wlan0 icmp
> IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq 11, length 64
> IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq 12, length 64
> IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq 13, length 64
> [~]# tcpdump -pni eth0 icmp
> IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq 21, length 64
> IP 8.8.8.8 > 192.168.1.7: ICMP echo reply, id 9107, seq 21, length 64
> IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq 22, length 64
> IP 8.8.8.8 > 192.168.1.7: ICMP echo reply, id 9107, seq 22, length 64
> IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq 23, length 64
> IP 8.8.8.8 > 192.168.1.7: ICMP echo reply, id 9107, seq 23, length 64
>
> I can't see any problem in the configuration, any hint?
Just a thought... Are you accepting packets in the FORWARD chain in both
directions (eth0 -> wlan0, wlan0 -> eth0)?
Vignesh
* Re: nftables NAT
From: Matteo Croce @ 2014-08-04 8:46 UTC (permalink / raw)
To: Vigneswaran R; +Cc: netfilter
It started working after loading the module iptable_nat.
Does nftables rely on iptables?
2014-08-04 6:24 GMT+02:00 Vigneswaran R <vignesh@atc.tcs.com>:
> On 08/03/2014 04:05 PM, Matteo Croce wrote:
>>
>> Hi,
>>
>> I'm trying to set up a NAT on my router with nftables, my LAN is wlan0
>> with address 192.168.20.1 and the LAN is eth0 with address
>> 192.168.1.7, ip forwarding is enabled:
>>
>> [~]# ifconfig eth0
>> eth0 Link encap:Ethernet HWaddr 00:0d:b9:34:2b:e8
>> inet addr:192.168.1.7 Bcast:192.168.1.255 Mask:255.255.255.0
>> inet6 addr: fe80::20d:b9ff:fe34:2be8/64 Scope:Link
>> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
>> RX packets:353 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:305 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:1000
>> RX bytes:39409 (38.4 KiB) TX bytes:39077 (38.1 KiB)
>>
>> [~]# ifconfig wlan0
>> wlan0 Link encap:Ethernet HWaddr 04:f0:21:0c:a3:7d
>> inet addr:192.168.20.1 Bcast:192.168.20.255 Mask:255.255.255.0
>> inet6 addr: fe80::6f0:21ff:fe0c:a37d/64 Scope:Link
>> UP BROADCAST RUNNING MULTICAST MTU:1612 Metric:1
>> RX packets:475 errors:0 dropped:0 overruns:0 frame:0
>> TX packets:232 errors:0 dropped:0 overruns:0 carrier:0
>> collisions:0 txqueuelen:1000
>> RX bytes:48202 (47.0 KiB) TX bytes:41345 (40.3 KiB)
>>
>> [~]# route -n
>> Kernel IP routing table
>> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
>> 0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
>> 192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
>> 192.168.20.0    0.0.0.0         255.255.255.0   U     0      0        0 wlan0
>> [~]# cat /proc/sys/net/ipv4/ip_forward
>> 1
>>
>> I've set up nftables like this:
>>
>> [~]# nft -n list table nat
>> table ip nat {
>> chain postrouting {
>> type nat hook postrouting priority 0;
>> ip saddr 192.168.20.0/24 oif eth0 snat 192.168.1.7
>> }
>> }
>>
>> It correctly forwards the packet with the new address, but doesn't
>> send the replies back:
>>
>> [~]# tcpdump -pni wlan0 icmp
>> IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq 11, length 64
>> IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq 12, length 64
>> IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq 13, length 64
>> [~]# tcpdump -pni eth0 icmp
>> IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq 21, length 64
>> IP 8.8.8.8 > 192.168.1.7: ICMP echo reply, id 9107, seq 21, length 64
>> IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq 22, length 64
>> IP 8.8.8.8 > 192.168.1.7: ICMP echo reply, id 9107, seq 22, length 64
>> IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq 23, length 64
>> IP 8.8.8.8 > 192.168.1.7: ICMP echo reply, id 9107, seq 23, length 64
>>
>> I can't see any problem in the configuration, any hint?
>
>
> Just a thought... Are you accepting packets in the FORWARD chain in both
> directions (eth0 -> wlan0, wlan0 -> eth0)?
>
> Vignesh
--
Matteo Croce
OpenWrt Developer
* Re: nftables NAT
From: Arturo Borrero Gonzalez @ 2014-08-04 8:51 UTC (permalink / raw)
To: Matteo Croce; +Cc: Vigneswaran R, Netfilter Users Mailing list
On 4 August 2014 10:46, Matteo Croce <technoboy85@gmail.com> wrote:
> It started working after loading the module iptable_nat.
> Does nftables rely on iptables?
>
I guess it should not.
Please provide detailed info about your system: kernel, nft, libnftnl, etc.
regards.
--
Arturo Borrero González
* Re: nftables NAT
From: Matteo Croce @ 2014-08-04 9:00 UTC (permalink / raw)
To: Arturo Borrero Gonzalez; +Cc: Vigneswaran R, Netfilter Users Mailing list
# uname -a
Linux apu 3.16.0-apu #2 SMP Mon Aug 4 01:43:03 CEST 2014 x86_64 GNU/Linux
# nft -v
nftables v0.3 (Support Edward Snowden)
libnftnl0 1.0.2-1 (Debian package)
2014-08-04 10:51 GMT+02:00 Arturo Borrero Gonzalez
<arturo.borrero.glez@gmail.com>:
> On 4 August 2014 10:46, Matteo Croce <technoboy85@gmail.com> wrote:
>> It started working after loading the module iptable_nat.
>> Does nftables rely on iptables?
>>
>
> I guess it should not.
>
> Please provide detailed info about your system: kernel, nft, libnftnl, etc.
>
> regards.
>
> --
> Arturo Borrero González
--
Matteo Croce
OpenWrt Developer