* Problems getting started with dnat and port forwarding
@ 2023-11-12 17:31 Rubén Méndez Hernández
  2023-11-13  2:36 ` Kerin Millar
  0 siblings, 1 reply; 2+ messages in thread
From: Rubén Méndez Hernández @ 2023-11-12 17:31 UTC (permalink / raw)
  To: netfilter

Dear netfilter team.
I'm starting with nftables and trying to set up SSH port forwarding
from my firewall IP 192.168.1.252 to my DMZ IP 10.0.0.2. But I get
this error:
-------
nft -cf nft/test.nft
nft/test.nft:30:62-65: Error: ip or ip6 must be specified with address
for inet tables.
add rule inet nat prerouting iifname $int_ext tcp dport 2222 dnat to 10.0.0.2:22
                                                             ^^^^
-------

I'll leave you a piece of my nftables script.
-------
table inet nat {
  chain prerouting { type nat hook prerouting priority -400; policy accept; }
  chain postrouting { type nat hook postrouting priority srcnat; policy accept; }
}
#--------------PREROUTING-----------------
add rule inet nat prerouting iifname $int_ext tcp dport 2222 dnat to 10.0.0.2:22
#--------------FORWARD----------------- #
add rule inet filter FORWARD iifname $int_ext oifname $int_dmz ip daddr 10.0.0.2/24 tcp dport 22 accept
add rule inet filter FORWARD iifname $int_dmz oifname $int_ext ip saddr 10.0.0.2/24 tcp sport 22 accept
-------

Thank you for your time.


* Re: Problems getting started with dnat and port forwarding
  2023-11-12 17:31 Problems getting started with dnat and port forwarding Rubén Méndez Hernández
@ 2023-11-13  2:36 ` Kerin Millar
  0 siblings, 0 replies; 2+ messages in thread
From: Kerin Millar @ 2023-11-13  2:36 UTC (permalink / raw)
  To: Rubén Méndez Hernández; +Cc: netfilter

On Sun, 12 Nov 2023 18:31:58 +0100
Rubén Méndez Hernández  <rmendezh@ies-sabadell.cat> wrote:

> Dear netfilter team.
> I'm starting with nftables and trying to set up SSH port forwarding
> from my firewall IP 192.168.1.252 to my DMZ IP 10.0.0.2. But I get
> this error:
> -------
> nft -cf nft/test.nft
> nft/test.nft:30:62-65: Error: ip or ip6 must be specified with address
> for inet tables.
> add rule inet nat prerouting iifname $int_ext tcp dport 2222 dnat to 10.0.0.2:22
>                                                              ^^^^

The synopsis of the dnat statement is as follows.

dnat [[ip | ip6] [ prefix ] to] ADDR_SPEC [:PORT_SPEC] [FLAGS]

The square brackets indicate components of syntax that are optional, or optional under certain circumstances. The error message indicates that [ip | ip6] is not optional under the circumstance that your rule is expected to reside in an inet table. Therefore, you must specify "ip" immediately after "dnat".

Your nftables version must be out of date because the error message has since been improved.

-- 
Kerin Millar

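A complete ruleset that applies the fix described in the reply, added here as an example rather than taken from the thread. The interface names in the `define` lines are assumptions; the addresses are the ones from the original post.

```nft
# Assumed interface names (not from the thread): adjust to the real host.
define int_ext = "eth0"   # side facing 192.168.1.0/24
define int_dmz = "eth1"   # side facing the DMZ 10.0.0.0/24

flush ruleset

table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Inside an inet table the address family is mandatory in the
        # translation: "dnat to 10.0.0.2:22" is rejected, "dnat ip to" is accepted.
        iifname $int_ext tcp dport 2222 dnat ip to 10.0.0.2:22
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies from the DMZ host are matched by conntrack, so no explicit
        # "saddr 10.0.0.2 sport 22" rule is needed in the return direction.
        ct state established,related accept
        # Only the translated SSH flow may cross from the outside into the DMZ;
        # "ct status dnat" ties the accept to connections the NAT rule rewrote.
        iifname $int_ext oifname $int_dmz ip daddr 10.0.0.2 tcp dport 22 ct status dnat accept
    }
}
```

Check the file without loading it with `nft -cf <file>`, as in the original post; a current nft accepts it, while leaving out the `ip` keyword reproduces the error quoted above.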
