Masquerading with selectively open ports -- nftables

My box has two interfaces (enp2s0, upstream to ISP with DHCP) and (enp3s0, LAN, static IP assignment). Using nftables, I'm attempting to set it up as a router with NAT, and selective port openings: enp2s0 is supposed to have the ssh port open, while enp3s0 also gets to have http, https, dhcp and dns open so I can run Apache and dnsmasq on it for users on the LAN.

Ideally I'm looking for a full example that will work if I execute 'nft -f' with it. (Pretty much all related nftables examples I find seem to leave out crucial bits.)

Here is what I have so far:

table inet filter {
  chain input { # this chain serves as a dispatcher
    type filter hook input priority 0;

    iifname lo accept # always accept loopback
    iifname enp2s0 jump input_enp2s0
    iifname enp3s0 jump input_enp3s0

    reject with icmp type port-unreachable # refuse traffic from all other interfaces
   }
  chain input_enp2s0 {
    ct state {established,related} accept
    ct state invalid drop
    udp dport bootpc accept # DHCP client: offers/acks from the ISP arrive on bootpc (68), UDP only
    tcp dport ssh accept    # the one service exposed upstream
    reject with icmp type port-unreachable # all other traffic
  }

  chain input_enp3s0 {
    ct state {established,related} accept
    ct state invalid drop
    udp dport bootps accept # dnsmasq's DHCP server listens on bootps (67), not bootpc
    udp dport domain accept # dnsmasq DNS, UDP and TCP
    tcp dport domain accept
    tcp dport http accept   # 'tcp port' is not nft syntax; match the destination port
    tcp dport https accept
    # and a few others
    reject with icmp type port-unreachable # all other traffic
  }

  chain output { # for now, we let everything out
    type filter hook output priority 0;
    accept
  }
}

Now I’m attempting to add masquerading, and I’m failing:
> nft add table nat
> nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
> nft add chain nat postrouting { type nat hook postrouting priority 0 \; }
> nft add rule nat postrouting masquerade
<cmdline>:1:1-35: Error: Could not process rule: No such file or directory
add rule nat postrouting masquerade
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

1. This is copied straight from the wiki [1]. What am I doing wrong?

2. Even if this command worked, how do I properly integrate it into the rest of my tables/rules?

I’m on Arch x86_64, nftables 0.5.

Thanks,



Johannes.


[1] http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29
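
A complete ruleset that combines the filter table above with the NAT table the wiki recipe describes, written as an added example for this page (it is not the poster's ruleset or the wiki's text). It assumes the interface names from the post (enp2s0 upstream, enp3s0 LAN), service names resolved from /etc/services, a kernel built with nftables masquerade support (nft_masq; on kernels of the 0.5 era also nft_masq_ipv4) and net.ipv4.ip_forward=1. That kernel support is the first thing to check when `nft add rule ... masquerade` fails with "No such file or directory": ENOENT is what nft reports when the kernel has no implementation for an expression used in the rule, so the syntax in the wiki is not the problem.

```nft
#!/usr/sbin/nft -f
# Added example: NAT router with selectively open ports.
# enp2s0: upstream (DHCP client), only ssh reachable from outside.
# enp3s0: LAN (static), dnsmasq (dhcp + dns) and Apache (http + https).
# Load with:  nft -f router.nft   and  sysctl -w net.ipv4.ip_forward=1

flush ruleset   # start clean so the file can be reloaded idempotently

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iifname lo accept
    ct state established,related accept   # replies to our own traffic, any interface
    ct state invalid drop

    iifname enp2s0 jump input_enp2s0      # dispatch only NEW traffic per interface
    iifname enp3s0 jump input_enp3s0

    reject with icmpx type port-unreachable   # inet-family reject, covers IPv4 and IPv6
  }

  chain input_enp2s0 {
    udp dport bootpc accept   # DHCP offers/acks from the ISP are broadcast, not "established"
    tcp dport ssh accept
    reject with icmpx type port-unreachable
  }

  chain input_enp3s0 {
    udp dport { bootps, domain } accept        # dnsmasq: DHCP server (67) and DNS (53)
    tcp dport { domain, http, https } accept   # DNS over TCP, Apache
    reject with icmpx type port-unreachable
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    iifname enp3s0 oifname enp2s0 accept   # LAN -> upstream only; no new flows inbound
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}

# NAT is done in the ip family (masquerade is IPv4 only here).
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;   # empty; the wiki recipe registers both NAT hooks
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname enp2s0 masquerade   # rewrite only what leaves through the upstream link
  }
}
```

The per-interface chains no longer repeat the conntrack rules because the dispatcher accepts established/related flows before jumping, so each sub-chain only has to list the ports on which new connections are welcome. The forward chain is what actually turns the box into a router; masquerade alone only rewrites source addresses on packets that the forward hook has already let through.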