Re: Masquerading with selectively open ports -- nftables

> On Oct 28, 2015, at 16:15, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> 
> You can probably contribute these examples to the wiki. Or I'd be
> happy to get more or less generic scripts as examples that we can
> place in the wiki.

Once I figured out how to do what I want to do, I will definitely put it somewhere where others can find it.

>> Now I’m attempting to add masquerading, and I’m failing:
>>> nft add table nat
>>> nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
>>> nft add chain nat postrouting { type nat hook postrouting priority 0 \; }
>>> nft add rule nat postrouting masquerade
>> <cmdline>:1:1-35: Error: Could not process rule: No such file or directory
>> add rule nat postrouting masquerade
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> 
>> 1. This is copied straight from the wiki [1]. What am I doing wrong?
> 
> The lines above work fine here.
> 
> Masquerading was added in 3.18; what kernel version are you using?

I’m on Arch, Linux 4.2.2 or thereabouts.

> Moreover, make sure you also compiled masquerading support for nf_tables:
> 
> CONFIG_NFT_MASQ=m

Ahh, that might be it. The Arch build script is here [2] and I don’t see anything that looks like CONFIG_NFT_MASQ. I’ll recompile tomorrow and see where that leads us.

The other thing I’m still missing is where to attach the masquerade keyword. Is it on the incoming or outgoing interface or automagic? E.g. if my box has two interfaces (enp2s0, upstream to ISP with DHCP) and (enp3s0, LAN, static IP assignment), do I need to say something like “iifname enp2s0 masquerade”?

Also, the example has a separate table ‘nat’. Can I just put the nat chain into my inet filter table, or does this have to be a separate table?

Thank you!


Johannes.

[2] https://projects.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/nftables
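A complete ruleset for the two-interface box described above, added here as an example and not taken from the thread or the nftables wiki. It assumes enp2s0 is the upstream (DHCP) interface and enp3s0 the LAN, keeps the separate ip nat table that the wiki example uses, and pairs the masquerade rule with a forward chain so that NAT does not silently turn the box into an open router.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumptions:
#   enp2s0 = upstream to ISP, address assigned by DHCP
#   enp3s0 = LAN, static addressing
# IPv4 forwarding must be enabled separately (net.ipv4.ip_forward=1).

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        # No port forwards yet; the chain is kept because the wiki
        # example registers both the prerouting and postrouting chains.
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # masquerade lives in postrouting and keys on the OUTGOING
        # interface: the source address is rewritten to whatever address
        # enp2s0 currently holds, which is what makes it fit a DHCP
        # upstream. Matching oifname (not iifname) also leaves LAN-to-LAN
        # and locally generated traffic on other interfaces untouched.
        oifname "enp2s0" masquerade
    }
}

# Forward chain to add to the existing inet filter table: NAT by itself
# does not restrict what is forwarded, so the policy here is drop and
# only LAN-originated flows and their replies are allowed through.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "enp3s0" oifname "enp2s0" ct state new accept
        # unsolicited upstream -> LAN forwarding falls through to drop
    }
}
```

Load it with `nft -f <file>` and confirm the counters move with `nft list ruleset`; if the masquerade rule is still refused, the CONFIG_NFT_MASQ build option mentioned earlier is the first thing to check.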
