Hello all, I am trying to set up a router with nftables and two WAN providers. I am stuck at the very start and have not even reached the conntrack-mark rules yet. The problem is that DNAT works only on the first of the two interfaces. Inbound TCP packets arriving on the second interface reach the prerouting chain and the DNAT rule returns an accept verdict, but nothing happens after that: "conntrack -E" shows no DNAT entries for those packets and they never reach the forward chain. [Reviewer note: a conntrack entry is only confirmed once the packet reaches the postrouting or input hook, so "no entry in conntrack -E" is consistent with the packet being discarded between prerouting and forward, i.e. at the routing decision. In the output below the main table's default route points out "mgts", so a packet that arrived on "onlime" from 88.198.46.51 has its reverse path on a different interface; net.ipv4.conf.{all,onlime}.rp_filter (reverse-path filtering, which drops such asymmetric packets silently) is the first thing to check before assuming a netfilter bug — this is a hypothesis from the visible routes, not something confirmed here.] Does anyone use nftables with more than one provider? Has anything beyond the simplest configurations been tested? I cannot see what could be wrong on my side and suspect an error in netfilter. I have tried Ubuntu 16.04, 17.10 and now a development build of 18.04.
INFO:
root@gw:~# uname -a
Linux gw 4.15.0-10-generic #11-Ubuntu SMP Tue Feb 13 18:23:35 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
root@gw:~# nft -v
nftables v0.8.2 (Joe Btfsplk)
root@gw:~# lsmod | grep nf_
nf_nat_masquerade_ipv4 16384 1 nft_masq_ipv4
nf_conntrack_ipv6 20480 3
nf_defrag_ipv6 36864 1 nf_conntrack_ipv6
nf_conntrack_ipv4 16384 12
nf_defrag_ipv4 16384 1 nf_conntrack_ipv4
nf_nat_ipv4 16384 1 nft_chain_nat_ipv4
nf_nat 32768 3 nft_nat,nf_nat_masquerade_ipv4,nf_nat_ipv4
nf_conntrack 131072 9 nft_ct,nft_nat,nf_conntrack_ipv6,nf_conntrack_ipv4,nft_masq,nf_nat_masquerade_ipv4,nft_masq_ipv4,nf_nat_ipv4,nf_nat
nf_tables_inet 16384 4
nf_tables_ipv6 16384 1 nf_tables_inet
nf_tables_ipv4 16384 2 nf_tables_inet
nf_tables 90112 149 nft_ct,nft_nat,nft_set_bitmap,nft_chain_nat_ipv4,nft_set_hash,nf_tables_ipv6,nf_tables_ipv4,nft_masq,nft_meta,nft_set_rbtree,nft_masq_ipv4,nft_counter,nf_tables_inet
nfnetlink 16384 1 nf_tables
libcrc32c 16384 3 nf_conntrack,raid456,nf_nat
root@gw:~# lsmod | grep ip_
root@gw:~# lsmod | grep iptables
root@gw:~# ip route
default via 95.165.128.1 dev mgts proto static onlink
77.37.162.0/23 dev onlime proto kernel scope link src [IP-ONLIME]
95.165.128.0/19 dev mgts proto kernel scope link src [IP-MGTS]
192.168.156.0/24 dev br0 proto kernel scope link src 192.168.156.1
root@gw:~# ip 
route show table onlime default via 77.37.162.1 dev onlime proto dhcp src [IP-ONLIME] metric 1024 77.37.162.1 dev onlime proto dhcp scope link src [IP-ONLIME] metric 1024 root@gw:~# ip route show table mgts default via 95.165.128.1 dev mgts proto dhcp src [IP-MGTS] metric 1024 95.165.128.1 dev mgts proto dhcp scope link src [IP-MGTS] metric 1024 TRACE, FIRST IFACE WORKED root@gw:~# nft monitor trace id 25fef06a ip nat prerouting packet: iif "mgts" ether saddr 02:05:00:5c:50:00 ether daddr 66:2c:7c:f6:d5:77 ip saddr 88.198.46.51 ip daddr [IP-MGTS] ip dscp cs1 ip ecn not-ect ip ttl 58 ip id 51445 ip length 60 tcp sport 38146 tcp dport 4020 tcp flags == syn tcp window 7300 trace id 25fef06a ip nat prerouting rule iifname { } tcp dport 4020 nftrace set 1 (verdict continue) trace id 25fef06a ip nat prerouting rule iifname { } tcp dport 4020 counter packets 0 bytes 0 dnat to 192.168.156.4 comment "NAT storj:4020" (verdict accept) trace id 25fef06a inet main forward packet: iif "mgts" oif "br0" ether saddr 02:05:00:5c:50:00 ether daddr 66:2c:7c:f6:d5:77 ip saddr 88.198.46.51 ip daddr 192.168.156.4 ip dscp cs1 ip ecn not-ect ip ttl 57 ip id 51445 ip length 60 tcp sport 38146 tcp dport 4020 tcp flags == syn tcp window 7300 trace id 25fef06a inet main forward rule iif { } tcp dport 4020 counter packets 0 bytes 0 accept comment "FWD storj:4020" (verdict accept) trace id 25fef06a ip nat postrouting verdict continue trace id 25fef06a ip nat postrouting TRACE, SECOND IFACE DNAT NOT WORKED root@gw:~# nft monitor trace id 0b5ce3cc ip nat prerouting packet: iif "onlime" ether saddr 00:16:4d:7e:e0:9d ether daddr 00:02:44:1a:3e:a9 ip saddr 88.198.46.51 ip daddr [IP-ONLIME] ip dscp cs0 ip ecn not-ect ip ttl 55 ip id 27241 ip length 60 tcp sport 47732 tcp dport 4020 tcp flags == syn tcp window 7300 trace id 0b5ce3cc ip nat prerouting rule iifname { } tcp dport 4020 nftrace set 1 (verdict continue) trace id 0b5ce3cc ip nat prerouting rule iifname { } tcp dport 4020 counter packets 0 
bytes 0 dnat to 192.168.156.4 comment "NAT storj:4020" (verdict accept) trace id 20238a07 ip nat prerouting packet: iif "onlime" ether saddr 00:16:4d:7e:e0:9d ether daddr 00:02:44:1a:3e:a9 ip saddr 88.198.46.51 ip daddr [IP-ONLIME] ip dscp cs0 ip ecn not-ect ip ttl 55 ip id 27242 ip length 60 tcp sport 47732 tcp dport 4020 tcp flags == syn tcp window 7300 trace id 20238a07 ip nat prerouting rule iifname { } tcp dport 4020 nftrace set 1 (verdict continue) trace id 20238a07 ip nat prerouting rule iifname { } tcp dport 4020 counter packets 0 bytes 0 dnat to 192.168.156.4 comment "NAT storj:4020" (verdict accept) RULESET: root@gw:~# nft list ruleset table ip nat { chain prerouting { type nat hook prerouting priority -100; policy accept; iifname { "mgts", "onlime" } tcp dport 4001-4002 counter packets 52 bytes 3012 dnat to 192.168.156.4 comment "NAT storj1" iifname { "mgts", "onlime" } tcp dport 4003-4019 counter packets 1043 bytes 60148 dnat to 192.168.156.10 comment "NAT storj2" iifname { "mgts", "onlime" } tcp dport 4020 nftrace set 1 iifname { "mgts", "onlime" } tcp dport 4020 counter packets 3 bytes 180 dnat to 192.168.156.4 comment "NAT storj:4020" iifname { "mgts", "onlime" } udp dport 5100-5199 dnat to 192.168.156.9 iifname { "mgts", "onlime" } tcp dport 9001-9999 dnat to 192.168.156.4 iifname { "mgts", "onlime" } udp dport 9001-9999 dnat to 192.168.156.4 iifname { "mgts", "onlime" } tcp dport { ftp, http, https, snpp } dnat to 192.168.156.3 } chain postrouting { type nat hook postrouting priority 100; policy accept; oifname { "mgts", "onlime" } masquerade } } table inet main { chain input { type filter hook input priority 0; policy drop; iif { "lo", "br0" } accept icmp type destination-unreachable icmp code 4 counter packets 0 bytes 0 accept icmp type { destination-unreachable, echo-request, time-exceeded, parameter-problem } counter packets 0 bytes 0 accept icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, echo-request, nd-router-advert, 
nd-neighbor-solicit, nd-neighbor-advert } counter packets 4 bytes 288 accept tcp dport domain counter packets 0 bytes 0 accept udp dport domain counter packets 0 bytes 0 accept ct state established,related counter packets 864 bytes 105377 accept tcp dport ssh ct state new counter packets 33 bytes 1980 accept counter packets 387 bytes 34792 drop } chain forward { type filter hook forward priority 0; policy drop; iif { "lo", "br0" } accept iif { "onlime", "mgts" } ip daddr 192.168.156.3 tcp dport { http, https, snpp } counter packets 0 bytes 0 accept iif { "onlime", "mgts" } tcp dport 4020 counter packets 1 bytes 60 accept comment "FWD storj:4020" iif { "onlime", "mgts" } tcp dport 4000-4019 counter packets 55755 bytes 3714207 accept comment "FWD storj" iif { "onlime", "mgts" } ip daddr 192.168.156.9 udp dport 5100-5199 counter packets 0 bytes 0 accept iif { "onlime", "mgts" } ip daddr 192.168.156.4 tcp dport 9001-9999 counter packets 0 bytes 0 accept iif { "onlime", "mgts" } ip daddr 192.168.156.4 udp dport 9001-9999 counter packets 535 bytes 66581 accept ct state established,related counter packets 86215 bytes 200674623 accept } chain output { type filter hook output priority 0; policy accept; counter packets 2174 bytes 254711 accept } } Krey@xxxxxxxxxx Best regards. I hope someone can help. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html