On Wed, Mar 13, 2019 at 09:43:39AM +0100, Pablo Neira Ayuso wrote:
> On Mon, Mar 11, 2019 at 09:44:03PM -0700, Paul Fontenot wrote:
> > Hello,
> >
> > I am trying to set up a test environment with nftables and I'm stuck. I have
> > included the iptables equivalent to what I'm trying to do in the hopes
> > someone can point me in the right direction.
> >
> > Here is the iptables rule I'm trying to recreate in nftables:
> >
> > iptables -A PREROUTING -i eth0 -s 138.68.14.134 -p tcp -m tcp --dport\ 15150
> > -j DNAT --to-destination 192.168.0.2:15150
>
> For direct rule translations, you can use iptables-translate:
>
> # iptables-translate -A PREROUTING -i eth0 -s 138.68.14.134 -p tcp -m tcp --dport 15150 -j DNAT --to-destination 192.168.0.2:15150
> nft add rule ip filter PREROUTING iifname "eth0" ip saddr 138.68.14.134 tcp dport 15150 counter dnat to 192.168.0.2:15150
>
> There's also:
>
> # iptables-restore-translate -f myruleset
>
> that takes the input file in iptables-restore format.

You can refine these (perfectly correct) initial translations by
substituting "iif" for "iifname" (also "oif" for "oifname") for
*permanent* network interfaces such as "eth0".

The speedup is: iifname will do a string compare of the interface name every
time the rule is evaluated, while iif compares the interface index (a number).

iif & oif are only available for permanent interfaces (e.g. eth0 but not
ppp0, tun0 &c.). iif in a rule is clever enough to translate a supplied
interface name to its index, or you can supply the index numerically.

Cheers ... Duncan.
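As an added example (not code from any of the posters above), the following POSIX shell script builds a complete nftables ruleset for the DNAT rule discussed in the thread and applies Duncan's refinement: it emits `iif` for interfaces it treats as permanent and falls back to `iifname` for dynamic ones. The table name `nat`, the chain name `prerouting`, and the interface-name patterns used to decide "permanent" are assumptions for this host; the `type nat hook prerouting` chain type is what `dnat` requires, so the rule is placed there rather than in a filter chain.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Generates an nftables
# ruleset for the DNAT in the thread and chooses "iif" (index compare)
# versus "iifname" (string compare) per interface.

# is_permanent_iface NAME -> exit 0 if NAME is treated as a permanent
# interface (assumption: eth*/en* are permanent on this host; ppp*/tun*/tap*
# and anything else are dynamic and may get a new index each time they appear).
is_permanent_iface() {
    case "$1" in
        eth*|en*)       return 0 ;;
        ppp*|tun*|tap*) return 1 ;;
        *)              return 1 ;;
    esac
}

# iface_match NAME -> prints 'iif "NAME"' for permanent interfaces,
# 'iifname "NAME"' otherwise (no trailing newline).
iface_match() {
    if is_permanent_iface "$1"; then
        printf 'iif "%s"' "$1"
    else
        printf 'iifname "%s"' "$1"
    fi
}

# dnat_ruleset IFACE SRC DPORT DST -> prints a complete ruleset suitable
# for "nft -f -". Table/chain names are assumptions.
dnat_ruleset() {
    iface=$1; src=$2; dport=$3; dst=$4
    cat <<EOF
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        $(iface_match "$iface") ip saddr $src tcp dport $dport counter dnat to $dst
    }
}
EOF
}

# Usage: print the ruleset for the thread's rule; pipe it through
# "nft -c -f -" to syntax-check, or "nft -f -" to load it.
dnat_ruleset eth0 138.68.14.134 15150 192.168.0.2:15150
```

Running the script prints the ruleset; `nft -c -f -` on its output checks the syntax without touching the live ruleset, which is a sensible first step in a test environment.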