I'm having trouble connecting to a server behind NAT using nftables and am wondering if I am missing something obvious here...

I have three computers, A, R, B, where I want B to be able to access a server at A by going through R. R has two network interfaces and I want it to NAT and forward from one interface to the other. I don't think I can use a bridge because eventually one of the interfaces will be ppp, so I have to keep the routing at layer 3.

My setup is

A:192.168.2.10/24 <-> R:eth0:192.168.2.9/24 R:eth1:192.168.3.10/24 <-> B:192.168.3.9/24

So, from B I would like to access a private server running on A.

I've taken the example from the wiki [ref0] and adapted it to my setup, but it doesn't work, so I think I'm misunderstanding something.

Here is the adapted example with tidbits I've found on the web:

````
sudo sysctl -w net.ipv4.ip_forward=1
sudo nft flush ruleset
sudo nft add table nat
sudo nft add chain nat prerouting '{ type nat hook prerouting priority -100; }'
sudo nft add chain nat postrouting '{ type nat hook postrouting priority 100; }'
sudo nft add chain nat output1 '{type nat hook output priority 0; policy accept; }'
sudo nft add rule nat prerouting meta iif eth1 nftrace set 1 dnat 192.168.2.10
sudo nft monitor trace
````

When I ping 192.168.3.10 from B the trace looks like this:

````
trace id 64afe467 ip nat prerouting packet: iif "eth1" ether saddr 6c:2b:59:51:7d:81 ether daddr 00:e0:4c:20:25:c9 ip saddr 192.168.3.9 ip daddr 192.168.3.10 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 36164 ip length 84 icmp type echo-request icmp code net-unreachable icmp id 17 icmp sequence 1 @th,64,96 20994783627685759202862957568
trace id 64afe467 ip nat prerouting rule iif "eth1" meta nftrace set 1 dnat to 192.168.2.10 (verdict accept)
trace id 64afe467 ip nat postrouting verdict continue
trace id 64afe467 ip nat postrouting policy accept
````

`ip route` gives:

````
192.168.2.0/24 dev eth0 proto dhcp scope link src 192.168.2.9 metric 202
192.168.3.0/24 dev eth1 proto dhcp scope link src 192.168.3.10 metric 203
````

`uname -r` gives `5.2.5-1-ARCH`

Am I missing some forwarding rules? I'm just learning, so maybe it is obvious to someone.

Thank you.

[ref0] = https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Destination_NAT