On Sun, 18 Apr 2021 at 22:23, Frank Myhr <fmyhr@xxxxxxxxxxx> wrote:
>
> Hi Pekka,
>
> Try:
> iifname $wanif tcp dport 12345 dnat 192.168.1.11
>
> or
> iifname $wanif tcp dport {12345} dnat 192.168.1.11
> (but the braces are unnecessary unless you want to add more than one dport)
>
> https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Destination_NAT

Thanks. I managed to fix it just moments ago.

I had remnants of iptables kernel modules which I blacklisted:

# cat /etc/modprobe.d/blacklist.conf
blacklist ip_tables
blacklist iptable_nat

I also upgraded the kernel to 5.11.14. This might have caused the whole line erroring earlier.

I moved NAT-related stuff to ip (IPv4) filter instead of inet:

define wanif = wan0
define lanif = lan0
define home_net = 192.168.1.0/24
define home_net_gw = 192.168.1.1

# Port forwards
define port_fwd_ip = 192.168.1.11
define port_fwds_udp = {12345}
define port_fwds_tcp = {54321}

# IPv4 & IPv6
table inet filter {
    # ...
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state invalid drop

        # ...

        # Port forward WAN -> LAN
        iifname $wanif oifname $lanif tcp dport $port_fwds_tcp accept comment "Accept forwarded TCP"
        iifname $wanif oifname $lanif udp dport $port_fwds_udp accept comment "Accept forwarded UDP"
    }
    # ...
}

# IPv4
table ip filter {
    # NAT
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        ct state invalid drop

        # TCP SYN (CT NEW)
        tcp flags & (fin|syn|rst|ack) != syn ct state {new} drop

        # Port forward WAN -> LAN
        iifname $wanif tcp dport $port_fwds_tcp dnat to $port_fwd_ip comment "Port forwards TCP"
        iifname $wanif udp dport $port_fwds_udp dnat to $port_fwd_ip comment "Port forwards UDP"
    }

    # NAT
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        ct state invalid drop

        oifname $wanif masquerade persistent comment "MasqNAT"
    }
}

--
Pekka Järvinen
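
A way to check for the leftover iptables modules mentioned in the message, as an added example that is not part of the original thread: it compares a /proc/modules-format listing against modprobe.d blacklist lines. The function names are hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# Added example: report legacy iptables modules that are loaded even though a
# modprobe.d file blacklists them. Module list taken from the message above.
LEGACY_MODULES="ip_tables iptable_nat"

# loaded_legacy FILE: names from LEGACY_MODULES found in a /proc/modules-format file.
loaded_legacy() {
    awk -v want="$LEGACY_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) legacy[w[i]] = 1 }
        ($1 in legacy) { print $1 }
    ' "$1" | LC_ALL=C sort
}

# blacklisted FILE...: module names with an active (uncommented) "blacklist" line.
blacklisted() {
    awk '$1 == "blacklist" && $2 != "" { print $2 }' "$@" | LC_ALL=C sort -u
}

# loaded_despite_blacklist MODULES_FILE CONF...: blacklisted but still loaded.
loaded_despite_blacklist() {
    modfile=$1; shift
    bl=$(blacklisted "$@")
    for m in $(loaded_legacy "$modfile"); do
        printf '%s\n' "$bl" | grep -qx "$m" && printf '%s\n' "$m"
    done
    return 0
}

# Constructed sample data (not captured from a real host).
demo=$(mktemp -d)
cat > "$demo/modules" <<'EOF'
nf_tables 249856 42 nft_ct,nft_masq,nft_nat, Live 0x0000000000000000
iptable_nat 16384 0 - Live 0x0000000000000000
ip_tables 32768 1 iptable_nat, Live 0x0000000000000000
nf_nat 53248 3 nft_masq,nft_nat,iptable_nat, Live 0x0000000000000000
EOF
cat > "$demo/blacklist.conf" <<'EOF'
# constructed copy of the blacklist.conf shown in the message
blacklist ip_tables
blacklist iptable_nat
EOF

echo "loaded legacy modules:";    loaded_legacy "$demo/modules"
echo "loaded despite blacklist:"; loaded_despite_blacklist "$demo/modules" "$demo/blacklist.conf"
```

On a live host, pass /proc/modules and the files under /etc/modprobe.d/ instead of the samples. A blacklist entry does not unload a module that is already in memory, so a name printed here stays loaded until it is removed with rmmod or the host reboots.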