nftables dnat forwarding is not working properly
Solution 1
Thanks to Роман Иванов for the useful nft monitor suggestion.
NAT doesn't work because I use this rule at the end of filter forward:
iifname wan0 reject
In the nat chain you need the rule:
NAT => PREROUTING
nft add rule nat prerouting iifname wan0 tcp dport { 80, 443 } dnat 192.168.0.10
In the filter chain you need the rule:
FILTER => FORWARD
nft add rule filter forward iifname wan0 oifname lan0 ip daddr 192.168.0.10 tcp dport { 80, 443 } accept
Solution 2
Here are some steps you can take:
- type nat hook prerouting priority 0; <- should be -100 (minus one hundred), according to the NF_IP_PRI_NAT_DST netfilter constant
- Use "meta nftrace set 1" in prerouting and "nft monitor" to debug your packet flow
- Use the simplest ruleset to isolate the problem and serve as an example
I also have DNAT not working. From one interface all is OK, but from the other it is not.
Packets enter prerouting and the dnat is accepted, but nothing happens after this. "conntrack -E" does not see these packets.
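The two answers describe the same fix from two sides: a dnat rule in a prerouting chain that runs at priority -100 (the named priority dstnat), and a forward rule that accepts the packet after its destination has been rewritten, placed before the catch-all reject. The script below is an added example, not code from the original post or its answers, that puts both into one loadable ruleset and adds the checks from Solution 2. It assumes the interface names wan0/lan0 and the target 192.168.0.10 from the question; the masquerade rule, the ct status dnat match, the counter, the ip_forward sysctl and the helper functions are additions.

```shell
#!/bin/sh
# Added example (not from the original post): a complete nftables ruleset that
# forwards TCP 80/443 arriving on wan0 to a host at 192.168.0.10 behind lan0,
# plus the checks suggested in the answers. Interface names and the target
# address are assumptions taken from the question; override them via the environment.
set -eu

WAN_IF="${WAN_IF:-wan0}"
LAN_IF="${LAN_IF:-lan0}"
TARGET="${TARGET:-192.168.0.10}"
PORTS="{ 80, 443 }"

# Emit the ruleset on stdout so it can be syntax-checked (nft -c) before loading.
ruleset() {
    cat <<EOF
flush ruleset

table ip nat {
    chain prerouting {
        # dstnat is the named priority for -100 (NF_IP_PRI_NAT_DST): the
        # destination must be rewritten before routing and before filter hooks.
        type nat hook prerouting priority dstnat; policy accept;
        iifname "$WAN_IF" tcp dport $PORTS dnat to $TARGET
    }
    chain postrouting {
        # Assumed: the LAN side is private space, so replies need source NAT.
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$WAN_IF" masquerade
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # The forward hook sees the packet after DNAT, so match the rewritten
        # daddr; ct status dnat limits the accept to flows the nat chain created.
        # The counter lets "nft list ruleset" show whether the rule is hit.
        iifname "$WAN_IF" oifname "$LAN_IF" ip daddr $TARGET ct status dnat tcp dport $PORTS counter accept
        iifname "$LAN_IF" oifname "$WAN_IF" accept
        # The catch-all from the question stays last; it no longer swallows the DNATed flow.
        iifname "$WAN_IF" reject
    }
}
EOF
}

# Parse the ruleset without touching the kernel, then load it and enable forwarding.
load_ruleset() {
    ruleset | nft -c -f -
    ruleset | nft -f -
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
}

# Debug helper from Solution 2: mark the flow for tracing, then watch it pass
# through every hook with "nft monitor trace" while connecting from the WAN side.
trace_flow() {
    nft insert rule ip nat prerouting "iifname $WAN_IF tcp dport $PORTS meta nftrace set 1"
    echo "now run: nft monitor trace   (and: conntrack -E)" >&2
}

case "${1:-show}" in
    show)  ruleset ;;
    check) ruleset | nft -c -f - && echo "ruleset parses" ;;
    load)  load_ruleset ;;
    trace) trace_flow ;;
    *)     echo "usage: $0 {show|check|load|trace}" >&2 ;;
esac
```

Run with no argument to print the ruleset, `check` to parse it on a box that has nft, `load` to install it (this flushes the existing ruleset, which is what the "simplest ruleset" advice asks for on a test machine), and `trace` to add the nftrace marker. If the counter on the accept rule stays at zero while `nft monitor trace` shows the packet leaving prerouting with the new destination, the drop is happening in the forward chain, which is exactly the failure Solution 1 describes.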
Updated on September 18, 2022

Comments
-
Admin almost 2 years
Good day,
I am currently migrating from iptables to nftables. The problem is that my systemd containers are running behind NAT, but I want to forward ports like 443 or 80 to them. There is no error message when I use the following set of commands, but neither do I get to my web server when I use nftables.
Many thanks in advance.
With best regards, Felix
EDIT.: The problem was solved by the helpful comments. Thank you!
-
Admin over 6 years
Please make sure any relevant information is in your question, not linked to an external site, especially since the external site you linked to is broken.