nftables dnat forwarding is not working properly


Solution 1

Thanks to Роман Иванов for useful nft monitor.

NAT doesn't work because I use this rule at the end of filter forward:

iifname wan0 reject

In the chain NAT you need the rule:

NAT => PREROUTING

nft add rule nat prerouting iifname wan0 tcp dport { 80, 443 } dnat to 192.168.0.10

In the chain FILTER you need the rule:

FILTER => FORWARD

nft add rule filter forward iifname wan0 oifname lan0 ip daddr 192.168.0.10 tcp dport { 80, 443 } accept

Solution 2

Here are some steps you can take:

  1. "type nat hook prerouting priority 0;" <- should be -100 (minus one hundred) according to the NF_IP_PRI_NAT_DST netfilter constant
  2. Use "meta nftrace set 1" in prerouting and "nft monitor" to debug your packet flow
  3. Use the simplest ruleset to isolate the problem and make an example

I also have a non-working dnat. From one iface all is OK, but from the other it is not.

Packets enter prerouting, dnat is accepted, but nothing happens after this. "conntrack -E" does not see these packets.
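The two answers put together as one loadable ruleset. This is an added example, not code from either answer: it uses the DNAT prerouting chain at priority -100 (NF_IP_PRI_NAT_DST), places the forward accept for the DNAT'd connections before the catch-all `iifname wan0 reject`, and adds an optional trace chain for `nft monitor trace`. The interface names wan0/lan0 and the target 192.168.0.10 are reused from the thread; the postrouting masquerade, the `ct status dnat` match and the raw-priority (-300) trace chain are assumptions of this example, not something the answers state.

```shell
#!/bin/sh
# Added example (not from the thread): complete nftables ruleset for forwarding
# TCP 80/443 from wan0 to a container at 192.168.0.10 behind lan0.
# Interface names and the target address are assumptions reused from the thread.
WAN_IF="${WAN_IF:-wan0}"
LAN_IF="${LAN_IF:-lan0}"
TARGET="${TARGET:-192.168.0.10}"
PORTS="${PORTS:-80, 443}"

# Print the ruleset in nft script syntax (suitable for `nft -f -`).
gen_ruleset() {
    cat <<EOF
flush ruleset

table ip nat {
    chain prerouting {
        # NF_IP_PRI_NAT_DST = -100: DNAT must happen before the routing decision
        type nat hook prerouting priority -100; policy accept;
        iifname "$WAN_IF" tcp dport { $PORTS } dnat to $TARGET
    }
    chain postrouting {
        # NF_IP_PRI_NAT_SRC = 100: masquerade traffic leaving via the WAN side
        type nat hook postrouting priority 100; policy accept;
        oifname "$WAN_IF" masquerade
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Accept the DNAT'd connections; this rule must precede the WAN reject.
        iifname "$WAN_IF" oifname "$LAN_IF" ip daddr $TARGET tcp dport { $PORTS } ct status dnat accept
        # Hosts behind lan0 may reach the outside.
        iifname "$LAN_IF" oifname "$WAN_IF" accept
        # Anything else from the WAN side is rejected. Without the accept rule
        # above, this line is what silently killed the forwarded traffic.
        iifname "$WAN_IF" reject
    }
}
EOF
}

# Optional debugging chain (assumption: raw priority -300 so the trace starts
# before NAT). Load it, then run `nft monitor trace` to watch the packet walk.
gen_trace_chain() {
    cat <<EOF
table ip filter {
    chain trace {
        type filter hook prerouting priority -300; policy accept;
        iifname "$WAN_IF" tcp dport { $PORTS } meta nftrace set 1
    }
}
EOF
}

# Return 0 if the forward accept for DNAT'd traffic precedes the WAN reject.
rule_order_ok() {
    accept_ln=$(gen_ruleset | grep -n 'ct status dnat accept' | cut -d: -f1)
    reject_ln=$(gen_ruleset | grep -n "iifname \"$WAN_IF\" reject" | cut -d: -f1)
    [ -n "$accept_ln" ] && [ -n "$reject_ln" ] && [ "$accept_ln" -lt "$reject_ln" ]
}

# Load the ruleset when nft is available and we are root; otherwise print it.
apply_ruleset() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        gen_ruleset | nft -f -      # use `nft -c -f -` to only syntax-check
    else
        gen_ruleset
    fi
}

if [ "${1:-}" = "--apply" ]; then apply_ruleset; else gen_ruleset; fi
```

Run it without arguments to print the ruleset, or as root with `--apply` to load it; `gen_trace_chain | nft -f -` adds the trace chain on top when you need to follow a packet with `nft monitor trace`. The `ct status dnat` match restricts the forward accept to connections that were actually rewritten by the prerouting chain, which is tighter than matching on the destination address alone.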

Updated on September 18, 2022

Comments

  • Admin
    Admin almost 2 years

    Good day,

    I am currently migrating from iptables to nftables. The problem is my systemd containers are running behind NAT, but I want to forward ports like 443 or 80 to them. There is no error message when I use the following set of commands, but neither do I get to my web server when I use nftables.

    Many thanks in advance.

    With best regards, Felix

    EDIT: The problem was solved by the helpful comments. Thank you!

    • Admin
      Admin over 6 years
      Please make sure any relevant information is in your question, not linked to an external site. Especially since the external site you linked to is broken.