Fw4 nftables - IP Forwarding - in nftables.d or nftables.conf or terminal?

Hi Folks, I need a simple IP-Forwarding. As I am used to iptables, I am not experienced with nftables.

  1. According to this post I should add custom rules in /etc/nftables.d, which makes sense if I check the "10-custom-filter-chains.nft" file inside the folder.
  2. But according to the wiki I should add the rule in /etc/nftables.conf
  3. Other examples are with terminal nftable commands.

Which one is it (if it should still be active after reboot)?

I want a simple IP forwarding like

iptables -t nat -A PREROUTING -p udp -d 1.2.3.4 -j DNAT --to-destination 192.168.0.100
iptables -t nat -A POSTROUTING -j MASQUERADE

According to the wiki and google it would need something like this in /etc/nftables.conf

table ip nat {
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                masquerade
        }

        chain prerouting {
                type nat hook prerouting priority -100; policy accept;
                ip daddr 1.2.3.4 ip protocol udp dnat to 192.168.0.100
        }
}

If I am supposed to change nftables.d, I struggle with the syntax. I can't find any prerouting/postrouting syntax example for nftables.d. Not in the 10-custom-filter-chains.nft, not on google, and I am afraid to make my device unreachable if I add something wrong. Is it chain user_post_routing with an underline like chain user_post_input?

Can someone with experience enlighten me?

What you want can be done using uci.

Better SNAT the traffic destined for 192.168.0.100 instead of masquerading everything.

If you insist on custom rules, you can insert them into the predefined dstnat and srcnat chains using includes.

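For the include route mentioned above, this is what a custom include file would look like; it is an added example, not a file from the thread or from fw4 itself, and it assumes that fw4 loads /etc/nftables.d/*.nft inside its `table inet fw4` declaration, so that a `chain dstnat { ... }` block appends rules to the predefined chain rather than creating a new one. Addresses are the ones used in this thread.

```nft
# /etc/nftables.d/20-dnat-1.2.3.4.nft  (example include; name is a placeholder)
# Assumption: fw4 includes this file inside "table inet fw4", so the chain
# blocks below extend the existing dstnat/srcnat chains of fw4.

chain dstnat {
        # Rewrite the destination of every packet sent to 1.2.3.4 so it goes
        # to the LAN host 192.168.0.100. Add "meta l4proto udp" before
        # "counter" to limit this to UDP, as in the original iptables rule.
        ip daddr 1.2.3.4 counter dnat ip to 192.168.0.100
}

chain srcnat {
        # SNAT only the traffic that was redirected to 192.168.0.100 so that
        # its replies return via the router; 192.168.0.1 is assumed to be the
        # router's LAN address. This avoids masquerading everything.
        ip daddr 192.168.0.100 counter snat ip to 192.168.0.1
}
```

Check the merged ruleset with `fw4 check` (or `nft -c -f` on the generated file) before `fw4 reload`, and confirm with `nft list chain inet fw4 dstnat` that the rule landed in the predefined chain.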

I am still not sure if I got it right. Could you please check my solution quickly?

I need every request in my LAN/WIFI from every device to 1.2.3.4 to be forwarded to 192.168.0.100

uci add firewall rule
uci set firewall.@rule[-1].name='Reject VPN to LAN traffic'
uci set firewall.@rule[-1].src='dmz'
uci set firewall.@rule[-1].src_dip='1.2.3.4'
uci set firewall.@rule[-1].dest_ip='192.168.0.100'
uci set firewall.@rule[-1].dest='lan'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].target='SNAT'
uci commit firewall
service firewall restart

Did I get it right?

I assume the router IP address on the relevant interface is 192.168.0.1.
Correct it if I'm wrong.

uci add firewall redirect
uci set firewall.@redirect[-1].name='DNAT-to-100'
uci set firewall.@redirect[-1].src='lan'
uci set firewall.@redirect[-1].dest='*'
uci set firewall.@redirect[-1].src_dip='1.2.3.4'
uci set firewall.@redirect[-1].dest_ip='192.168.0.100'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].proto='all'
uci set firewall.@redirect[-1].reflection='0'

uci add firewall nat
uci set firewall.@nat[-1].name='SNAT-to-100'
uci set firewall.@nat[-1].src='lan'
uci set firewall.@nat[-1].target='SNAT'
uci set firewall.@nat[-1].snat_ip='192.168.0.1' # The correct router IP addr here
uci set firewall.@nat[-1].dest_ip='192.168.0.100'
uci set firewall.@nat[-1].proto='all'

I see you have several zones.
If it doesn't work as expected, try these more general rules:

nft insert rule inet fw4 dstnat ip daddr 1.2.3.4 counter dnat ip to 192.168.0.100
nft insert rule inet fw4 srcnat ip daddr 192.168.0.100 counter snat ip to 192.168.0.1 # <- the router IP

I just have two zones: LAN and WAN.
If you think that because of my DMZ example: I just edited one example from the internet and forgot to change the name, and therefore DMZ was wrong. Sorry.

Thank you so much, your effort saved me so much time. But it even works without the @nat part. This was already enough:

uci add firewall redirect
uci set firewall.@redirect[-1].name='Redirect requests to 1.2.3.4 '
uci set firewall.@redirect[-1].src='lan'
uci set firewall.@redirect[-1].dest='*'
uci set firewall.@redirect[-1].src_dip='1.2.3.4'
uci set firewall.@redirect[-1].dest_ip='192.168.0.100'
uci set firewall.@redirect[-1].target='DNAT'
uci set firewall.@redirect[-1].proto='all'
uci set firewall.@redirect[-1].reflection='0'
uci commit firewall
service firewall restart