Help Converting IPTables Rules to nftables rules

Hello All, I have read through lots of posts about converting IPTables rules to NFtables rules and I am just stuck; obviously I am a noob trying to do something that I am not able to do, even while being spoon-fed lots of good information!

Could someone please help by converting the following IPTables rules to nftables rules:

iptables -t mangle -I PREROUTING -j TTL --ttl-set 65
iptables -t mangle -I POSTROUTING -j TTL --ttl-set 65
ip6tables -t mangle -I PREROUTING -j HL --hl-set 65
ip6tables -t mangle -I POSTROUTING -j HL --hl-set 65

This is for tethering my iPhone. I tried SSHing into my router (GL-iNet Flint1, latest firmware) and can't get the translate command to work (hence my level of knowledge on all this is very low).

Appreciate the help!

Here’s an nftables solution:


Wow, how I did not find these searching I don't know, these seem very close if not exactly what I am looking for. Starting to study these posts. Thanks!


Hello All,

I wanted to close the loop on this in case others are trying to do the same. In short, this involved creating the file firewall.user in the directory /etc, adding the rules there, and then also adding an include command in the firewall configuration file in /etc/config.

If anyone is interested in more details or the specific code please feel free to message me.

Eric

Be my guest, solved here.

I have it

input interface wlan0 (10.0.0.1 ttl=1) output (10.0.0.1 ttl=65)

vim /etc/nftables.d/12-mangle-ttl-65.nft

# Files in /etc/nftables.d/ are included by fw4 inside its "table inet fw4",
# so the chains need no table wrapper of their own.
chain mangle_prerouting_ttl65 {
  type filter hook prerouting priority 300; policy accept;
  iifname "eth0" counter ip ttl set 65         # IPv4, same as iptables TTL --ttl-set
  iifname "eth0" counter ip6 hoplimit set 65   # IPv6, same as ip6tables HL --hl-set
}

chain mangle_postrouting_ttl65 {
  type filter hook postrouting priority 300; policy accept;
  oifname "eth0" counter ip ttl set 65
  oifname "eth0" counter ip6 hoplimit set 65
}

root@Redmi-Note-12:~# fw4 check
Ruleset passes nftables check.

This translates to

iptables -t mangle -A PREROUTING -i eth0 -j TTL --ttl-set 65
iptables -t mangle -A POSTROUTING -o eth0 -j TTL --ttl-set 65

ip6tables -t mangle -A PREROUTING -i eth0 -j HL --hl-set 65
ip6tables -t mangle -A POSTROUTING -o eth0 -j HL --hl-set 65

You can re-use the original hook names. And output must be raw_output, where the output interface is clear, if you use e.g. a VPN.
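As an added example that is not from this thread: iptables-translate has no mapping for the TTL and HL targets, which is why the translate command fails for these rules, so here is a small Python converter for exactly this rule shape. It reproduces the rule lines and the chain layout (fw4 include file, priority 300) shown above; the chain names it emits and the rejection of unsupported options are assumptions of this example, not behaviour of any OpenWrt tool.

```python
import shlex

# Hook names for the only two mangle chains the TTL/HL targets are used in here
_HOOKS = {"PREROUTING": "prerouting", "POSTROUTING": "postrouting"}
_OPTS_WITH_ARG = ("-t", "-A", "-I", "-i", "-o", "-j", "--ttl-set", "--hl-set")

def translate_ttl_rule(cmd):
    """Translate one iptables/ip6tables TTL/HL command into (hook, nft rule)."""
    argv = shlex.split(cmd)
    if not argv or argv[0] not in ("iptables", "ip6tables"):
        raise ValueError(f"not an iptables command: {cmd}")
    family = "ip" if argv[0] == "iptables" else "ip6"
    opts, i = {}, 1
    while i < len(argv):  # every supported option takes exactly one argument
        if argv[i] not in _OPTS_WITH_ARG or i + 1 >= len(argv):
            raise ValueError(f"unsupported option {argv[i]!r} in: {cmd}")
        opts[argv[i]] = argv[i + 1]
        i += 2
    if opts.get("-t") != "mangle":
        raise ValueError("TTL/HL targets only exist in the mangle table")
    chain = opts.get("-A") or opts.get("-I")
    if chain not in _HOOKS:
        raise ValueError(f"unsupported chain {chain!r} in: {cmd}")
    # iptables itself rejects -i outside PREROUTING and -o outside POSTROUTING
    if ("-i" in opts and chain != "PREROUTING") or ("-o" in opts and chain != "POSTROUTING"):
        raise ValueError(f"interface match not valid in {chain}: {cmd}")
    if family == "ip" and opts.get("-j") == "TTL" and "--ttl-set" in opts:
        action = f"ip ttl set {int(opts['--ttl-set'])}"
    elif family == "ip6" and opts.get("-j") == "HL" and "--hl-set" in opts:
        action = f"ip6 hoplimit set {int(opts['--hl-set'])}"
    else:
        raise ValueError(f"unsupported target in: {cmd}")
    match = f'iifname "{opts["-i"]}" ' if "-i" in opts else ""
    match += f'oifname "{opts["-o"]}" ' if "-o" in opts else ""
    return _HOOKS[chain], f"{match}counter {action}"

def render_ruleset(cmds):
    """Group translated rules into chains laid out like the thread's .nft file."""
    by_hook = {}
    for cmd in cmds:
        hook, rule = translate_ttl_rule(cmd)
        by_hook.setdefault(hook, []).append(rule)
    blocks = []
    for hook, rules in by_hook.items():
        body = "\n".join(f"  {r}" for r in rules)
        blocks.append(f"chain mangle_{hook}_ttl {{\n"
                      f"  type filter hook {hook} priority 300; policy accept;\n"
                      f"{body}\n}}")
    return "\n\n".join(blocks)
```

Feed it the four iptables/ip6tables lines from the post above and write the output to a file under /etc/nftables.d/, then run fw4 check as shown before reloading.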