Iptables-translate to nftables

Heyho

I recently upgraded to the latest openwrt version and nftables.
I had some iptables rules in /etc/firewall.user that stopped working after the update, so I used iptables-translate to convert them to nftables, but I am running into problems and I am still figuring out what the cause might be.

Basically, I want to make sure that every connection uses the local DNS server.

iptables:

iptables -t nat -A PREROUTING -i br-GUEST -p udp --dport 53 -j DNAT --to 192.168.50.1:5353
iptables -t nat -A PREROUTING -i br-GUEST -p tcp --dport 53 -j DNAT --to 192.168.50.1:5353
iptables -t nat -A PREROUTING -i br-lan.1 -p udp --dport 53 -j DNAT --to 192.168.50.1:5353
iptables -t nat -A PREROUTING -i br-lan.1 -p tcp --dport 53 -j DNAT --to 192.168.50.1:5353
iptables -t nat -A PREROUTING -i br-lan.2 -p udp --dport 53 -j DNAT --to 192.168.50.1:5353
iptables -t nat -A PREROUTING -i br-lan.2 -p tcp --dport 53 -j DNAT --to 192.168.50.1:5353
iptables -t nat -A PREROUTING -i wg0 -p udp --dport 53 -j DNAT --to 192.168.50.1:5353
iptables -t nat -A PREROUTING -i wg0 -p tcp --dport 53 -j DNAT --to 192.168.50.1:5353

nftables:

nft add rule ip nat PREROUTING iifname "br-GUEST" udp dport 53 counter dnat to 192.168.50.1:5353
nft add rule ip nat PREROUTING iifname "br-GUEST" tcp dport 53 counter dnat to 192.168.50.1:5353
nft add rule ip nat PREROUTING iifname "br-lan.1" udp dport 53 counter dnat to 192.168.50.1:5353
nft add rule ip nat PREROUTING iifname "br-lan.1" tcp dport 53 counter dnat to 192.168.50.1:5353
nft add rule ip nat PREROUTING iifname "br-lan.2" udp dport 53 counter dnat to 192.168.50.1:5353
nft add rule ip nat PREROUTING iifname "br-lan.2" tcp dport 53 counter dnat to 192.168.50.1:5353
nft add rule ip nat PREROUTING iifname "wg0" udp dport 53 counter dnat to 192.168.50.1:5353
nft add rule ip nat PREROUTING iifname "wg0" tcp dport 53 counter dnat to 192.168.50.1:5353

or just:

nft add rule nat pre udp dport 53 ip saddr 192.168.50.0/24 dnat 192.168.50.1:5353
nft add rule nat pre tcp dport 53 ip saddr 192.168.50.0/24 dnat 192.168.50.1:5353

The problem I face is this:

Error: Could not process rule: No such file or directory
add rule ip nat PREROUTING iifname br-GUEST udp dport 53 counter dnat to 192.168.50.1:5353
            ^^^

What should I use instead?

Usually you can do the same with a firewall rule:

config redirect
        option target 'DNAT'
        option name 'DNS Intercept'
        option src 'lan'
        option src_dport '53'
        option dest_port '5353'

Results in:

chain dstnat_lan {
    meta nfproto ipv4 tcp dport 53 counter packets 0 bytes 0 redirect to :5353 comment "!fw4: DNS Intercept"
    meta nfproto ipv4 udp dport 53 counter packets 7 bytes 509 redirect to :5353 comment "!fw4: DNS Intercept"
}

Thanks!

Do you know where the error is? Why doesn't it work?

Error: Could not process rule: No such file or directory
add rule ip nat PREROUTING iifname br-GUEST udp dport 53 counter dnat to 192.168.50.1:5353
            ^^^

Is it possible with your solution to add multiple option src entries? Like:

config redirect
        option target 'DNAT'
        option name 'DNS Intercept'
        option src 'br-GUEST br-lan.1 wg0'
        option src_dport '53'
        option dest_port '5353'

or

config redirect
        option target 'DNAT'
        option name 'DNS Intercept'
        option src 'br-GUEST'
        option src 'br-lan.1'
        option src 'wg0'
        option src_dport '53'
        option dest_port '5353'

or should I use one block for every interface?

The nft structure is inet fw4 instead of ip nat. Predefined chains in firewall4 do not include PREROUTING.

What firewall zone are the other interfaces belonging to?

Run nft list ruleset to see what the new structure looks like.

br-lan.1 is for 192.168.50.1 (zone proxmox) and br-lan.2 for 192.168.1.1 (zone lan). wg0 (zone wireguard), and br-GUEST isn't enabled anyway. So I just created zones to keep them separate, especially wifi access for guests, which I don't have ;D. Nah, they mostly use their phones anyway and I turned the wifi AP off.

So actually I just want to make sure that every device is using the DNS server, which is actually AdGuard Home ("upstream DNS servers" set to dnscrypt).
I used to use the firewall box in the GUI, which is gone since the latest update/version, but I read in the docs that /etc/firewall.user is still usable. I also have DNS forwardings set under DHCP and DNS, which should do the trick anyway, but this was always a 100% solution, and I am trying to understand nftables in general at the moment so I can move on to other servers running nftables and/or firewalld as well.

You have several options to choose from.

  1. Duplicate the entire redirect rule for each zone. Let firewall4 create the nftables rules.

  2. Add the translated nft statements using nft add rule inet fw4 dstnat instead of ip nat PREROUTING.

  3. Use a firewall4 include file at /usr/share/nftables.d/chain-pre/dstnat/ that contains valid nftables syntax (not nft add statements). See the README in the nftables.d directory.

And there are probably more options that I’m not familiar with since I don’t use multiple LAN zones on my router.

2 Likes
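As an added example of option 3 (this is not code from the thread): an include file dropped into the directory named above. The file name 10-dns-intercept.nft is an assumption; the directory is firewall4's, and fw4 splices every *.nft file found there into the top of its dstnat chain in table inet fw4 each time it renders the ruleset, so the rules come back after a reload, which is not the case for anything added with nft add rule. The interface names and the 192.168.50.1:5353 target are the ones from the question. The include is spliced into a chain body, so it holds bare rule lines with no table or chain wrapper, and because the table family is inet rather than ip, the NAT target has to be written dnat ip to.

```nftables
# Added example, not from the thread: /usr/share/nftables.d/chain-pre/dstnat/10-dns-intercept.nft
# (the file name is an assumption; the directory is the one fw4 includes at the
# top of "chain dstnat" in "table inet fw4", before the per-zone dstnat_<zone> jumps).
#
# Bare rule lines only: fw4 pastes this text inside the chain, so there is no
# "table"/"chain" wrapper and no "nft add rule" prefix.
#
# Interfaces and target taken from the question: br-lan.1, br-lan.2 and wg0 are
# the interfaces whose clients must use the resolver on 192.168.50.1:5353.
# "meta nfproto ipv4" mirrors what fw4 itself emits for redirects, and
# "dnat ip to" (not plain "dnat to") is required because the table is inet.
iifname { "br-lan.1", "br-lan.2", "wg0" } meta nfproto ipv4 meta l4proto { tcp, udp } th dport 53 counter dnat ip to 192.168.50.1:5353 comment "DNS intercept"
```

After saving the file, run fw4 check to have fw4 render the full ruleset (includes and all) through nft -c, then fw4 reload. nft list chain inet fw4 dstnat should then show the rule at the top of the chain, and its counter will climb as clients send DNS queries; a rule added by hand with nft add rule inet fw4 dstnat ... (option 2) behaves the same until the next reload, when fw4 rebuilds the table without it.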

Thank you for your help!
I've decided to go with option 1.

1 Like
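For reference, option 1 as chosen above, spelled out as an added example that is not part of the thread: one redirect section per zone, using the zone names given earlier in the thread (lan, proxmox, wireguard) and the same 53 to 5353 mapping as the earlier reply. Without option dest_ip, fw4 emits redirect to :5353, so each query goes to the address of the interface it arrived on and the resolver has to listen on each of those addresses; adding option dest_ip '192.168.50.1' to each section would reproduce the original iptables DNAT target instead. The proto line is written out explicitly here, although the earlier reply shows that fw4 generates both tcp and udp rules when it is omitted.

```uci
# Added example, not from the thread: appended to /etc/config/firewall.
# One "config redirect" block per source zone; fw4 turns each into a pair of
# tcp/udp rules in chain dstnat_<zone> of table inet fw4, exactly like the
# single-zone example earlier in the thread.

config redirect
        option name 'DNS Intercept lan'
        option target 'DNAT'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '5353'

config redirect
        option name 'DNS Intercept proxmox'
        option target 'DNAT'
        option src 'proxmox'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '5353'

config redirect
        option name 'DNS Intercept wireguard'
        option target 'DNAT'
        option src 'wireguard'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '5353'
```

Apply it with /etc/init.d/firewall reload and confirm with nft list table inet fw4, which should show a dstnat_lan, dstnat_proxmox and dstnat_wireguard chain each carrying the two redirect rules; the packet counters on the udp rules are the quickest way to see that clients really are being intercepted.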