Need help to convert nftable commands to nft table rules

mdhasankhan5512 · March 13, 2025, 11:00am

can someone please convert this commands to nft table rules so i can put it in .nft files in /etc/nfttable.d directory

  nft add chain inet fw4 nat_prerouting { type nat hook prerouting priority -110 \; }

    # Add DNS redirection rules
    nft add rule inet fw4 nat_prerouting udp dport 53 redirect to 5333
    nft add rule inet fw4 nat_prerouting tcp dport 53 redirect to 5333

    # Add rules to the 'prerouting' chain with exclusions
    nft insert rule inet fw4 prerouting ip saddr {10.10.10.0/24} ip saddr != {10.10.10.100, 10.10.10.200, 10.10.10.120, 10.10.10.130} ip daddr 10.10.10.1 tcp dport 7681 drop
    nft insert rule inet fw4 prerouting ip saddr {10.10.10.0/24} ip saddr != {10.10.10.100, 10.10.10.200, 10.10.10.120, 10.10.10.130} ip daddr 10.10.10.1 udp dport 7681 drop

brada4 · March 13, 2025, 11:32am

Courtesy Debian 12

        chain nat_prerouting {
                type nat hook prerouting priority dstnat - 10; policy accept;
                meta l4proto { tcp, udp } th dport 53 redirect to :5333
        }

        chain prerouting {
                type filter hook prerouting priority filter; policy accept;
                meta nfproto ipv4 meta l4proto { tcp, udp } ip saddr 10.10.10.0/24 ip saddr != { 10.10.10.100, 10.10.10.120, 10.10.10.130, 10.10.10.200 } ip daddr 10.10.10.1 th dport 7681 drop
        }

brada4 · March 13, 2025, 12:04pm

Further optimisation is to replace ip saadr X ip saddr != Y with aggregated complements list and single address in packet reference

mdhasankhan5512 · March 13, 2025, 3:15pm

could you please give me the updated rules ?

brada4 · March 13, 2025, 3:42pm

Nope, do yourself.

system · March 23, 2025, 3:43pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.