Need help translating iptables to nftables

Hi,

I'm trying to translate from iptables to nftables and came to the conclusion that I am a complete moron when it comes to networking :wink:

Old rules:

iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 192.168.1.1:53
iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.1.1:53
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 123 -j DNAT --to 192.168.1.1:123
iptables -t nat -I PREROUTING -i br-lan -p udp --dport 123 -j DNAT --to 192.168.1.1:123

New rules:

nft insert rule ip nat PREROUTING iifname "br-lan" tcp dport 53 counter dnat to 192.168.1.1:53
nft insert rule ip nat PREROUTING iifname "br-lan" udp dport 53 counter dnat to 192.168.1.1:53
nft insert rule ip nat PREROUTING iifname "br-lan" tcp dport 123 counter dnat to 192.168.1.1:123
nft insert rule ip nat PREROUTING iifname "br-lan" udp dport 123 counter dnat to 192.168.1.1:123

But it's not working, as I get errors. So I'm missing something obviously.

Some pointers would be really appreciated.

Why can't you add these via UCI syntax?


You could put the following in /etc/config/firewall

config redirect 'redirect_53'
	option name 'redirect_53'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_port '53'
	option target 'DNAT'

config redirect 'redirect_123'
	option name 'redirect_123'
	option src 'lan'
	option proto 'tcp udp'
	option src_dport '123'
	option dest_port '123'
	option target 'DNAT'

I'm assuming 192.168.1.1 is the device the firewall is running on. Are you using these rules to force DNS and NTP via your router?
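As an added example (my own script, not something from this thread or from OpenWrt), here is a small Python translator that does what the answer above describes by hand: it parses the four iptables DNAT rules from the question, merges tcp and udp on the same port into one `config redirect` section, and leaves out `dest_ip` when the target is the router itself, which is the case that shows up as "this device". The mapping of br-lan to the 'lan' zone and 192.168.1.1 as the router's own address are assumptions.

```python
import re

# Constructed input: the four iptables DNAT rules from the question.
IPTABLES_RULES = """
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 53 -j DNAT --to 192.168.1.1:53
iptables -t nat -I PREROUTING -i br-lan -p udp --dport 53 -j DNAT --to 192.168.1.1:53
iptables -t nat -I PREROUTING -i br-lan -p tcp --dport 123 -j DNAT --to 192.168.1.1:123
iptables -t nat -I PREROUTING -i br-lan -p udp --dport 123 -j DNAT --to 192.168.1.1:123
"""

# Assumptions: br-lan belongs to the 'lan' firewall zone, 192.168.1.1 is the router itself.
ZONE_OF_IFACE = {"br-lan": "lan"}
ROUTER_IP = "192.168.1.1"
RULE_RE = re.compile(
    r"iptables -t nat -[IA] PREROUTING -i (?P<iface>\S+) -p (?P<proto>tcp|udp) "
    r"--dport (?P<dport>\d+) -j DNAT --to (?P<ip>[\d.]+)(?::(?P<port>\d+))?$"
)

def parse_rules(text):
    """Parse PREROUTING DNAT lines into dicts; reject anything the pattern does not cover."""
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: " + line)
        rule = m.groupdict()
        rule["port"] = rule["port"] or rule["dport"]  # '--to ip' without :port keeps dport
        rules.append(rule)
    return rules

def to_uci(rules):
    """Emit /etc/config/firewall redirect sections, merging tcp+udp with the same target."""
    groups = {}
    for r in rules:
        groups.setdefault((r["iface"], r["dport"], r["ip"], r["port"]), []).append(r["proto"])
    sections = []
    for (iface, dport, ip, port), protos in groups.items():
        name = "redirect_" + dport
        proto = " ".join(p for p in ("tcp", "udp") if p in protos)
        lines = [f"config redirect '{name}'", f"\toption name '{name}'",
                 f"\toption src '{ZONE_OF_IFACE[iface]}'", f"\toption proto '{proto}'",
                 f"\toption src_dport '{dport}'"]
        if ip != ROUTER_IP:  # omitting dest_ip makes the redirect target the router ("this device")
            lines.append(f"\toption dest_ip '{ip}'")
        lines += [f"\toption dest_port '{port}'", "\toption target 'DNAT'"]
        sections.append("\n".join(lines))
    return "\n\n".join(sections)

if __name__ == "__main__":
    print(to_uci(parse_rules(IPTABLES_RULES)))
```

Running it prints the two redirect sections shown in the answer above; a rule whose DNAT target is some other LAN host gets an explicit `option dest_ip` instead.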

Why does it say "this device" and not "wan"? (trying to understand)

Aren't you trying to force any traffic from machines on your lan to port 53 and 123 to your router?

Are you forcing port 53 because of adblock?

Are you running an NTP server that you want to force all clients to use?

Yes, all 53 and 123 traffic needs to be forced through the router because of adblock and NTP.

I'm not sure why it says this device but I guess if you don't specify a dest_ip it defaults to the device itself?

I tried to figure it out in the documentation but I can't see it. Perhaps you can figure it out from here or someone else can explain?

FYI, adblock has an option to create the force dns rules for you, so maybe you don't need to put it in manually anymore and let adblock take care of it.


Your router exists on all network it's connected to, not just WAN.

Yes, you were correct, those were old remnants from adblock. Checking the "force dns rules" option auto-adds them to the firewall.

@lleachii
ahh, that makes sense

regarding your first answer to my question:
UCI? Can I assume its command-line syntax is independent of iptables/nftables, so a future migration to fw5 would still use the same UCI syntax?

It’s hardcoded to say this device.

It's independent of iptables/nftables. OpenWrt is translating it in the background.

@dave14305
I figured that someone wrote it, but I fail to understand the significance. Please elaborate.

@d687r02j8g
That's really nice :smiley:

I have no idea what the truth is, but I would speculate that originally port forwards were meant to deal with traffic arriving from the WAN to the router’s WAN IP (this device), but could also be used to redirect traffic from the LAN with similar functions, regardless of where the traffic was heading. In other words, redirect traffic as it arrives at “this device” regardless of where it originated.

At least that’s what I tell myself so I can sleep at night.

