[Nftables/nftset/Routing] Firewall configuration for routing traffic over WAN instead of wg

Hi everyone,

I am currently struggling to translate a pre-nftables configuration/setup correctly to be used with 22.03.2.

My setup is an Archer C6v3 behind a modem, connected via WAN and routing all traffic from LAN over a wireguard interface. In order to avoid the geoblocking of several streaming services I need to route traffic directed to these domains directly over WAN.

To do so with nftables, I have installed dnsmasq 2.87 to be able to use nftset.

The old process of setting everything up was as follows:

ipset create streaminglist hash:ip
echo "9 streaminglist" >> /etc/iproute2/rt_tables
uci set firewall.@defaults[0].forward='ACCEPT'
uci commit
echo "ipset=/example.com/streaminglist" >> /etc/dnsmasq.conf
/etc/init.d/dnsmasq restart
/etc/init.d/firewall restart

ip rule add prio 2 fwmark 3 lookup streaminglist
ip route add table streaminglist [defaultroute]

iptables -I PREROUTING 1 -t mangle -m set -w --match-set streaminglist dst -j MARK --set-mark 3

Now with v22.03.2 I have followed the same path for most of it.

echo "9 streaminglist" >> /etc/iproute2/rt_tables
uci set firewall.@defaults[0].forward='ACCEPT'
uci commit

echo "nftset=/example.com/#inet#streaminglist#streaming" >> /etc/dnsmasq.conf

/etc/init.d/dnsmasq restart
/etc/init.d/firewall restart

ip rule add prio 2 fwmark 3 lookup streaminglist
ip route add table streaminglist [defaultroute]

What I am struggling with, is the following:
What I am struggling with is the following:

I know I need to create a new table, streaminglist, but I am struggling with how to fill it. Do I need to create a set in order for nftset to fill it, or does nftset do it on its own? Which chains and rules do I need so that the packets to the domains nftset translates into elements (IPs) get marked (and forwarded?)?

I fiddled around a lot but never seemed to get the correct combination and have now reset everything and am looking for help. Any input is appreciated!

This might be useful
https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

Unfortunately this doesn't seem to yield a correct result, as the match and mark part is ignored.

# Generated by iptables-save v1.8.4 on Fri Dec 23 14:17:06 2022
*mangle
:PREROUTING ACCEPT [233:31465]
:INPUT ACCEPT [233:31465]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [254:32466]
:POSTROUTING ACCEPT [254:32466]
-A PREROUTING -m set --match-set streaminglist dst -j MARK --set-xmark 0x3/0xffffffff
COMMIT
# Completed on Fri Dec 23 14:17:06 2022
# Generated by iptables-save v1.8.4 on Fri Dec 23 14:17:06 2022
*filter
:INPUT ACCEPT [20786:22627532]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16080:2341401]
COMMIT
# Completed on Fri Dec 23 14:17:06 2022

is translated to:

# Translated by iptables-restore-translate v1.8.4 on Fri Dec 23 14:17:26 2022
add table ip mangle
add chain ip mangle PREROUTING { type filter hook prerouting priority -150; policy accept; }
add chain ip mangle INPUT { type filter hook input priority -150; policy accept; }
add chain ip mangle FORWARD { type filter hook forward priority -150; policy accept; }
add chain ip mangle OUTPUT { type route hook output priority -150; policy accept; }
add chain ip mangle POSTROUTING { type filter hook postrouting priority -150; policy accept; }
# -t mangle -A PREROUTING -m set --match-set streaminglist dst -j MARK --set-xmark 0x3/0xffffffff 
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
# Completed on Fri Dec 23 14:17:26 2022

You should be able to use the existing mangle prerouting chain and the rule should look like this:

nft insert rule inet fw4 mangle_prerouting ip daddr @streaminglist counter meta mark set 0x3

Check the hits by running nft list chain inet fw4 mangle_prerouting

Also check the result of nft list sets

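The reply above gives the single marking rule; the original post lists the remaining pieces (routing table entry, ip rule, default route, dnsmasq nftset lines) as separate commands. The script below is an added example that is not part of the thread and not OpenWrt's or fw4's own code. It ties those pieces together in a form that survives a firewall reload: instead of inserting into mangle_prerouting with nft at runtime (which fw4 discards when it rebuilds table inet fw4), it writes the sets and a small marking chain into an include file under /etc/nftables.d/, which fw4 pulls into table inet fw4 (that include path and behaviour are assumed from fw4's default ruleset). The interface name, gateway, set names, the 90-streaming.nft filename and the chain name streaming_mark are placeholders or choices of this example, not values from the thread; the routing-table id 9 and mark 3 are the ones the poster used. The generator functions only print text, so the file can be inspected or tested without root; apply and status run nft, ip and the init scripts.

```shell
#!/bin/sh
# Added example, not from the thread or from fw4: policy-route traffic for
# selected domains over WAN instead of the WireGuard default route.
# Placeholders (assumptions): WAN_IF, WAN_GW, NFT_INCLUDE, set/chain names.

MARK=0x3                         # fwmark the poster used
RT_ID=9                          # routing table id the poster used
RT_NAME=streaminglist
WAN_IF="${WAN_IF:-wan}"          # placeholder: your WAN interface
WAN_GW="${WAN_GW:-192.0.2.1}"    # placeholder: your WAN gateway (documentation prefix)
NFT_INCLUDE=/etc/nftables.d/90-streaming.nft   # assumed fw4 include location

# fw4 wraps every /etc/nftables.d/*.nft inside "table inet fw4 { }", so the
# file declares only sets and a chain, never its own "table" line.  A separate
# prerouting chain at mangle priority is used instead of editing
# mangle_prerouting, so the rule is recreated on every fw4 reload.
gen_nft_include() {
	cat <<EOF
set streaminglist {
	type ipv4_addr
}
set streaminglist6 {
	type ipv6_addr
}
chain streaming_mark {
	type filter hook prerouting priority mangle; policy accept;
	ip daddr @streaminglist counter meta mark set $MARK comment "route via WAN"
	ip6 daddr @streaminglist6 counter meta mark set $MARK comment "route via WAN"
}
EOF
}

# dnsmasq >= 2.87 syntax: nftset=/<domain>/[4|6]#<family>#<table>#<set>
# The sets live in table inet fw4, so that is the table dnsmasq must target.
gen_dnsmasq_lines() {
	for d in "$@"; do
		printf 'nftset=/%s/4#inet#fw4#streaminglist\n' "$d"
		printf 'nftset=/%s/6#inet#fw4#streaminglist6\n' "$d"
	done
}

# Policy routing: marked packets look up a table whose only route is WAN.
# An IPv6 default route for the table (via the WAN6 gateway) is left to the
# operator; without it marked IPv6 packets fall back to the main table.
gen_route_cmds() {
	cat <<EOF
grep -q "^$RT_ID $RT_NAME" /etc/iproute2/rt_tables || echo "$RT_ID $RT_NAME" >> /etc/iproute2/rt_tables
ip rule add prio 2 fwmark $MARK lookup $RT_NAME
ip -6 rule add prio 2 fwmark $MARK lookup $RT_NAME
ip route add default via $WAN_GW dev $WAN_IF table $RT_NAME
EOF
}

apply_all() {
	gen_nft_include > "$NFT_INCLUDE"
	gen_dnsmasq_lines "$@" >> /etc/dnsmasq.conf
	gen_route_cmds | sh
	/etc/init.d/firewall restart   # fw4 re-reads /etc/nftables.d/*.nft
	/etc/init.d/dnsmasq restart
}

# Verification, as suggested in the reply: rule hit counters and set contents.
show_status() {
	nft list chain inet fw4 streaming_mark
	nft list set inet fw4 streaminglist
	nft list set inet fw4 streaminglist6
	ip rule show
	ip route show table "$RT_NAME"
}

case "${1:-}" in
	apply)  shift; apply_all "$@" ;;   # sh streaming-wan.sh apply example.com
	status) show_status ;;
esac
```

Run it as `sh streaming-wan.sh apply example.com` once, then `sh streaming-wan.sh status` after resolving a name from the listed domain: the counter on the `ip daddr @streaminglist` rule should increase and the set should contain the resolved addresses. Only forwarded LAN traffic is marked here, since the chain hooks prerouting; the router's own connections would need a matching rule on the output hook.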

Thank you very much, this seems to be working. I had to add the sets for IPv4 and IPv6 respectively first before your rule stopped giving an error, but now, after going through the process twice per command line and once automated via script, with 2 reboots in between, my IP info tests give good results!

I'll do some further testing, so far I am very happy though, double thanks again!

