nftables
[root@evpn2 ~]# yum install -y nftables
Repository base is listed more than once in the configuration
CentOS-8 - Updates                               24  B/s |  38  B     00:01
Failed to synchronize cache for repo 'updates', ignoring this repo.
Last metadata expiration check: 0:41:40 ago on Fri 20 Mar 2020 09:42:20 PM CST.
Package nftables-1:0.9.0-8.el8.aarch64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
[root@evpn2 ~]# iptables -t nat -F
[root@evpn2 ~]# nft add table nat
[root@evpn2 ~]# nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
[root@evpn2 ~]# nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
[root@evpn2 ~]# nft add rule nat postrouting oifname default_g1 counter masquerade
[root@evpn2 ~]# nft add rule nat postrouting oifname enp1s0 -j MASQUERADE
Error: syntax error, unexpected newline
add rule nat postrouting oifname enp1s0 MASQUERADE
                                                  ^
[root@evpn2 ~]# nft add rule nat postrouting oifname enp1s0 counter masquerade

The `-j` in the failed command is not an iptables-style jump here: nft's own option parser consumed it as the `-j`/`--json` flag (compare the `nft -h` output further down), which is why the command echoed in the error message no longer contains it, and the leftover `MASQUERADE` is not an nft statement. In nft the action is the lower-case `masquerade` statement, optionally preceded by `counter`, as in the last command.
[root@evpn2 ~]# nft list ruleset
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}
table ip6 filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}
table bridge filter {
    chain INPUT {
        type filter hook input priority -200; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority -200; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority -200; policy accept;
    }
}
table ip security {
    chain INPUT {
        type filter hook input priority 150; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority 150; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority 150; policy accept;
    }
}
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority -300; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority -300; policy accept;
    }
}
table ip mangle {
    chain PREROUTING {
        type filter hook prerouting priority -150; policy accept;
    }
    chain INPUT {
        type filter hook input priority -150; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority -150; policy accept;
    }
    chain OUTPUT {
        type route hook output priority -150; policy accept;
    }
    chain POSTROUTING {
        type filter hook postrouting priority -150; policy accept;
    }
}
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority -100; policy accept;
    }
    chain INPUT {
        type nat hook input priority 100; policy accept;
    }
    chain POSTROUTING {
        type nat hook postrouting priority 100; policy accept;
    }
    chain OUTPUT {
        type nat hook output priority -100; policy accept;
    }
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "default_g1" counter packets 9 bytes 756 masquerade
        oifname "enp1s0" counter packets 178 bytes 14867 masquerade
    }
}
table ip6 security {
    chain INPUT {
        type filter hook input priority 150; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority 150; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority 150; policy accept;
    }
}
table ip6 raw {
    chain PREROUTING {
        type filter hook prerouting priority -300; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority -300; policy accept;
    }
}
table ip6 mangle {
    chain PREROUTING {
        type filter hook prerouting priority -150; policy accept;
    }
    chain INPUT {
        type filter hook input priority -150; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority -150; policy accept;
    }
    chain OUTPUT {
        type route hook output priority -150; policy accept;
    }
    chain POSTROUTING {
        type filter hook postrouting priority -150; policy accept;
    }
}
table ip6 nat {
    chain PREROUTING {
        type nat hook prerouting priority -100; policy accept;
    }
    chain INPUT {
        type nat hook input priority 100; policy accept;
    }
    chain POSTROUTING {
        type nat hook postrouting priority 100; policy accept;
    }
    chain OUTPUT {
        type nat hook output priority -100; policy accept;
    }
}
table bridge nat {
    chain PREROUTING {
        type filter hook prerouting priority -300; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority 100; policy accept;
    }
    chain POSTROUTING {
        type filter hook postrouting priority 300; policy accept;
    }
}

The tables with upper-case chain names (filter, security, raw, mangle, and the PREROUTING/INPUT/POSTROUTING/OUTPUT chains of nat) were not created by hand: on CentOS 8 the iptables command is iptables-nft, which materialises its tables as nftables objects, so `iptables -t nat -F` above only emptied those chains and left them in place. The hand-made `prerouting`/`postrouting` chains hook the same points, so both sets run on every packet, ordered by priority: iptables' nat PREROUTING (-100) sees a packet before the new `prerouting` (0), and the two postrouting chains share priority 100.
NAT

First of all, the nat module is needed:

    modprobe nft_nat

Next, you need to make the kernel aware of NAT for the protocol (here IPv4):

    modprobe nft_chain_nat_ipv4

(nft_chain_nat_ipv4 is the module name on CentOS 8's 4.18 kernel; from Linux 5.1 the per-family modules are folded into nft_chain_nat. With module autoloading enabled, nft pulls the modules in when the first nat chain is created, so the explicit modprobe steps only matter where autoloading is unavailable.)

Now we can create the NAT-dedicated chains:

    nft add table nat
    nft add chain nat post \{ type nat hook postrouting priority 0 \; \}
    nft add chain nat pre \{ type nat hook prerouting priority 0 \; \}

We can now add NAT rules:

    nft add rule nat post ip saddr 192.168.56.0/24 meta oif wlan0 snat 192.168.1.137
    nft add rule nat pre udp dport 53 ip saddr 192.168.56.0/24 dnat 8.8.8.8:53

The first one source-NATs all traffic from 192.168.56.0/24 leaving through the wlan0 interface to the IP 192.168.1.137. The second one redirects all DNS traffic from 192.168.56.0/24 to the 8.8.8.8 server.

It is possible to NAT to a range of addresses:

    nft add rule nat post ip saddr 192.168.56.0/24 meta oif wlan0 snat 192.168.1.137-192.168.1.140

Procedure

Create a table:

    # nft add table nat

Add the prerouting and postrouting chains to the table:

    # nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; }
    # nft add chain nat postrouting { type nat hook postrouting priority 100 \; }

IMPORTANT: Even if you do not add a rule to the postrouting chain, the nftables framework requires this chain to match outgoing packet replies. Note that you must pass the `--` option to the nft command so that nft's own option parser does not treat the negative priority value `-100` as a command-line option (the shell passes it through unchanged; it is nft, not the shell, that would misread it).

Add a rule to the prerouting chain that redirects incoming traffic on the ens3 interface sent to port 80 and 443 to the host with the 192.0.2.1 IP:

    # nft add rule nat prerouting iifname ens3 tcp dport { 80, 443 } dnat to 192.0.2.1

DNAT only rewrites the destination address. For the forwarded connections to actually reach 192.0.2.1, the host also needs `net.ipv4.ip_forward=1` and a filter chain on the forward hook that accepts the translated traffic.

Depending on your environment, add either a SNAT or masquerading rule to change the source address:

If the ens3 interface uses dynamic IP addresses, add a masquerading rule:

    # nft add rule nat postrouting oifname "ens3" masquerade

If the ens3 interface uses a static IP address, add a SNAT rule. For example, if ens3 uses the 198.51.100.1 IP address:

    # nft add rule nat postrouting oifname "ens3" snat to 198.51.100.1

The difference is not only convenience: `masquerade` looks up the outgoing interface's current address for every new connection and drops its conntrack entries when the interface goes down, which is what a dynamically addressed uplink needs, whereas `snat to` hard-codes the address and is cheaper when it is known to be fixed.
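The procedure above (table, prerouting/postrouting chains, DNAT for 80/443, and SNAT or masquerade depending on whether the uplink address is static) as a single nftables script loaded with `nft -f`, which installs everything in one transaction. This is an added example, not code from the original page or from the nftables or Red Hat documentation it quotes; the interface and address arguments are placeholders chosen by the caller, and the `check_nat_ruleset`/`apply_nat_ruleset` helper names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: the NAT procedure above as one
# nftables script loaded atomically with `nft -f`, instead of a series of
# separate `nft add` commands. WAN_IF, DNAT_TARGET and WAN_IP are placeholder
# arguments supplied by the caller.

# gen_nat_ruleset WAN_IF DNAT_TARGET [WAN_IP]
# Prints an nft script that forwards TCP 80/443 arriving on WAN_IF to
# DNAT_TARGET and rewrites the source of traffic leaving via WAN_IF: SNAT to
# WAN_IP when a static address is given, masquerade otherwise. The negative
# priority needs no "--" here because nothing passes through nft's option
# parser; the script is read from a file, not from argv.
gen_nat_ruleset() {
    wan_if=$1
    dnat_target=$2
    wan_ip=${3:-}
    cat <<EOF
# 'add table' is a no-op if the table already exists; 'flush table' then
# empties its chains, so loading this script twice does not duplicate rules.
# Note: if a chain of the same name already exists with a different hook
# priority, the kernel refuses the load (EBUSY); delete that chain first.
add table ip nat
flush table ip nat
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname "$wan_if" tcp dport { 80, 443 } counter dnat to $dnat_target
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
EOF
    if [ -n "$wan_ip" ]; then
        printf '        oifname "%s" counter snat to %s\n' "$wan_if" "$wan_ip"
    else
        printf '        oifname "%s" counter masquerade\n' "$wan_if"
    fi
    printf '    }\n}\n'
}

# check_nat_ruleset ARGS...: parse and validate the generated script without
# applying it (nft -c reads the script from stdin with "-f -"). Needs nft
# installed and root for the netlink dry run.
check_nat_ruleset() {
    gen_nat_ruleset "$@" | nft -c -f -
}

# apply_nat_ruleset ARGS...: load the script as one transaction; either the
# whole ruleset is installed or nothing changes.
apply_nat_ruleset() {
    gen_nat_ruleset "$@" | nft -f -
}

# Usage (as root):
#   apply_nat_ruleset ens3 192.0.2.1               # dynamic uplink address
#   apply_nat_ruleset ens3 192.0.2.1 198.51.100.1  # static uplink address
# Inspect the result with: nft list table ip nat
```

Because the script only flushes and re-declares `table ip nat`, it leaves the iptables-nft tables seen in the `nft list ruleset` output alone; run `check_nat_ruleset` first on a box where those tables exist, since their PREROUTING chain also hooks prerouting at -100 and the order between two chains of equal priority on one hook is not something to rely on.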
Two more specific rules in the same style, using the pre/post chain names from the NAT section above. Both match on UDP source and destination port as well as both addresses, and translate to an address:port pair rather than to a bare address:

    nft add rule nat post udp sport 29000 ip saddr 192.168.101.102 udp dport 40000 ip daddr 192.168.101.102 snat 192.168.101.55:35000
    nft add rule nat pre udp sport 29000 ip saddr 192.168.101.103 udp dport 32000 ip daddr 192.168.101.55 dnat 192.168.101.102:40000
[root@evpn2 ~]# nft list nat
Error: syntax error, unexpected string
list nat
     ^^^
[root@evpn2 ~]# nft list table nat
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority -100; policy accept;
    }
    chain INPUT {
        type nat hook input priority 100; policy accept;
    }
    chain POSTROUTING {
        type nat hook postrouting priority 100; policy accept;
    }
    chain OUTPUT {
        type nat hook output priority -100; policy accept;
    }
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "default_g1" counter packets 9 bytes 756 masquerade
        oifname "enp1s0" counter packets 178 bytes 14867 masquerade
    }
}
[root@evpn2 ~]# nft -h
Usage: nft [ options ] [ cmds... ]

Options:
  -h, --help                    Show this help
  -v, --version                 Show version information

  -c, --check                   Check commands validity without actually applying the changes.
  -f, --file <filename>         Read input from <filename>
  -i, --interactive             Read input from interactive CLI
  -j, --json                    Format output in JSON
  -n, --numeric                 When specified once, show network addresses numerically (default behaviour).
                                Specify twice to also show Internet services (port numbers) numerically.
                                Specify three times to also show protocols, user IDs, and group IDs numerically.
  -s, --stateless               Omit stateful information of ruleset.
  -N                            Translate IP addresses to names.
  -a, --handle                  Output rule handle.
  -e, --echo                    Echo what has been added, inserted or replaced.
  -I, --includepath <directory> Add <directory> to the paths searched for include files. Default is: /etc
  --debug <level [,level...]>   Specify debugging level (scanner, parser, eval, netlink, mnl, proto-ctx, segtree, all)

[root@evpn2 ~]# nft -v
nftables v0.9.0 (Fearless Fosdick)
[root@evpn2 ~]# nft list table nat
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority -100; policy accept;
    }
    chain INPUT {
        type nat hook input priority 100; policy accept;
    }
    chain POSTROUTING {
        type nat hook postrouting priority 100; policy accept;
    }
    chain OUTPUT {
        type nat hook output priority -100; policy accept;
    }
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "default_g1" counter packets 26 bytes 2152 masquerade
        oifname "enp1s0" counter packets 3208 bytes 261389 masquerade
    }
}
Delete a rule from the inet table. Rules are deleted by handle, and handles are only printed when listing with `-a`:

# nft -a list ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept # handle 4
        ip saddr 10.1.1.1 tcp dport ssh accept # handle 5
        ...

# delete the rule with handle 5
# nft delete rule inet filter input handle 5

A handle identifies a rule only within the currently loaded ruleset; after a flush and reload the same rule gets a different number, so list immediately before deleting rather than reusing a handle noted earlier.
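The handle lookup described above, done in shell so that a deletion refuses to proceed when the chosen match is ambiguous. This is an added example, not code from the original page; the listing it parses is a constructed sample in the shape of the `nft -a list ruleset` excerpt (with a third rule added so an ambiguous pattern can be shown), and the `rule_handle`, `delete_cmd` and `delete_rule_live` helper names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original page: look up a rule's handle in
# `nft -a` output and delete by that handle. Handles identify a rule only within
# the currently loaded ruleset (a reload renumbers them), so the live helper
# re-lists immediately before deleting instead of trusting an earlier listing.

# Constructed sample listing, in the shape of the `nft -a list ruleset` excerpt
# above; a third rule is added so an ambiguous match can be demonstrated.
SAMPLE_LISTING='table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept # handle 4
        ip saddr 10.1.1.1 tcp dport ssh accept # handle 5
        ip saddr 10.1.1.2 tcp dport ssh accept # handle 6
    }
}'

# rule_handle LISTING PATTERN: print the handle of the single rule whose text
# contains PATTERN (fixed string, substring match). Fails if no rule or more
# than one rule matches, so a too-loose pattern never deletes the wrong rule.
rule_handle() {
    rh_matches=$(printf '%s\n' "$1" | grep -F -- "$2" \
                 | grep -o '# handle [0-9]*' | awk '{ print $3 }')
    # count non-empty lines without a command that fails on zero matches
    rh_count=$(printf '%s' "$rh_matches" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$rh_count" -eq 0 ]; then
        echo "rule_handle: no rule matches '$2'" >&2
        return 1
    elif [ "$rh_count" -gt 1 ]; then
        echo "rule_handle: '$2' matches $rh_count rules (handles: $(echo $rh_matches))" >&2
        return 1
    fi
    printf '%s\n' "$rh_matches"
}

# delete_cmd LISTING FAMILY TABLE CHAIN PATTERN: print the delete command that
# would be run for the matching rule (dry run; nft itself is not needed).
delete_cmd() {
    dc_handle=$(rule_handle "$1" "$5") || return 1
    printf 'nft delete rule %s %s %s handle %s\n' "$2" "$3" "$4" "$dc_handle"
}

# delete_rule_live FAMILY TABLE CHAIN PATTERN: the real thing (root required).
# The chain is listed fresh right before the delete so the handle is current.
delete_rule_live() {
    dl_listing=$(nft -a list chain "$1" "$2" "$3") || return 1
    dl_handle=$(rule_handle "$dl_listing" "$4") || return 1
    nft delete rule "$1" "$2" "$3" handle "$dl_handle"
}

# Dry run against the sample listing:
#   delete_cmd "$SAMPLE_LISTING" inet filter input 'ip saddr 10.1.1.1'
# Live, as root:
#   delete_rule_live inet filter input 'ip saddr 10.1.1.1'
```

The pattern is a plain substring, so `'tcp dport ssh'` matches both ssh rules in the sample and the helper refuses rather than picking the first; that is the behaviour you want before an unattended `nft delete rule`.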