From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Johannes Ernst <johannes.ernst@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Masquerading with selectively open ports -- nftables
Date: Thu, 29 Oct 2015 00:15:33 +0100	[thread overview]
Message-ID: <20151028231533.GA2371@salvia> (raw)
In-Reply-To: <E3A2E5F1-41EB-41BA-A45D-7FEF5680DC15@gmail.com>

On Wed, Oct 28, 2015 at 10:14:35AM -0700, Johannes Ernst wrote:
> My box has two interfaces (enp2s0, upstream to ISP with DHCP) and
> (enp3s0, LAN, static IP assignment). Using nftables, I'm attempting
> to set it up as a router with NAT, and selective port openings:
> enp2s0 is supposed to have the ssh port open, while enp3s0 also gets
> to have http, https, dhcp and dns open so I can run Apache and
> dnsmasq on it for users on the LAN.
> 
> Ideally I'm looking for a full example that will work if I execute
> 'nft -f' with it. (Pretty much all related nftables examples I find
> seem to leave out crucial bits.)

You can probably contribute these examples to the wiki. Or I'd be
happy to get more or less generic scripts as examples that we can
place in the wiki.

Otherwise, I'll try to find time to add this myself.

> Now I’m attempting to add masquerading, and I’m failing:
> > nft add table nat
> > nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
> > nft add chain nat postrouting { type nat hook postrouting priority 0 \; }
> > nft add rule nat postrouting masquerade
> <cmdline>:1:1-35: Error: Could not process rule: No such file or directory
> add rule nat postrouting masquerade
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> 1. This is copied straight from the wiki [1]. What am I doing wrong?

The lines above work fine here.

Masquerading was added in 3.18, what kernel version are you using?

http://wiki.nftables.org/wiki-nftables/index.php/List_of_updates_since_Linux_kernel_3.13

Moreover, make sure you also compiled masquerading support for nf_tables:

CONFIG_NFT_MASQ=m
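The poster asked for a file that works as a whole with `nft -f`, and the reply names two prerequisites (kernel 3.18 or later, CONFIG_NFT_MASQ enabled). The script below is an added example written for this page; it is not from the thread, from the nftables wiki or from the netfilter project. It assumes the interface names from the question (enp2s0 towards the ISP, enp3s0 towards the LAN), an IPv4-only LAN for the NAT part (masquerade in an `ip` table never touches IPv6), conventional hook priorities for the NAT chains, and that the apply step runs as root on a box with `nft`, `modprobe` and `sysctl` installed. The ruleset file path is an assumption as well. One caveat the check does not cover: on kernels of that era IPv4 masquerading also had its own CONFIG_NFT_MASQ_IPV4 option, so a kernel with only the generic option set can still fail on the `masquerade` rule.

```shell
#!/bin/sh
# Added example (not from the thread or the nftables wiki): check the two
# prerequisites named in the reply above, then load a router/NAT ruleset
# for the interfaces described in the question (enp2s0 = ISP, enp3s0 = LAN).
set -eu

NFT_MASQ_MIN=3.18                            # kernel release that introduced nft masquerade
RULESET_FILE=${RULESET_FILE:-/etc/router.nft} # assumed location of the generated file

# kver_ge VERSION MIN: succeed when VERSION ("4.1.0-1-amd64", "3.18.0-rc1", ...)
# is at least MIN, comparing major and minor numbers only.
kver_ge() {
    v_major=${1%%.*}; m_major=${2%%.*}
    case $1 in *.*) v_minor=${1#*.}; v_minor=${v_minor%%[!0-9]*} ;; *) v_minor=0 ;; esac
    case $2 in *.*) m_minor=${2#*.}; m_minor=${m_minor%%[!0-9]*} ;; *) m_minor=0 ;; esac
    if [ "$v_major" -gt "$m_major" ]; then return 0; fi
    if [ "$v_major" -lt "$m_major" ]; then return 1; fi
    [ "$v_minor" -ge "$m_minor" ]
}

# check_masq_support: fail with a message if the running kernel cannot do
# "masquerade" (too old, or built without CONFIG_NFT_MASQ).
check_masq_support() {
    kver=$(uname -r)
    if ! kver_ge "$kver" "$NFT_MASQ_MIN"; then
        echo "kernel $kver predates $NFT_MASQ_MIN: nft masquerade is unavailable" >&2
        return 1
    fi
    # Modular build (CONFIG_NFT_MASQ=m): a dry-run modprobe finds the module.
    if modprobe -n nft_masq 2>/dev/null; then return 0; fi
    # Built-in (=y): look for the option in the exported kernel config.
    if zcat /proc/config.gz 2>/dev/null | grep -q '^CONFIG_NFT_MASQ=y'; then return 0; fi
    if grep -q '^CONFIG_NFT_MASQ=y' "/boot/config-$kver" 2>/dev/null; then return 0; fi
    echo "nft_masq is neither loadable nor built in (CONFIG_NFT_MASQ unset?)" >&2
    return 1
}

# print_ruleset: the complete file to hand to 'nft -f'.
print_ruleset() {
    cat <<'EOF'
# Start from an empty ruleset so re-running this file does not duplicate rules.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
        # ISP side: ssh only, plus DHCP client replies on udp 68
        # (conntrack does not reliably pair them with the broadcast request).
        iifname "enp2s0" tcp dport 22 accept
        iifname "enp2s0" udp dport 68 accept
        # LAN side: ssh, dns (tcp+udp), http, https, dhcp server
        iifname "enp3s0" tcp dport { 22, 53, 80, 443 } accept
        iifname "enp3s0" udp dport { 53, 67 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "enp3s0" oifname "enp2s0" accept   # LAN -> Internet only
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# NAT is IPv4-only here: masquerade in an "ip" table never touches IPv6.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "enp2s0" masquerade
    }
}
EOF
}

# apply_ruleset: verify support, syntax-check with 'nft -c', enable forwarding, then load.
apply_ruleset() {
    check_masq_support
    print_ruleset > "$RULESET_FILE"
    nft -c -f "$RULESET_FILE"
    sysctl -w net.ipv4.ip_forward=1
    nft -f "$RULESET_FILE"
}

# Run as: sh router-nft.sh --apply   (as root, with nft installed)
if [ "${1:-}" = "--apply" ]; then apply_ruleset; fi
```

Running the file through `nft -c -f` first catches syntax and unsupported-expression errors without touching the live ruleset; a kernel lacking nft_masq fails there on the `masquerade` line with the same "No such file or directory" style message the poster saw, which is the ENOENT the kernel returns when the expression is not registered.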

Thread overview: 16+ messages
2015-10-28 17:14 Masquerading with selectively open ports -- nftables Johannes Ernst
2015-10-28 23:15 ` Pablo Neira Ayuso [this message]
2015-10-29  4:51   ` Johannes Ernst
2015-10-29  8:11     ` Arturo Borrero Gonzalez
2015-10-29 19:55       ` Pablo Neira Ayuso
2015-10-30 10:50         ` Arturo Borrero Gonzalez
2015-10-30 11:46           ` Pablo Neira Ayuso
2015-10-30 18:25             ` Johannes Ernst
2015-10-30 18:27               ` Arturo Borrero Gonzalez
2015-10-30 18:56                 ` Johannes Ernst
2015-11-02 20:29                   ` Johannes Ernst
2015-10-29 22:21       ` Johannes Ernst
2015-10-29 23:48       ` kernel modules: was " Johannes Ernst
2015-10-30 11:16         ` Pablo Neira Ayuso
2016-03-25 20:37 ` Miroslav Rovis
2016-03-26  5:06 ` Miroslav Rovis