From: Miroslav Rovis <miro.rovis@croatiafidelis.hr>
To: netfilter@vger.kernel.org
Cc: Johannes Ernst <johannes.ernst@gmail.com>
Subject: Re: Masquerading with selectively open ports -- nftables
Date: Fri, 25 Mar 2016 21:37:17 +0100
Message-ID: <20160325203717.GA12609@g0n>
In-Reply-To: <E3A2E5F1-41EB-41BA-A45D-7FEF5680DC15@gmail.com>
Hi!
I thought I'd help point to a typo in the Nftables Archlinux Wiki
related to this trailblazer ;-) thread.
If I understand correctly, Johannes Ernst is the main contributor of
that wiki. BTW, a superb tutorial!
In short:
file:///Cmn/dLo/Nft/nftables-ArchWiki.htm#Practical_examples
Different rules for different interfaces
is:
tcp port http accept
tcp port https accept
but there ought to be:
tcp port http accept
tcp port https accept
And then only the example works, as I showed in my Gentoo Forums topic:
A Firewalled Internet Access to Internal Subnet
https://forums.gentoo.org/viewtopic-t-1041028.html#7897320
On 151028-10:14-0700, Johannes Ernst wrote:
> My box has two interfaces (enp2s0, upstream to ISP with DHCP) and (enp3s0, LAN, static IP assignment). Using nftables, I'm attempting to set it up as a router with NAT, and selective port openings: enp2s0 is supposed to have the ssh port open, while enp3s0 also gets to have http, https, dhcp and dns open so I can run Apache and dnsmasq on it for users on the LAN.
>
> Ideally I'm looking for a full example that will work if I execute 'nft -f' with it. (Pretty much all related nftables examples I find seem to leave out crucial bits.)
>
> Here is what I have so far:
>
> table inet filter {
> chain input { # this chain serves as a dispatcher
> type filter hook input priority 0;
>
> iifname lo accept # always accept loopback
> iifname enp2s0 jump input_enp2s0
> iifname enp3s0 jump input_enp3s0
>
> reject with icmp type port-unreachable # refuse traffic from all other interfaces
> }
> chain input_enp2s0 {
> ct state {established,related} accept
> ct state invalid drop
> udp dport bootpc accept
> tcp dport bootpc accept
> reject with icmp type port-unreachable # all other traffic
> }
>
> chain input_enp3s0 {
> ct state {established,related} accept
> ct state invalid drop
> udp dport bootpc accept
> tcp dport bootpc accept
> tcp port http accept
> tcp port https accept
> # and a few others
> reject with icmp type port-unreachable # all other traffic
> }
>
> chain ouput { # for now, we let everything out
> type filter hook output priority 0;
> accept
> }
> }
>
> Now I’m attempting to add masquerading, and I’m failing:
> > nft add table nat
> > nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
> > nft add chain nat postrouting { type nat hook postrouting priority 0 \; }
> > nft add rule nat postrouting masquerade
> <cmdline>:1:1-35: Error: Could not process rule: No such file or directory
> add rule nat postrouting masquerade
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> 1. This is copied straight from the wiki [1]. What am I doing wrong?
>
> 2. Even if this command worked, how do I properly integrate it into the rest of my tables/rules?
>
> I’m on Arch x86_64, nftables 0.5.
>
> Thanks,
>
> Johannes.
>
>
> [1] http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29
Happy upcoming Easter to all!
--
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
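The ruleset below is an added, complete example (not the Arch Wiki's text and not code from anyone in this thread) that puts the corrected match (`tcp dport`, not `tcp port`) into the two-interface layout Johannes described and answers his second question by integrating masquerading with the filter table. It assumes the interface roles from his post (enp2s0 upstream, obtaining its address by DHCP; enp3s0 the LAN), ssh reachable on both sides, and Apache plus dnsmasq (DNS and DHCP server) offered to the LAN only. It is written for current nft syntax (chain policies, anonymous sets, `icmpx`), so it is meant to be loaded with `nft -f` on a recent release rather than on nftables 0.5.

```nft
# Added example ruleset; assumptions (interface roles, open services)
# are stated in the lead-in and are not taken from the thread or the wiki.

flush ruleset

table inet filter {
    chain input {
        # Dispatcher: shared stateful checks first, then per-interface chains.
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        iifname "enp2s0" jump input_wan
        iifname "enp3s0" jump input_lan
        # Reached for any other interface, or if a jumped-to chain returns
        # without a verdict. icmpx rejects both IPv4 and IPv6 in an inet table.
        reject with icmpx type port-unreachable
    }

    chain input_wan {
        # DHCP client: offers/acks from the ISP arrive on port 68 (bootpc).
        udp dport bootpc accept
        tcp dport ssh accept
        reject with icmpx type port-unreachable
    }

    chain input_lan {
        tcp dport ssh accept
        tcp dport { http, https } accept     # Apache for LAN users
        udp dport { domain, bootps } accept  # dnsmasq: DNS, and DHCP server on 67
        tcp dport domain accept              # DNS over TCP for large answers
        reject with icmpx type port-unreachable
    }

    chain forward {
        # Route LAN -> ISP only; replies return through conntrack.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "enp3s0" oifname "enp2s0" accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# NAT in its own table. masquerade rewrites IPv4 source addresses, so the
# table is family ip; the inet filter table above still sees every packet.
table ip nat {
    chain postrouting {
        # 100 is the conventional srcnat priority; filter hooks run before it.
        type nat hook postrouting priority 100; policy accept;
        oifname "enp2s0" masquerade
    }
}
```

Check the file without loading it with `nft -c -f firewall.nft`, then load it with `nft -f firewall.nft`; the leading `flush ruleset` makes reloads idempotent. Routing also needs `sysctl -w net.ipv4.ip_forward=1`, which nftables does not set for you. If the `masquerade` rule is accepted by the parser but the kernel answers "No such file or directory", as in the quoted session, the usual cause is a kernel built without the nft masquerade expression (the nft_masq modules), not a mistake in the rule text.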