From: Florian Westphal <fw@strlen.de>
To: david NEW <david@hajes.org>
Cc: Florian Westphal <fw@strlen.de>, netfilter@vger.kernel.org
Subject: Re: nftables static routing fails
Date: Mon, 13 Jan 2020 23:33:48 +0100
Message-ID: <20200113223348.GK795@breakpoint.cc>
In-Reply-To: <601b51d0-e31a-0de7-8827-a8e92bcdabcd@hajes.org>

david NEW <david@hajes.org> wrote:
> I did run "tcpdump port 80" where I saw incoming packet. Then repeated
> process but watching port 8080 this time but no packets have been captured.
> I assumed it never went through.
> 
> I have never worked with tcpdump before so there may be some mistakes on my
> side.
> 
> I do not know what is "reverse xlate rule" - can you show me how would you
> write this rule, please?

It won't work for your use case.

> I do not care how it is written as long as netfilter rule checks source
> address (from set) that asks for connection to port 80, 443...and redirects
> it to IP:8080 where web server error page awaits.

Use nat + redirect.

Stateless nat only works for simple use cases, like this for instance:
table inet crap {
        chain prerouting {
                type filter hook prerouting priority -500; policy accept;
                ip saddr 192.168.7.10 tcp dport { 80, 443 } ip daddr set 192.168.0.7 tcp dport set 8080 notrack
        }

        chain output {
                type route hook output priority -500; policy accept;
                tcp sport 8080 tcp sport set 80 ip saddr set 192.168.7.1
        }
}

This works, client connects to 192.168.7.1 80, but really talks to 192.168.0.7:8080.
The output rule is needed to reverse translate 192.168.0.7 to 192.168.7.1 and 8080 to 80.
Without it, you get

 192.168.7.10.39472 > 192.168.7.1.80: Flags [S], seq 16468682, win 64..
 192.168.0.7.8080 > 192.168.7.10.39472: Flags [S.], seq 47272, ack 16468683, win 65 ..
 192.168.7.10.39472 > 192.168.0.7.8080: Flags [R], seq 16468683

In your case, you don't have the original address anymore so you can't create the reverse rule.

table ip nat {
        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                ip saddr @bad tcp dport { 80, 443 } redirect to :8080
        }
}

will work because conntrack/nat handles the reverse translation.
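Added example, not part of Florian's mail or of any nftables documentation: a complete, loadable version of the conntrack-based redirect ruleset above, together with the checks a practitioner uses to confirm it is doing what is expected. The mail's rule references @bad without showing the set, so the set is declared here. Everything about the network is an assumption: the router's LAN address is 192.168.7.1, the offending clients are the addresses in the set "bad", and the error page is served on the router itself at TCP 8080.

```shell
#!/bin/sh
# Added example, not from the thread. A complete, loadable ruleset for the
# conntrack-based redirect above, with the checks used to confirm it works.
# Assumed (not stated in the mail): the router's LAN address is 192.168.7.1,
# the offending clients are the set "bad", and the error page listens on
# the router itself at TCP 8080.

# The mail's rule references @bad; nft requires the set to be declared in
# the same table before a rule can use it, so it is defined here.
ruleset() {
    cat <<'EOF'
table ip nat {
        set bad {
                type ipv4_addr
                flags interval
                elements = { 192.168.7.10, 192.168.7.64/26 }
        }

        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                # local listener; for a web server on another host use e.g.
                # "dnat to 192.168.0.7:8080" instead (the return traffic must
                # still pass through this router for conntrack to reverse it)
                ip saddr @bad tcp dport { 80, 443 } redirect to :8080
        }
}
EOF
}

# Parse-check with -c (nothing is committed), then load atomically with -f.
apply_ruleset() {
    f=$(mktemp) || return 1
    ruleset >"$f"
    nft -c -f "$f" && nft -f "$f"
    rc=$?
    rm -f "$f"
    return "$rc"
}

# What to look at afterwards. tcpdump on the LAN interface captures the
# client's SYN before prerouting and the reply after the reverse translation,
# so it shows port 80 in both directions and never 8080. The translated
# tuple is visible in the conntrack entry (reply side: sport=8080) and in
# "ss -tn" on the listener.
verify() {
    nft list ruleset
    conntrack -L -p tcp --orig-port-dst 80 2>/dev/null
    echo "capture with: tcpdump -ni <lan-if> 'tcp port 80 or tcp port 443'"
    echo "listener side: ss -tn 'sport = :8080'"
}

case "${1-}" in
    apply)  apply_ruleset ;;
    verify) verify ;;
    *)      ruleset ;;
esac
```

Run it as "sh redirect.sh apply" (as root) to check and load the ruleset, "sh redirect.sh verify" to inspect the state, or with no argument to print the ruleset. Two caveats worth knowing before testing: watching "tcpdump port 8080" on the router's LAN interface will never show the redirected flow, because the packet is rewritten after capture on ingress and rewritten back before capture on egress, so the place to see 8080 is conntrack or the listening socket; and a client that connected to port 443 expects a TLS handshake, so redirecting 443 to a plain-HTTP listener on 8080 yields a protocol error in the browser rather than the error page.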


Thread overview: 5+ messages
2020-01-13 21:13 nftables static routing fails david NEW
2020-01-13 21:28 ` Daniel
2020-01-13 21:40 ` Florian Westphal
2020-01-13 21:59   ` david NEW
2020-01-13 22:33     ` Florian Westphal [this message]
