From: Florian Westphal <fw@strlen.de>
To: Verachten Bruno <gounthar@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Is it possible to get a transparent proxy with Redsocks when using the new nftables?
Date: Tue, 3 Mar 2020 16:57:12 +0100 [thread overview]
Message-ID: <20200303155712.GA14081@strlen.de> (raw)
In-Reply-To: <CACtV=deJ2Sfq1q0r=MYvFOyh9B0UHkRTTnCYPW4yxMVfGLJyeA@mail.gmail.com>
Verachten Bruno <gounthar@gmail.com> wrote:
> I've been using Redsocks for a few months now on a Ubuntu "18.04.3 LTS
> (Bionic Beaver)" machine. This machine has iptables, and not nftables.
> So I have a few rules to redirect 80,443,9048,1935 and so on.
>
> (buster)", which has nftables. I converted the existing rules thanks
> to
>
> iptables-save > save.txt
> iptables-restore-translate -f save.txt > ruleset.nft
> nft -f ruleset.nft
>
> Nothing seems to work, as a git command or anything else is just
> falling in timeout.
> Here is the configuration I get once the rules have been imported:
> table ip filter {
> chain INPUT {
> type filter hook input priority 0; policy accept;
> }
>
> chain FORWARD {
> type filter hook forward priority 0; policy accept;
> }
>
> chain OUTPUT {
> type filter hook output priority 0; policy accept;
> }
> }
The above chains are unneeded and can be removed.
> table ip nat {
> chain PREROUTING {
> type nat hook prerouting priority -100; policy accept;
> meta l4proto tcp tcp dport 443 counter packets 0 bytes 0 jump REDSOCKS
> meta l4proto tcp tcp dport 1935 counter packets 0 bytes 0 jump REDSOCKS
meta l4proto tcp tcp dport { 443, 1935, ... } jump REDSOCKS
> ip daddr 240.0.0.0/4 counter packets 0 bytes 0 return
Given all counters are 0 I would guess you use an older kernel
where nft nat and iptables nat cannot coexist.
I suspect you need to unload the iptable_nat module.
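Added example, not part of the thread and not from the redsocks or nftables projects: a native nft ruleset for the setup Bruno describes (ports 80, 443, 1935 and 9048 jumping to a REDSOCKS chain) that uses a single set-based dport match as Florian suggests, together with the iptable_nat coexistence check from his reply. Assumed, because the thread does not say: redsocks listens on 127.0.0.1:12345 (the value used in its sample config), the script may replace the whole "ip nat" table, and the script file name redsocks-nft.sh. The function iptable_nat_loaded reads the /proc/modules format (module name first on each line) so it can be pointed at a saved copy for testing.

```shell
#!/bin/sh
# redsocks-nft.sh: transparent proxy rules for redsocks written natively for nft.
# Added example for the thread, not the original poster's rules.
# Assumptions: redsocks local_port is 12345; the "ip nat" table can be replaced.

# Emit a complete "ip nat" table. A named set holds the proxied ports, so the
# one-rule-per-port output of iptables-restore-translate collapses to one match
# per hook. The table is deleted and recreated in the same batch, which makes
# repeated runs idempotent (other rules in "ip nat" are dropped; merge them here).
gen_redsocks_ruleset() {
    redsocks_port="${1:-12345}"
    proxied_ports="${2:-80, 443, 1935, 9048}"
    cat <<EOF
table ip nat {}
delete table ip nat
table ip nat {
    set proxied_ports {
        type inet_service
        elements = { $proxied_ports }
    }

    chain REDSOCKS {
        # never proxy loopback, private, link-local, multicast or reserved destinations
        ip daddr { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 } return
        redirect to :$redsocks_port
    }

    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        tcp dport @proxied_ports jump REDSOCKS
    }

    # Locally generated traffic (git, curl, ...) only traverses the output hook.
    # redsocks' own connection to the upstream proxy uses a port outside the set,
    # so it is not fed back into REDSOCKS.
    chain output {
        type nat hook output priority -100; policy accept;
        tcp dport @proxied_ports jump REDSOCKS
    }
}
EOF
}

# Florian's diagnosis: on older kernels the nft nat hook cannot register while
# the legacy iptable_nat module is loaded, and nft counters stuck at 0 are the
# symptom. The module list is /proc/modules by default; a saved copy can be
# passed as the first argument.
iptable_nat_loaded() {
    grep -q '^iptable_nat[[:space:]]' "${1:-/proc/modules}"
}

case "${1:-show}" in
    show)  gen_redsocks_ruleset ;;
    check) gen_redsocks_ruleset | nft -c -f - ;;   # parse only, nothing is loaded
    apply)
        if iptable_nat_loaded; then
            echo "unloading iptable_nat so the nft nat hooks can register" >&2
            modprobe -r iptable_nat
        fi
        gen_redsocks_ruleset | nft -f -
        nft list table ip nat   # counters must move once traffic flows
        ;;
esac
```

Run `sh redsocks-nft.sh check` first to have nft parse the ruleset without loading it, then `sh redsocks-nft.sh apply` as root. After a test connection, `nft list table ip nat` should show non-zero packet counts on the REDSOCKS rules; if they stay at 0, `lsmod` is the place to confirm whether a legacy nat module is still loaded. The ruleset is IPv4 only, matching the "ip" family in the original translation.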
Thread overview: 5+ messages
2020-03-03 14:27 Is it possible to get a transparent proxy with Redsocks when using the new nftables? Verachten Bruno
2020-03-03 15:57 ` Florian Westphal [this message]
2020-03-05 10:35 ` Verachten Bruno
2020-03-05 11:12 ` Florian Westphal
[not found] ` <CACtV=ddf+pB3Y2EX+jRV=J5MswYouQGwx0P6Zyhe0Ex=OPXHWQ@mail.gmail.com>
2020-06-25 17:11 ` Verachten Bruno