From: Vigneswaran R <vignesh@atc.tcs.com>
To: Matteo Croce <technoboy85@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: nftables NAT
Date: Mon, 04 Aug 2014 09:54:02 +0530
Message-ID: <53DF0AE2.5080202@atc.tcs.com>
In-Reply-To: <CAFnufp1kVrtPXm45VRYZK9G+oHBS0Uy9S_sfYzSmapSB5SdR0w@mail.gmail.com>
On 08/03/2014 04:05 PM, Matteo Croce wrote:
> Hi,
>
> I'm trying to set up a NAT on my router with nftables, my LAN is wlan0
> with address 192.168.20.1 and the LAN is eth0 with address
> 192.168.1.7, ip forwarding is enabled:
>
> [~]# ifconfig eth0
> eth0 Link encap:Ethernet HWaddr 00:0d:b9:34:2b:e8
> inet addr:192.168.1.7 Bcast:192.168.1.255 Mask:255.255.255.0
> inet6 addr: fe80::20d:b9ff:fe34:2be8/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:353 errors:0 dropped:0 overruns:0 frame:0
> TX packets:305 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:39409 (38.4 KiB) TX bytes:39077 (38.1 KiB)
>
> [~]# ifconfig wlan0
> wlan0 Link encap:Ethernet HWaddr 04:f0:21:0c:a3:7d
> inet addr:192.168.20.1 Bcast:192.168.20.255 Mask:255.255.255.0
> inet6 addr: fe80::6f0:21ff:fe0c:a37d/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1612 Metric:1
> RX packets:475 errors:0 dropped:0 overruns:0 frame:0
> TX packets:232 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:48202 (47.0 KiB) TX bytes:41345 (40.3 KiB)
>
> [~]# route -n
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
> 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
> 192.168.20.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
> [~]# cat /proc/sys/net/ipv4/ip_forward
> 1
>
> I've set up nftables like this:
>
> [~]# nft -n list table nat
> table ip nat {
> chain postrouting {
> type nat hook postrouting priority 0;
> ip saddr 192.168.20.0/24 oif eth0 snat 192.168.1.7
> }
> }
>
> It correctly forwards the packet with the new address, but doesn't
> send the replies back:
>
> [~]# tcpdump -pni wlan0 icmp
> IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq 11, length 64
> IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq 12, length 64
> IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq 13, length 64
> [~]# tcpdump -pni eth0 icmp
> IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq 21, length 64
> IP 8.8.8.8 > 192.168.1.7: ICMP echo reply, id 9107, seq 21, length 64
> IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq 22, length 64
> IP 8.8.8.8 > 192.168.1.7: ICMP echo reply, id 9107, seq 22, length 64
> IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq 23, length 64
> IP 8.8.8.8 > 192.168.1.7: ICMP echo reply, id 9107, seq 23, length 64
>
> I can't see any problem in the configuration, any hint?
Just a thought... Are you accepting packets in the FORWARD chain in both
directions (eth0 -> wlan0, wlan0 -> eth0)?
Vignesh
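As an added example, not part of either message above, this is what the ruleset from the question looks like once it also carries the forward chain Vignesh asks about. Interfaces and addresses are taken from the question; the chain policies, the empty prerouting chain and the counter rule are my additions.

```nft
#!/usr/sbin/nft -f
# Added example (not the poster's ruleset). Assumes, as in the question:
#   wlan0 = LAN side, 192.168.20.0/24
#   eth0  = uplink side, address 192.168.1.7, ip_forward enabled

flush ruleset

table ip nat {
    chain prerouting {
        # Registering the prerouting nat hook matters too: older kernels
        # applied the reverse translation to replies only when a chain was
        # attached to this hook, even an empty one.
        type nat hook prerouting priority dstnat; policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Same rule as in the question: rewrite the source of LAN traffic
        # leaving via eth0 to the uplink address.
        ip saddr 192.168.20.0/24 oif "eth0" snat to 192.168.1.7
    }
}

table ip filter {
    chain forward {
        # With policy drop, anything not accepted here vanishes silently,
        # which matches the symptom in the question (requests leave, no
        # replies reach wlan0).
        type filter hook forward priority filter; policy drop;

        # eth0 -> wlan0: replies to connections the LAN opened. The reverse
        # NAT mapping is undone in prerouting, so by the time the reply
        # reaches this hook its daddr is already the 192.168.20.x host.
        ct state established,related accept

        # wlan0 -> eth0: new connections from the LAN towards the uplink.
        iif "wlan0" oif "eth0" ct state new accept

        # Everything else stays dropped; count it so a missing accept rule
        # shows up in `nft list chain ip filter forward`.
        counter
    }
}
```

Load it with `nft -f`, ping from a LAN host, and watch whether the counter on the last rule grows: if it does, the forward chain is what is eating the replies.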