From: palica <palica+netfiler@cupka.name>
To: netfilter@vger.kernel.org
Subject: nftables DNAT not working
Date: Wed, 21 Oct 2015 12:33:13 +0200
Message-ID: <562769E9.5000200@cupka.name>

Hello list,

Please help me debug this.

I have 4.0.5 kernel and 0.5 nftables installed. This is my ruleset:

table ip filter {
        chain input {
                type filter hook input priority 0; policy accept;
                ct state established,related counter packets 303 bytes 18088 accept
                ct state invalid counter packets 4 bytes 292 log prefix "Invalid traffic: " drop
                iif lo counter packets 0 bytes 0 accept
                ip protocol icmp accept
                tcp dport ssh ct state new counter packets 5 bytes 212 log prefix "New SSH connection: " accept
                tcp dport { http, https} ct state new counter packets 7 bytes 352 log prefix "New HTTP/S connection: " accept
                counter packets 30 bytes 1497 log prefix "Dropped traffic: " drop
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
                ct state new counter packets 0 bytes 0 log prefix "FORWARD CHAIN: " accept
        }

        chain output {
                type filter hook output priority 0; policy accept;
                ct state new counter packets 33 bytes 2476 log prefix "OUTPUT CHAIN: "
        }
}
table ip nat {
        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
                tcp dport { http, https} counter packets 0 bytes 0 log prefix "DNAT :" dnat 10.0.3.40
                log prefix "DNAT prerouting: "
        }

        chain postrouting {
                type nat hook postrouting priority 0; policy accept;
                ip saddr 10.0.3.0/24 oif br0 counter packets 0 bytes 0 snat 37.187.110.20
                log prefix "SNAT postrouting: "
        }
}
table ip6 filter {
        chain input {
                type filter hook input priority 0; policy accept;
                iif lo counter packets 0 bytes 0 accept
                ct state established,related counter packets 8 bytes 768 accept
                ct state invalid counter packets 0 bytes 0 log prefix "Invalid traffic: " drop
                icmpv6 type { nd-router-advert, nd-neighbor-advert, echo-request, nd-neighbor-solicit} counter packets 70 bytes 5024 accept
                tcp dport ssh ct state new counter packets 0 bytes 0 log prefix "New SSH connection: " accept
                tcp dport { https, http} ct state new counter packets 2 bytes 160 log prefix "New HTTP/S connection: " accept
                udp dport domain ct state new counter packets 0 bytes 0 log prefix "New DOMAIN connection: " accept
                counter packets 0 bytes 0 log prefix "Dropped connection: " drop
        }
}

These are the only two packets that get logged upon trying to connect to port 80:

Oct 21 12:46:26 kernel: New HTTP/S connection: IN=br0 OUT= MAC=00:22:4d:ad:bc:d0:1c:e6:c7:52:07:40:86:dd SRC=2001:41d0:0008:d609:0000:0000:0000:0001 DST=2001:41d0:000a:6314:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=59 FLOWLBL=660071 PROTO=TCP SPT=60001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 12:46:26 kernel: New HTTP/S connection: IN=br0 OUT= MAC=00:22:4d:ad:bc:d0:10:bd:18:e5:ff:80:08:00 SRC=5.135.156.9 DST=37.187.110.20 LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=15350 DF PROTO=TCP SPT=58750 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0

The network interface is br0; the destination for DNAT is an LXC using veth.

What am I doing wrong / overlooking?

Thank you very much for your time.

Palica
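As an added diagnostic example (not part of the original post): a small Python parser for the netfilter log lines quoted above. Run over the two lines from the post (embedded below as constructed input), it flags the IPv4 record that was logged by the filter input chain with DST still set to the public address 37.187.110.20 on port 80; because the input hook only sees packets addressed to the host itself, that agrees with the zero packet counter on the prerouting dnat rule, i.e. the packet was never rewritten to 10.0.3.40. The function and prefix names are this example's own.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample: the two kernel log lines quoted in the post, unwrapped.
SAMPLE_LOG = """\
Oct 21 12:46:26 kernel: New HTTP/S connection: IN=br0 OUT= MAC=00:22:4d:ad:bc:d0:1c:e6:c7:52:07:40:86:dd SRC=2001:41d0:0008:d609:0000:0000:0000:0001 DST=2001:41d0:000a:6314:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=59 FLOWLBL=660071 PROTO=TCP SPT=60001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 12:46:26 kernel: New HTTP/S connection: IN=br0 OUT= MAC=00:22:4d:ad:bc:d0:10:bd:18:e5:ff:80:08:00 SRC=5.135.156.9 DST=37.187.110.20 LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=15350 DF PROTO=TCP SPT=58750 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# "kernel:" followed by the rule's log prefix, then the IN=... field list.
LINE_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)\s*(?P<fields>IN=.*)$")


def parse_nflog_line(line: str) -> Dict[str, str]:
    """Parse one netfilter log line into a dict of its KEY=value fields.

    Flag tokens with no '=' (DF, SYN, ...) are stored as 'True'; an empty
    value such as 'OUT=' is stored as ''.  Non-matching lines give {}.
    """
    m = LINE_RE.search(line)
    if not m:
        return {}
    rec = {"PREFIX": m.group("prefix").rstrip(" :")}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        rec[key] = val if sep else "True"
    return rec


def dnat_misses(log_text: str, public_ip: str, input_prefixes: Iterable[str],
                ports: Iterable[str] = ("80", "443")) -> List[Dict[str, str]]:
    """Records logged by a filter *input* chain rule whose DST is still the
    public address on a DNATed port.  The input hook only sees packets
    addressed to the host itself, so such a record means the prerouting
    dnat rule did not rewrite the packet (a rewritten packet would have
    gone through the forward chain towards the DNAT target instead)."""
    prefixes, wanted = set(input_prefixes), set(ports)
    hits = []
    for line in log_text.splitlines():
        rec = parse_nflog_line(line)
        if (rec.get("PREFIX") in prefixes and rec.get("DST") == public_ip
                and rec.get("DPT") in wanted):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in dnat_misses(SAMPLE_LOG, "37.187.110.20", {"New HTTP/S connection"}):
        print("no DNAT applied:", rec["SRC"], "->", rec["DST"], "dpt", rec["DPT"])
```

Feeding it the "DNAT :" and "FORWARD CHAIN" prefixes instead shows the other side of the same check: once the prerouting rule starts matching, the port-80 SYN should appear under those prefixes with DST=10.0.3.40 and stop appearing under the input-chain prefix.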
