From: trentbuck@gmail.com (Trent W. Buck)
To: netfilter@vger.kernel.org
Subject: Re: Simplifying DNAT Rules using Maps
Date: Thu, 11 Jun 2020 16:43:18 +1000 [thread overview]
Message-ID: <87d06685mh.fsf@goll.lan> (raw)
In-Reply-To: CAPyx93wMpdBEA58ixPxYVWEXGSO3mQZv7Ub=iNX87JXnM2c_NQ@mail.gmail.com
Max Ehrlich <max.ehr@gmail.com> writes:
> Just to put some more context, I was able to do this using a map and a
> set as follows:
>
> ```
> define dnat_targets = {
>     80 : 10.0.10.1 . 8080,
>     25565 : 10.0.10.8 . 25565
> }
>
> define dnat_allowed = {
>     10.0.10.1 . 8080,
>     10.0.10.8 . 25565
> }
>
> [...]
>
> table inet filter {
>     set dnat_allowed {
>         type ipv4_addr . inet_service
>         elements = $dnat_allowed
>     }
>
>     chain forward {
>         ip daddr . tcp dport @dnat_allowed accept
>     }
> }
> ```
>
> However, note that the values of the map `dnat_targets` are the same as the
> set `dnat_allowed`. I wonder if there is a way to do this with only
> the map `dnat_targets`? Something like using only the values of the
> map as a set?
FWIW in filter you can just say "allow anything I already DNATted":

    # xtables, annoying explicit way (--dports needs -m multiport)
    -A FORWARD -p tcp -m multiport --dports http,https -d www -j ACCEPT
    -A FORWARD -p tcp -m multiport --dports imaps,submission -d mail -j ACCEPT
    ...

    # xtables, easy way (--ctstate needs -m conntrack)
    -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT

    # nft, easy way
    ct status dnat accept
A full ruleset might look like this (attached):
[-- Attachment #2: tmp.nft, Type: text/plain, Size: 1500 bytes --]

    #!/usr/sbin/nft --file
    flush ruleset

    table inet my_filter {
        chain my_input {
            type filter hook input priority filter
            policy drop
            jump my_prologue comment "deal with boring conntrack/loopback/ICMP/ICMPv6"
            tcp dport ssh accept
            jump my_epilogue
        }
        chain my_forward {
            type filter hook forward priority filter
            policy drop
            jump my_prologue comment "deal with boring conntrack/loopback/ICMP/ICMPv6"
            jump my_epilogue
        }
        chain my_prologue {
            ct state vmap { established: accept, related: accept, invalid: drop }
            ct status dnat accept
            iiftype loopback accept
            icmp type echo-request accept
            icmpv6 type { echo-request, nd-neighbor-solicit } accept
        }
        chain my_epilogue {
            iiftype != ppp reject comment "be polite (reject, not drop) to local networks"
        }
    }

    table ip my_nat {
        chain my_postrouting {
            type nat hook postrouting priority srcnat
            policy accept
            oiftype ppp masquerade
        }
        chain my_prerouting {
            type nat hook prerouting priority dstnat
            policy accept
            iiftype != ppp return comment "port forwards are only relevant from the internet"
            define www.example.com = 127.1.2.3
            define mail.example.com = 127.254.253.252
            tcp dport { http, https } dnat to $www.example.com
            tcp dport { smtp, submission, imaps } dnat to $mail.example.com
        }
    }

    list ruleset
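Putting the two messages together, as an added example that is not part of either poster's configuration: Max's `dnat_targets` map drives the DNAT in prerouting, and Trent's `ct status dnat accept` in the forward chain replaces the separate `dnat_allowed` set. It assumes, like the quoted configuration, an nftables version that accepts concatenated address . port map values for dnat; the 10.0.10.0/24 hosts and the `wan` interface name are placeholders.

```nft
#!/usr/sbin/nft -f
flush ruleset

# Assumed placeholders: the internal hosts behind the router and the
# name of the interface facing the internet.
define wan = "eth0"
define dnat_targets = {
    80    : 10.0.10.1 . 8080,
    25565 : 10.0.10.8 . 25565
}

table ip my_nat {
    # The define becomes a named map so it can be listed and changed
    # at runtime ("nft add element ip my_nat dnat_targets { ... }").
    map dnat_targets {
        type inet_service : ipv4_addr . inet_service
        elements = $dnat_targets
    }

    chain my_prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Port forwards only for traffic arriving from the internet.
        iifname $wan dnat to tcp dport map @dnat_targets
    }

    chain my_postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $wan masquerade
    }
}

table inet my_filter {
    chain my_forward {
        type filter hook forward priority filter; policy drop;
        ct state vmap { established : accept, related : accept, invalid : drop }
        # The first packet of a connection that prerouting just DNATted
        # carries the dnat status bit; its destination is by construction
        # a value from the map, so no separate dnat_allowed set is needed.
        ct status dnat accept
    }
}
```

Because `ct status dnat` is set for any connection whose destination conntrack rewrote, `redirect` rules included, every DNAT rule in prerouting also becomes an implicit accept in the forward chain, so keep those rules as narrow as the `iifname $wan` match above.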