From: Florian Westphal <fw@strlen.de>
To: david NEW <david@hajes.org>
Cc: Florian Westphal <fw@strlen.de>, netfilter@vger.kernel.org
Subject: Re: nftables static routing fails
Date: Mon, 13 Jan 2020 23:33:48 +0100
Message-ID: <20200113223348.GK795@breakpoint.cc>
In-Reply-To: <601b51d0-e31a-0de7-8827-a8e92bcdabcd@hajes.org>
david NEW <david@hajes.org> wrote:
> I did run "tcpdump port 80" where I saw the incoming packet. Then I repeated
> the process but watching port 8080 this time, but no packets were captured.
> I assumed it never went through.
>
> I have never worked with tcpdump before so there may be some mistakes on my
> side.
>
> I do not know what a "reverse xlate rule" is - can you show me how you would
> write this rule, please?
It won't work for your use case.
> I do not care how it is written as long as netfilter rule checks source
> address (from set) that asks for connection to port 80, 443...and redirects
> it to IP:8080 where web server error page awaits.
Use nat + redirect.
Stateless nat only works for simple use cases, like this for instance:
table inet crap {
	chain prerouting {
		type filter hook prerouting priority -500; policy accept;
		ip saddr 192.168.7.10 tcp dport { 80, 443 } ip daddr set 192.168.0.7 tcp dport set 8080 notrack
	}
	chain output {
		type route hook output priority -500; policy accept;
		tcp sport 8080 tcp sport set 80 ip saddr set 192.168.7.1
	}
}
This works, client connects to 192.168.7.1 80, but really talks to 192.168.0.7:8080.
The output rule is needed to reverse translate 192.168.0.7 to 192.168.7.1 and 8080 to 80.
Without it, you get
192.168.7.10.39472 > 192.168.7.1.80: Flags [S], seq 16468682, win 64..
192.168.0.7.8080 > 192.168.7.10.39472: Flags [S.], seq 47272, ack 16468683, win 65 ..
192.168.7.10.39472 > 192.168.0.7.8080: Flags [R], seq 16468683
In your case, you don't have the original address anymore so you can't create the reverse rule.
table ip nat {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		ip saddr @bad tcp dport { 80, 443 } redirect to :8080
	}
}
will work because conntrack/nat handles the reverse translation.
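The difference between the two rulesets, as an added Python model that is not part of this thread or of nftables: the stateless rules keep no per-flow state, so the output rule can only put back one fixed address:port, while nat + redirect records the original destination of each flow and restores it on the reply. The client 192.168.7.10, the error-page host 192.168.0.7:8080 and the external destination 203.0.113.5 are constructed values taken from or modelled on the examples above.

```python
from dataclasses import dataclass, replace
@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

BAD = {"192.168.7.10"}           # stands in for the @bad set (constructed)
ERRPAGE = ("192.168.0.7", 8080)  # where the error page is served

def stateless_prerouting(pkt):
    # 'ip saddr @bad tcp dport { 80, 443 } ip daddr set ... tcp dport set 8080 notrack'
    if pkt.src in BAD and pkt.dport in (80, 443):
        return replace(pkt, dst=ERRPAGE[0], dport=ERRPAGE[1])
    return pkt

def stateless_output(pkt):
    # 'tcp sport 8080 tcp sport set 80 ip saddr set 192.168.7.1': this reverse rule
    # can only restore one fixed address:port, the per-flow original is gone
    if (pkt.src, pkt.sport) == ERRPAGE:
        return replace(pkt, src="192.168.7.1", sport=80)
    return pkt

class Conntrack:
    """Model of what nat + redirect keeps: the original tuple of each flow."""
    def __init__(self):
        self.entries = {}

    def prerouting(self, pkt):
        if pkt.src in BAD and pkt.dport in (80, 443):
            new = replace(pkt, dst=ERRPAGE[0], dport=ERRPAGE[1])
            # key on the tuple the reply will carry, remember what to restore
            self.entries[(new.dst, new.dport, new.src, new.sport)] = (pkt.dst, pkt.dport)
            return new
        return pkt

    def output(self, pkt):
        orig = self.entries.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return replace(pkt, src=orig[0], sport=orig[1]) if orig else pkt

def server_reply(pkt):
    # the web server answers the tuple it saw (the SYN/ACK in the tcpdump above)
    return Pkt(pkt.dst, pkt.dport, pkt.src, pkt.sport)

def handshake_ok(dst, dport, fwd, rev):
    syn = Pkt("192.168.7.10", 39472, dst, dport)
    synack = rev(server_reply(fwd(syn)))
    # the client only accepts a SYN/ACK from the address:port it sent the SYN to
    return (synack.src, synack.sport) == (syn.dst, syn.dport)
```

With a fixed destination the stateless pair succeeds; once the client may have sent its SYN to any address and port, only the conntrack variant produces a SYN/ACK the client accepts instead of answering with the RST seen above.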