From: palica <palica+netfiler@cupka.name>
To: netfilter@vger.kernel.org
Subject: nftables DNAT not working
Date: Wed, 21 Oct 2015 12:33:13 +0200
Message-ID: <562769E9.5000200@cupka.name>
Hello list,
please help me debug this.
I have a 4.0.5 kernel and nftables 0.5 installed. This is my ruleset:
table ip filter {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related counter packets 303 bytes 18088 accept
        ct state invalid counter packets 4 bytes 292 log prefix "Invalid traffic: " drop
        iif lo counter packets 0 bytes 0 accept
        ip protocol icmp accept
        tcp dport ssh ct state new counter packets 5 bytes 212 log prefix "New SSH connection: " accept
        tcp dport { http, https} ct state new counter packets 7 bytes 352 log prefix "New HTTP/S connection: " accept
        counter packets 30 bytes 1497 log prefix "Dropped traffic: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state new counter packets 0 bytes 0 log prefix "FORWARD CHAIN: " accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
        ct state new counter packets 33 bytes 2476 log prefix "OUTPUT CHAIN: "
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        tcp dport { http, https} counter packets 0 bytes 0 log prefix "DNAT :" dnat 10.0.3.40
        log prefix "DNAT prerouting: "
    }
    chain postrouting {
        type nat hook postrouting priority 0; policy accept;
        ip saddr 10.0.3.0/24 oif br0 counter packets 0 bytes 0 snat 37.187.110.20
        log prefix "SNAT postrouting: "
    }
}
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy accept;
        iif lo counter packets 0 bytes 0 accept
        ct state established,related counter packets 8 bytes 768 accept
        ct state invalid counter packets 0 bytes 0 log prefix "Invalid traffic: " drop
        icmpv6 type { nd-router-advert, nd-neighbor-advert, echo-request, nd-neighbor-solicit} counter packets 70 bytes 5024 accept
        tcp dport ssh ct state new counter packets 0 bytes 0 log prefix "New SSH connection: " accept
        tcp dport { https, http} ct state new counter packets 2 bytes 160 log prefix "New HTTP/S connection: " accept
        udp dport domain ct state new counter packets 0 bytes 0 log prefix "New DOMAIN connection: " accept
        counter packets 0 bytes 0 log prefix "Dropped connection: " drop
    }
}
These are the only two packets that get logged upon trying to connect to
port 80:
Oct 21 12:46:26 kernel: New HTTP/S connection: IN=br0 OUT= MAC=00:22:4d:ad:bc:d0:1c:e6:c7:52:07:40:86:dd SRC=2001:41d0:0008:d609:0000:0000:0000:0001 DST=2001:41d0:000a:6314:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=59 FLOWLBL=660071 PROTO=TCP SPT=60001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Oct 21 12:46:26 kernel: New HTTP/S connection: IN=br0 OUT= MAC=00:22:4d:ad:bc:d0:10:bd:18:e5:ff:80:08:00 SRC=5.135.156.9 DST=37.187.110.20 LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=15350 DF PROTO=TCP SPT=58750 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
The network interface is br0; the destination for DNAT is an LXC using veth.
What am I doing wrong / overlooking?
Thank you very much for your time.
Palica
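Added diagnostic, not part of the post or of nftables: a small Python check that reads netfilter LOG lines like the two above and says whether a logged port-80/443 packet still carries the host's own address (the prerouting dnat rule never rewrote it, so it landed in the input chain) or already carries the container address 10.0.3.40 (DNAT applied, so the packet would be seen in the forward chain instead). The DNAT target and ports come from the ruleset above; the log lines are copied from the post, and the classification labels are my own.

```python
import re
from ipaddress import ip_address

# The two kernel log lines from the post, wrapped lines re-joined.
LOG_LINES = [
    "Oct 21 12:46:26 kernel: New HTTP/S connection: IN=br0 OUT= "
    "MAC=00:22:4d:ad:bc:d0:1c:e6:c7:52:07:40:86:dd "
    "SRC=2001:41d0:0008:d609:0000:0000:0000:0001 "
    "DST=2001:41d0:000a:6314:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=59 "
    "FLOWLBL=660071 PROTO=TCP SPT=60001 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Oct 21 12:46:26 kernel: New HTTP/S connection: IN=br0 OUT= "
    "MAC=00:22:4d:ad:bc:d0:10:bd:18:e5:ff:80:08:00 SRC=5.135.156.9 "
    "DST=37.187.110.20 LEN=60 TOS=0x10 PREC=0x00 TTL=60 ID=15350 DF PROTO=TCP "
    "SPT=58750 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
]

DNAT_TARGET = ip_address("10.0.3.40")   # dnat 10.0.3.40 in table ip nat
DNAT_PORTS = {80, 443}                   # tcp dport { http, https }

# Everything between "kernel: " and the first "IN=" is the rule's log prefix.
LINE_RE = re.compile(r"kernel: (?P<prefix>.*?)\s*(?P<kv>IN=.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the log prefix plus the key=value fields of one LOG line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("kv")))
    fields["_prefix"] = m.group("prefix").strip()
    return fields


def classify(fields):
    """Label a parsed packet by what it tells us about the DNAT rule."""
    if fields.get("PROTO") != "TCP" or int(fields.get("DPT", 0)) not in DNAT_PORTS:
        return "not-a-dnat-candidate"
    dst = ip_address(fields["DST"])
    if dst.version == 6:
        return "ipv6-no-nat-rule"       # the nat table above is family ip only
    if dst == DNAT_TARGET:
        return "dnat-applied"
    return "dnat-missed"                # still addressed to the host itself


def report(lines):
    """(prefix, SRC, label) for every parseable line, in input order."""
    parsed = [parse_line(l) for l in lines]
    return [(p["_prefix"], p["SRC"], classify(p)) for p in parsed if p]
```

Run against the post's lines it shows the IPv4 SYN to 37.187.110.20 as "dnat-missed": a packet that the prerouting dnat had rewritten would carry DST=10.0.3.40 and be logged by the forward chain, not by "New HTTP/S connection:" in input.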