From: trentbuck@gmail.com (Trent W. Buck)
To: netfilter@vger.kernel.org
Subject: Re: Simplifying DNAT Rules using Maps
Date: Thu, 11 Jun 2020 16:43:18 +1000 [thread overview]
Message-ID: <87d06685mh.fsf@goll.lan> (raw)
In-Reply-To: CAPyx93wMpdBEA58ixPxYVWEXGSO3mQZv7Ub=iNX87JXnM2c_NQ@mail.gmail.com
Max Ehrlich <max.ehr@gmail.com> writes:
> Just to put some more context, I was able to do this using a map and a
> set as follows:
>
> ```
> define dnat_targets = {
>     80 : 10.0.10.1 . 8080,
>     25565 : 10.0.10.8 . 25565
> }
>
> define dnat_allowed = {
>     10.0.10.1 . 8080,
>     10.0.10.8 . 25565
> }
>
> [...]
>
> table inet filter {
>     set dnat_allowed {
>         type ipv4_addr . inet_service
>         elements = $dnat_allowed
>     }
>
>     chain forward {
>         ip daddr . tcp dport @dnat_allowed accept
>     }
> }
> ```
>
> however, note that the values of the map `dnat_targets` are the same as the
> set `dnat_allowed`. I wonder if there is a way to do this with only
> the map `dnat_targets`? Something like using only the values of the
> map as a set?
FWIW in filter you can just say "allow anything I already DNATted":
    # xtables, annoying explicit way (multiport match needed for --dports)
    -A FORWARD -p tcp -m multiport --dports http,https -d www -j ACCEPT
    -A FORWARD -p tcp -m multiport --dports imaps,submission -d mail -j ACCEPT
    ...

    # xtables, easy way (conntrack match needed for --ctstate)
    -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT

    # nft, easy way
    ct status dnat accept
A full ruleset might look like this (attached):
[-- Attachment #2: tmp.nft (text/plain) --]
#!/usr/sbin/nft --file
flush ruleset

table inet my_filter {
    chain my_input {
        type filter hook input priority filter
        policy drop
        jump my_prologue comment "deal with boring conntrack/loopback/ICMP/ICMPv6"
        tcp dport ssh accept
        jump my_epilogue
    }
    chain my_forward {
        type filter hook forward priority filter
        policy drop
        jump my_prologue comment "deal with boring conntrack/loopback/ICMP/ICMPv6"
        jump my_epilogue
    }
    chain my_prologue {
        ct state vmap { established: accept, related: accept, invalid: drop }
        ct status dnat accept
        iiftype loopback accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit } accept
    }
    chain my_epilogue {
        iiftype != ppp reject comment "be polite (reject, not drop) to local networks"
    }
}

table ip my_nat {
    chain my_postrouting {
        type nat hook postrouting priority srcnat
        policy accept
        oiftype ppp masquerade
    }
    chain my_prerouting {
        type nat hook prerouting priority dstnat
        policy accept
        iiftype != ppp return comment "port forwards are only relevant from the internet"
        define www.example.com = 127.1.2.3
        define mail.example.com = 127.254.253.252
        tcp dport { http, https } dnat to $www.example.com
        tcp dport { smtp, submission, imaps } dnat to $mail.example.com
    }
}

list ruleset
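The following ruleset is an added example, not code from either poster, that combines Max's map-driven DNAT with Trent's `ct status dnat accept` rule so that the separate `dnat_allowed` set is no longer needed: the map in the nat table is the single place that decides which ports are forwarded, and the filter table accepts exactly the connections that table rewrote. The interface name `eth0`, the table/chain names and the 10.0.10.x targets are constructed for illustration (the targets are the ones quoted from Max's message).

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumes the internet-facing
# interface is eth0 and that 10.0.10.0/24 is the internal network.
flush ruleset

table ip example_nat {
    # One map drives the port forwards: public TCP port -> internal addr . port.
    # Sample elements are constructed; edit them for a real deployment.
    map dnat_targets {
        type inet_service : ipv4_addr . inet_service
        elements = { 80    : 10.0.10.1 . 8080,
                     25565 : 10.0.10.8 . 25565 }
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Only rewrite traffic arriving from the internet; a port absent from
        # the map simply is not translated (and is then dropped by the filter).
        iifname "eth0" dnat to tcp dport map @dnat_targets
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }
}

table inet example_filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state vmap { established: accept, related: accept, invalid: drop }
        # Replaces the dnat_allowed set: a new connection is only forwarded if
        # the nat table DNATted it, i.e. its port was a key in dnat_targets.
        ct status dnat accept
        # Internal hosts may still initiate outbound connections.
        iifname != "eth0" oifname "eth0" accept
    }
}
```

Syntax and set/map types can be checked without loading the rules with `nft -c -f example.nft`. One caveat to keep in mind: with `ct status dnat accept` the filter trusts whatever the nat table rewrote, so adding a map element is enough to open a forward; that is the convenience being asked for, but it also means the allow-list review now lives entirely in `dnat_targets`.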
Thread overview (5+ messages):
2020-06-03 16:08 Simplifying DNAT Rules using Maps Max Ehrlich
2020-06-07 21:40 ` Pablo Neira Ayuso
2020-06-08 13:42 ` Max Ehrlich
2020-06-08 14:13 ` Max Ehrlich
2020-06-11 6:43 ` Trent W. Buck [this message]