Discussion:
nftables NAT
Matteo Croce
2014-08-03 10:35:25 UTC
Hi,

I'm trying to set up a NAT on my router with nftables, my LAN is wlan0
with address 192.168.20.1 and the LAN is eth0 with address
192.168.1.7, ip forwarding is enabled:

[~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0d:b9:34:2b:e8
inet addr:192.168.1.7 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20d:b9ff:fe34:2be8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:353 errors:0 dropped:0 overruns:0 frame:0
TX packets:305 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:39409 (38.4 KiB) TX bytes:39077 (38.1 KiB)

[~]# ifconfig wlan0
wlan0 Link encap:Ethernet HWaddr 04:f0:21:0c:a3:7d
inet addr:192.168.20.1 Bcast:192.168.20.255 Mask:255.255.255.0
inet6 addr: fe80::6f0:21ff:fe0c:a37d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1612 Metric:1
RX packets:475 errors:0 dropped:0 overruns:0 frame:0
TX packets:232 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:48202 (47.0 KiB) TX bytes:41345 (40.3 KiB)

[~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.20.0 0.0.0.0 255.255.255.0 U 0 0 0 wlan0
[~]# cat /proc/sys/net/ipv4/ip_forward
1

I've set up nftables like this:

[~]# nft -n list table nat
table ip nat {
        chain postrouting {
                type nat hook postrouting priority 0;
                ip saddr 192.168.20.0/24 oif eth0 snat 192.168.1.7
        }
}

It correctly forwards the packet with the new address, but doesn't
send the replies back:

[~]# tcpdump -pni wlan0 icmp
IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq 11, length 64
IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq 12, length 64
IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq 13, length 64
[~]# tcpdump -pni eth0 icmp
IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq 21, length 64
IP 8.8.8.8 > 192.168.1.7: ICMP echo reply, id 9107, seq 21, length 64
IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq 22, length 64
IP 8.8.8.8 > 192.168.1.7: ICMP echo reply, id 9107, seq 22, length 64
IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq 23, length 64
IP 8.8.8.8 > 192.168.1.7: ICMP echo reply, id 9107, seq 23, length 64

I can't see any problem in the configuration, any hint?
Cheers,
--
Matteo Croce
OpenWrt Developer
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to ***@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
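As an added diagnostic (not from the thread), a Python script that pairs the echo requests and replies from the two tcpdump captures by ICMP id and seq and reports, per echo, whether the reply reached eth0 but was never reverse-translated onto wlan0. It assumes both captures were taken at the same time (same seq numbers on both interfaces), takes the SNAT address as a parameter, and uses constructed sample captures in the thread's tcpdump format.

```python
import re
from collections import defaultdict
# Line format of "tcpdump -n ... icmp" as shown in the thread, e.g.
# "IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq 21, length 64"
ICMP_RE = re.compile(r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo "
                     r"(?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)")

def parse_capture(lines):
    """Group echo request/reply lines by (id, seq); other lines are skipped."""
    flows = defaultdict(dict)
    for line in lines:
        m = ICMP_RE.search(line)
        if m:
            flows[(int(m["id"]), int(m["seq"]))][m["kind"]] = (m["src"], m["dst"])
    return flows

def diagnose_snat(lan_lines, wan_lines, wan_addr):
    """Classify each echo seen on the LAN side as: ok (reply reached the LAN
    host), not-forwarded (request never hit the WAN), not-snat (request left
    with its private source), no-wan-reply (upstream never answered) or
    reply-stuck (reply reached the WAN for wan_addr but was never reverse-
    translated to the LAN host; this is the symptom in the thread)."""
    lan, wan = parse_capture(lan_lines), parse_capture(wan_lines)
    status = {}
    for key, lan_flow in lan.items():
        if "request" not in lan_flow:
            continue
        wan_flow = wan.get(key, {})
        if "request" not in wan_flow:
            status[key] = "not-forwarded"
        elif wan_flow["request"][0] != wan_addr:
            status[key] = "not-snat"
        elif "reply" not in wan_flow:
            status[key] = "no-wan-reply"
        elif "reply" in lan_flow:
            status[key] = "ok"
        else:
            status[key] = "reply-stuck"
    return status

# Constructed captures (not from the thread) with matching seq numbers on both
# sides: three stuck echoes like the thread's, one healthy one, one unanswered.
LAN_CAP = ["[~]# tcpdump -pni wlan0 icmp"] + [
    f"IP 192.168.20.23 > 8.8.8.8: ICMP echo request, id 9107, seq {s}, length 64"
    for s in (21, 22, 23, 30, 31)] + [
    "IP 8.8.8.8 > 192.168.20.23: ICMP echo reply, id 9107, seq 30, length 64"]
WAN_CAP = ["[~]# tcpdump -pni eth0 icmp"]
for s in (21, 22, 23, 30, 31):
    WAN_CAP.append(f"IP 192.168.1.7 > 8.8.8.8: ICMP echo request, id 9107, seq {s}, length 64")
    if s != 31:  # seq 31: upstream never replied
        WAN_CAP.append(f"IP 8.8.8.8 > 192.168.1.7: ICMP echo reply, id 9107, seq {s}, length 64")
```

Run `diagnose_snat(LAN_CAP, WAN_CAP, "192.168.1.7")` on real captures by reading each tcpdump output into a list of lines; a run of `reply-stuck` results points at the return path (reverse NAT or forward policy) rather than at the outbound SNAT rule.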
Vigneswaran R
2014-08-04 04:24:02 UTC
Post by Matteo Croce
I can't see any problem in the configuration, any hint?
Just a thought.. Are you accepting packets in the FORWARD chain in both
directions (eth0 -> wlan0, wlan0 -> eth0)?

Vignesh
--
Matteo Croce
2014-08-04 08:46:41 UTC
It started working after loading the module iptable_nat
Does nftables rely on iptables?
Post by Vigneswaran R
Just a thought.. Are you accepting packets in the FORWARD chain in both
directions (eth0 -> wlan0, wlan0 -> eth0)?
Vignesh
--
Matteo Croce
OpenWrt Developer
--
Arturo Borrero Gonzalez
2014-08-04 08:51:03 UTC
Post by Matteo Croce
It started working after loading the module iptable_nat
Does nftables rely on iptables?
I guess it should not.

Please provide detailed info about your system: kernel, nft, libnftnl,
etc..

regards.

--
Arturo Borrero González
--
Matteo Croce
2014-08-04 09:00:11 UTC
# uname -a
Linux apu 3.16.0-apu #2 SMP Mon Aug 4 01:43:03 CEST 2014 x86_64 GNU/Linux
# nft -v
nftables v0.3 (Support Edward Snowden)

libnftnl0 1.0.2-1 (Debian package)

2014-08-04 10:51 GMT+02:00 Arturo Borrero Gonzalez
Post by Arturo Borrero Gonzalez
Post by Matteo Croce
It started working after loading the module iptable_nat
Does nftables rely on iptables?
I guess it should not.
Please provide detailed info about your system: kernel, nft, libnftnl,
etc..
Post by Arturo Borrero Gonzalez
regards.
--
Arturo Borrero González
--
Matteo Croce
OpenWrt Developer
--