linux_router:nftables

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
linux_router:nftables [2023-07-09 Sun wk27 11:42] – [Hairpin NAT] baumkplinux_router:nftables [2023-11-05 Sun wk44 14:06] (current) – [NFTables Configuration] baumkp
Line 7: Line 7:
  
 Dont forget to ensure the router is allowed to forward packets: Dont forget to ensure the router is allowed to forward packets:
-  * ''sudo sysctl net.ipv6.ip_forward'' to check +  * ''sudo sysctl net.ipv4.ip_forward'' to check 
-  * ''sudo sysctl net.ipv6.ip_forward=1'' to set or =0 turn off+  * ''sudo sysctl net.ipv4.ip_forward=1'' to set or =0 turn off
   * ''sudo sysctl net.ipv6.conf.all.forwarding=1'' similar for ipv6    * ''sudo sysctl net.ipv6.conf.all.forwarding=1'' similar for ipv6 
 ====Sample NFTables configuration==== ====Sample NFTables configuration====
Line 247: Line 247:
 <tab9><color blue>       # dnat - direct allowed by port number wan incoming services to correct lan server ip.</color>\\  <tab9><color blue>       # dnat - direct allowed by port number wan incoming services to correct lan server ip.</color>\\ 
 <tab9>       ip daddr <color red>$wan_ip4</color> tcp dport {http, https} counter dnat to <color red>$http_server</color> ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the http or https ports are preroute dnat to the webserver IP address.</color>++\\  <tab9>       ip daddr <color red>$wan_ip4</color> tcp dport {http, https} counter dnat to <color red>$http_server</color> ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the http or https ports are preroute dnat to the webserver IP address.</color>++\\ 
-<tab9>       ip daddr <color red>$wan_ip4</color> tcp dport {pop3s, imaps, smtp} counter dnat to <color red>$mail_server</color> ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the mail ports, pop3s, imaps or smtp ports are preroute dnat to the mail server IP address.</color>++\\ +<tab9>       ip daddr <color red>$wan_ip4</color> tcp dport { pop3s, imaps, imap2, smtp, submission, submissions } counter dnat to <color red>$mail_server</color> ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the mail ports, pop3s, imaps or smtp ports are preroute dnat to the mail server IP address.</color>++\\ 
 <tab9>       ip daddr <color red>$wan_ip4</color> udp dport <color red>$vpn_port</color> counter dnat to <color red>$vpn_ip4</color>  ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the VPN port are preroute dnat to the VPN IP address.</color>++\\  <tab9>       ip daddr <color red>$wan_ip4</color> udp dport <color red>$vpn_port</color> counter dnat to <color red>$vpn_ip4</color>  ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the VPN port are preroute dnat to the VPN IP address.</color>++\\ 
 <tab6>    }\\  <tab6>    }\\ 
Line 255: Line 255:
 <tab9> \\  <tab9> \\ 
 <tab9><color blue>      #Allow internal clients to correctly see external address "hairpin dnat"</color>   ++ | \\ + <color #202000/#F0F0E0> Hairpin nat is dicussed in greater death at [[https://wiki.kptree.net/doku.php?id=linux_router:nftables#hairpin_nat|hairpin nat]].</color>++\\  <tab9><color blue>      #Allow internal clients to correctly see external address "hairpin dnat"</color>   ++ | \\ + <color #202000/#F0F0E0> Hairpin nat is dicussed in greater death at [[https://wiki.kptree.net/doku.php?id=linux_router:nftables#hairpin_nat|hairpin nat]].</color>++\\ 
-<tab9>       ip saddr <color red>$lan_ip4</color> ip daddr <color red>$http_server</color> tcp dport {http, https} counter snat <color red>$router_ip4</color>\\  +<tab9>       ip saddr <color red>$lan_ip4</color> ip daddr <color red>$http_server</color> tcp dport { http, https } counter snat <color red>$router_ip4</color>\\  
-<tab9>       ip saddr <color red>$lan_ip4</color> ip daddr <color red>$mail_server</color> tcp dport {http, https, pop3s, imaps, smtp} counter snat <color red>$router_ip4</color>\\ +<tab9>       ip saddr <color red>$lan_ip4</color> ip daddr <color red>$mail_server</color> tcp dport { http, https, pop3s, imap2, imaps, smtp, submission, submissions } counter snat <color red>$router_ip4</color>\\ 
 <tab9>\\  <tab9>\\ 
 <tab9><color blue>      #Standard postrouting nat</color>  ++ | \\ + <color #202000/#F0F0E0> The examples below show different levels of granularity in control.</color>++\\ <tab9><color blue>      #Standard postrouting nat</color>  ++ | \\ + <color #202000/#F0F0E0> The examples below show different levels of granularity in control.</color>++\\
Line 272: Line 272:
 ++++ ++++
  
 +++++mail server ports:|
 +  * smtp {25} / (smtps) submissions {465} / submission {587} - (My mail server uses smtp / submission on ports 25 / 587 respectivily)
 +  * imap {143} / imaps {993} - (My mail server uses starttls on port 143)
 +  * pop3 {110} / pop3s {995} - who still uses pop3?
 +''nft'' translates ports to service namesas defined in /etc/services
 +++++
 ===Some configuration notes=== ===Some configuration notes===
  
  • /app/www/public/data/attic/linux_router/nftables.1688874131.txt.gz
  • Last modified: 2023-07-09 Sun wk27 11:42
  • by baumkp