linux_router:nftables [2023-07-09 Sun wk27 11:42] – [Hairpin NAT] baumkp | linux_router:nftables [2023-11-05 Sun wk44 14:06] (current) – [NFTables Configuration] baumkp |
---|
| |
Dont forget to ensure the router is allowed to forward packets: | Dont forget to ensure the router is allowed to forward packets: |
* ''sudo sysctl net.ipv6.ip_forward'' to check | * ''sudo sysctl net.ipv4.ip_forward'' to check |
* ''sudo sysctl net.ipv6.ip_forward=1'' to set or =0 turn off | * ''sudo sysctl net.ipv4.ip_forward=1'' to set or =0 turn off |
* ''sudo sysctl net.ipv6.conf.all.forwarding=1'' similar for ipv6 | * ''sudo sysctl net.ipv6.conf.all.forwarding=1'' similar for ipv6 |
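Review bot: the old column's check and set lines use `net.ipv6.ip_forward`, a key that does not exist; IPv4 forwarding is `net.ipv4.ip_forward` and IPv6 forwarding is `net.ipv6.conf.all.forwarding`, as the third bullet already says, so the new column is the right fix. Two caveats belong next to these bullets: `sysctl key=1` changes only the running kernel, so the value also has to go into a file under /etc/sysctl.d/ (`net.ipv4.ip_forward = 1`) or it is lost at reboot; and order matters, the nftables ruleset with its forward chain and drop policy should be loaded before forwarding is switched on, otherwise the box forwards everything between its interfaces until the rules arrive. "Dont" should read "Don't".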
====Sample NFTables configuration==== | ====Sample NFTables configuration==== |
<tab9><color blue> # dnat - direct allowed by port number wan incoming services to correct lan server ip.</color>\\ | <tab9><color blue> # dnat - direct allowed by port number wan incoming services to correct lan server ip.</color>\\ |
<tab9> ip daddr <color red>$wan_ip4</color> tcp dport {http, https} counter dnat to <color red>$http_server</color> ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the http or https ports are preroute dnat to the webserver IP address.</color>++\\ | <tab9> ip daddr <color red>$wan_ip4</color> tcp dport {http, https} counter dnat to <color red>$http_server</color> ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the http or https ports are preroute dnat to the webserver IP address.</color>++\\ |
<tab9> ip daddr <color red>$wan_ip4</color> tcp dport {pop3s, imaps, smtp} counter dnat to <color red>$mail_server</color> ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the mail ports, pop3s, imaps or smtp ports are preroute dnat to the mail server IP address.</color>++\\ | <tab9> ip daddr <color red>$wan_ip4</color> tcp dport { pop3s, imaps, imap2, smtp, submission, submissions } counter dnat to <color red>$mail_server</color> ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the mail ports, pop3s, imaps or smtp ports are preroute dnat to the mail server IP address.</color>++\\ |
<tab9> ip daddr <color red>$wan_ip4</color> udp dport <color red>$vpn_port</color> counter dnat to <color red>$vpn_ip4</color> ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the VPN port are preroute dnat to the VPN IP address.</color>++\\ | <tab9> ip daddr <color red>$wan_ip4</color> udp dport <color red>$vpn_port</color> counter dnat to <color red>$vpn_ip4</color> ++ | \\ + <color #202000/#F0F0E0> Incoming WAN packets to the VPN port are preroute dnat to the VPN IP address.</color>++\\ |
<tab6> }\\ | <tab6> }\\ |
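Review bot: the new column widens the mail set to { pop3s, imaps, imap2, smtp, submission, submissions } but the hover text on the same line still says only "pop3s, imaps or smtp ports"; update the description to match the rule. Because nft resolves these names through /etc/services when the file is loaded, a name that is not present on the host (the `submissions` name for 465 is missing from older /etc/services files) makes `nft -f` reject the whole ruleset rather than just that rule; `getent services submissions` on the router shows whether the name resolves, and a numeric port always works.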
<tab9> \\ | <tab9> \\ |
<tab9><color blue> #Allow internal clients to correctly see external address "hairpin dnat"</color> ++ | \\ + <color #202000/#F0F0E0> Hairpin nat is dicussed in greater death at [[https://wiki.kptree.net/doku.php?id=linux_router:nftables#hairpin_nat|hairpin nat]].</color>++\\ | <tab9><color blue> #Allow internal clients to correctly see external address "hairpin dnat"</color> ++ | \\ + <color #202000/#F0F0E0> Hairpin nat is dicussed in greater death at [[https://wiki.kptree.net/doku.php?id=linux_router:nftables#hairpin_nat|hairpin nat]].</color>++\\ |
<tab9> ip saddr <color red>$lan_ip4</color> ip daddr <color red>$http_server</color> tcp dport {http, https} counter snat <color red>$router_ip4</color>\\ | <tab9> ip saddr <color red>$lan_ip4</color> ip daddr <color red>$http_server</color> tcp dport { http, https } counter snat <color red>$router_ip4</color>\\ |
<tab9> ip saddr <color red>$lan_ip4</color> ip daddr <color red>$mail_server</color> tcp dport {http, https, pop3s, imaps, smtp} counter snat <color red>$router_ip4</color>\\ | <tab9> ip saddr <color red>$lan_ip4</color> ip daddr <color red>$mail_server</color> tcp dport { http, https, pop3s, imap2, imaps, smtp, submission, submissions } counter snat <color red>$router_ip4</color>\\ |
<tab9>\\ | <tab9>\\ |
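Review bot: the two hairpin rules write `snat $router_ip4` while the DNAT rules above use `dnat to ...`; the documented form is `snat to $router_ip4`, so use that for consistency. More important, as written the rules SNAT every LAN connection to $http_server or $mail_server on those ports, not only hairpinned ones, so the servers' logs, fail2ban and any per-client rate limiting see $router_ip4 instead of the real LAN client. Adding `ct status dnat` to the match restricts the SNAT to connections that were actually DNATed, which is the only case the comment is about. Also the $mail_server rule includes http and https, but the prerouting DNAT above sends those two ports to $http_server only; either the mail server really serves web traffic and needs its own DNAT entry, or http/https should come out of this set.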
<tab9><color blue> #Standard postrouting nat</color> ++ | \\ + <color #202000/#F0F0E0> The examples below show different levels of granularity in control.</color>++\\ | <tab9><color blue> #Standard postrouting nat</color> ++ | \\ + <color #202000/#F0F0E0> The examples below show different levels of granularity in control.</color>++\\ |
++++ | ++++ |
| |
| ++++mail server ports:| |
| * smtp {25} / (smtps) submissions {465} / submission {587} - (My mail server uses smtp / submission on ports 25 / 587 respectivily) |
| * imap {143} / imaps {993} - (My mail server uses starttls on port 143) |
| * pop3 {110} / pop3s {995} - who still uses pop3? |
| ''nft'' translates ports to service namesas defined in /etc/services |
| ++++ |
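Review bot: typos in the added notes: "respectivily" should be "respectively" and "namesas" should be "names as". The notes also contradict the rules above: the DNAT and hairpin rules forward submissions (465) and pop3s (995), while the smtp line says the server uses 25/587 and the pop3 line questions whether pop3 is used at all. Only forward what the server actually answers on, a DNAT to an unused port is exposed surface the moment that service is enabled. `imap2` is the name some /etc/services files (Debian's included) give to port 143; since 143 is plaintext with STARTTLS, confirm the server refuses authentication before STARTTLS before offering it on the WAN.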
===Some configuration notes=== | ===Some configuration notes=== |
| |