Debian 9 nftables

corsairetc
Posts: 73
Joined: 2014-11-14 05:30

#1 Post by corsairetc »

Hello experts,
I have started learning nftables in preparation for my new server, which will act as a router. So far so good, but now I have a big problem with masquerade. I have written a basic functional script for a two-NIC server, where Lan1 is for WAN and Lan2 is for the internal network. My goal is to let client PCs from the internal network reach the internet. DHCP and DNS rules should work. I attach the script and the error message. Thank you for any help with my issue.
Working script without masquerade:

Code:

# Nft firewall for a 2-NIC firewall with an internal network for internet access

flush ruleset

table inet filter {
  chain input { # interface specification for splitting traffic
    type filter hook input priority 0;

    iifname lo accept # always allow loopback
    iifname enp0s25 jump input_wan # 192.168.3.0/26
    iifname enp4s0 jump input_lan # 172.16.1.0/24

    reject with icmp type port-unreachable # refuse traffic from all other interfaces
  }
  chain input_wan { # rules for the wan interface
    ct state {established,related} accept
    ct state invalid drop
    ip saddr {192.168.3.0/26} tcp dport { 22 } log prefix "Wan SSH pripojeni:" accept
    reject with icmp type port-unreachable # all other traffic
  }
  chain input_lan { # rules for the lan interface
    ct state {established,related} accept
    ct state invalid drop
    ip saddr {172.16.1.0/24} tcp dport {22} log prefix "Lan SSH pripojeni:" accept
    ip protocol icmp icmp type echo-request log accept
    tcp dport {domain} log prefix "DNS input pozadavek:" accept # allow DNS for the internal DHCP LAN
    udp dport {domain} accept
    tcp dport {bootpc,bootps} log prefix "DHCP input pozadavek:" accept # allow DHCP from the internal network
    udp dport {bootpc,bootps} log prefix "DHCP input pozadavek:" accept # allow DHCP from the internal network
    counter drop
  }
  chain output { # allow everything out
    type filter hook output priority 0;
    tcp dport {domain} log prefix "DNS output pozadavek:" accept # allow DNS for the internal network
    udp sport {domain} accept
    tcp dport {bootpc,bootps} log prefix "DHCP output pozadavek:" accept # allow DHCP replies to requests
    udp sport {bootpc,bootps} log prefix "DHCP output pozadavek:" accept # allow DHCP replies to requests
    accept
  }
  chain forward {
    type filter hook forward priority 0;
  }
}
According to the nftables wiki, I added SNAT to this script.

Code:

#!/usr/sbin/nft -f
# Nft firewall for a 2-NIC firewall with an internal network for internet access

flush ruleset

table inet filter {
  chain input { # interface specification for splitting traffic
    type filter hook input priority 0;

    iifname lo accept # always allow loopback
    iifname enp0s25 jump input_wan # 192.168.3.0/26
    iifname enp4s0 jump input_lan # 172.16.1.0/24

    reject with icmp type port-unreachable # refuse traffic from all other interfaces
  }
  chain input_wan { # rules for the wan interface
    ct state {established,related} accept
    ct state invalid drop
    ip saddr {192.168.3.0/26} tcp dport { 22 } log prefix "Wan SSH pripojeni:" accept
    reject with icmp type port-unreachable # all other traffic
  }
  chain input_lan { # rules for the lan interface
    ct state {established,related} accept
    ct state invalid drop
    ip saddr {172.16.1.0/24} tcp dport {22} log prefix "Lan SSH pripojeni:" accept
    ip protocol icmp icmp type echo-request log accept
    tcp dport {domain} log prefix "DNS input pozadavek:" accept # allow DNS for the internal DHCP LAN
    udp dport {domain} accept
    tcp dport {bootpc,bootps} log prefix "DHCP input pozadavek:" accept # allow DHCP from the internal network
    udp dport {bootpc,bootps} log prefix "DHCP input pozadavek:" accept # allow DHCP from the internal network
    counter drop
  }
  chain output { # we let everything out
    type filter hook output priority 0;
    tcp dport {domain} log prefix "DNS output pozadavek:" accept # allow DNS for the internal network
    udp dport {domain} accept
    tcp dport {bootpc,bootps} log prefix "DHCP output pozadavek:" accept # allow DHCP replies to requests
    udp dport {bootpc,bootps} log prefix "DHCP output pozadavek:" accept # allow DHCP replies to requests
    accept
  }
  chain forward {
    type filter hook forward priority 0;
    drop
  }
# NAT
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
  }

  # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    ip saddr 172.16.1.0/24 oif enp0s25 snat 192.168.3.22
  }
}
When I try to load it, I get this error.

Code:

nftables.2NicFw.sh.v3:46:1-5: Error: syntax error, unexpected table
table ip nat {
^^^^^
nftables.2NicFw.sh.v3:54:52-55: Error: NAT is only supported for IPv4/IPv6
		ip saddr 172.16.1.0/24 oif enp0s25 snat 192.168.3.22
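Both errors in the posted script have one cause that is visible in the listing: the closing brace of `chain forward` is the last `}` before `# NAT`, so `table inet filter {` is never closed and `table ip nat {` is parsed inside it ("unexpected table"); nft then sees a nat chain in an `inet` table, which Debian 9's nft 0.7 and 4.9 kernel do not support ("NAT is only supported for IPv4/IPv6"). A second problem would surface after the syntax is fixed: the posted forward chain ends in an unconditional `drop`, so no LAN packet would ever reach the WAN regardless of NAT. The ruleset below is an added example, not the poster's script and not an answer from this thread; it keeps the interface names, networks, WAN address 192.168.3.22 and log prefixes from the post, closes the filter table before opening the nat table, and adds a forward chain that only passes internal-network traffic towards the WAN plus the return half of those flows. The `define` names and the use of `masquerade` instead of a fixed `snat` are assumptions of this example.

```nft
#!/usr/sbin/nft -f
# Added example, not the poster's script. Interface names, networks and the
# WAN address come from the post; the defines, chain policies and the forward
# rules are assumptions made for this example.

flush ruleset

define wan_if = "enp0s25"
define lan_if = "enp4s0"
define lan_net = 172.16.1.0/24      # internal network behind the router
define mgmt_net = 192.168.3.0/26    # WAN-side network allowed to reach SSH

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    ct state established,related accept
    ct state invalid drop
    iifname $wan_if jump input_wan
    iifname $lan_if jump input_lan
    reject with icmpx type port-unreachable     # any other interface
  }
  chain input_wan {
    ip saddr $mgmt_net tcp dport 22 log prefix "Wan SSH pripojeni:" accept
    reject with icmpx type port-unreachable
  }
  chain input_lan {
    ip saddr $lan_net tcp dport 22 log prefix "Lan SSH pripojeni:" accept
    ip protocol icmp icmp type echo-request accept
    tcp dport domain accept                     # DNS served to LAN clients
    udp dport domain accept
    udp dport { bootps, bootpc } accept         # DHCP requests from LAN clients
    counter drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept         # return traffic of LAN-initiated flows
    ct state invalid drop
    iifname $lan_if oifname $wan_if ip saddr $lan_net accept   # LAN -> internet only
    counter drop                                # nothing else is routed
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}   # the inet table ends here; this brace is what the posted script is missing

# NAT goes in its own ip-family table: on Debian 9 (nft 0.7, kernel 4.9)
# nat chains are only supported in ip/ip6 tables, not in inet.
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
  }
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    # masquerade uses whatever address the WAN interface currently has;
    # the post's "snat 192.168.3.22" also works once the table is in the ip family
    ip saddr $lan_net oifname $wan_if masquerade
  }
}
```

Validate the file with `nft -c -f <file>` before loading it so a brace or family mistake is reported without replacing the live ruleset, and remember that the kernel also has to have `net.ipv4.ip_forward=1` set, otherwise the forward chain never sees a packet. Keeping the forward chain on `policy drop` with an explicit LAN-to-WAN accept means a misconfigured or added interface cannot be routed through the box by accident.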
