I start learn with nftables as prepare for my new server which act as router. So far so good but now I have big problem with masquarade. I have wrote some basic functional script for two NIC server. Where Lan1 is for wan and Lan2 is for internal network. My goal is let client pc from internal network to internet. DHCP and DNS rules should be work. I attach script and error message. Thank you for any help with my issue.
Working script without masquarade:
Code: Select all
# Nft firewall for 2 nic firewall with internal network for internet acces
flush ruleset
table inet filter {
chain input { # specifakace rozhrani pro rozdeleni
type filter hook input priority 0;
iifname lo accept # vzdy povol loopbcak
iifname enp0s25 jump input_wan # 192.168.3.0/26
iifname enp4s0 jump input_lan # 172.16.1.0/24
reject with icmp type port-unreachable # refuse traffic from all other interfaces
}
chain input_wan { # pravidla pro rozhrani wan
ct state {established,related} accept
ct state invalid drop
ip saddr {192.168.3.0/26} tcp dport { 22 } log prefix "Wan SSH pripojeni:" accept
reject with icmp type port-unreachable # all other traffic
}
chain input_lan { # pravidla pro rozhrani lan
ct state {established,related} accept
ct state invalid drop
ip saddr {172.16.1.0/24} tcp dport {22} log prefix "Lan SSH pripojeni:" accept
ip protocol icmp icmp type echo-request log accept
tcp dport {domain} log prefix "DNS input pozadavek:" accept # Povoleni DNS pro interni DHCP LAN
udp dport {domain} accept
tcp dport {bootpc,bootps} log prefix "DHCP input pozadavek:" accept # povoleni DHCP z interni site
udp dport {bootpc,bootps} log prefix "DHCP input pozadavek:" accept # povoleni DHCP z interni site
counter drop
}
chain ouput { # povoleni vseho ven
type filter hook output priority 0;
tcp dport {domain} log prefix "DNS output pozadavek:" accept # Povoleni DNS pro interni site
udp sport {domain} accept
tcp dport {bootpc,bootps} log prefix "DHCP output pozadavek:" accept # povoleni DHCP replies pozadavku
udp sport {bootpc,bootps} log prefix "DHCP output pozadavek:" accept # povoleni DHCP replies pozadavku
accept
}
chain forward {
type filter hook forward priority 0;
}
}
Code: Select all
#!/usr/sbin/nft -f
# Nft firewall for 2 nic firewall with internal network for internet acces
flush ruleset
table inet filter {
chain input { # specifakace rozhrani pro rozdeleni
type filter hook input priority 0;
iifname lo accept # vzdy povol loopbcak
iifname enp0s25 jump input_wan # 192.168.3.0/26
iifname enp4s0 jump input_lan # 172.16.1.0/24
reject with icmp type port-unreachable # refuse traffic from all other interfaces
}
chain input_wan { # pravidla pro rozhrani wan
ct state {established,related} accept
ct state invalid drop
ip saddr {192.168.3.0/26} tcp dport { 22 } log prefix "Wan SSH pripojeni:" accept
reject with icmp type port-unreachable # all other traffic
}
chain input_lan { # pravidla pro rozhrani lan
ct state {established,related} accept
ct state invalid drop
ip saddr {172.16.1.0/24} tcp dport {22} log prefix "Lan SSH pripojeni:" accept
ip protocol icmp icmp type echo-request log accept
tcp dport {domain} log prefix "DNS input pozadavek:" accept # Povoleni DNS pro interni DHCP LAN
udp dport {domain} accept
tcp dport {bootpc,bootps} log prefix "DHCP input pozadavek:" accept # povoleni DHCP z interni site
udp dport {bootpc,bootps} log prefix "DHCP input pozadavek:" accept # povoleni DHCP z interni site
counter drop
}
chain ouput { # we let everything out
type filter hook output priority 0;
tcp dport {domain} log prefix "DNS output pozadavek:" accept # Povoleni DNS pro interni site
udp dport {domain} accept
tcp dport {bootpc,bootps} log prefix "DHCP output pozadavek:" accept # povoleni DHCP replies pozadavku
udp dport {bootpc,bootps} log prefix "DHCP output pozadavek:" accept # povoleni DHCP replies pozadavku
accept
}
chain forward {
type filter hook forward priority 0;
drop
}
# NAT
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
}
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface
chain postrouting {
type nat hook postrouting priority 100; policy accept;
ip saddr 172.16.1.0/24 oif enp0s25 snat 192.168.3.22
}
}
Code: Select all
nftables.2NicFw.sh.v3:46:1-5: Error: syntax error, unexpected table
table ip nat {
^^^^^
nftables.2NicFw.sh.v3:54:52-55: Error: NAT is only supported for IPv4/IPv6
ip saddr 172.16.1.0/24 oif enp0s25 snat 192.168.3.22