Debian 9 nftables

Postby corsairetc » 2017-08-31 04:44

Hello experts,
I am starting to learn nftables in preparation for my new server, which will act as a router. So far so good, but now I have a big problem with masquerade. I have written a basic functional script for a two-NIC server, where Lan1 is for the WAN and Lan2 is for the internal network. My goal is to let client PCs from the internal network reach the internet. DHCP and DNS rules should work. I attach the script and the error message. Thank you for any help with my issue.
Working script without masquerade:
Code:
# Nft firewall for 2 nic firewall with internal network for internet access

flush ruleset

table inet filter {
  chain input { # dispatch by incoming interface
    type filter hook input priority 0;

    iifname lo accept # always allow loopback
    iifname enp0s25 jump input_wan # 192.168.3.0/26
    iifname enp4s0 jump input_lan # 172.16.1.0/24

    reject with icmp type port-unreachable # refuse traffic from all other interfaces
  }
  chain input_wan { # rules for the wan interface
    ct state {established,related} accept
    ct state invalid drop
    ip saddr {192.168.3.0/26} tcp dport { 22 } log prefix "Wan SSH pripojeni:" accept
    reject with icmp type port-unreachable # all other traffic
  }
  chain input_lan { # rules for the lan interface
    ct state {established,related} accept
    ct state invalid drop
    ip saddr {172.16.1.0/24} tcp dport {22} log prefix "Lan SSH pripojeni:" accept
    ip protocol icmp icmp type echo-request log accept
    tcp dport {domain} log prefix "DNS input pozadavek:" accept # allow DNS for the internal DHCP LAN
    udp dport {domain} accept
    tcp dport {bootpc,bootps} log prefix "DHCP input pozadavek:" accept # allow DHCP from the internal network
    udp dport {bootpc,bootps} log prefix "DHCP input pozadavek:" accept # allow DHCP from the internal network
    counter drop
  }
  chain output { # allow everything out
    type filter hook output priority 0;
    tcp dport {domain} log prefix "DNS output pozadavek:" accept # allow DNS for the internal network
    udp sport {domain} accept
    tcp dport {bootpc,bootps} log prefix "DHCP output  pozadavek:" accept # allow DHCP replies to requests
    udp sport {bootpc,bootps} log prefix "DHCP output pozadavek:" accept # allow DHCP replies to requests
    accept
  }
  chain forward {
    type filter hook forward priority 0;
  }
}


According to the nftables wiki I added SNAT to this script.
Code:
#!/usr/sbin/nft -f
# Nft firewall for 2 nic firewall with internal network for internet access

flush ruleset

table inet filter {
  chain input { # dispatch by incoming interface
    type filter hook input priority 0;

    iifname lo accept # always allow loopback
    iifname enp0s25 jump input_wan # 192.168.3.0/26
    iifname enp4s0 jump input_lan # 172.16.1.0/24

    reject with icmp type port-unreachable # refuse traffic from all other interfaces
  }
  chain input_wan { # rules for the wan interface
    ct state {established,related} accept
    ct state invalid drop
    ip saddr {192.168.3.0/26} tcp dport { 22 } log prefix "Wan SSH pripojeni:" accept
    reject with icmp type port-unreachable # all other traffic
  }
  chain input_lan { # rules for the lan interface
    ct state {established,related} accept
    ct state invalid drop
    ip saddr {172.16.1.0/24} tcp dport {22} log prefix "Lan SSH pripojeni:" accept
    ip protocol icmp icmp type echo-request log accept
    tcp dport {domain} log prefix "DNS input pozadavek:" accept # allow DNS for the internal DHCP LAN
    udp dport {domain} accept
    tcp dport {bootpc,bootps} log prefix "DHCP input pozadavek:" accept # allow DHCP from the internal network
    udp dport {bootpc,bootps} log prefix "DHCP input pozadavek:" accept # allow DHCP from the internal network
    counter drop
  }
  chain output { # we let everything out
    type filter hook output priority 0;
    tcp dport {domain} log prefix "DNS output pozadavek:" accept # allow DNS for the internal network
    udp dport {domain} accept
    tcp dport {bootpc,bootps} log prefix "DHCP output  pozadavek:" accept # allow DHCP replies to requests
    udp dport {bootpc,bootps} log prefix "DHCP output pozadavek:" accept # allow DHCP replies to requests
    accept
  }
  chain forward {
    type filter hook forward priority 0;
    drop # drops every forwarded packet, including LAN -> WAN
  }
} # closes table inet filter; this brace was missing, so "table ip nat" was parsed inside the inet table

# NAT
table ip nat {
   chain prerouting {
      type nat hook prerouting priority 0; policy accept;
   }

   # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
   chain postrouting {
      type nat hook postrouting priority 100; policy accept;
      ip saddr 172.16.1.0/24 oif enp0s25 snat 192.168.3.22
   }
}

When I try to load it I get this error.
Code:
nftables.2NicFw.sh.v3:46:1-5: Error: syntax error, unexpected table
table ip nat {
^^^^^
nftables.2NicFw.sh.v3:54:52-55: Error: NAT is only supported for IPv4/IPv6
      ip saddr 172.16.1.0/24 oif enp0s25 snat 192.168.3.22
corsairetc
 
Posts: 66
Joined: 2014-11-14 05:30
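A ruleset that loads on Debian 9 and forwards the LAN to the internet, added here as an example and not taken from the post or from the nftables wiki. It assumes the poster's layout (enp0s25 as WAN on 192.168.3.0/26, enp4s0 as LAN on 172.16.1.0/24) and Debian 9's nft 0.7, where nat chains are accepted only in an ip family table; both errors in the post come from the filter table never being closed, which made the parser treat the snat rule as part of the inet table.

```nft
#!/usr/sbin/nft -f
# Example two-NIC router ruleset (assumed interfaces: enp0s25 = WAN, enp4s0 = LAN)
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname lo accept
    ct state established,related accept
    ct state invalid drop
    # management and services reachable from the LAN only
    iifname enp4s0 ip saddr 172.16.1.0/24 tcp dport 22 accept
    iifname enp4s0 udp dport { domain, bootps } accept
    iifname enp4s0 tcp dport domain accept
    iifname enp4s0 ip protocol icmp icmp type echo-request accept
    # SSH from the WAN side, restricted to the upstream subnet
    iifname enp0s25 ip saddr 192.168.3.0/26 tcp dport 22 accept
    counter drop
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept   # replies to flows the LAN opened
    ct state invalid drop
    # only the LAN prefix may leave via the WAN; spoofed sources are never masqueraded
    iifname enp4s0 oifname enp0s25 ip saddr 172.16.1.0/24 accept
    counter drop
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}   # the filter table ends here; nesting "table ip nat" inside it caused the
    # "unexpected table" error and placed the snat rule in the inet family

table ip nat {
  # older kernels need both nat hooks registered, so keep prerouting even though it holds no rules
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
  }
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    # rewrite the LAN source to whatever address the WAN interface currently has
    ip saddr 172.16.1.0/24 oifname enp0s25 masquerade
  }
}
```

nftables does not enable routing itself: set net.ipv4.ip_forward=1 via sysctl before loading the file with nft -f, otherwise the forward chain never sees LAN traffic.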
