NFTables: redirect HTTP on bridge


Postby BobZ » 2021-02-17 03:23

I'm trying to redirect HTTP traffic in a bridge environment under Debian.

This is my network

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:f1:c5:31 brd ff:ff:ff:ff:ff:ff
    inet 10.11.12.42/24 brd 10.11.12.255 scope global enp0s3
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 08:00:27:8f:fd:53 brd ff:ff:ff:ff:ff:ff
4: enp0s9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 08:00:27:ae:21:b9 brd ff:ff:ff:ff:ff:ff
6: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 08:00:27:8f:fd:53 brd ff:ff:ff:ff:ff:ff
    inet 10.11.18.42/24 brd 10.11.18.255 scope global br0
       valid_lft forever preferred_lft forever

enp0s3 is the management link, enp0s9 is the LAN and enp0s8 the WAN.

My /etc/nftables.conf contains the following:

table bridge BRIDGE {
    chain prenotloggedin {
        meta pkttype set host ether daddr set 08:00:27:8f:fd:53 # dest=br0 & enp0s8
        log prefix "Bridge-pre not logged in: "
        accept
    }
    chain pre {
        type filter hook prerouting priority 1;
        log prefix "Bridge-pre: "
        tcp dport { 80 } goto prenotloggedin
        accept
    }
}

I have an HTTP server listening on port 80:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp6 0 0 :::22 :::* LISTEN

In the dmesg output I see

[96140.817692] Bridge-pre: IN=enp0s9 OUT= MAC=34:e8:94:62:f0:0e:08:00:27:99:15:e3:08:00 SRC=10.11.12.57 DST=192.229.232.240 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=30844 DF PROTO=TCP SPT=51036 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

[96140.828261] Bridge-pre not logged in: IN=enp0s9 OUT= MAC=08:00:27:8f:fd:53:08:00:27:99:15:e3:08:00 SRC=10.11.12.57 DST=192.229.232.240 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=30844 DF PROTO=TCP SPT=51036 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

but the HTTP request does not get to my HTTP server.

10.11.12.57 is the LAN client. I'm wondering if I need to change the destination IP address!

Can anyone help please?
BobZ
Posts: 1
Joined: 2021-02-17 03:20

Re: NFTables: redirect HTTP on bridge

Postby p.H » 2021-02-17 10:45

Make an educated guess. What happens if a host receives an IP packet with a destination address which is not one of its own?
p.H
Posts: 1674
Joined: 2017-09-17 07:12
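The rewrite that p.H's hint points at, as an added example (this is not BobZ's config and not code from p.H): a bridge-family chain that only logs, plus an ip-family nat chain that rewrites the destination address so the host's own IP stack accepts the packet and conntrack un-translates the replies. It assumes the bridge is br0 with address 10.11.18.42 as shown in the thread, that the br_netfilter module is loaded, and that net.bridge.bridge-nf-call-iptables is set to 1 so bridged IPv4 frames traverse the ip-family hooks (both are noted in comments; the ether daddr rewrite from the original config is dropped because the NAT rule makes it unnecessary).

```nft
# Added example, not the config from the thread.
# Prerequisites (assumed, run once before loading this ruleset):
#   modprobe br_netfilter
#   sysctl -w net.bridge.bridge-nf-call-iptables=1

flush ruleset

table bridge BRIDGE {
    chain pre {
        type filter hook prerouting priority 1;
        # Logging only: the bridge-family rule must not rewrite the
        # destination MAC; delivery to the local stack is handled by
        # the NAT rule below, which changes the destination IP.
        tcp dport 80 log prefix "Bridge-pre: "
        accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Bridged frames reach the ip-family hooks with br0 as the
        # input interface (assumption based on br_netfilter), so this
        # never touches the management link enp0s3.
        # "redirect" rewrites the destination to the primary address
        # of the incoming interface (10.11.18.42 on br0) and conntrack
        # restores the original address on the reply path.
        iifname "br0" tcp dport 80 log prefix "HTTP redirect: " redirect to :80
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`; a redirected flow then shows up in `conntrack -L` with the rewritten destination. One caveat visible from the addresses in the thread: the client 10.11.12.57 sits in 10.11.12.0/24, which is the subnet of the management interface enp0s3, so the host's reply would be routed out enp0s3 rather than back through the bridge. `ip route get 10.11.12.57 from 10.11.18.42` shows which interface the kernel would pick; the redirect only completes if that route leads back to the LAN client.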

