
#1 2017-04-22 23:39:36

c4ffein
Member
Registered: 2014-07-07
Posts: 8

How to use Nftables to route port 80 to 8080

Hi, I tried to use nft to route the packets coming to my system on port 80 to a python script listening on port 8080, like the command

iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

would do.
I tried

nft add table ip   nat
nft add chain ip   nat        prerouting  { type nat    hook prerouting  priority   0 \; }
nft add chain ip   nat        postrouting { type nat    hook postrouting priority 100 \; }
nft add rule  ip   nat        prerouting  redirect
nft add rule  ip   nat        prerouting  tcp dport     80 redirect to 8000

which doesn't raise any error, but doesn't work. What could go wrong?
Thanks in advance


#2 2017-04-23 12:03:29

ayekat
Member
Registered: 2011-01-17
Posts: 1,392

Re: How to use Nftables to route port 80 to 8080

You can use the `dnat to` statement, e.g. like this:

tcp dport 80 dnat to 127.0.0.1:8080

See also the "NAT statements" section in the nft manpage.
Admittedly, I don't really know if the "to" there is necessary—I've got a similar rule in my nftables.conf without it, and it worked fine without it the last time I used it.



#3 2017-04-23 21:16:52

c4ffein
Member
Registered: 2014-07-07
Posts: 8

Re: How to use Nftables to route port 80 to 8080

Thanks for your help, I tried this, but now instead of getting a "connection refused" error, I get a "connection timed out".
I think this rule makes the incoming packets go to the correct port, but doesn't do anything about the replies. Do you know how I could fix that?


#4 2017-04-24 08:37:29

ayekat
Member
Registered: 2011-01-17
Posts: 1,392

Re: How to use Nftables to route port 80 to 8080

Ah, is it possible that you are trying to access the port from the host itself?
The prerouting and postrouting chains only apply to packets coming from outside or going outside, whereas connections to the loopback interface don't pass through those chains (this is also true for iptables, by the way).

Another thing is to check that the iptable_nat kernel module is not loaded, as it will conflict with nftables (see http://wiki.nftables.org/wiki-nftables/ … ibilities).

--edit--
Also, apparently I was wrong—`redirect` is also a valid command in nftables. Both variants should work, usually.

Last edited by ayekat (2017-04-26 06:55:24)


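For the case raised in #4 (the client running on the same host), this is an added example and not code from the thread. Locally generated packets never enter the prerouting hook, so the rewrite has to happen on the nat output hook instead. The ports are the thread's; the table name local_redirect is arbitrary, and the service is assumed to listen on port 8080 on 127.0.0.1 or on all addresses.

```nft
#!/usr/bin/nft -f
# Added example for the local case; not code from the thread. Assumes the
# service listens on port 8080 on 127.0.0.1 or on all addresses; the table
# name "local_redirect" is an assumption.

table ip local_redirect {
    # Packets this host generates for one of its own addresses (127.0.0.1,
    # or the address of eth0, say) are delivered over "lo" and skip the
    # prerouting hook entirely. The nat output hook still sees them, and
    # -100 is the usual priority for destination NAT.
    chain output {
        type nat hook output priority -100; policy accept;
        oifname "lo" tcp dport 80 redirect to :8080
    }

    # Replies come back in over "lo" and are de-translated on the input nat
    # hook. Current kernels do that without any chain being registered;
    # kernels before 4.18 needed a nat chain on the reverse hook (this is
    # why the thread's rulesets carry an empty postrouting chain), so an
    # empty one is kept here. It is harmless on newer kernels.
    chain input {
        type nat hook input priority 100; policy accept;
    }
}
```

Load it with nft -f, then test with curl http://127.0.0.1/ and curl http://<address of eth0>/ from the same host; both should reach the listener on 8080, and nft list ruleset shows the table. A ruleset like this one complements, rather than replaces, a prerouting rule for clients on other machines.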

#5 2017-05-02 13:27:09

c4ffein
Member
Registered: 2014-07-07
Posts: 8

Re: How to use Nftables to route port 80 to 8080

No, I tried from another computer on my local network... Although being able to redirect on my own computer too would be nice :)
I checked with "rmmod iptable_nat", this module is not currently loaded. I still don't know what to do...
Thanks anyway for your help!

Last edited by c4ffein (2017-05-02 13:27:53)


#6 2017-05-11 14:39:33

c4ffein
Member
Registered: 2014-07-07
Posts: 8

Re: How to use Nftables to route port 80 to 8080

Up


#7 2017-05-11 15:31:21

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 17,426

Re: How to use Nftables to route port 80 to 8080



#8 2017-05-11 16:35:08

ayekat
Member
Registered: 2011-01-17
Posts: 1,392

Re: How to use Nftables to route port 80 to 8080

Here's a minimal /etc/nftables.conf that should work:

#!/usr/bin/nft -f

table inet filter {
  chain input {
    type filter hook input priority 0;

    # Connection state based:
    ct state {established, related} accept
    ct state invalid drop

    # Allow loopback and ICMP:
    iifname lo accept
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # Open ports for services:
    tcp dport 8080 accept

    # Everything else
    reject with icmp type port-unreachable
  }

  chain forward {
    type filter hook forward priority 0;
  }

  chain output {
    type filter hook output priority 0;
  }
}

table nat {
  chain prerouting {
    type nat hook prerouting priority 0;
    tcp dport 80 dnat :8080
  }
  chain postrouting {
    type nat hook postrouting priority 0;
  }
}

Otherwise, I'm really out of ideas here...



#9 2017-05-17 01:19:50

c4ffein
Member
Registered: 2014-07-07
Posts: 8

Re: How to use Nftables to route port 80 to 8080

Sorry, I read the forum rules a long time ago, I totally forgot about the no bumping policy...

ayekat wrote:

Here's a minimal /etc/nftables.conf that should work:

Your last reply helped a lot: changing from

tcp dport 80 dnat to 127.0.0.1:8000

to

tcp dport 80 dnat :8000

made it work, thanks!


#10 2020-06-26 18:49:29

sshaikh
Member
Registered: 2019-07-03
Posts: 5

Re: How to use Nftables to route port 80 to 8080

Apologies for the necro, but this is what I found to work (searching returned this thread):

table ip nat {
        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
                tcp dport 80 redirect to 8080
        }

        chain postrouting {
                type nat hook postrouting priority 0; policy accept;
        }
}

Last edited by sshaikh (2020-06-26 18:49:59)

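The observation in #9, that "dnat :8000" worked where "dnat to 127.0.0.1:8000" timed out, has a concrete cause, and #10's redirect rule avoids it for the same reason. The ruleset below is an added example, not code from the thread; it uses the thread's port numbers with the current "redirect to :port" syntax, and assumes the service binds 0.0.0.0 or the interface address rather than only 127.0.0.1.

```nft
#!/usr/bin/nft -f
# Added example for the remote case; not code from the thread. It assumes
# the service listens on port 8080 on 0.0.0.0 (or on the interface address),
# since a port-only redirect keeps the destination address the client used.

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;

        # Works. Only the port changes; the destination address is still the
        # one the client connected to, so the reply is routed back to the
        # client and conntrack rewrites the reply's source port from 8080
        # back to 80. "redirect" is the nft counterpart of iptables'
        # -j REDIRECT; "dnat to :8080" does the same for an incoming packet.
        tcp dport 80 redirect to :8080

        # Times out (the thread's "dnat to 127.0.0.1:8000" attempt). After
        # the rewrite the packet carries a loopback destination but arrived
        # on a real interface; the routing step drops it as a martian unless
        # net.ipv4.conf.<iface>.route_localnet is set to 1. Kept commented
        # out so it cannot shadow the rule above.
        # tcp dport 80 dnat to 127.0.0.1:8080
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Intentionally empty. Replies to a prerouting DNAT are de-translated
        # on the postrouting nat hook, and kernels before 4.18 only did that
        # when a nat chain was registered there. Harmless on newer kernels.
    }
}
```

Check the file with nft -c -f before loading it with nft -f, and confirm with nft list ruleset. Two things outside this table decide whether the redirect is reachable: the filter input chain must accept dport 8080, the post-translation port, as ayekat's config in #8 does (accepting only 80 there gives "connection refused"), and ss -ltn must show the listener on 0.0.0.0:8080 or the interface address, not just 127.0.0.1:8080. Then test from another host with curl http://<host>/.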

#11 2020-06-26 19:04:54

2ManyDogs
Forum Moderator
Registered: 2012-01-15
Posts: 3,342

Re: How to use Nftables to route port 80 to 8080

Thanks for the contribution. I am going to close this old thread now.

