Hello, colleagues. We have Podman on our server, and Nginx is running in a Podman container. On the host machine, Nginx can only be accessed through port 8080 and the IP address 127.0.0.1 (meaning Nginx is only available on the local host).
curl 127.0.0.1:8080
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
I wanted to receive requests on the eth1 (192.168.168.100) interface and redirect them to 127.0.0.1:8080, then get a response back from Nginx.
/etc/nftables.conf
table inet mytable {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iif "eth1" tcp dport 80 counter dnat ip to 127.0.0.1:8080
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 127.0.0.1 counter snat ip to 192.168.168.100
    }
}
192.168.168.100:80 -> 127.0.0.1:8080 -> nginx -> 127.0.0.1:8080 -> 192.168.168.100:80 ?
Try only snat'ing 8080 traffic from loopback:
table inet mytable {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iif "eth1" tcp dport 80 counter dnat ip to 127.0.0.1:8080
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 127.0.0.1 tcp sport 8080 counter snat ip to 192.168.168.100
    }
}
Last edited by -thc (2025-03-12 08:18:36)
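An added check, not part of either post above: the kernel treats packets routed to 127.0.0.0/8 from a non-loopback interface as martians unless net.ipv4.conf.<iface>.route_localnet is 1, so the "dnat ip to 127.0.0.1:8080" rule depends on that sysctl for eth1, and enabling it loosens loopback isolation for that interface. The function names, the root parameter and the embedded sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example: find DNAT-to-loopback rules in an nftables ruleset and
# check route_localnet for the interface each rule matches on.

# Constructed sample input: the prerouting chain from the thread.
SAMPLE_RULESET='table inet mytable {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iif "eth1" tcp dport 80 counter dnat ip to 127.0.0.1:8080
    }
}'

# Read a ruleset on stdin; print the interface named by iif/iifname on
# every rule that DNATs to an address in 127.0.0.0/8.
loopback_dnat_ifaces() {
    awk '/dnat/ && /to 127\./ {
        for (i = 1; i < NF; i++)
            if ($i == "iif" || $i == "iifname") {
                gsub(/"/, "", $(i + 1))
                print $(i + 1)
            }
    }' | sort -u
}

# Read interface names on stdin; print "<iface> ok|blocked|unknown".
# $1 is the sysctl tree root (hypothetical parameter, defaults to /proc/sys).
check_route_localnet() {
    root=${1:-/proc/sys}
    while read -r iface; do
        f="$root/net/ipv4/conf/$iface/route_localnet"
        if [ ! -r "$f" ]; then
            echo "$iface unknown"    # interface not present on this host
        elif [ "$(cat "$f")" = "1" ]; then
            echo "$iface ok"         # loopback destinations are routable
        else
            echo "$iface blocked"    # DNAT to 127.0.0.1 is dropped as martian
        fi
    done
}

# On a live host: nft list ruleset | loopback_dnat_ifaces | check_route_localnet
printf '%s\n' "$SAMPLE_RULESET" | loopback_dnat_ifaces | check_route_localnet
```
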