
#1 2015-05-12 02:48:36

wulvyrn
Member
Registered: 2015-02-02
Posts: 19

nftables nat to internal webserver

I'm on wlan0 trying to access a webserver on port 80 attached to eth0 on a Raspberry Pi.
I can ping the webserver (192.168.1.142) from the Pi's eth0 (192.168.1.1).
I'm trying to get nftables set up.

Here is my current nft list ruleset:
table ip nat {
        chain prerouting {
                 type nat hook prerouting priority 0;
                 iif wlan0 tcp dport { https, http} dnat 192.168.1.142
        }

        chain postrouting {
                 type nat hook postrouting priority 0;
                 ip saddr 192.168.1.0/24 oif wlan0 snat 192.168.43.19
        }
}
table inet filter {
        chain input {
                 type filter hook input priority 0;
                 ct state { related, established} accept
                 ct state invalid drop
                 iifname "lo" accept
                 ip protocol icmp accept
                 ip6 nexthdr ipv6-icmp accept
                 tcp dport ssh accept
                 reject
        }

        chain forward {
                 type filter hook forward priority 0;
                 drop
        }

        chain output {
                 type filter hook output priority 0;
        }
}

I'm at a bit of a loss, as I've looked at a few howtos. If anyone could shed some light on this, thanks.


#2 2015-05-12 15:34:11

branch
Member
Registered: 2014-03-16
Posts: 209

Re: nftables nat to internal webserver

Your question is very unclear. I will repeat back my understanding of your setup; tell us if I have it wrong.
1) webserver(192.168.1.142) <-----> eth0(192.168.1.1) RPi wlan0(192.168.43.19) <-----> webclient(192.168.43.???)
2) the nftables ruleset you gave is the ruleset on the RPi
3) Pinging 192.168.1.142 from the RPi works. Pinging 192.168.43.19 from the webclient works. TCP connection to 192.168.1.142 from the RPi works. TCP connection to 192.168.43.19:80 from the web client does not work but you want this connection request to be forwarded to 192.168.1.142

If the above is what you have:
1) Is IP forwarding turned on in sysctl on the RPi?
2) Does it work if you flush the filter table? If not, get it to work without the filter table first.
3) Your filter table forward chain drops all packets between wlan0 and eth0, so clearly this will not work. You need to allow new connections to 192.168.1.142 on HTTP and HTTPS, and also { related, established } packets from 192.168.1.142 to 192.168.43.0/24.
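A complete ruleset that implements the three points above, added here as an example (it is not from this thread or from either poster), using the addresses in the first post (webserver 192.168.1.142, wlan0 192.168.43.19). It matches interfaces with iifname/oifname (string matches) rather than iif/oif (interface indexes), so it loads whether or not the interfaces exist yet, and its forward chain admits only new connections that the DNAT rule has already rewritten to the webserver's web ports, plus the replies to them:

```nft
# Added example (not from the thread): complete ruleset for the RPi router in the
# diagram above, using the first post's addresses. Load with: nft -f <file>
flush ruleset

table ip nat {
        chain prerouting {
                type nat hook prerouting priority -100;
                # client connections arriving on wlan0 for the web ports go to the webserver
                iifname "wlan0" tcp dport { http, https } dnat to 192.168.1.142
        }

        chain postrouting {
                type nat hook postrouting priority 100;
                # connections originating on the eth0 side leave wlan0 as the RPi;
                # replies to DNATed connections are reversed by conntrack automatically
                ip saddr 192.168.1.0/24 oifname "wlan0" snat to 192.168.43.19
        }
}

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ct state { established, related } accept
                ct state invalid drop
                iifname "lo" accept
                ip protocol icmp accept
                ip6 nexthdr ipv6-icmp accept
                tcp dport ssh accept
                reject
        }

        chain forward {
                type filter hook forward priority 0; policy drop;
                # return traffic for connections this chain already allowed
                ct state { established, related } accept
                ct state invalid drop
                # only new, DNATed connections from wlan0 to the webserver's web ports
                iifname "wlan0" oifname "eth0" ct status dnat ip daddr 192.168.1.142 tcp dport { http, https } ct state new accept
                # everything else between wlan0 and eth0 (including ping) hits the drop policy
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}
```

The forward chain deliberately does not let 192.168.43.0/24 reach 192.168.1.142 directly; if you want ping from the client side to work for testing, that needs its own accept rule rather than an open forward chain.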


#3 2015-05-12 23:56:46

wulvyrn
Member
Registered: 2015-02-02
Posts: 19

Re: nftables nat to internal webserver

Correct:
1) webserver(192.168.1.142) <-----> eth0(192.168.1.1) RPi wlan0(192.168.43.19) <-----> webclient(192.168.43.0/24)
2) yes the ruleset is what is set on the RPi
3) 192.168.1.1 can ping 192.168.1.142
192.168.43.0/24 clients cannot ping 192.168.1.142
192.168.43.0/24 clients cannot access 192.168.1.142

tcpdump -npi wlan0 port 80 shows traffic
tcpdump -npi eth0 port 80 shows no traffic (i.e. it's not being forwarded)

1) How do you set sysctl forwarding?
As a temporary measure I ran this command:
echo 1 > /proc/sys/net/ipv4/ip_forward
2) I did not flush.
I did not try it without the filter table, as the setting should have processed it before.
I'll try it without the filter table.
3) I'm a bit confused, but I'm guessing you are saying to remove the filter table so it doesn't drop packets, and it should work.

Thanks for the reply, sorry if my question was hard to read. I'll post later on my results and setup.


#4 2015-05-13 02:09:58

wulvyrn
Member
Registered: 2015-02-02
Posts: 19

Re: nftables nat to internal webserver

wlan0 is DHCP
eth0 is set as a static IP

router(192.168.43.1) <--> client(192.168.43.111) <--> RPi (192.168.43.23 wlan0) <--> RPi (192.168.1.1 eth0) to webserver (192.168.1.142)

cat /etc/sysctl.d/30-ipforward.conf
net.ipv4.ip_forward=1
net.ipv6.conf.default.forwarding=1
net.ipv6.conf.all.forwarding=1

nft list ruleset
table ip nat {
        chain prerouting {
                 type nat hook prerouting priority 0;
                 iif wlan0 tcp dport { http, https} dnat 192.168.1.142
        }

        chain postrouting {
                 type nat hook postrouting priority 0;
                 ip saddr 192.168.1.0/24 oif wlan0 snat 192.168.43.23
        }
}

1) tcpdump now shows traffic client --> RPi <--> webserver.
Traffic is not being forwarded by the RPi back to the client.
I'm not sure what I'm missing...


#5 2015-05-13 03:49:54

branch
Member
Registered: 2014-03-16
Posts: 209

Re: nftables nat to internal webserver

I don't see anything obviously wrong. What exact command are you testing with? I would use something like the following from 192.168.43.111

nc -z 192.168.43.23 80 || echo failed

Maybe try without the NAT as a sanity check.
1) flush all nft rules
2) set a route on 192.168.43.111 to the 192.168.1.0/24 via 192.168.43.23
3) test with 'nc -z 192.168.1.142 80' from 192.168.43.111
If this fails, the problem is not the NAT; check routing table on the RPi. If it succeeds, try putting log rules at various places in the nft ruleset to see where the packets are getting dropped.


#6 2015-05-13 15:32:41

wulvyrn
Member
Registered: 2015-02-02
Posts: 19

Re: nftables nat to internal webserver

It works if I set forwarding to 0 and then back to 1.

I have a small issue on start up. The above configuration does not start on boot. If I manually type systemctl start nftables, it reads the file and the rules load. Then, after stopping and starting forwarding, i.e. setting it to 0 and then setting it to 1, it works.

I've also tried some of the other default files, and systemctl starts them on bootup, but not the unique one I made.

I'm guessing the interfaces are not up when nftables is called to start, and that's why it's failing.

Last edited by wulvyrn (2015-05-13 15:59:39)


#7 2015-05-13 16:40:54

branch
Member
Registered: 2014-03-16
Posts: 209

Re: nftables nat to internal webserver

If you are configuring these interfaces with networkd then you need to put "IPForward=yes" in the [Network] section of the .network files for eth0 and wlan0, otherwise networkd will override the settings you made in /etc/sysctl.d.


#8 2015-05-13 16:55:05

wulvyrn
Member
Registered: 2015-02-02
Posts: 19

Re: nftables nat to internal webserver

echo IPForward=yes >> /etc/netctl/eth0-to-printer
echo IPForward=yes >> /etc/netctl/wlan0-iRoar

On reboot, nftables failed.
systemctl restart nftables #started nftables
Forwarding did not work with IPForward=yes; I had to manually toggle it to 0 and 1 again for forwarding to start.


#9 2015-05-13 18:25:06

branch
Member
Registered: 2014-03-16
Posts: 209

Re: nftables nat to internal webserver

OK, if you are using netctl you do not need the IPForward=yes; it is not even valid in a netctl profile.

I didn't catch that nftables was actually failing to start. Try using iifname and oifname in place of iif and oif respectively in your nftables rules. Alternately you could try adding BindsTo= directives to nftables.service to set ordering dependencies on the wlan0 and eth0 interfaces.


#10 2015-05-14 14:33:55

wulvyrn
Member
Registered: 2015-02-02
Posts: 19

Re: nftables nat to internal webserver

Changing iif and oif to iifname and oifname did the trick to have nftables start on boot; otherwise the service failed to start.

Forwarding does not work unless I toggle it to 0 and then 1.

Is there a way to enable forwarding after nftables has started?


#11 2015-05-14 15:47:01

branch
Member
Registered: 2014-03-16
Posts: 209

Re: nftables nat to internal webserver

The best thing would be to figure out why the settings in the /etc/sysctl.d file are not working. Try running

sysctl -a --pattern forward

after a reboot and make sure that all reported keys have the desired value.

If all else fails, you can write a systemd.service file of Type=oneshot that uses sysctl to toggle net.ipv4.ip_forward and order it after nftables.service, but this really should not be necessary.


#12 2015-05-15 15:32:53

wulvyrn
Member
Registered: 2015-02-02
Posts: 19

Re: nftables nat to internal webserver

sysctl -a --pattern forward #after boot up
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 0
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.wlan0.forwarding = 1
net.ipv4.conf.wlan0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.wlan0.forwarding = 1
net.ipv6.conf.wlan0.mc_forwarding = 0


sysctl -a --pattern forward #after setting forwarding to 1, no change
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0
net.ipv4.conf.wlan0.forwarding = 1
net.ipv4.conf.wlan0.mc_forwarding = 0
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv6.conf.all.forwarding = 1
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.default.forwarding = 1
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.lo.forwarding = 1
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.wlan0.forwarding = 1
net.ipv6.conf.wlan0.mc_forwarding = 0

Could you provide me an example of ip_forward.service?
My attempts at getting one to work are failing.

Thanks


#13 2015-05-15 16:26:14

branch
Member
Registered: 2014-03-16
Posts: 209

Re: nftables nat to internal webserver

Look more carefully:

$ diff after_boot after_toggle
5c5
< net.ipv4.conf.eth0.forwarding = 0
---
> net.ipv4.conf.eth0.forwarding = 1


#14 2015-05-15 19:16:58

wulvyrn
Member
Registered: 2015-02-02
Posts: 19

Re: nftables nat to internal webserver

Solution: I needed to add one line to the eth0 conf file.

cat /etc/sysctl.d/30-ipforward.conf
net.ipv4.ip_forward=1

cat /etc/systemd/network/eth0.network
[Match]
Name=eth0

[Network]
Address=192.168.1.1/24
IPForwarding=yes
IPMasquerade=yes

It then works on boot!


#15 2015-05-15 20:19:56

branch
Member
Registered: 2014-03-16
Posts: 209

Re: nftables nat to internal webserver

Glad you got it working, but that "IPMasquerade=yes" line is highly suspect. My understanding is that systemd.networkd only supports iptables. You should check the output of

sudo iptables-save

to make sure networkd is not activating iptables. You do not want iptables and nftables loaded at the same time.

ps. [SOLVED]?


#16 2015-05-15 20:47:49

wulvyrn
Member
Registered: 2015-02-02
Posts: 19

Re: nftables nat to internal webserver

There is no output from iptables-save.

I'm guessing this is SOLVED then?!
