Hi, I tried to use nft to route the packets coming to my system on port 80 to a python script listening to port 8080, like the command
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
would do.
I tried
nft add table ip nat
nft add chain ip nat prerouting { type nat hook prerouting priority 0 \; }
nft add chain ip nat postrouting { type nat hook postrouting priority 100 \; }
nft add rule ip nat prerouting redirect
nft add rule ip nat prerouting tcp dport 80 redirect to 8000
which doesn't raise any error, but doesn't work. What could go wrong?
Thanks in advance
You can use the `dnat to` statement, e.g. like this:
tcp dport 80 dnat to
See also the "NAT statements" section in the nft manpage.
Admittedly, I don't really know if the "to" there is necessary—I've got a similar rule in my nftables.conf without it, and it worked fine without it the last time I've used it.
Thanks for your help, I tried this, but now instead of getting a "connection refused" error, I get a "connection timed out".
I think this rule makes the incoming packets go to the correct port, but doesn't do anything about the replies. Do you know how I could fix that?
Ah, is it possible that you are trying to access the port from the host itself?
The prerouting and postrouting chains only apply to packets coming from outside or going outside, whereas connections to the loopback interface don't pass through those chains (this is also true for iptables, by the way).
Another thing is to check that the iptable_nat kernel module is not loaded, as it will conflict with nftables (see … ibilities).
Also, apparently I was wrong—`redirect` is also a valid command in nftables. Both variants should work, usually.
Last edited by ayekat (2017-04-26 06:55:24)
No, I tried from another computer on my local network... Although being able to redirect on my own computer too would be nice :)
I checked with "rmmod iptable_nat"; this module is not currently loaded. I still don't know what to do...
Thanks anyway for your help!
Last edited by c4ffein (2017-05-02 13:27:53)
Here's a minimal /etc/nftables.conf that should work:
#!/usr/bin/nft -f
table inet filter {
    chain input {
        type filter hook input priority 0;
        # Connection state based:
        ct state {established, related} accept
        ct state invalid drop
        # Allow loopback and ICMP:
        iifname lo accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # Open ports for services:
        tcp dport 8080 accept
        # Everything else
        reject with icmp type port-unreachable
    }
    chain forward {
        type filter hook forward priority 0;
    }
    chain output {
        type filter hook output priority 0;
    }
}
table nat {
    chain prerouting {
        type nat hook prerouting priority 0;
        tcp dport 80 dnat :8080
    }
    chain postrouting {
        type nat hook postrouting priority 0;
    }
}
Otherwise, I'm really out of ideas here...
Sorry, I read the forum rules a long time ago, I totally forgot about the no bumping policy...
Your last reply helped a lot: changing from
tcp dport 80 dnat to
tcp dport 80 dnat :8000
made it work, thanks!
Apologies for the necro but this is what I found to work (searching returned this thread):
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        tcp dport 80 redirect to 8080
    }
    chain postrouting {
        type nat hook postrouting priority 0; policy accept;
    }
}
Last edited by sshaikh (2020-06-26 18:49:59)
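As an added example (not code from any poster in this thread), a small shell function that generates the complete redirect ruleset the thread converges on, plus the nat output hook that ayekat's loopback remark implies for connections made from the host itself. The 80 and 8080 ports are the thread's; the output chain, the `oif lo` match and the -100 priority are my assumptions, following the nft manpage conventions.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): generate a minimal
# nftables ruleset for the port-80 -> port-8080 redirect discussed above.
# The output-hook chain, the oif lo match and the -100 (dstnat) priority
# are assumptions following nft conventions, not something the thread gives.
#
# usage: gen_redirect_ruleset <public_port> <local_port>
gen_redirect_ruleset() {
    pub="$1"; lport="$2"
    cat <<EOF
#!/usr/bin/nft -f
table ip nat {
    # Packets arriving from other hosts traverse the prerouting hook.
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        tcp dport $pub redirect to :$lport
    }
    # Locally generated packets never reach prerouting, so connections
    # from the host itself need the nat output hook. oif lo keeps this
    # to traffic addressed to the host's own addresses.
    chain output {
        type nat hook output priority -100; policy accept;
        oif lo tcp dport $pub redirect to :$lport
    }
}
EOF
}

# Dry-run the generated ruleset with nft's check mode (-c) when nft is
# installed; this may need CAP_NET_ADMIN. Returns 0 if the syntax is
# accepted, 2 if nft is not available to check it.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    gen_redirect_ruleset "$1" "$2" | nft -c -f -
}

# Constructed sample run: print the ruleset for the thread's ports.
gen_redirect_ruleset 80 8080
```

Pipe the output into `nft -f -` to load it; `nft list ruleset` afterwards shows whether the two redirect rules are present.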
Thanks for the contribution. I am going to close this old thread now.