You are not logged in.

Pages: 1

#1 2022-02-27 16:56:45

AlphaJack
Member
Registered: 2019-05-23
Posts: 8

[SOLVED] Cannot redirect ports with nftables

According to

- https://bbs.archlinux.org/viewtopic.php?id=225429

either

table ip nat {
 chain prerouting {
  type nat hook prerouting priority 0
  policy accept
  tcp dport 80 dnat :8080
 }
 chain postrouting {
  type nat hook postrouting priority 0
  policy drop
 }
}

or

table ip nat {
 chain prerouting {
  type nat hook prerouting priority 0
  policy accept
  tcp dport 80 redirect to 8080
 }
 chain postrouting {
  type nat hook postrouting priority 0
  policy drop
 }
}

should work to redirect external port 80 to 8080.

However, what I get is:

Feb 27 17:52:50 host systemd[1]: Starting Netfilter Tables...
Feb 27 17:52:50 host nft[576045]: /etc/nftables.conf:49:16-19: Error: Could not process rule: No such file or directory
Feb 27 17:52:50 host nft[576045]:   tcp dport 80 dnat :8080
Feb 27 17:52:50 host nft[576045]:                ^^^^
Feb 27 17:52:50 host systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
Feb 27 17:52:50 host systemd[1]: nftables.service: Failed with result 'exit-code'.
Feb 27 17:52:50 host systemd[1]: Failed to start Netfilter Tables.

or

Feb 27 17:50:51 host systemd[1]: Starting Netfilter Tables...
Feb 27 17:50:51 host nft[575613]: /etc/nftables.conf:49:16-23: Error: Could not process rule: No such file or directory
Feb 27 17:50:51 host nft[575613]:   tcp dport 80 redirect to 8080
Feb 27 17:50:51 host nft[575613]:                ^^^^^^^^
Feb 27 17:50:51 host systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
Feb 27 17:50:51 host systemd[1]: nftables.service: Failed with result 'exit-code'.
Feb 27 17:50:51 host systemd[1]: Failed to start Netfilter Tables.

The redirect has been compiled as a kernel module but it's not disabled. 
What is causing this issue? Chains are of type nat as upstream documentation requires.

Last edited by AlphaJack (2022-03-05 15:52:58)

Offline

#2 2022-02-27 17:18:25

-thc
Member
Registered: 2017-03-15
Posts: 775

Re: [SOLVED] Cannot redirect ports with nftables

Try

table ip nat {
 chain prerouting {
  type nat hook prerouting priority dstnat; policy accept;
  tcp dport 80 redirect to 8080
 }
 chain postrouting {
  type nat hook postrouting priority srcnat; policy accept;
 }
}

Last edited by -thc (2022-02-27 17:22:00)

Offline

#3 2022-02-27 18:53:37

AlphaJack
Member
Registered: 2019-05-23
Posts: 8

Re: [SOLVED] Cannot redirect ports with nftables

Feb 27 19:48:26 host systemd[1]: Starting Netfilter Tables...                                                                                                                                                   
Feb 27 19:48:26 host nft[609919]: /etc/nftables.conf:41:10-12: Error: No such file or directory; did you mean table ‘filter’ in family inet?                                                                    
Feb 27 19:48:26 host nft[609919]: table ip nat {                                                                                                                                                                
Feb 27 19:48:26 host nft[609919]:          ^^^                                                                                                                                                                  
Feb 27 19:48:26 host systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE                                                                                                           
Feb 27 19:48:26 host systemd[1]: nftables.service: Failed with result 'exit-code'.                                                                                                                              
Feb 27 19:48:26 host systemd[1]: Failed to start Netfilter Tables.

Same error if I add the chains to the `table inet filter {}` I already have

Offline

#4 2022-02-27 19:38:48

-thc
Member
Registered: 2017-03-15
Posts: 775

Re: [SOLVED] Cannot redirect ports with nftables

You can not add "nat" chains to a "filter" table. "prerouting" and "postrouting" are not valid for the "filter" table.

nftables wiki wrote:

Note that: redirect only makes sense in prerouting and output chains of NAT type.

I have tested this rule set in a virtual Arch box  - it's loaded and activated without error.

Please post your non-redacted "nftables.conf" file.

Last edited by -thc (2022-02-27 20:52:00)

Offline

#5 2022-02-27 20:29:08

Tarqi
Member
From: Ixtlan
Registered: 2012-11-27
Posts: 179
Website

Re: [SOLVED] Cannot redirect ports with nftables

-thc wrote:

You can not add "nat" chains to a "filter" table. "prerouting" and "postrouting" are not valid for the "filter" table.

This is obviously wrong. For the main problem, see the nftables wiki.

Knowing others is wisdom, knowing yourself is enlightenment. ~Lao Tse

Offline

#6 2022-03-05 15:52:16

AlphaJack
Member
Registered: 2019-05-23
Posts: 8

Re: [SOLVED] Cannot redirect ports with nftables

I got it working on x86_64, but not on aarch64. I'll better ask on the ARM forum directly.

Offline

Pages: 1

Board footer

Powered by FluxBB