Gentoo Forums
nftable router first step (SOLVED)
59729
Apprentice
Joined: 21 Jun 2004
Posts: 279

Posted: Sun Nov 06, 2016 10:47 am    Post subject: nftable router first step (SOLVED)

So my health is below shit; I'm one of those what doctors call tinfoil MSIDS lymies that got help too late, but it's getting better with a lot of treatment. It took me 6 months (a lot of hours, producing nothing), but one good day yesterday and 10 minutes' work got it installed and set up, and I found out that iptable_nat and nft_nat don't play together. I added a ruleset and I feel like shit again, so, not to drop the ball and to get finished sometime, I would really like some input on the below:

1. MASQ chain + ipv4_forward should be enough to get some NAT up and running (internal computers working with the outside world)?
2. When 1 works, policy DROP on the filter chain and related,established + ACCEPT on any servers I might need to access from the outside world would do it as a safe working firewall, right?

Thanks

Code:

nuc netfilter # ls
nf_nat_redirect.ko  nf_tables_netdev.ko  nft_ct.ko      nft_limit.ko  nft_meta.ko    nft_redir.ko        xt_addrtype.ko
nf_tables_inet.ko   nft_compat.ko        nft_exthdr.ko  nft_log.ko    nft_nat.ko     nft_reject_inet.ko
nf_tables.ko        nft_counter.ko       nft_hash.ko    nft_masq.ko   nft_rbtree.ko  nft_reject.ko

nuc netfilter # lsmod | grep nf_tables
nf_tables_ipv4          2125  0
nf_tables              51472  2 nf_tables_ipv4,nft_masq

# /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.ip_dynaddr = 1
# I'm guessing rp_filter is iptables and should later be removed?
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1


nuc netfilter # nft list ruleset
table ip nat {
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                masquerade
                masquerade random,persistent
        }

        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
        }
}
table ip filter {
        chain input {
                ct state established,related accept
        }
}
Last edited by 59729 on Tue Nov 08, 2016 11:26 am; edited 1 time in total
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5592

Posted: Mon Nov 07, 2016 2:07 am

I haven't got NAT on my main router yet, but I do have the firewall part set up; hope this is useful as an example.

/etc/local.d/firewall.start:
#!/sbin/nft -f
# vim: ft=conf
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0
        policy drop

        meta iif lo accept

        # some ICMP stuff is required, not sure what so just allow everything
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Always allow multicast traffic
        ip daddr 224.0.0.0/8 accept
        ip6 daddr ff00::/8 accept

        # Port whitelists for services
        ip saddr { 192.168.0.0/16
                 , 0.0.0.0
                 } jump lan-services
        ip6 saddr f000::/4 jump lan-services
        jump public-services

        # Standard conntrack stateful firewall thing
        ct state related,established accept

        # catch-all-unhandled line; uncomment for debugging
        counter #log level debug prefix "firewall: "
    }

    chain lan-services {
        # let broadcast traffic through
        ip daddr & 0xFF == 0xFF accept

        tcp dport { distcc
                  , domain
                  , http
                  , nfs,rpcbind
                  , postgresql
                  , ripd,zebra
                  , ssh
                  , 5001,8080 # ipfs http
                  } accept

        udp dport { bootps
                  , domain
                  , mdns
                  , nfs,rpcbind
                  , ntp
                  , routed
                  } accept
    }

    chain public-services {
        tcp dport { https
                  , imap
                  , smtp
                  , 4001 # ipfs p2p
                  } accept

        udp dport { 10666 } accept # game server stuff
    }
}
59729
Apprentice
Joined: 21 Jun 2004
Posts: 279

Posted: Mon Nov 07, 2016 9:19 am

It is very helpful, thank you.
Won't the jump to lan- or public-services miss the log level at the bottom?
Really nice to be able to use service names.
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 5592

Posted: Mon Nov 07, 2016 7:55 pm

Nope, a jump to a chain that doesn't explicitly accept or drop the packet will just return and continue on the next line; it behaves a lot like a bash script where you're looking for an exit 0 or exit 1.
59729
Apprentice
Joined: 21 Jun 2004
Posts: 279

Posted: Mon Nov 07, 2016 9:25 pm

Aha :)

It still won't work though.

In my mind I only need the first rule, though the wiki also states I need a prerouting chain; it doesn't define any content for it:
https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)
Quote:

NAT flags

Since Linux kernel 3.18, you can combine the following flags with your NAT statements:
random: randomize source port mapping.
fully-random: full port randomization.
persistent: gives a client the same source-/destination-address for each connection.
For example:
% nft add rule nat postrouting masquerade random,persistent
% nft add rule nat postrouting ip saddr 192.168.1.0/24 oif eth0 snat 1.2.3.4 fully-random

So this should work 8O :? :?:
Code:
table ip nat {
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                masquerade random,persistent
        }

        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
        }
}
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
                iif lo accept
                ip protocol icmp accept
                ct state established,related accept
                counter packets 0 bytes 0
        }

        chain lan-services {
        }

        chain public-services {
        }
}

EDIT: It might be this problem; I guess I have to recompile the kernel.
Code:
rmmod: ERROR: Module iptable_nat is builtin.
59729
Apprentice
Joined: 21 Jun 2004
Posts: 279

Posted: Tue Nov 08, 2016 8:27 am

EDIT: solved. The inet table requires both ip4 and ip6; I removed ip6 support while recompiling. Added a table called ip instead and now it works :)

*sigh*

So NAT/MASQ works now if I rmmod iptable_nat, but nothing else; I removed something that I shouldn't have:

Error: Could not process rule: Address family not supported by protocol
table inet filter {
^^^

Code:

Module                  Size  Used by
nft_masq_ipv4           1325  0
nft_masq                1503  1 nft_masq_ipv4
nft_chain_nat_ipv4      1571  0
nf_tables_ipv4          2125  0
nf_tables              56247  4 nft_masq_ipv4,nf_tables_ipv4,nft_chain_nat_ipv4,nft_masq
cfg80211              196462  0
xt_conntrack            3345  2
iptable_filter          1891  1
iptable_mangle          1803  0
ipt_MASQUERADE          1317  1
nf_nat_masquerade_ipv4     2005  2 nft_masq_ipv4,ipt_MASQUERADE
xt_nat                  2129  1
iptable_nat             2103  1
nf_conntrack_ipv4       7588  3
nf_defrag_ipv4          1523  1 nf_conntrack_ipv4
nf_nat_ipv4             4789  2 nft_chain_nat_ipv4,iptable_nat
nf_nat                 11680  3 nf_nat_ipv4,xt_nat,nf_nat_masquerade_ipv4
nf_conntrack           50579  5 nf_nat,nf_nat_ipv4,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ipv4
ip_tables              17815  3 iptable_filter,iptable_mangle,iptable_nat
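Putting the thread together: 59729's two questions (masquerade plus ip_forward for NAT; policy drop with related,established accepted for the filter), Ant P.'s point that a jump returns to the next rule when the target chain reaches its end without a verdict, and the final fix of using the ip family on a kernel built without IPv6. The ruleset below is an added example written for this page; it is not code posted by 59729, Ant P. or the nftables wiki. The interface names wan0 and lan0 and the LAN prefix 192.168.1.0/24 are placeholders. Two things differ from the listings in the thread: the filter table has a forward chain (with no base chain on the forward hook, nft filters routed packets not at all, so a router with only the input chain above forwards everything once net.ipv4.ip_forward = 1 is set), and postrouting carries a single masquerade rule, because in the first listing the bare masquerade line is terminal and matches every packet, so the random,persistent rule after it never runs.

```nft
#!/sbin/nft -f
# Added example, not from the thread. Minimal IPv4 NAT router: masquerade
# for the LAN plus a stateful filter on input and forward.
# Placeholders (assumed, not from the thread): wan0, lan0, 192.168.1.0/24.
# net.ipv4.ip_forward = 1 (already in the OP's sysctl.conf) is still required.
define wan = "wan0"
define lan = "lan0"
define lan_net = 192.168.1.0/24

flush ruleset

# Both tables use the "ip" family, which is what finally worked for the OP:
# an "inet" table needs nf_tables_inet, i.e. both IPv4 and IPv6 support.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # One masquerade rule, restricted to LAN sources leaving via WAN.
        # nat statements are terminal, so an unconditional "masquerade" in
        # front of this line would make it dead code.
        oifname $wan ip saddr $lan_net masquerade random,persistent
    }
    # The prerouting nat chain only needs rules for DNAT/port forwards;
    # leaving it empty is fine.
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
}

table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        # A jump returns here when the target chain ends without a verdict,
        # so an unmatched packet still reaches the counter/log line below
        # before the chain policy drops it.
        iifname $lan jump lan-services
        iifname $wan jump public-services
        counter log prefix "input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Only new connections from the LAN towards the WAN are allowed;
        # replies come back through the established,related rule.
        iifname $lan oifname $wan ip saddr $lan_net accept
        counter log prefix "forward-drop: "
    }

    chain lan-services {
        # Services offered to the LAN only (service names from /etc/services).
        tcp dport { ssh, domain } accept
        udp dport { domain, bootps, ntp } accept
    }

    chain public-services {
        # Only what must be reachable from the internet; anything else
        # returns to the input chain and is counted, logged and dropped.
        tcp dport { https } accept
    }
}
```

Check the file before loading it with nft -c -f firewall.nft, then load it with nft -f firewall.nft (or install it as /etc/local.d/firewall.start as Ant P. does). As the OP found, iptable_nat has to be out of the kernel (rmmod or not built in) before nft_nat masquerading takes effect.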