QUESTION :
Upgraded to Fedora 32, which uses nftables, with which I am entirely unfamiliar, and after perusing all documentation I could find, I cannot figure out how to replicate my 1:1 NAT with nftables, which means currently my mail server is unreachable.
I was using these rules with firewalld/iptables.
<passthrough ipv="ipv4">-t nat -A PREROUTING -i eno1 -d public.ip -j DNAT --to-destination 10.99.99.21</passthrough>
<passthrough ipv="ipv4">-t nat -A POSTROUTING -s 10.99.99.21 -o eno1 -j SNAT --to public.ip</passthrough>
<passthrough ipv="ipv6">-t nat -A PREROUTING -i eno1 -d public.ipv6 -j DNAT --to-destination fdb9:b611:5d5d:ffff::21</passthrough>
<passthrough ipv="ipv6">-t nat -A POSTROUTING -s fdb9:b611:5d5d:ffff::21 -o eno1 -j SNAT --to-source public.ipv6</passthrough>
I have tried this, which does not seem to work:
nft list table nat
table ip nat {
        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                ip saddr 10.99.99.21 oif "eno1" snat to public.ip
        }
        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                iif "eno1" ip daddr public.ip dnat to 10.99.99.21
        }
}
Further information: After further chasing this, it’s the SNAT rule that is not being matched for some reason.
ANSWER :
I'm going to answer my own question as I've figured it out after talking with one of the developers of firewalld on GitHub.
Apparently the problem is that both nftables and iptables are employed at the same time.
Quoting:
This makes sense. It's due to the fact that iptables and nftables rules are executed independently inside the kernel/netfilter. So your scenarios are:
iptables backend
  - your direct rules accept the packets in the FORWARD chain
  - further iptables rules in the FORWARD chain are not evaluated (due to accept)
  - firewalld rules are part of iptables, so they're not considered (due to accept)
nftables backend
  - your direct rules accept the packets in the FORWARD chain
  - further iptables rules in the FORWARD chain are not evaluated (due to accept)
  - packet is now subject to firewalld's nftables ruleset; this happens even if the packet is accepted in iptables.
  - zone is using "default" target, so packet is dropped in the FORWARD chain
  - due to drop, POSTROUTING (SNAT) is never reached
There is no fix possible as it's a result of how the kernel works. You can read more about this in the CAVEATS section of the firewalld.direct man page.
Source: https://github.com/firewalld/firewalld/issues/708
So the above nftables rules created via the iptables-nft alternatives do not work because they still use the iptables kernel code. They just show up in nft.
Detailed explanation regarding nftables and iptables interaction here:
https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables/
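For comparison, here is what the same 1:1 NAT looks like expressed natively in nftables, loaded with `nft -f` rather than through firewalld's iptables-backed direct rules. This is an added example, not code from the question, the answer, or the firewalld project. It assumes: the documentation addresses 203.0.113.10 and 2001:db8::10 stand in for the question's `public.ip` / `public.ipv6` placeholders; the table name `onetoone` is arbitrary; the forwarded ports are a guess at typical mail-server ports, since the question does not list them; and NAT in an `inet` family table needs a kernel of 5.2 or later and nftables 0.9.3 or later (both present on Fedora 32).

```nft
#!/usr/sbin/nft -f
# Added example (not from the question or answer): native nftables 1:1 NAT for
# the mail server, with the forward-hook accept that the answer shows was missing.

define wan_if = "eno1"
define pub4 = 203.0.113.10              # placeholder standing in for public.ip
define pub6 = 2001:db8::10              # placeholder standing in for public.ipv6
define srv4 = 10.99.99.21
define srv6 = fdb9:b611:5d5d:ffff::21
define mail_ports = { 25, 465, 587, 993 }   # assumed; adjust to the services actually offered

table inet onetoone {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # inbound: public address -> internal server (both families in one inet table)
        iifname $wan_if ip daddr $pub4 dnat ip to $srv4
        iifname $wan_if ip6 daddr $pub6 dnat ip6 to $srv6
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # outbound: internal server -> public address
        oifname $wan_if ip saddr $srv4 snat ip to $pub4
        oifname $wan_if ip6 saddr $srv6 snat ip6 to $pub6
    }

    # The forward hook runs between prerouting and postrouting. A drop here,
    # as in the firewalld zone described in the answer, means the SNAT rule
    # above is never reached, so the forwarded flows must be accepted explicitly.
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # new inbound connections, matched on the post-DNAT destination
        iifname $wan_if ip daddr $srv4 tcp dport $mail_ports ct state new accept
        iifname $wan_if ip6 daddr $srv6 tcp dport $mail_ports ct state new accept
        # new outbound connections from the server (outgoing mail, DNS, updates)
        oifname $wan_if ip saddr $srv4 ct state new accept
        oifname $wan_if ip6 saddr $srv6 ct state new accept
    }
}
```

Validate the file with `nft -c -f /etc/nftables/onetoone.nft` before loading it, then confirm with `nft list ruleset` that only this table is performing NAT for the server (no leftover `iptables -t nat` rules from the old configuration). One caveat that follows directly from the answer: nftables evaluates every base chain registered on a hook, and a drop verdict in any of them is final, so if firewalld is still managing this host its own forward chain must also permit these flows (through a zone or policy rather than a direct rule); otherwise the symptom in the question, DNAT working but SNAT never matching, comes back.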