en:bpi-r2:network:nftables
en:bpi-r2:network:nftables [2020/01/11 15:51] – frank | en:bpi-r2:network:nftables [2023/09/10 16:40] (current) – [NFTables] frank | ||
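--- a/en:bpi-r2:network:nftables
+++ b/en:bpi-r2:network:nftables
@@ -1,0 +1,129 @@
+====== NFTables ======
+Example from eric with combined ipv4+ipv6 (latter untested): https://
+
+forwarding: https://
+
+<
+apt install nftables
+echo 1 > /
+
+nft list ruleset
+nft add table nat
+nft add chain ip nat prerouting { type nat hook prerouting priority 100 \; }
+nft add chain ip nat postrouting { type nat hook postrouting priority 100 \; }
+nft add rule nat postrouting masquerade
+
+#
+nft add rule nat prerouting iif lan1 tcp dport 443 dnat 192.168.0.10:
+</
+
+named priorities (>
+===== links =====
+
+* https://
+* https://
+* https://
+* https://
+
+===== hwnat =====
+
+https://
+
+ipv6 mangle does not support hnat (connection reset!)
+
+to get hwnat working, a newer version of nftables is needed than available in debian buster
+
+https://
+
+compiled: https://
+
+basic IPv4 Ruleset:
+<
+flush ruleset
+table ip filter {
+flowtable f {
+hook ingress priority filter + 1
+devices = { lan3, lan0, wan }
+flags offload;
+}
+chain input {
+type filter hook input priority filter; policy accept;
+}
+
+chain output {
+type filter hook output priority filter; policy accept;
+}
+
+chain forward {
+type filter hook forward priority filter; policy accept;
+ip protocol { tcp, udp } flow add @f
+}
+}
+table ip nat {
+chain post {
+type nat hook postrouting priority filter; policy accept;
+oifname "
+}
+
+chain pre {
+type nat hook prerouting priority filter; policy accept;
+}
+}
+</
+
+basic v6 Ruleset (hw-nat for IPv6 not supported):
+
+<
+flush ruleset
+table ip6 filter {
+flowtable f {
+hook ingress priority 1
+devices = { lan3, lan0, wan }
+flags offload;
+}
+chain input {
+type filter hook input priority 0; policy accept;
+}
+
+chain output {
+type filter hook output priority 0; policy accept;
+}
+
+chain forward {
+type filter hook forward priority 0; policy accept;
+# ip6 nexthdr { tcp, udp } flow add @f
+}
+}
+table ip6 nat {
+chain post {
+type nat hook postrouting priority 0; policy accept;
+#oifname "
+}
+
+chain pre {
+type nat hook prerouting priority 0; policy accept;
+}
+}
+</
+
+test it:
+
+nft -f nft-nat-flowoffload.nft
+#generate traffic from client e.g. iperf3
+cat /
+
+IPV6-Setup
+<
+#!/bin/bash
+#on main-router:
+#ip -6 route add fd00:
+#ip -6 route add 2001:
+
+ip -6 addr add fd00:
+ip -6 addr add fd00:
+
+ip -6 addr add 2001:
+ip -6 addr add 2001:
+
+sysctl -w net.ipv6.conf.all.forwarding=1
+</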
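Review bot: In the "basic IPv4 Ruleset" every chain of `table ip filter` is declared with `policy accept;` and the input chain contains no rules, so with `wan` included in the flowtable the ruleset does NAT and hardware offload but performs no filtering at all — unsolicited traffic arriving on wan reaches both the router and the forwarded LAN hosts. The "basic v6 Ruleset" has the same shape. If these are meant as copy-paste starting points rather than pure offload tests, a minimal stateful baseline such as `ct state established,related accept` followed by `iifname "wan" drop` in the input and forward chains (placed before the `ip protocol { tcp, udp } flow add @f` rule so only already-accepted flows are offloaded) would close the wan side without losing the offload. Otherwise one sentence above each ruleset stating that the filter chains are deliberately wide open for testing would make the intent explicit. The nat chains use `priority filter` here but `priority 100` in the `nft add chain` examples at the top of the page; the named `dstnat`/`srcnat` priorities the "named priorities" note seems to point at would make the two sections agree.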