nftables 1:1 NAT (IP address to IP address)

After upgrading to Fedora 32, it uses nftables, which I am completely unfamiliar with. After carefully reading all the documentation I could find, I still cannot figure out how to replicate my 1:1 NAT with nftables, which means my mail server is currently unreachable.

I am using these rules in firewalld/iptables.

  <passthrough ipv="ipv4">-t nat -A PREROUTING -i eno1 -d public.ip -j DNAT --to-destination 10.99.99.21</passthrough>
  <passthrough ipv="ipv4">-t nat -A POSTROUTING -s 10.99.99.21 -o eno1 -j SNAT --to public.ip</passthrough>
  <passthrough ipv="ipv6">-t nat -A PREROUTING -i eno1 -d public.ipv6 -j DNAT --to-destination fdb9:b611:5d5d:ffff::21</passthrough>
  <passthrough ipv="ipv6">-t nat -A POSTROUTING -s fdb9:b611:5d5d:ffff::21 -o eno1 -j SNAT --to-source public.ipv6</passthrough>

I tried this, but it does not seem to work:

nft list table nat
table ip nat {
        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                ip saddr 10.99.99.21 oif "eno1" snat to public.ip
        }

        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                iif "eno1" ip daddr public.ip dnat to 10.99.99.21
        }
}

More information: after further tracing, it turned out that the SNAT rule is not matching for some reason.

Answer 1

I will answer my own question, since I found the answer after talking to one of the firewalld developers on GitHub.

Apparently the problem is that nftables and iptables are being used at the same time.

Quote:

This makes sense. It's due to the fact that iptables and nftables rules are executed independently inside the kernel/netfilter. So your scenarios are:

    - iptables backend
        - your direct rules accept the packets in the FORWARD chain
        - further iptables rules in the FORWARD chain are not evaluated (due to accept)
        - firewalld rules are part of iptables, so they're not considered (due to accept)
    - nftables backend
        - your direct rules accept the packets in the FORWARD chain
        - further iptables rules in the FORWARD chain are not evaluated (due to accept)
        - packet is now subject to firewalld's nftables ruleset, this happens even if the packet is accepted in iptables.
        - zone is using "default" target, so packet is dropped in the FORWARD chain
        - due to drop POSTROUTING (SNAT) is never reached

There is no fix possible as it's a result of how the kernel works. You can read more about this in the CAVEATS section of man page firewalld.direct.

Source: https://github.com/firewalld/firewalld/issues/708

So the nftables rules above, which were created through the iptables-nft compatibility layer, do not work because they still use the iptables kernel code. They merely show up in nft.

A detailed explanation of how nftables and iptables interact is here: https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables/
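The following is an added example (not part of the original post, and not firewalld's or nftables' own code) showing what the two iptables direct rules look like as a native nftables ruleset, i.e. one loaded with nft -f rather than through the iptables-nft layer. It keeps the answer's lesson in mind: the translated traffic must also be accepted in the forward hook, otherwise a drop there means the srcnat hook is never reached. The public addresses 198.51.100.10 and 2001:db8::10 are constructed documentation-range placeholders standing in for public.ip and public.ipv6; the table name nat11, the forward chain and the helper names are my own choices. It assumes this ruleset is the only firewall on the host; if firewalld is still active, its own forward chain is evaluated independently, exactly as the quoted developer explains, and a drop there will still defeat the SNAT.

```shell
#!/bin/sh
# Added example: generate a native nftables 1:1 NAT ruleset for one
# family (ip or ip6). Addresses and table name are assumptions, not
# values from the original post.

# gen_nat_table FAMILY PUBLIC_ADDR INTERNAL_ADDR IFACE
# Emits a table with dstnat, srcnat and a filter forward chain.
gen_nat_table() {
  fam="$1"; pub="$2"; inner="$3"; ifname="$4"
  cat <<EOF
table $fam nat11 {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # inbound: public address on the WAN side -> internal host
        iifname "$ifname" $fam daddr $pub dnat to $inner
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # outbound: internal host leaving via WAN -> public address
        oifname "$ifname" $fam saddr $inner snat to $pub
    }
    chain forward {
        # The forward hook runs between dstnat and srcnat. If anything
        # drops the packet here, postrouting (SNAT) is never reached.
        # Policy drop below blocks all other forwarded traffic on the host;
        # change to "policy accept" if other forwarding must keep working.
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "$ifname" $fam daddr $inner ct state new accept
        oifname "$ifname" $fam saddr $inner accept
    }
}
EOF
}

# gen_ruleset: complete, idempotent ruleset for IPv4 and IPv6.
# "table X" followed by "flush table X" lets the file be re-applied
# without duplicating rules on every nft -f run.
gen_ruleset() {
  for fam in ip ip6; do
    printf 'table %s nat11\nflush table %s nat11\n' "$fam" "$fam"
  done
  # constructed placeholder public addresses (documentation ranges)
  gen_nat_table ip  198.51.100.10 10.99.99.21 eno1
  gen_nat_table ip6 2001:db8::10 fdb9:b611:5d5d:ffff::21 eno1
}

# check_ruleset RULESET: syntax-check with nft if it is installed.
# Prints "ok", "rejected" (nft refused it, or lacked netlink privileges),
# or "skipped" when nft is not available.
check_ruleset() {
  if ! command -v nft >/dev/null 2>&1; then
    echo skipped
    return 0
  fi
  if printf '%s\n' "$1" | nft -c -f - >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

# Usage: sh nat11.sh --print   (show ruleset)
#        sh nat11.sh --apply   (load it, needs root)
case "${1:-}" in
  --print) gen_ruleset ;;
  --apply) gen_ruleset | nft -f - ;;
esac
```

The generated file can be reviewed with `--print` and validated with `nft -c -f` before being loaded; `nft list ruleset` afterwards should show the same three chains, and a connection to the public address should appear in `conntrack -L` with both the DNAT and SNAT translations applied.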
