nftables: forward HTTP traffic to a box behind NAT

I have a Debian box acting as a gateway. My nftables.conf is very simple:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority filter;
        }
        chain forward {
                type filter hook forward priority filter;
        }
        chain output {
                type filter hook output priority filter;
        }
}

table ip nat {
        chain prerouting {
                type nat hook prerouting priority filter; policy accept;
        }

        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                oifname "enp5s0" masquerade
        }
}

Now I want to change it so that incoming traffic from the internet on port 80 is redirected to the host 192.168.1.3.

I tried adding "tcp dport 80 dnat to 192.168.1.3" to nat:prerouting, but that also redirects outgoing traffic. Adding iifname "enp5s0" doesn't seem to work at all. I.e. this:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority filter;
        }
        chain forward {
                type filter hook forward priority filter;
        }
        chain output {
                type filter hook output priority filter;
        }
}

table ip nat {
        chain prerouting {
                type nat hook prerouting priority filter; policy accept;
                iifname enp5s0 tcp dport 80 dnat to 192.168.1.3
        }

        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                #oifname "enp5s0" masquerade
                masquerade
        }
}

Any idea what the right way is? Googling hasn't helped much.

Thanks!

Answer 1

Redirecting incoming traffic from the WAN is one way, but you also need to NAT the outgoing traffic, but only for the host the packets are forwarded to.

So you need to specify the source address with saddr in the postrouting chain so that it applies only to that host:

table ip nat {
        chain prerouting {
                type nat hook prerouting priority filter; policy accept;
                iifname enp5s0 tcp dport 80 dnat to 192.168.1.3
        }

        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                # This will SNAT only that host but not outgoing traffic from localhost
                ip saddr 192.168.1.3 masquerade
        }
}

Bonus:

Your prerouting chain should have the dstnat priority, not filter, so:

        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                iifname enp5s0 tcp dport 80 dnat to 192.168.1.3
        }

Keep in mind that your config is also missing a forward chain, which you probably want to configure.
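As an added example (not code from the question or the answer), here is the complete gateway ruleset with the answer's DNAT and dstnat priority plus the forward chain the answer says is missing, restricted so that only the DNATed port-80 connection and its replies are forwarded. enp5s0 and 192.168.1.3 are taken from the question; "lan0" as the LAN-side interface name is an assumption.

```nft
#!/usr/sbin/nft -f
# Added example (not from the question or answer): the answer's DNAT plus a
# forward chain that only admits the DNATed connection and its replies.
# enp5s0 and 192.168.1.3 come from the question; "lan0" is an assumed name.

flush ruleset

define wan = "enp5s0"
define lan = "lan0"          # assumed LAN-side interface name
define web = 192.168.1.3

table inet filter {
        chain input {
                type filter hook input priority filter;
        }
        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state established,related accept
                # only connections that prerouting already DNATed (port 80 from WAN)
                iifname $wan oifname $lan ct status dnat ip daddr $web tcp dport 80 accept
                # LAN hosts may still reach the internet
                iifname $lan oifname $wan accept
        }
        chain output {
                type filter hook output priority filter;
        }
}

table ip nat {
        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                iifname $wan tcp dport 80 dnat to $web
        }
        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                oifname $wan masquerade
        }
}
```

Check the syntax first with nft -c -f before loading it with nft -f; forwarding also requires net.ipv4.ip_forward=1 in sysctl, otherwise no DNATed packet is ever forwarded regardless of the ruleset.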
