# nftable router first step (SOLVED)

## 59729

So my health is below shit. I'm one of those what doctors call tinfoil MSIDS Lymies that got help too late, but it's getting better with a lot of treatment. It took me 6 months (a lot of hours, producing nothing), but one good day yesterday and 10 minutes' work got it installed and set up, and I found out that iptable_nat and nft_nat don't play together. Added a ruleset and I feel like shit again, so, not to drop the ball and to get finished sometime, I would really like some input on the below.

1. MASQ chain + ipv4_forward should be enough to get some NAT up and running (internal computers working/outside world)?

2. When 1 works, policy DROP on the filter chain and related, established + ACCEPT on any servers I might need to access from the outside world would do it as a safe working firewall, right?

Thanks

```
nuc netfilter # ls
nf_nat_redirect.ko  nf_tables_netdev.ko  nft_ct.ko      nft_limit.ko  nft_meta.ko    nft_redir.ko        xt_addrtype.ko
nf_tables_inet.ko   nft_compat.ko        nft_exthdr.ko  nft_log.ko    nft_nat.ko     nft_reject_inet.ko
nf_tables.ko        nft_counter.ko       nft_hash.ko    nft_masq.ko   nft_rbtree.ko  nft_reject.ko

nuc netfilter # lsmod | grep nf_tables
nf_tables_ipv4          2125  0
nf_tables              51472  2 nf_tables_ipv4,nft_masq

# /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.ip_dynaddr = 1
# I'm guessing rp_filter is iptables and should later be removed?
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1

nuc netfilter # nft list ruleset
table ip nat {
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                masquerade
                masquerade random,persistent
        }
        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
        }
}
table ip filter {
        chain input {
                ct state established,related accept
        }
}
```

Last edited by 59729 on Tue Nov 08, 2016 11:26 am; edited 1 time in total
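The setup asked about in this post, worked out as an added example (not code from the thread or from the nftables project): a script that generates a complete two-interface NAT router ruleset from the interface names, syntax-checks it with `nft -c -f` and loads it. The interface names `wan0`/`lan0`, the prefix `192.168.1.0/24` and the function names `ruleset`/`apply` are assumptions. It answers question 1 (masquerade on the upstream interface plus `net.ipv4.ip_forward=1`) and adds the piece question 2 leaves out: a `forward` base chain with `policy drop`. The nat table only rewrites addresses and decides nothing about what may be routed, and a default-drop `input` chain only protects the router itself. `rp_filter` is a kernel routing sysctl, not an iptables feature, so it stays useful under nftables and is set here too.

```shell
#!/bin/sh
# Added example, not from the thread: generate, check and load a NAT router
# ruleset. WAN/LAN/LAN_NET are assumptions; override them in the environment.

WAN="${WAN:-wan0}"                  # upstream interface, gets masqueraded
LAN="${LAN:-lan0}"                  # inside interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the ruleset for the given interfaces. Kept as a function so it can be
# reviewed, diffed or written to /etc/nftables.conf before anything is loaded.
ruleset() {
    wan="$1"; lan="$2"; lan_net="$3"
    cat <<EOF
flush ruleset

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Rewrite only what leaves via the upstream link. A bare "masquerade"
        # would also rewrite traffic routed between internal segments.
        oifname "$wan" masquerade
    }
    # A nat prerouting chain is only needed for dnat/redirect rules; an
    # empty one is harmless, so it is omitted here.
}

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMP/ICMPv6 carry PMTU and neighbour discovery; do not drop them.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # LAN-only services: only from the inside interface and only from the
        # expected prefix, so a spoofed source arriving on $wan cannot reach them.
        iifname "$lan" ip saddr $lan_net jump lan-services
        # Services exposed to the Internet would be accepted here; none by default.
        counter log prefix "input-drop: " drop
    }

    chain forward {
        # NAT is not a firewall: this hook decides what may be routed at all.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "$lan" oifname "$wan" ip saddr $lan_net accept
        # Nothing from $wan may open a connection into the LAN. If a dnat rule
        # is added later, its "ct status dnat" traffic must be accepted here.
        counter log prefix "forward-drop: " drop
    }

    chain lan-services {
        # Regular (non-base) chain reached by jump: a packet that matches
        # nothing here returns to input and ends at the counter/log/drop rule.
        tcp dport ssh accept
        udp dport { domain, bootps, ntp } accept
        tcp dport domain accept
    }
}
EOF
}

# Parse the generated file without installing it; a typo therefore leaves the
# running ruleset untouched. Only on success enable forwarding and load.
apply() {
    f=$(mktemp) || return 1
    ruleset "$WAN" "$LAN" "$LAN_NET" > "$f"
    rc=1
    if nft -c -f "$f"; then
        # rp_filter is a routing sysctl, independent of iptables; keep it on.
        sysctl -q -w net.ipv4.ip_forward=1 net.ipv4.conf.all.rp_filter=1 &&
        nft -f "$f" && rc=0
    fi
    rm -f "$f"
    return $rc
}

# "sh router.sh" prints the ruleset for review;
# "WAN=eth0 LAN=eth1 sh router.sh apply" (as root) loads it.
if [ "$1" = apply ]; then apply; else ruleset "$WAN" "$LAN" "$LAN_NET"; fi
```

Because the generated file starts with `flush ruleset`, `nft -f` replaces the whole ruleset in one transaction, so there is no window with half a firewall loaded.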

----------

## Ant P.

I haven't got NAT on my main router yet, but I do have the firewall part set up, hope this is useful as an example.

```
#!/sbin/nft -f

# vim: ft=conf

flush ruleset

table inet filter {

    chain input {

        type filter hook input priority 0

        policy drop

        meta iif lo accept

        # some ICMP stuff is required, not sure what so just allow everything

        ip protocol icmp accept

        ip6 nexthdr icmpv6 accept

        # Always allow multicast traffic

        ip daddr 224.0.0.0/8 accept

        ip6 daddr ff00::/8 accept

        # Port whitelists for services

        ip saddr { 192.168.0.0/16

                 , 0.0.0.0

                 } jump lan-services

        ip6 saddr f000::/4 jump lan-services

        jump public-services

        # Standard conntrack stateful firewall thing

        ct state related,established accept

        # catch-all-unhandled line; uncomment for debugging

        counter #log level debug prefix "firewall: "

    }

    chain lan-services {

        # let broadcast traffic through

        ip daddr & 0xFF == 0xFF accept

        tcp dport { distcc

                  , domain

                  , http

                  , nfs,rpcbind

                  , postgresql

                  , ripd,zebra

                  , ssh

                  , 5001,8080 # ipfs http

                  } accept

        udp dport { bootps

                  , domain

                  , mdns

                  , nfs,rpcbind

                  , ntp

                  , routed

                  } accept

    }

    chain public-services {

        tcp dport { https

                  , imap

                  , smtp

                  , 4001 # ipfs p2p

                  } accept

        udp dport { 10666 } accept # game server stuff

    }

}

```

----------

## 59729

It is very helpful, thank you.

Won't the jump to lan-services or public-services miss the log level at the bottom?

Really nice to be able to use service names.

----------

## Ant P.

Nope, a jump to a chain that doesn't explicitly accept or drop the packet will just return and continue on the next line; it behaves a lot like a bash script where you're looking for an exit 0 or exit 1.

----------

## 59729

Aha :)

It still won't work, though.

In my mind I only need the first rule; though the wiki also states I need a prerouting chain, it doesn't define any content for it.

https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)

> NAT flags
>
> Since Linux kernel 3.18, you can combine the following flags with your NAT statements:
> ...

So this should work...?

```
table ip nat {
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                masquerade random,persistent
        }
        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
        }
}
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
                iif lo accept
                ip protocol icmp accept
                ct state established,related accept
                counter packets 0 bytes 0
        }
        chain lan-services {
        }
        chain public-services {
        }
}
```

EDIT: It might be this problem; guess I have to recompile the kernel.

```
rmmod: ERROR: Module iptable_nat is builtin.
```

----------

## 59729

EDIT: solved. The inet table requires both IPv4 and IPv6; I removed IPv6 support while recompiling. Added a table called ip instead and now it works :)

*sigh*

So NAT/MASQ works now if I rmmod iptable_nat, but nothing else; I removed something that I shouldn't have:

```
Error: Could not process rule: Address family not supported by protocol
table inet filter {
^^^
```

```
Module                  Size  Used by
nft_masq_ipv4           1325  0
nft_masq                1503  1 nft_masq_ipv4
nft_chain_nat_ipv4      1571  0
nf_tables_ipv4          2125  0
nf_tables              56247  4 nft_masq_ipv4,nf_tables_ipv4,nft_chain_nat_ipv4,nft_masq
cfg80211              196462  0
xt_conntrack            3345  2
iptable_filter          1891  1
iptable_mangle          1803  0
ipt_MASQUERADE          1317  1
nf_nat_masquerade_ipv4     2005  2 nft_masq_ipv4,ipt_MASQUERADE
xt_nat                  2129  1
iptable_nat             2103  1
nf_conntrack_ipv4       7588  3
nf_defrag_ipv4          1523  1 nf_conntrack_ipv4
nf_nat_ipv4             4789  2 nft_chain_nat_ipv4,iptable_nat
nf_nat                 11680  3 nf_nat_ipv4,xt_nat,nf_nat_masquerade_ipv4
nf_conntrack           50579  5 nf_nat,nf_nat_ipv4,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ipv4
ip_tables              17815  3 iptable_filter,iptable_mangle,iptable_nat
```
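The two kernel-side failures in this thread (`iptable_nat` loaded, or built in, next to nft's own NAT chain type, and `table inet` refused after IPv6 was dropped from the kernel) turned into a pre-flight check. This is an added example, not code from the thread or from any project. It runs against saved `lsmod` output and a kernel `.config` so it works offline; on a live box feed it `lsmod` and `zcat /proc/config.gz`. The Kconfig symbol names used (`CONFIG_IP_NF_NAT` for `iptable_nat`, `CONFIG_NF_TABLES_INET`/`_IPV4`/`_IPV6` for the inet family) are my assumptions from the kernel's netfilter Kconfig of that era, and the sample inputs are constructed for the demo, the module list trimmed from the `lsmod` output above.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks for the kernel-side
# problems hit above. Config symbol names are assumptions; sample inputs are
# constructed.

# 0 if the legacy iptables NAT backend and the nft NAT chain type are loaded
# together, the combination that did not work above (both claim the NAT hooks).
nat_module_conflict() {            # $1 = file holding lsmod output
    grep -q '^iptable_nat[[:space:]]' "$1" &&
    grep -q '^nft_chain_nat_ipv4[[:space:]]' "$1"
}

# 0 if iptable_nat is compiled in: lsmod will not list it and rmmod answers
# "Module iptable_nat is builtin", so only a rebuild with =m or =n removes it.
nat_builtin() {                    # $1 = kernel .config
    grep -q '^CONFIG_IP_NF_NAT=y$' "$1"
}

# 0 if "table inet" can load: the inet family needs both the IPv4 and the IPv6
# nf_tables backends, so dropping IPv6 yields
# "Address family not supported by protocol".
inet_family_available() {          # $1 = kernel .config
    grep -Eq '^CONFIG_NF_TABLES_INET=(y|m)$' "$1" &&
    grep -Eq '^CONFIG_NF_TABLES_IPV4=(y|m)$' "$1" &&
    grep -Eq '^CONFIG_NF_TABLES_IPV6=(y|m)$' "$1"
}

# One line per check; the exit status is the number of problems found, so an
# init script can refuse to load the nft ruleset when it is non-zero.
check_kernel() {                   # $1 = lsmod output, $2 = kernel .config
    problems=0
    if nat_module_conflict "$1"; then
        echo "FAIL: iptable_nat and nft_chain_nat_ipv4 both loaded; rmmod iptable_nat"
        problems=$((problems + 1))
    fi
    if nat_builtin "$2"; then
        echo "FAIL: iptable_nat is builtin (CONFIG_IP_NF_NAT=y); set it to m or n and rebuild"
        problems=$((problems + 1))
    fi
    if inet_family_available "$2"; then
        echo "OK:   table inet usable"
    else
        echo "FAIL: need CONFIG_NF_TABLES_INET with NF_TABLES_IPV4 and NF_TABLES_IPV6"
        problems=$((problems + 1))
    fi
    return $problems
}

# Constructed sample inputs. The module list mirrors the lsmod posted above.
LSMOD_SAMPLE=$(mktemp); CFG_BROKEN=$(mktemp); CFG_FIXED=$(mktemp)
trap 'rm -f "$LSMOD_SAMPLE" "$CFG_BROKEN" "$CFG_FIXED"' EXIT
cat > "$LSMOD_SAMPLE" <<'EOF'
Module                  Size  Used by
nft_masq_ipv4           1325  0
nft_chain_nat_ipv4      1571  0
nf_tables_ipv4          2125  0
ipt_MASQUERADE          1317  1
iptable_nat             2103  1
nf_nat_ipv4             4789  2 nft_chain_nat_ipv4,iptable_nat
EOF
# Kernel rebuilt without IPv6: the inet family cannot work, NAT is builtin.
cat > "$CFG_BROKEN" <<'EOF'
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_IPV4=m
# CONFIG_NF_TABLES_IPV6 is not set
# CONFIG_NF_TABLES_INET is not set
CONFIG_IP_NF_NAT=y
EOF
# Corrected config: both backends present, legacy NAT demoted to a module.
cat > "$CFG_FIXED" <<'EOF'
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_IPV4=m
CONFIG_NF_TABLES_IPV6=m
CONFIG_NF_TABLES_INET=m
CONFIG_IP_NF_NAT=m
EOF

check_kernel "$LSMOD_SAMPLE" "$CFG_BROKEN"; echo "problems found: $?"
```

With the broken config and the posted module list the script reports all three problems; with the corrected config only the loaded-module conflict remains, which `rmmod iptable_nat` clears without a rebuild.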

----------

