List:       netfilter
Subject:    ip6 nat nftables trouble
From:       Frank Carmickle <frank () carmickle ! com>
Date:       2019-04-17 14:41:07
Message-ID: 5D1A0DDB-E47C-4B84-A74F-338184AD1586 () carmickle ! com
Greetings,

I've been using nftables for a year now and have been really enjoying it. Thank you for it.

I'm having some difficulty with ip6 masquerading, which the ip6tables equivalent is not having. Here's my config:


#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
                ct state established,related accept
                tcp dport 22 limit rate 3/minute accept
                tcp dport 80 accept
                meta l4proto { icmp, ipv6-icmp, esp, ah } accept
                udp dport {500, 4500} accept
                udp dport 33434-33534 reject
                iifname "lo" accept

        }
        chain forward {
                type filter hook forward priority 0; policy accept;
        }
        chain output {
                type filter hook output priority 0; policy accept;
                oifname "lo" accept
        }
}

table ip6 nat {
        chain prerouting {
                type nat hook prerouting priority 0;
        }

        chain postrouting {
                type nat hook postrouting priority 0;
                oifname wg0 masquerade
        }
}

When I try to do this with ip6tables it works.

# Generated by xtables-save v1.8.2 on Mon Apr 15 19:26:27 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT


I'm trying to use WireGuard as a road-warrior VPN.

Any help is greatly appreciated.

—FC
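
The following is an added example, not the poster's configuration or anything from the netfilter project. It renders and applies a road-warrior ruleset of the kind described above, with the nftables masquerade keyed on the interface packets leave on, and it checks the prerequisite that most often bites IPv6 NAT specifically: net.ipv6.conf.all.forwarding is a separate sysctl from net.ipv4.ip_forward. Two things in the post are worth noting when comparing: the working ip6tables rule is `-o eth0 -j MASQUERADE`, whereas the nft rule is `oifname wg0 masquerade`, i.e. the two rulesets rewrite traffic on different interfaces. The uplink name eth0, the tunnel name wg0 and the listen port 51820 are assumptions for the example, not facts from the post.

```shell
#!/bin/sh
# Added example (not from the original post or the netfilter project).
# Assumed names: uplink eth0, WireGuard interface wg0 listening on udp/51820.
UPLINK="${UPLINK:-eth0}"
VPN_IF="${VPN_IF:-wg0}"
WG_PORT="${WG_PORT:-51820}"

# Print an nft ruleset. Masquerade is keyed on the interface packets LEAVE
# on (the uplink), which is where the posted ip6tables rule puts it. Keying
# it on the tunnel interface instead would only rewrite traffic going back
# into the tunnel. Separate ip and ip6 nat tables are used, as in the post.
render_ruleset() {
    uplink="$1"; vpn_if="$2"; wg_port="$3"
    cat <<EOF
flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ct state established,related accept
                iifname "lo" accept
                meta l4proto { icmp, ipv6-icmp } accept
                udp dport $wg_port accept
                tcp dport 22 accept
        }
        chain forward {
                type filter hook forward priority 0; policy drop;
                ct state established,related accept
                iifname "$vpn_if" oifname "$uplink" accept
        }
}

table ip nat {
        chain prerouting {
                type nat hook prerouting priority -100;
        }
        chain postrouting {
                type nat hook postrouting priority 100;
                oifname "$uplink" masquerade
        }
}

table ip6 nat {
        # An empty prerouting nat chain is kept: older kernels need a nat
        # chain registered on that hook for the reply direction.
        chain prerouting {
                type nat hook prerouting priority -100;
        }
        chain postrouting {
                type nat hook postrouting priority 100;
                oifname "$uplink" masquerade
        }
}
EOF
}

# Return 0 if the forwarding knob stored in FILE reads "1". IPv6 forwarding
# (net.ipv6.conf.all.forwarding) is independent of net.ipv4.ip_forward; a
# host that forwards v4 fine can still silently drop v6 transit traffic.
forwarding_enabled() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Enable forwarding for both families, load the ruleset, then read back the
# ip6 postrouting chain so the masquerade rule is confirmed to be in place.
apply_ruleset() {
    forwarding_enabled /proc/sys/net/ipv6/conf/all/forwarding ||
        sysctl -w net.ipv6.conf.all.forwarding=1
    forwarding_enabled /proc/sys/net/ipv4/ip_forward ||
        sysctl -w net.ipv4.ip_forward=1
    render_ruleset "$UPLINK" "$VPN_IF" "$WG_PORT" | nft -f -
    nft list chain ip6 nat postrouting
}

# Only touch the running system when explicitly asked: ./wg-nat.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```

Run as root with `apply`; without the argument the script only defines its functions, so `render_ruleset eth0 wg0 51820` can be used to review the generated ruleset before loading it. After applying, `nft list ruleset` and a `tcpdump -ni eth0 ip6` while a road-warrior client talks to the outside should show the packets leaving with the uplink's address as source.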
