List: netfilter
Subject: ip6 nat nftables trouble
From: Frank Carmickle <frank () carmickle ! com>
Date: 2019-04-17 14:41:07
Message-ID: 5D1A0DDB-E47C-4B84-A74F-338184AD1586 () carmickle ! com
Greetings,
I've been using nftables for a year now and have been really enjoying it. Thank you for it.
I'm having some difficulty with ip6 masquerading which the ip6tables equivalent is not having. Here's my config:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        tcp dport 22 limit rate 3/minute accept
        tcp dport 80 accept
        meta l4proto { icmp, ipv6-icmp, esp, ah } accept
        udp dport {500, 4500} accept
        udp dport 33434-33534 reject
        iifname "lo" accept
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
        oifname "lo" accept
    }
}
table ip6 nat {
    chain prerouting {
        type nat hook prerouting priority 0;
    }
    chain postrouting {
        type nat hook postrouting priority 0;
        oifname wg0 masquerade
    }
}
When I try to do this with ip6tables it works.
# Generated by xtables-save v1.8.2 on Mon Apr 15 19:26:27 2019
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
I'm trying to use wireguard as a roadwarrior VPN.
Any help is greatly appreciated.
—FC
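
Added example, not part of the original message: when a NAT rule is ported between ip6tables and nftables, one check is that both rulesets masquerade on the same outgoing interface. The Python sketch below extracts that interface from the nat parts of the two dumps posted above; the function names are hypothetical and the parsers only handle the rule shapes shown in this message.

```python
import re

# Rule text copied from the message above (nat parts only).
NFT_RULESET = """
table ip6 nat {
    chain postrouting {
        type nat hook postrouting priority 0;
        oifname wg0 masquerade
    }
}
"""
IP6TABLES_SAVE = """
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

def nft_masq_ifaces(text):
    """(family, out-interface) for each masquerade rule in a nat postrouting chain."""
    found, family, in_nat_post = set(), None, False
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"table (\w+) \S+ \{", line):
            family = m.group(1)
        elif re.match(r"chain \S+ \{", line):
            in_nat_post = False  # new chain: its hook is not known yet
        elif re.match(r"type nat hook postrouting\b", line):
            in_nat_post = True
        elif in_nat_post and re.search(r"\bmasquerade\b", line):
            m = re.search(r'\boif(?:name)? "?([\w.+*-]+)"?', line)
            found.add((family, m.group(1) if m else "*"))  # "*" = any interface
    return found

def xt_masq_ifaces(text, family="ip6"):
    """Same extraction from ip6tables-save output; family is supplied by the caller."""
    found, table = set(), None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif table == "nat" and line.startswith("-A POSTROUTING") and "-j MASQUERADE" in line:
            m = re.search(r"(?:^|\s)-o (\S+)", line)
            found.add((family, m.group(1) if m else "*"))
    return found

def compare(nft_text, xt_text):
    """Interfaces masqueraded by only one of the two rulesets."""
    nft, xt = nft_masq_ifaces(nft_text), xt_masq_ifaces(xt_text)
    return {"only_nft": sorted(nft - xt), "only_xtables": sorted(xt - nft)}

if __name__ == "__main__":
    print(compare(NFT_RULESET, IP6TABLES_SAVE))
```
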