nftables 1:1 NAT (IP address to IP address)

After upgrading to Fedora 32, which uses nftables, I am completely unfamiliar with it. After carefully reading all the documentation I could find, I cannot figure out how to replicate 1:1 NAT with nftables, which means my mail server is currently unreachable.

I was using these rules with firewalld/iptables.

  <passthrough ipv="ipv4">-t nat -A PREROUTING -i eno1 -d public.ip -j DNAT --to-destination 10.99.99.21</passthrough>
  <passthrough ipv="ipv4">-t nat -A POSTROUTING -s 10.99.99.21 -o eno1 -j SNAT --to public.ip</passthrough>
  <passthrough ipv="ipv6">-t nat -A PREROUTING -i eno1 -d public.ipv6 -j DNAT --to-destination fdb9:b611:5d5d:ffff::21</passthrough>
  <passthrough ipv="ipv6">-t nat -A POSTROUTING -s fdb9:b611:5d5d:ffff::21 -o eno1 -j SNAT --to-source public.ipv6</passthrough>

I have tried this, which does not seem to work:

nft list table nat
table ip nat {
        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                ip saddr 10.99.99.21 oif "eno1" snat to public.ip
        }

        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                iif "eno1" ip daddr public.ip dnat to 10.99.99.21
        }
}

Further information: after more tracing, it turns out the SNAT rule is not being matched for some reason.

Answer 1

I will answer my own question, since I found the problem after talking to one of the Firewalld developers on GitHub.

Apparently the problem is that nftables and iptables are being used at the same time.

Quote:

This makes sense. It's due to the fact that iptables and nftables rules are executed independently inside the kernel/netfilter. So your scenarios are:

    iptables backend
        your direct rules accept the packets in the FORWARD chain
        further iptables rules in the FORWARD chain are not evaluated (due to accept)
        firewalld rules are part of iptables, so they're not considered (due to accept)
    nftables backend
        your direct rules accept the packets in the FORWARD chain
        further iptables rules in the FORWARD chain are not evaluated (due to accept)
        packet is now subject to firewalld's nftables ruleset, this happens even if the packet is accepted in iptables.
        zone is using "default" target, so packet is dropped in the FORWARD chain
        due to drop POSTROUTING (SNAT) is never reached

There is no fix possible as it's a result of how the kernel works. You can read more about this in the CAVEATS section of man page firewalld.direct.

Source: https://github.com/firewalld/firewalld/issues/708

So the nftables rules above, created through the iptables-nft compatibility layer, do not work because they still run through the iptables kernel code; they merely show up in nft.

A detailed explanation of how nftables and iptables interact is here: https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables/
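As an added example, not part of the question or the answer above: the same 1:1 NAT written natively in nftables (loaded with `nft -f`, not through iptables-nft). The quoted explanation pins the failure on the packet being dropped in the forward chain before POSTROUTING is ever reached, so this ruleset also carries an explicit filter `forward` chain that accepts the mail server's traffic, which the question's `table ip nat` had no counterpart for. The public addresses are placeholders from the RFC 5737 / RFC 3849 documentation ranges standing in for the post's `public.ip` and `public.ipv6`; the interface name and internal addresses are the ones from the question; the port set is an assumption about which mail services should be reachable.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original post): native nftables 1:1 NAT for one
# mail server plus the forward-chain accept rules the NAT needs to be reached.
# Public addresses are documentation-range placeholders (assumption).
flush ruleset

define wan      = "eno1"
define pub4     = 198.51.100.21            # stands in for public.ip
define mail4    = 10.99.99.21
define pub6     = 2001:db8::21             # stands in for public.ipv6
define mail6    = fdb9:b611:5d5d:ffff::21
define mail_tcp = { 25, 465, 587, 993 }    # SMTP, SMTPS, submission, IMAPS (assumption)

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # inbound: rewrite the public address to the mail server's address
        iifname $wan ip daddr $pub4 counter dnat to $mail4
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # outbound: present the mail server to the Internet as the public address
        oifname $wan ip saddr $mail4 counter snat to $pub4
    }
}

table ip6 nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $wan ip6 daddr $pub6 counter dnat to $mail6
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $wan ip6 saddr $mail6 counter snat to $pub6
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        # inbound: the forward hook runs after prerouting DNAT, so the
        # destination is already the internal address here
        iifname $wan ip daddr $mail4 tcp dport $mail_tcp counter accept
        iifname $wan ip6 daddr $mail6 tcp dport $mail_tcp counter accept
        # outbound from the mail server (SMTP delivery, DNS, NTP, ...)
        oifname $wan ip saddr $mail4 counter accept
        oifname $wan ip6 saddr $mail6 counter accept
    }
}
```

Check the syntax without touching the kernel with `nft -c -f mail-nat.nft`, then load it with `nft -f mail-nat.nft`. Forwarding must be enabled (`net.ipv4.ip_forward=1` and `net.ipv6.conf.all.forwarding=1`), and the ruleset assumes firewalld is stopped and disabled: if it is still running, its own nftables tables are evaluated independently of this one and its forward chain drops the packet before `postrouting` is reached, which is exactly the scenario the quoted developer describes. Note that `flush ruleset` removes every other table on the host. The `counter` statements are there for the debugging step the question got stuck on: `nft list ruleset` shows per-rule packet counts, so it is immediately visible whether the DNAT rule fired but the forward or SNAT rule never did.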
