Performing Network Address Translation (NAT)
The nat chain type allows you to perform NAT. This chain type comes with special semantics:
- The first packet of a flow is used to look up for a matching rule which sets up the NAT binding for this flow. This also manipulates this first packet accordingly.
- No rule lookup happens for follow up packets in the flow: the NAT engine uses the NAT binding information already set up by the first packet to perform the packet manipulation.
Adding a NAT rule to a filter type chain will result in an error.
Stateful NAT
The stateful NAT involves the nf_conntrack kernel engine to match/set packet stateful information and will engage according to the state of connections. This is the most common way of performing NAT and the approach we recommend you to follow.
Source NAT
If you want to source NAT the traffic that leaves from your local area network to the Internet, you can create a new table nat with the prerouting and postrouting chains:
% nft add table nat
% nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
% nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
Then, add the following rule:
% nft add rule nat postrouting ip saddr 192.168.1.0/24 oif eth0 snat 1.2.3.4
This matches for all traffic from the 192.168.1.0/24 network to the interface eth0. The IPv4 address 1.2.3.4 is used as source for the packets that match this rule.
You have to register the prerouting chain even if you have no rules there since this chain invokes the NAT engine for the packets coming in the input path.
Destination NAT
You need to add the following table and chain configuration:
% nft add table nat
% nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
% nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
Then, you can add the following rule:
% nft add rule nat prerouting iif eth0 tcp dport { 80, 443 } dnat 192.168.1.120
This redirects the incoming traffic for TCP ports 80 and 443 to 192.168.1.120. Don't forget to register the postrouting chain since this invokes the NAT engine for follow up packets going in the reply direction.
Masquerading
NOTE: masquerade is available starting with Linux Kernel 3.18.
Masquerade is a special case of SNAT, where the source address is automagically set to the address of the output interface. For example:
% nft add rule nat postrouting masquerade
Note that:
- masquerade only makes sense from postrouting chain of NAT type.
- you still have to add the prerouting nat chain, since this translate traffic in the reply direction.
Redirect
NOTE: redirect is available starting with Linux Kernel 3.19.
By using redirect, packets will be forwarded to local machine. Is a special case of DNAT where the destination is the current machine.
% nft add rule nat prerouting redirect
This example redirects 22/tcp traffic to 2222/tcp:
% nft add rule nat prerouting tcp dport 22 redirect to 2222
Note that:
- redirect only makes sense in a prerouting chain of NAT type.
- You still have to register a postrouting nat chain, so the traffic is translated in the reply direction.
NAT flags
Since Linux kernel 3.18, you can combine the following flags with your NAT statements:
- random: randomize source port mapping.
- fully-random: full port randomization.
- persistent: gives a client the same source-/destination-address for each connection.
For example:
% nft add rule nat postrouting masquerade random,persistent
% nft add rule nat postrouting ip saddr 192.168.1.0/24 oif eth0 snat 1.2.3.4 fully-random
Incompatibilities
You cannot use iptables and nft to perform NAT at the same time. So make sure that the iptable_nat module is unloaded:
% rmmod iptable_nat
Stateless NAT
This type of NAT just modifies each packet according to your rules without any other state/connection tracking.
This is valid for 1:1 mappings and is faster than stateful NAT. However, it's easy to shoot yourself on the foot. If your environment doesn't require this approach, better stick to stateful NAT.
You have to disable connection tracking for modified packets.
The example below sets IP/port for each packet (also valid in IPv6):
% nft add rule ip nat prerouting notrack ip protocol tcp ip daddr set 192.168.1.100 tcp dport set 10
% nft add rule ip6 nat prerouting notrack ip6 nexthdr tcp ip6 daddr set fe00::1 tcp dport set 10
Be sure to check our documentation regarding mangling packets and setting packet connection tracking metainformation.
To use this feature you require nftables >=0.7 and linux kernel >= 4.9.