Performing Network Address Translation (NAT)

From nftables wiki
Revision as of 12:32, 3 August 2016 by Arturo (talk | contribs) (add notice about adding NAT to a filter type chain)
Jump to navigation Jump to search

The nat chain type allows you to perform NAT. This chain type comes with special semantics:

  • The first packet of a flow is used to look up for a matching rule which sets up the NAT binding for this flow. This also manipulates this first packet accordingly.
  • No rule lookup happens for follow up packets in the flow: the NAT engine uses the NAT binding information already set up by the first packet to perform the packet manipulation.

Adding a NAT rule to a filter type chain will result in an error.

Source NAT

If you want to source NAT the traffic that leaves from your local area network to the Internet, you can create a new table nat with the prerouting and postrouting chains:

% nft add table nat
% nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
% nft add chain nat postrouting { type nat hook postrouting priority 100 \; }

Then, add the following rule:

% nft add rule nat postrouting ip saddr 192.168.1.0/24 oif eth0 snat 1.2.3.4

This matches for all traffic from the 192.168.1.0/24 network to the interface eth0. The IPv4 address 1.2.3.4 is used as source for the packets that match this rule.

You have to register the prerouting chain even if you have no rules there since this chain invokes the NAT engine for the packets coming in the input path.

Destination NAT

You need to add the following table and chain configuration:

% nft add table nat
% nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
% nft add chain nat postrouting { type nat hook postrouting priority 100 \; }

Then, you can add the following rule:

% nft add rule nat prerouting iif eth0 tcp dport { 80, 443 } dnat 192.168.1.120

This redirects the incoming traffic for TCP ports 80 and 443 to 192.168.1.120. Don't forget to register the postrouting chain since this invokes the NAT engine for follow up packets going in the reply direction.

Masquerading

NOTE: masquerade is available starting with Linux Kernel 3.18.

Masquerade is a special case of SNAT, where the source address is automagically set to the address of the output interface. For example:

% nft add rule nat postrouting masquerade

Note that:

  1. masquerade only makes sense from postrouting chain of NAT type.
  2. you still have to add the prerouting nat chain, since this translate traffic in the reply direction.


Redirect

NOTE: redirect is available starting with Linux Kernel 3.19.

By using redirect, packets will be forwarded to local machine. Is a special case of DNAT where the destination is the current machine.

% nft add rule nat prerouting redirect

This example redirects 22/tcp traffic to 2222/tcp:

% nft add rule nat prerouting tcp dport 22 redirect to 2222

Note that:

  1. redirect only makes sense in a prerouting chain of NAT type.
  2. You still have to register a postrouting nat chain, so the traffic is translated in the reply direction.

NAT flags

Since Linux kernel 3.18, you can combine the following flags with your NAT statements:

  • random: randomize source port mapping.
  • fully-random: full port randomization.
  • persistent: gives a client the same source-/destination-address for each connection.

For example:

% nft add rule nat postrouting masquerade random,persistent
% nft add rule nat postrouting ip saddr 192.168.1.0/24 oif eth0 snat 1.2.3.4 fully-random

Incompatibilities

You cannot use iptables and nft to perform NAT at the same time. So make sure that the iptable_nat module is unloaded:

% rmmod iptable_nat