Multiple NATs using nftables maps

From nftables wiki
Revision as of 03:45, 20 April 2021 by Fmyhr (talk | contribs) ("{snat|dnat} <ip_addr>" -> "{snat|dnat} to <ip_addr>}")
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Thanks to nftables Maps, if you have a previous iptables NAT (destination NAT) ruleset like this: 

% iptables -t nat -A PREROUTING -p tcp --dport 1000 -j DNAT --to-destination 1.1.1.1:1234
% iptables -t nat -A PREROUTING -p udp --dport 2000 -j DNAT --to-destination 2.2.2.2:2345
% iptables -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT --to-destination 3.3.3.3:3456

It can be easily translated to nftables in a single line: 

% nft add rule nat prerouting dnat to \
      tcp dport map { 1000 : 1.1.1.1, 2000 : 2.2.2.2, 3000 : 3.3.3.3} \
      : tcp dport map { 1000 : 1234, 2000 : 2345, 3000 : 3456 }

Likewise, in iptables NAT (source NAT): 

% iptables -t nat -A POSTROUTING -s 192.168.1.1 -j SNAT --to-source 1.1.1.1
% iptables -t nat -A POSTROUTING -s 192.168.2.2 -j SNAT --to-source 2.2.2.2
% iptables -t nat -A POSTROUTING -s 192.168.3.3 -j SNAT --to-source 3.3.3.3

Translated to a nftables one-liner: 

% nft add rule nat postrouting snat to \
      ip saddr map { 192.168.1.1 : 1.1.1.1, 192.168.2.2 : 2.2.2.2, 192.168.3.3 : 3.3.3.3 }

See also

Retrieved from "http://wiki.nftables.org/wiki-nftables/index.php?title=Multiple_NATs_using_nftables_maps&oldid=958"