NAT with nftables

Dain_Bramage · 05-21-2019, 08:04 AM

I have a 192.168.1.0/24 network with a printer on it with with a static IP of 192.168.1.124. I also have a 192.168.3.0/24 VLAN with a linux Mint19.1 computer on it.

I am wanting to use NAT with nftables to NAT all port 631 packets leaving the Mint19.1 computer to 192.168.1.124:631.

The goal is for the Mint19.1 computer to be able to access the printer on the 192.168.1.0/24 network, avoiding the need to have a separate printer.

This is my NAT table:

Code:

table ip nat {
	
	chain pre {
		type nat hook prerouting priority 0; policy accept;
	}

	chain post {
		type nat hook postrouting priority 0; policy accept;
		oif "enp3s0" snat to 192.168.1.124
	}
}

I can NAT all packets leaving the Mint19.1 computer to 192.168.1.124 but I have not been able to figure out how to act specifically on the port 631 packets. Does anyone know the nftables NAT rule to do this?

thinknix · 05-24-2019, 02:47 PM

I think you're asking the wrong question, you don't need to NAT anything, you just need to allow access from one network to another on a single port.

Is the linux firewall the only host between the two networks? If so the routing should work as-is (both outbound and reply packets will be sent to the default gateway on each host, which should be your firewall), as long as you add an iptables rule to allow the port 631 traffic from your Mint box to the print server. You can verify that the routing works by pinging 192.168.1.124 from the 192.168.3.0/24 network, assuming the ICMP traffic is allowed across the firewall. If you cannot ping across the two networks, we will need to know more about how you have your network setup as far as routers/firewalls and interfaces on them (a simple ascii diagram would help in that case).