Download your favorite Linux distribution at LQ ISO.
Go Back > Blogs > serafean
User Name


Rate this Entry

nftables NAT

Posted 10-03-2016 at 05:04 PM by serafean
Updated 10-03-2016 at 05:08 PM by serafean

Finally getting around to writing the continuation of this howto. Now lets take a look at a basic router firewall.
Basic ruleset configuration is described here.
This ruleset only sets up ipv4 nating, no filtering is set up (that will be covered later)
The following is an nft configuration file. To be loaded with nft -f.
define if_wan = eth0
table ip filter {
        map tcp_nat_map {type inet_service : ipv4_addr;}
        map udp_nat_map {type inet_service : ipv4_addr;}
        chain input {
                type filter hook input priority 2;
                ip protocol icmp accept comment "Accept all icmp"

        chain prerouting {
                type nat hook prerouting priority -100;
                iif $if_wan dnat tcp dport map {50001 :, 50932 :, 56764 : }
                iif $if_wan dnat tcp dport map @tcp_nat_map
                iif $if_wan dnat udp dport map @udp_nat_map
        chain postrouting {
                type nat hook postrouting priority -100;
                oif $if_wan masquerade random #NAT only on WAN interface
On the first line, I define the $if_wan variable to the output interface which is used throughout the ruleset. Note that it is used alongside "iif", which matches interfaces based on interface indexes (as oposed to iifname, which matches by comparing with the name string). This implies that by using iif, the interface has to exist before I load the rules (when using iifname, the interface can be created later).

Then I define an ipv4 specific table (the "ip" part in the table definition means ipv4).
Then I define two maps, which will be used for forwarding ports to hosts, all of which can be specified at runtime. One for UDP, one for TCP.
Next up is the basic input chain, where I accept all ICMP (to not break the internet - like when MTU clamping is needed) and all packets related to outgoing connections.
Finally I declare the prerouting and postrouting chains, which take care of all NAT related things.
               iif $if_wan dnat tcp dport map { 222 :, 280 :, 243 :}
Are two rules for NAT forwarding, the first being set statically (ports 222, 280 and 243 redirected to This could also be rewritten like
iif $if_wan tcp dport {222, 280, 243 } dnat
iif $if_wan dnat tcp dport map @tcp_nat_map
creates a dynamic natting rule, meaning port forwarding can be added without reloading the ruleset.
Dynamically adding NAT forwarding can be done with
nft add element ip filter tcp_nat_map { $PORT : $ADDRESS }
Big thanks to those who wrote the nftables wiki content.
Posted in nftables
Views 2836 Comments 0
« Prev     Main     Next »
Total Comments 0




All times are GMT -5. The time now is 02:26 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration