6.3. Configuring NAT using nftables
With
nftables
, you can configure the following network address translation (NAT
) types:
- Masquerading
- Source NAT (
SNAT
) - Destination NAT (
DNAT
) - Redirect
6.3.1. The different NAT types: masquerading, source NAT, destination NAT, and redirect
These are the different network address translation (
NAT
) types:
Masquerading and source NAT (SNAT)
Use one of these
NAT
types to change the source IP address of packets. For example, Internet Service Providers do not route private IP ranges, such as 10.0.0.0/8
. If you use private IP ranges in your network and users should be able to reach servers on the Internet, map the source IP address of packets from these ranges to a public IP address.
Both masquerading and
SNAT
are very similar. The differences are:
- Masquerading automatically uses the IP address of the outgoing interface. Therefore, use masquerading if the outgoing interface uses a dynamic IP address.
SNAT
sets the source IP address of packets to a specified IP and does not dynamically look up the IP of the outgoing interface. Therefore,SNAT
is faster than masquerading. UseSNAT
if the outgoing interface uses a fixed IP address.
Destination NAT (DNAT)
Use this
NAT
type to route incoming traffic to a different host. For example, if your web server uses an IP address from a reserved IP range and is, therefore, not directly accessible from the Internet, you can set a DNAT
rule on the router to redirect incoming traffic to this server.
Redirect
This type is a special case of DNAT that redirects packets to the local machine depending on the chain hook. For example, if a service runs on a different port than its standard port, you can redirect incoming traffic from the standard port to this specific port.
6.3.2. Configuring masquerading using nftables
Masquerading enables a router to dynamically change the source IP of packets sent through an interface to the IP address of the interface. This means that if the interface gets a new IP assigned,
nftables
automatically uses the new IP when replacing the source IP.
The following procedure describes how to replace the source IP of packets leaving the host through the
ens3
interface to the IP set on ens3
.
Procedure 6.9. Configuring masquerading using nftables
- Create a table:
# nft add table nat
- Add the
prerouting
andpostrouting
chains to the table:# nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; } # nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
Important
Even if you do not add a rule to theprerouting
chain, thenftables
framework requires this chain to match incoming packet replies.Note that you must pass the--
option to thenft
command to avoid that the shell interprets the negative priority value as an option of thenft
command. - Add a rule to the
postrouting
chain that matches outgoing packets on theens3
interface:# nft add rule nat postrouting oifname "ens3" masquerade
6.3.3. Configuring source NAT using nftables
On a router, Source NAT (
SNAT
) enables you to change the IP of packets sent through an interface to a specific IP address.
The following procedure describes how to replace the source IP of packets leaving the router through the
ens3
interface to 192.0.2.1
.
Procedure 6.10. Configuring source NAT using nftables
- Create a table:
# nft add table nat
- Add the
prerouting
andpostrouting
chains to the table:# nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; } # nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
Important
Even if you do not add a rule to theprerouting
chain, thenftables
framework requires this chain to match outgoing packet replies.Note that you must pass the--
option to thenft
command to avoid that the shell interprets the negative priority value as an option of thenft
command. - Add a rule to the
postrouting
chain that replaces the source IP of outgoing packets throughens3
with192.0.2.1
:# nft add rule nat postrouting oifname "ens3" snat to 192.0.2.1
Additional resources
- For more information, see Section 6.6.2, “Forwarding incoming packets on a specific local port to a different host”
6.3.4. Configuring destination NAT using nftables
Destination
NAT
enables you to redirect traffic on a router to a host that is not directly accessible from the Internet.
The following procedure describes how to redirect incoming traffic sent to port
80
and 443
of the router to the host with the 192.0.2.1
IP address.
Procedure 6.11. Configuring destination NAT using nftables
- Create a table:
# nft add table nat
- Add the
prerouting
andpostrouting
chains to the table:# nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; } # nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
Important
Even if you do not add a rule to the postrouting chain, thenftables
framework requires this chain to match outgoing packet replies.Note that you must pass the--
option to thenft
command to avoid that the shell interprets the negative priority value as an option of thenft
command. - Add a rule to the prerouting chain that redirects incoming traffic on the
ens3
interface sent to port 80 and 443 to the host with the 192.0.2.1 IP:# nft add rule nat prerouting iifname ens3 tcp dport { 80, 443 } dnat to 192.0.2.1
- Depending on your environment, add either a SNAT or masquerading rule to change the source address:
- If the
ens3
interface used dynamic IP addresses, add a masquerading rule:# nft add rule nat postrouting oifname "ens3" masquerade
- If the
ens3
interface uses a static IP address, add aSNAT
rule. For example, if theens3
uses the 198.51.100.1 IP address:# nft add rule nat postrouting oifname "ens3" snat to 198.51.100.1
Additional resources
- For more information, see Section 6.3.1, “The different NAT types: masquerading, source NAT, destination NAT, and redirect”
6.3.5. Configuring a redirect using nftables
The
redirect
feature is a special case of destination network address translation (DNAT) that redirects packets to the local machine depending on the chain hook.
The following procedure describes how to redirect incoming and forwarded traffic sent to port 22 of the local host to port 2222.
Procedure 6.12. Configuring a redirect using nftables
- Create a table:
# nft add table nat
- Add the prerouting chain to the table:
# nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; }
Note that you must pass the--
option to thenft
command to avoid that the shell interprets the negative priority value as an option of thenft
command. - Add a rule to the prerouting chain that redirects incoming traffic on port 22 to port 2222:
# nft add rule nat prerouting tcp dport 22 redirect to 2222
Additional resources
- For more information, see Section 6.3.1, “The different NAT types: masquerading, source NAT, destination NAT, and redirect”