6.3. Configuring NAT using nftables
Using nftables, you can configure the following network address translation (NAT) types:
- Masquerading
- Source NAT (SNAT)
- Destination NAT (DNAT)
- Redirect
6.3.1. The different NAT types: masquerading, source NAT, destination NAT, and redirect
These are the different network address translation (NAT) types:
Masquerading and source NAT (SNAT)
Use one of these NAT types to change the source IP address of packets. For example, Internet Service Providers do not route private IP ranges, such as 10.0.0.0/8. If you use private IP ranges in your network and users should be able to reach servers on the Internet, map the source IP address of packets from these ranges to a public IP address.
Masquerading and SNAT are very similar. The differences are:
- Masquerading automatically uses the IP address of the outgoing interface. Therefore, use masquerading if the outgoing interface uses a dynamic IP address.
- SNAT sets the source IP address of packets to a specified IP and does not dynamically look up the IP of the outgoing interface. Therefore, SNAT is faster than masquerading. Use SNAT if the outgoing interface uses a fixed IP address.
Destination NAT (DNAT)
Use this NAT type to route incoming traffic to a different host. For example, if your web server uses an IP address from a reserved IP range and is, therefore, not directly accessible from the Internet, you can set a DNAT rule on the router to redirect incoming traffic to this server.
Redirect
This type is a special case of DNAT that redirects packets to the local machine depending on the chain hook.
6.3.2. Configuring masquerading using nftables
Masquerading enables a router to dynamically change the source IP of packets sent through an interface to the IP address of that interface. This means that if the interface gets a new IP assigned, nftables automatically uses the new IP when replacing the source IP.
The following procedure describes how to replace the source IP of packets leaving the host through the ens3 interface with the IP set on ens3.
Procedure 6.9. Configuring masquerading using nftables
- Create a table:
# nft add table nat
- Add the prerouting and postrouting chains to the table:
# nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; }
# nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
Important
Even if you do not add a rule to the prerouting chain, the nftables framework requires this chain to match incoming packet replies.
Note that you must pass the -- option to the nft command to prevent the shell from interpreting the negative priority value as an option of the nft command.
- Add a rule to the postrouting chain that matches outgoing packets on the ens3 interface:
# nft add rule nat postrouting oifname "ens3" masquerade
6.3.3. Configuring source NAT using nftables
Source NAT (SNAT) enables you to change the IP of packets sent through an interface to a specific IP address.
The following procedure describes how to replace the source IP of packets leaving the host through the ens3 interface with 192.0.2.1.
Procedure 6.10. Configuring source NAT using nftables
- Create a table:
# nft add table nat
- Add the prerouting and postrouting chains to the table:
# nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; }
# nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
Important
Even if you do not add a rule to the prerouting chain, the nftables framework requires this chain to match outgoing packet replies.
Note that you must pass the -- option to the nft command to prevent the shell from interpreting the negative priority value as an option of the nft command.
- Add a rule to the postrouting chain that replaces the source IP of outgoing packets through ens3 with 192.0.2.1:
# nft add rule nat postrouting oifname "ens3" snat to 192.0.2.1
Additional resources
- For more information, see Section 6.6.2, “Forwarding incoming packets on a specific local port to a different host”
6.3.4. Configuring destination NAT using nftables
Destination NAT enables you to redirect traffic on a router to a host that is not directly accessible from the Internet.
The following procedure describes how to redirect incoming traffic sent to port 80 and 443 of the router to the host with the 192.0.2.1 IP address.
Procedure 6.11. Configuring destination NAT using nftables
- Create a table:
# nft add table nat
- Add the prerouting and postrouting chains to the table:
# nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; }
# nft add chain nat postrouting { type nat hook postrouting priority 100 \; }
Important
Even if you do not add a rule to the postrouting chain, the nftables framework requires this chain to match outgoing packet replies.
Note that you must pass the -- option to the nft command to prevent the shell from interpreting the negative priority value as an option of the nft command.
- Add a rule to the prerouting chain that redirects incoming traffic on the ens3 interface sent to port 80 and 443 to the host with the 192.0.2.1 IP:
# nft add rule nat prerouting iifname ens3 tcp dport { 80, 443 } dnat to 192.0.2.1
- Depending on your environment, add either a SNAT or masquerading rule to change the source address:
  - If the ens3 interface uses dynamic IP addresses, add a masquerading rule:
  # nft add rule nat postrouting oifname "ens3" masquerade
  - If the ens3 interface uses a static IP address, add a SNAT rule. For example, if ens3 uses the 198.51.100.1 IP address:
  # nft add rule nat postrouting oifname "ens3" snat to 198.51.100.1
Additional resources
- For more information, see Section 6.3.1, “The different NAT types: masquerading, source NAT, destination NAT, and redirect”
6.3.5. Configuring a redirect using nftables
The redirect feature is a special case of destination network address translation (DNAT) that redirects packets to the local machine depending on the chain hook.
Procedure 6.12. Configuring a redirect using nftables
- Create a table:
# nft add table nat
- Add the prerouting chain to the table:
# nft -- add chain nat prerouting { type nat hook prerouting priority -100 \; }
Note that you must pass the -- option to the nft command to prevent the shell from interpreting the negative priority value as an option of the nft command.
- Add a rule to the prerouting chain that redirects incoming traffic on port 22 to port 2222:
# nft add rule nat prerouting tcp dport 22 redirect to 2222
Additional resources
- For more information, see Section 6.3.1, “The different NAT types: masquerading, source NAT, destination NAT, and redirect”
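The four procedures above (6.9 to 6.12) each issue separate nft add commands; running them twice appends every rule a second time. The following added example, which is not part of the Red Hat documentation, builds the same nat table as one nft script and loads it atomically with nft -f, so a re-run replaces the table instead of duplicating rules, and the negative priority needs no -- guard in file syntax. The interface and addresses are the documentation's examples; the function names, the WAN_IF/DNAT_TO/SNAT_TO parameters and the decision to restrict the redirect rule to the WAN interface are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation. Assumed helper names.

# build_nat_ruleset WAN_IF DNAT_TO [SNAT_TO]
# Prints an nft script for the nat table of Procedures 6.9-6.12. With SNAT_TO
# empty, masquerading is used (dynamic WAN address); otherwise snat to SNAT_TO.
build_nat_ruleset() {
    wan_if=$1
    dnat_to=$2
    snat_to=$3
    if [ -n "$snat_to" ]; then
        src_rule="snat to $snat_to"
    else
        src_rule="masquerade"
    fi
    # "add" then "flush" makes the load idempotent without touching other tables.
    cat <<EOF
add table ip nat
flush table ip nat
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # forward web traffic arriving on the WAN interface (Procedure 6.11)
        iifname "$wan_if" tcp dport { 80, 443 } dnat to $dnat_to
        # port 22 -> 2222 on this host (Procedure 6.12); the text's rule has
        # no iifname, so it would also apply to internal interfaces
        iifname "$wan_if" tcp dport 22 redirect to 2222
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$wan_if" $src_rule
    }
}
EOF
}

# check_and_load FILE: syntax-check with 'nft -c -f' before applying.
check_and_load() {
    nft -c -f "$1" || return 1
    nft -f "$1"
}

main() {
    f=$(mktemp)
    build_nat_ruleset ens3 192.0.2.1 "${SNAT_TO:-}" > "$f"
    if [ "${1:-}" = apply ]; then
        check_and_load "$f" && nft list table ip nat
    else
        cat "$f"   # dry run: print the generated ruleset only
    fi
    rm -f "$f"
}
main "$@"
```

Run it without arguments to inspect the generated ruleset, or as root with the apply argument (and SNAT_TO=198.51.100.1 in the environment for a fixed WAN address) to check and load it.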