Home / server / Questions / 1034595
Accepted
Polizi8
Asked: 2020-09-20 15:59:54 +0800 CST

NFTables: is it possible to forward traffic without masquerading it?

  • 772

I have a remote server (B) that forwards certain incoming traffic to another port of a different server (A, dest).
With "masquerade" I only see traffic coming from the forward server (B), is it possible to see traffic coming from the original sources (C)? If I replace "masquerade" with "accept" I can't reach anymore port 8080 of destination (A).

Sketch:

C -> B:25 -> A:8080
# A receives C requests as if B made them
# Unfortunately this breaks some implementations like SPF

NFTables configuration:

# define destination address
define dest = 10.0.0.2

# table for smtp forwarding
table ip smtp {
 chain pre {
  type nat hook prerouting priority -100
  tcp dport 25 dnat to $dest:8080
 }
 chain post {
  type nat hook postrouting priority 100
  ip daddr $dest masquerade
 }
}
smtp port-forwarding nftables masquerade ip-forwarding

1 Answers

  1. Best Answer

    As Tero Kilkanen was so nice to answer my question, i can provide you hopefully with an minimal working example.

    Preconditions:

    1. IP forward has to be activated (check with sysctl -a | grep forward) on remote server
    2. both server must be in the same network
    3. Your different server must have the remote server as default gateway (Is this possible in your case?)
    4. Kernel should be 4.18 otherwise you need to also define a postrouting rule (see nftables wiki)
    5. Your External interface of the remote server is enp35s0 otherwise replace accordingly

    Given this you can use the following NFTables rules

    table ip nat {
        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
                iif "enp35s0" tcp dport 25 dnat to 10.0.0.2:8080
        }
}
table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}

    To debug check tcpdump on the different server

    • 0