nftables loopback connections not working in CentOS 7

I have removed firewalld and installed nftables in CentOS 7 (kernel 3.10.0-1160.42.2.el7.x86_64). My ruleset is as follows:

# nft list ruleset

table ip my_table {
        set ssh_evils {
                type ipv4_addr
        }

        set sip_evils {
                type ipv4_addr
        }

        set dialers {
                type ipv4_addr
        }

        set sip_origins {
                type ipv4_addr
                elements = { 27.a.b.c, 51.p.q.r,
                             139.x.y.z }
        }

        set port_fw {
                type ipv4_addr
                elements = { 27.a.b.c }
        }

        set iax_ports {
                type inet_service
                elements = { 4501 }
        }

        chain input {
                type filter hook input priority 0; policy drop;
                iif "lo" accept
                tcp dport ssh ip saddr @ssh_evils counter packets 0 bytes 0 drop
                udp dport sip ip saddr @sip_evils counter packets 0 bytes 0 drop
                ct state vmap { invalid : drop, established : accept, related : accept, new : accept }
                udp dport { 1100-1199, 10000-20000 } accept
                udp dport @iax_ports accept
                udp dport { sip } ip saddr @sip_origins accept
                udp dport { sip } ip saddr @dialers accept
                tcp dport { ssh, http, https } accept
                icmp type echo-request limit rate 500/second accept
        }

        chain dummy1 {
                type filter hook prerouting priority -100; policy accept;
        }

        chain dummy2 {
                type filter hook forward priority 0; policy accept;
        }

        chain dummy3 {
                type filter hook postrouting priority 100; policy accept;
        }

        chain port_forward {
                type nat hook prerouting priority -10; policy accept;
                tcp dport 40004 ip saddr @port_fw dnat to 192.168.101.4:http
                tcp dport 40005 ip saddr @port_fw dnat to 192.168.101.5:http
                tcp dport 40009 ip saddr @port_fw dnat to 192.168.101.9:http
                tcp dport 50001 ip saddr @port_fw dnat to 10.1.1.2:http
        }

        chain sip_forward {
                type nat hook prerouting priority -10; policy accept;
                udp dport { 6060-6080 } redirect to :sip
        }

        chain tmp_forward {
                type nat hook prerouting priority -10; policy accept;
        }

        chain masq {
                type nat hook postrouting priority 10; policy accept;
                masquerade
        }
}

I have uninstalled firewalld completely and don't have any iptables rules.

But this nftables configuration does not allow loopback connections; even ping 127.0.0.1 times out.

Other things (e.g. http, ssh, port forwarding etc.) work perfectly.

I could not find any solution to this. nft monitor prints nothing.


I figured it out! The problem was the unconditional masquerading rule.

I replaced

chain masq {
        type nat hook postrouting priority 10; policy accept;
        masquerade
}

with

chain masq {
        type nat hook postrouting priority 10; policy accept;
        oif != "lo" masquerade
}

and the problem is solved!

mangohost
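As an added example (not code from the question or the answer above): a small Python lint that reads an `nft list ruleset` dump and flags any masquerade rule in a nat postrouting chain that has no outgoing-interface match, which is exactly the condition that broke loopback here. The sample ruleset embedded below is constructed from the question's `masq` chain; the parser only understands the indented `nft list ruleset` layout shown on this page.

```python
"""Lint an `nft list ruleset` dump for masquerade rules that also hit loopback."""
import re

# Constructed sample: the postrouting chain from the question (plus a filter chain to skip).
SAMPLE_RULESET = """\
table ip my_table {
        chain input {
                type filter hook input priority 0; policy drop;
                iif "lo" accept
        }
        chain masq {
                type nat hook postrouting priority 10; policy accept;
                masquerade
        }
}
"""


def parse_chains(ruleset):
    """Yield (table, chain, type-line, [rules]) for every chain in an `nft list ruleset` dump."""
    table = chain = None
    chain_type, rules = "", []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if m := re.match(r"^table\s+(\S+)\s+(\S+)\s*\{", line):
            table = f"{m.group(1)} {m.group(2)}"
        elif m := re.match(r"^chain\s+(\S+)\s*\{", line):
            chain, chain_type, rules = m.group(1), "", []
        elif line == "}" and chain is not None:
            yield table, chain, chain_type, rules
            chain = None
        elif chain is not None and line.startswith("type "):
            chain_type = line  # e.g. "type nat hook postrouting priority 10; policy accept;"
        elif chain is not None and line:
            rules.append(line)


def unguarded_masquerade(ruleset):
    """Return (table, chain, rule) for masquerade rules in nat postrouting chains that
    carry no outgoing-interface match, i.e. rules that also rewrite loopback traffic."""
    findings = []
    for table, chain, ctype, rules in parse_chains(ruleset):
        if "type nat" not in ctype or "hook postrouting" not in ctype:
            continue
        for rule in rules:
            if "masquerade" in rule and not re.search(r"\boif(name)?\b", rule):
                findings.append((table, chain, rule))
    return findings


if __name__ == "__main__":
    for table, chain, rule in unguarded_masquerade(SAMPLE_RULESET):
        print(f'{table} / chain {chain}: "{rule}" masquerades on every interface, lo included')
```

Feed it `nft list ruleset` output before and after adding the `oif != "lo"` match to confirm the finding disappears.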
