nftables natting with source IP


I have a server in a datacenter which is a Proxmox server. On the server (one of many, they are in a Proxmox cluster) I am hosting various VMs.

Services on the VMs are exposed through iptables (using ufw) natting like the following example:

-A PREROUTING -i eno1 -p tcp -d <public_ip> --dport 21 -j DNAT --to-destination <local_ip>:<port>
-A PREROUTING -i eno1 -p tcp -d <public_ip> --dport 23 -j DNAT --to-destination <local_ip>:<port>
-A PREROUTING -i eno1 -p tcp -d <public_ip> --dport 10090:10100 -j DNAT --to-destination <local_ip>:<port>

The VMs are connected using a virtual bridge NIC, as the Proxmox documentation states (Proxmox docs). This works. However, there is one downside: the VM does not receive the source IP of the connecting party. This gives me limited options for IP filtering and logging on various other VMs.

Now I am looking at a similar solution for nftables (which will replace, or has replaced, iptables).

Is there a way to set up natting or forwarding rules that will allow the source IP to send to the VM?


You can do the same rules in nftables this way:

table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # inet family: the address family must be given with "dnat ip to"
        iif eno1 ip daddr { <public_ip> } tcp dport 21 dnat ip to <local_ip>:<port>
        iif eno1 ip daddr { <public_ip> } tcp dport 23 dnat ip to <local_ip>:<port>
        iif eno1 ip daddr { <public_ip> } tcp dport 10090-10100 dnat ip to <local_ip>:<port>
    }
}

Although, Destination NAT does not rewrite the source IP, so you should see the real source IP. If you can't, you might have a Source NAT rule in the postrouting NAT table that you want to delete. You can check it with iptables -t nat -L.
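To make the "look for a source NAT rule in postrouting" check from the answer repeatable, here is an added example (not from the question, the answer or Proxmox) that parses `nft list ruleset` text and reports the snat/masquerade rules that would rewrite the client address on connections DNAT'ed to a VM. The ruleset, interface names (eno1, vmbr0) and addresses are constructed for the example; the rule that masquerades toward the bridge is the one that hides the client IP, while the usual outbound masquerade on the uplink does not.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed sample of `nft list ruleset` output: a DNAT to the VM plus two masquerade rules
SAMPLE_RULESET = """
table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iif "eno1" ip daddr 203.0.113.10 tcp dport 21 dnat ip to 10.0.0.5:21
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oif "vmbr0" ip daddr 10.0.0.0/24 masquerade
        oif "eno1" ip saddr 10.0.0.0/24 masquerade
    }
}
"""

def parse_chains(text):
    """Map chain name -> [hook, [rule lines]] from `nft list ruleset` text."""
    chains, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("chain "):
            cur = chains[line.split()[1]] = [None, []]
        elif line == "}":
            cur = None
        elif cur and line.startswith("type "):
            cur[0] = line.split()[3]  # hook name, e.g. "postrouting"
        elif cur and line:
            cur[1].append(line)
    return chains

def field(rule, key):  # value of a simple match such as `oif "vmbr0"` or `ip daddr 10.0.0.0/24`
    return m.group(1) if (m := re.search(rf'\b{key} "?([^\s"]+)"?', rule)) else None

def source_hiding_rules(text):
    """Postrouting snat/masquerade rules that would rewrite the source of DNAT'ed flows."""
    chains = parse_chains(text)
    targets = [(field(r, "iif"), ip_address(m.group(1)))
               for hook, rules in chains.values() if hook == "prerouting"
               for r in rules for m in [re.search(r"dnat (?:ip )?to ([\d.]+)", r)] if m]
    hits = []
    for rule in [r for hook, rules in chains.values() if hook == "postrouting" for r in rules]:
        if not re.search(r"\b(masquerade|snat)\b", rule) or field(rule, "ip saddr"):
            continue  # no source rewrite, or scoped by saddr (assumed VM subnet, not clients)
        # Inbound flows leave on the bridge, so a rule bound to the uplink cannot match them
        oif, net = field(rule, "oif"), ip_network(field(rule, "ip daddr") or "0.0.0.0/0", False)
        if any(oif != up and ip in net for up, ip in targets):
            hits.append(rule)
    return hits
```

Run it against the real output of `nft list ruleset` on the Proxmox host; every rule it prints is a candidate for removal if the VM should see the original client address.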

