NAT with masquerade on different interfaces that access different network with Nftables

Maeln

4/14/23, 10:03 AM

I have a server that is connected to two network :

10.0.0.0/24 through an interface wlan0
192.168.1.0/24 through an interface eth0

I want to setup a Wireguard VPN to make both network accessible from outside. I activated ip forwarding in my config (with sysctl). Now I need to setup a NAT in order to route my requests from the VPN server through the two local network. I use nftables to setup the NAT.

My issue is, for a machine with only one interface, I would use the following configuration :

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr 10.2.0.0/24 oifname eth0 masquerade
    }
}

But here, I don't want to route everything through eth0, I want to specifically route everything meant for 10.0.0.0/24 through wlan0 and everything meant for 192.168.1.0/24 through eth0. How can I achieve this with nftables ?

311

0 + 0

networking

debian

nftables

Score:0

Server

Maeln

4/15/23, 8:46 AM

I found the answer by myself in the end, so here is how to do it : You have to use the ip daddr parameter to filter by destination address. My final rule set is the following :

table ip nat {

        chain PREROUTING {
            type nat hook prerouting priority filter; policy accept;
        }
    
        chain POSTROUTING {
            type nat hook postrouting priority srcnat; policy accept;
            ip saddr 10.2.0.0/24 ip daddr 192.168.0.0/16 oifname "eth0" masquerade
            ip saddr 10.2.0.0/24 ip daddr 10.0.0.0/24 oifname "wlan0" masquerade
        }
}

This works perfectly.

0 + 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: NAT with masquerade on different interfaces that access different network with Nftables

TH: NAT พร้อมหน้ากากบนอินเทอร์เฟซต่างๆ ที่เข้าถึงเครือข่ายต่างๆ ด้วย Nftables

RO: NAT cu masquerade pe diferite interfețe care accesează diferite rețele cu Nftables

RU: NAT с маскарадом на разных интерфейсах, которые обращаются к другой сети с помощью Nftables

VI: NAT với giả mạo trên các giao diện khác nhau truy cập mạng khác nhau bằng Nftables

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.