I have the following situation:
- A Debian Linux host with multiple VMs running on it.
- One VM is set up as a mail server.
- nftables on the host redirects the mail traffic from the world to the mail VM with NAT.
My problem is that when I want to send an email from another VM on the same host, it tries to connect to the host because of the DNS entry, but the host doesn't forward this traffic to the mail VM.
My current NAT rule for the mail server looks like:
table inet nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname $dev_wan ip daddr $wan_ipv4 tcp dport $mail_tcp_ports dnat to $ip_mail4
    }
}
And in the forward chain I allow this kind of traffic:
chain forward {
    type filter hook forward priority 0; policy drop;
    # allow established and outgoing traffic
    iifname $dev_wan oifname $dev_bridge ip daddr $vm_net4 ct state { established, related } accept
    iifname $dev_bridge oifname $dev_wan ip saddr $vm_net4 accept comment "allow traffic from vm bridge to wan"
    # allow in/out traffic over bridge
    iifname $dev_bridge oifname $dev_bridge accept
    # allow new mail connections from wan to the mail VM
    iifname $dev_wan ip daddr $ip_mail4 oifname $dev_bridge tcp dport $mail_tcp_ports accept
}
How can I configure nftables to correctly route mail traffic from one VM to another?
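The following is an added example of the hairpin (NAT loopback) configuration this situation calls for; it is not part of the original question. It reuses the question's variable names, the addresses are constructed RFC 5737 samples, and $ip_bridge4 (the host's own address on the VM bridge) is an assumed name.

```nft
# Hairpin NAT: a VM on the bridge that resolved the public name connects to
# $wan_ipv4, so the host must (1) DNAT that traffic to the mail VM exactly as it
# does for Internet clients and (2) SNAT it so the reply comes back via the host
# rather than straight across the bridge with a source address the client never
# talked to.
define dev_wan        = eth0
define dev_bridge     = br0
define wan_ipv4       = 203.0.113.10     # constructed sample public address
define ip_bridge4     = 192.0.2.1        # assumed: host address on the bridge
define ip_mail4       = 192.0.2.25       # constructed sample mail VM address
define vm_net4        = 192.0.2.0/24
define mail_tcp_ports = { 25, 465, 587, 993 }

table inet nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Internet -> mail VM (the rule from the question)
        iifname $dev_wan ip daddr $wan_ipv4 tcp dport $mail_tcp_ports dnat to $ip_mail4
        # other VM -> public address -> mail VM (the missing hairpin DNAT)
        iifname $dev_bridge ip saddr $vm_net4 ip daddr $wan_ipv4 tcp dport $mail_tcp_ports dnat to $ip_mail4
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hairpin SNAT: client VM and mail VM share the bridge, so without this the
        # mail VM would answer the client directly from $ip_mail4 and the client
        # would discard the reply as not belonging to its connection to $wan_ipv4.
        ip saddr $vm_net4 ip daddr $ip_mail4 oifname $dev_bridge tcp dport $mail_tcp_ports snat to $ip_bridge4
        # outbound VM traffic to the Internet (assumed to exist in your ruleset already)
        oifname $dev_wan ip saddr $vm_net4 masquerade
    }
}
```

The existing `iifname $dev_bridge oifname $dev_bridge accept` rule in the forward chain already passes the hairpinned connection, but note that the mail VM then sees every such client as $ip_bridge4, so its logs and any per-client rate limiting lose the real source. If that matters, a split-horizon DNS view that resolves the mail host's name to $ip_mail4 for VMs avoids the hairpin entirely.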