NFTables (NAT)

For nftables on PC see NFTables (PC). For Server see NFTables (Server).

For NAT:

  • Chains of type nat exist only in the ip, ip6 and inet address families.
  • The ARP address family only supports the input and output hooks, so it cannot do NAT.
  • The bridge address family supports the prerouting, input, forward, output and postrouting hooks, but not chains of type nat.
  • Masquerading is a kind of source NAT: the source address is rewritten to the address of the outgoing interface, which is what you want on an uplink with a dynamic address.
  • On older kernels only one NAT hook per address family can be registered, so nftables masquerade will not work while iptables NAT (the iptable_nat module) is in the kernel: unload it (rmmod iptable_nat) or keep it from being loaded.
table ip nat {
    # Destination NAT: rewrite the destination before the routing decision.
    # Priority -100 (dstnat) runs after conntrack (-200) and before any
    # prerouting filter chain (0), the same ordering iptables uses.
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # dnat rules (port forwards) go here
    }
    # Source NAT. Masquerading is a kind of source NAT that uses the address
    # of the outgoing interface.
    # Only valid in chains of type nat hooked at postrouting (the output path).
    # Make sure masquerading is enabled in the kernel (CONFIG_NFT_MASQ; true
    # for default distribution kernels).
    # On older kernels nftables masquerade will not work if iptables NAT
    # (iptable_nat) is loaded: unload or disable it.
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname { enp3s0, tun0 } masquerade
    }
}
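The following POSIX shell script is an added example, not part of the original page: it builds the NAT table above for a small router (masquerade the LAN behind the uplink, plus one DNAT port forward), refuses to install it while iptable_nat is loaded, dry-runs the ruleset with nft -c before committing it, and turns on IPv4 forwarding. The interface name enp3s0, the LAN prefix 192.168.1.0/24, the forwarded port 2222 and the target host 192.168.1.10:22 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: install an nftables NAT table for a router. Interface, LAN
# prefix, forwarded port and target host below are assumed values.
set -eu

WAN_IF="${WAN_IF:-enp3s0}"                  # assumed uplink interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # assumed LAN prefix
DNAT_PORT="${DNAT_PORT:-2222}"              # assumed public port to forward
DNAT_TARGET="${DNAT_TARGET:-192.168.1.10:22}" # assumed internal host:port

# Emit the ruleset. DNAT hooks prerouting at -100 (dstnat, before routing),
# SNAT hooks postrouting at 100 (srcnat, after routing).
nat_ruleset() {
    cat <<EOF
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iifname "$WAN_IF" tcp dport $DNAT_PORT dnat to $DNAT_TARGET
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        ip saddr $LAN_NET oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Return 0 if lsmod-style input on stdin lists the iptable_nat module.
# Older kernels register one NAT hook per family, so a loaded iptable_nat
# keeps the nft nat chains above from registering.
iptable_nat_loaded() {
    grep -Eq '^iptable_nat[[:space:]]'
}

apply_nat() {
    if lsmod | iptable_nat_loaded; then
        echo "iptable_nat is loaded; rmmod iptable_nat before using nft nat" >&2
        return 1
    fi
    # -c parses and checks the ruleset without changing the live one.
    nat_ruleset | nft -c -f -
    nat_ruleset | nft -f -
    sysctl -w net.ipv4.ip_forward=1
    nft list table ip nat
}

# Only touch the host when run as "./nat.sh apply"; sourcing the file just
# defines the functions so the ruleset can be inspected with nat_ruleset.
if [ "${1:-}" = apply ]; then
    apply_nat
fi
```

The NAT table only rewrites addresses; the forwarded connections still have to be allowed by the forward chain of your filter table, so add a rule there for the DNAT target (or for established traffic from the LAN) before expecting the port forward to pass traffic.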

Resources

en/security/network/detection/tools/nftables.txt · Last modified: 2020/07/20 10:42 by Digital Dot