Hey,
I installed Debian 10 Buster and Proxmox 6 on my machine and decided to use nftables instead of iptables (since it is the designated successor). It's a server with one public IP, so I use NAT and masquerading.
Everything is working fine. The Host can ping the internet and its containers. Also the containers have internet, can ping each other and the host. So far so good.
But I'm not able to forward a port to a container and I can't see any problem.
I'm trying to connect via SSH to my container and my host should do this:
190.190.190.190:11122 --> 10.0.0.20:22
Easy, but I always get a timeout from my ssh client.
I can connect from my Proxmox host to the container using SSH, so sshd in the container is working. The problem must be in my nftables configuration.
I activated forwarding in my host's kernel
My
My
I installed Debian 10 Buster and Proxmox 6 on my machine and decided to use nftables instead of iptables (since it is the designated successor). It's a server with one public IP, so I use NAT and masquerading.
Everything is working fine. The Host can ping the internet and its containers. Also the containers have internet, can ping each other and the host. So far so good.
But I'm not able to forward a port to a container and I can't see any problem.
I'm trying to connect via SSH to my container and my host should do this:
190.190.190.190:11122 --> 10.0.0.20:22
Easy, but I always get a timeout from my ssh client.
I can connect from my Proxmox host to the container using SSH, so sshd in the container is working. The problem must be in my nftables configuration.
I activated IP forwarding in my host's kernel; `/proc/sys/net/ipv4/ip_forward` contains:
Bash:
1
My
/etc/network/interfaces
looks like:
Bash:
# Loopback
auto lo
iface lo inet loopback
# WAN interface: the server's single public address (values are placeholders).
# `netmask 22` is a prefix length; ifupdown accepts it in place of a dotted mask.
allow-hotplug ens3
auto ens3
iface ens3 inet static
address 190.190.190.190 # public IP
netmask 22 # hosting's netmask
gateway 190.190.190.1 # hosting's gateway
# Intranet 1: host-only bridge (no physical port) for guests in 10.0.0.0/24.
# The host is the gateway at 10.0.0.1; guest traffic leaves via NAT on ens3
# (see the masquerade rule in /etc/nftables.conf).
auto vmbr0
iface vmbr0 inet static
address 10.0.0.1
netmask 255.255.255.0
bridge-ports none
bridge-stp off
bridge-fd 0
# Intranet 2: host-only bridge for 10.0.10.0/24, gateway 10.0.10.1.
auto vmbr10
iface vmbr10 inet static
address 10.0.10.1
netmask 255.255.255.0
bridge-ports none
bridge-stp off
bridge-fd 0
# Intranet 3: host-only bridge for 10.0.20.0/24, gateway 10.0.20.1.
auto vmbr20
iface vmbr20 inet static
address 10.0.20.1
netmask 255.255.255.0
bridge-ports none
bridge-stp off
bridge-fd 0
My
/etc/nftables.conf
looks like:
Bash:
#!/usr/sbin/nft -f
# Remove every existing table before loading this file.
# NOTE(review): on a Proxmox host this also wipes tables created by other
# tools -- pve-firewall manages its rules through iptables, which on Debian 10
# uses the nf_tables backend by default -- so make sure pve-firewall is
# disabled, or the two rule sets will keep overwriting each other.
flush ruleset
############################
# DEFINES
############################
#
# Interfaces
#
define wan0 = ens3 # public-facing interface (see /etc/network/interfaces)
#
# Host Ports
#
define port_ssh = 2222 # SSH port of the host itself; must match sshd_config
define port_proxmox = 8006 # Proxmox VE web UI
#
# NAT Networks
#
define lan0 = 10.0.0.0/24 # vmbr0
define lan10 = 10.0.10.0/24 # vmbr10
define lan20 = 10.0.20.0/24 # vmbr20
#
# Machine IPs
#
define lxc_100 = 10.0.0.20 # test server (container on vmbr0)
############################
# FILTER TABLE (main table)
############################
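table inet filter {
    # TCP ports the host itself answers on, from any source address.
    # NOTE(review): this exposes the Proxmox web UI (8006) to the whole
    # internet; consider restricting it to trusted source addresses or a VPN.
    set tcp_accepted {
        type inet_service;
        flags interval;
        elements = {
            $port_ssh,
            $port_proxmox,
        }
    }

    # UDP ports the host itself answers on; currently none.
    set udp_accepted {
        type inet_service;
        flags interval;
        # elements = {
        #     http, https, 53,
        # }
    }

    # Traffic addressed to the host itself.
    chain input {
        type filter hook input priority 0; policy drop;
        # Packets of connections the host already accepted (and related flows).
        ct state {established, related} accept
        # Packets conntrack cannot classify (bad TCP flags, out of window, ...).
        ct state invalid drop
        # Loopback.
        iifname lo accept
        # ICMP needed for reachability tests and error / path-MTU signalling.
        ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
        # ICMPv6 including neighbour discovery, without which IPv6 does not work.
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable, packet-too-big, nd-router-advert, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query } accept
        # Host services from the sets above.
        tcp dport @tcp_accepted accept
        udp dport @udp_accepted accept
        # Everything else: answer with an ICMP error instead of a silent drop.
        reject with icmpx type port-unreachable
    }

    # Traffic routed through the host, i.e. between the bridges and the WAN.
    # Whatever is not accepted here is dropped by the chain policy; this also
    # keeps the three bridge networks (vmbr0/vmbr10/vmbr20) isolated from
    # each other, which is the existing behaviour.
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies and related flows of connections already allowed in either
        # direction (LAN -> WAN and DNATed WAN -> LAN).
        ct state {established, related} accept
        ct state invalid drop
        # Outbound: the NAT networks may reach the internet via the WAN
        # interface.  The source set matches the masquerade rule in table
        # ip nat, so nothing leaves with a private, unmasqueraded source.
        ip saddr { $lan0, $lan10, $lan20 } oifname $wan0 accept
        # Inbound from the WAN: only new connections that the nat prerouting
        # chain has DNATed, i.e. explicit port forwards.  The previous
        # `iifname ens3 accept` forwarded *every* packet arriving on the WAN
        # and made the rules after it unreachable.
        iifname $wan0 ct status dnat accept
        # Explicit drop for the remaining WAN packets (same as the policy).
        iifname $wan0 drop
    }

    # Traffic originating from the host itself: everything is allowed.
    chain output {
        type filter hook output priority 0; policy accept;
        oifname lo accept
    }
}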
############################
# NAT TABLE
############################
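table ip nat {
    # Destination NAT: port forwards from the public address to guests.
    chain prerouting {
        type nat hook prerouting priority 0;
        # Public port 11122 on the WAN interface -> SSH on the test container.
        # Limited to packets arriving on $wan0 so that guests on the bridges
        # cannot reach the forward through the host's own addresses.
        # NOTE: the forward chain in table inet filter must also accept the
        # DNATed flow (e.g. `ct status dnat accept`), otherwise the packet is
        # dropped after translation and the client only sees a timeout.
        iifname $wan0 tcp dport 11122 dnat to $lxc_100:22
    }

    # Source NAT: rewrite guest source addresses to the public address on
    # the way out.  The single set rule is equivalent to one masquerade rule
    # per network.
    chain postrouting {
        type nat hook postrouting priority 0;
        ip saddr { $lan0, $lan10, $lan20 } oifname $wan0 masquerade
    }
}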