user1178488

Reputation: 61

Can't get nftables to redirect port 80 to 8080

I've tried setting up my server so it redirects traffic for port 80 to port 8080, but it doesn't work. (I get "Connection refused" errors if I telnet to port 80, and "Unable to connect" with Firefox.)

I have been able to get it to work using iptables, but would prefer using nftables. Does anybody have an idea what the problem might be? (In case it's relevant, the server is running on linode.com, with a kernel provided by linode.)

I've got the following in /etc/nftables.conf:

#!/usr/sbin/nft -f

flush ruleset

table ip fw {
        chain in {
                type filter hook input priority 0;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated from us
                ct state established,related accept

                # accept ssh, alternative http
                tcp dport { ssh, http, http-alt } ct state new counter accept

                counter drop
        }
}

table ip nat {
        chain prerouting {
                type nat hook prerouting priority 0;
                tcp dport http redirect to http-alt
        }

        chain postrouting {
                type nat hook postrouting priority 0;
        }
}

Upvotes: 2

Views: 5847

Answers (2)

adabru

Reputation: 774

If you're routing on localhost only, try using

table ip nat {
   chain output {
      type nat hook output priority 0;
      tcp dport http redirect to http-alt
   }
}

Some years ago I read that, with iptables, packets on the loop device don't traverse the prerouting chains but instead go through the output chains. That was my problem.

Upvotes: 3

Josh Hansen

Reputation: 151

Did you mean table inet filter instead of table ip fw?

If so, I had a similar problem. Changing the ip nat prerouting priority to -101 got it working, but I'm not sure why. It might be related to the default priority for NF_IP_PRI_NAT_DST (-100): destination NAT. The only range that seemed to work was -101 to -200.

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
   chain input {
      type filter hook input priority 0;
      counter

      # accept any localhost traffic
      iif lo accept

      # accept traffic originated from us
      ct state {established,related} accept

      # activate the following line to accept common local services
      tcp dport { 22, 80, 443, 9443 } ct state new accept

      # accept neighbour discovery otherwise IPv6 connectivity breaks.
      ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

      # count and drop any other traffic
      counter drop
   }
}

table ip nat {

   chain input {
      type nat hook input priority 0;
      counter
   }

   chain prerouting {
      type nat hook prerouting priority -101;
      counter
      tcp dport 443 counter redirect to 9443
   }

   chain postrouting {
      type nat hook postrouting priority 0;
      counter
   }
}

The counter rules make it easy to see whether the chain is even being processed; the counter values can be seen via nft list ruleset.

Upvotes: 2
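Putting the two answers together, here is a complete /etc/nftables.conf for the original 80 -> 8080 case. This is an added example, not a ruleset posted by either answerer: it keeps a prerouting redirect for connections arriving from other hosts (adabru's point is that locally generated packets never pass prerouting, so a second redirect sits in the nat output hook) and carries the per-chain counter rules from Josh Hansen's answer so you can see which chain a test connection actually hit. The nat chains use priority -100, the value of NF_IP_PRI_NAT_DST mentioned above. It assumes the service really listens on 0.0.0.0:8080 and that ssh is on port 22.

```nft
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0;
        counter

        # accept any localhost traffic
        iif lo accept

        # accept traffic originated from us
        ct state established,related accept

        # ssh plus the web service. After the redirect below, a packet
        # that was sent to port 80 reaches this hook with dport already
        # rewritten to 8080, so 8080 is what has to be accepted here.
        tcp dport { 22, 8080 } ct state new counter accept

        # count and drop everything else
        counter drop
    }
}

table ip nat {
    # connections from other hosts enter here (assumed NF_IP_PRI_NAT_DST = -100)
    chain prerouting {
        type nat hook prerouting priority -100;
        counter
        tcp dport 80 counter redirect to :8080
    }

    # connections the server opens to itself (telnet localhost 80,
    # curl 127.0.0.1) skip prerouting and are NATed here instead.
    # 'oif lo' limits this to traffic the box routes back to itself;
    # without it, every outbound HTTP request the server makes to the
    # internet would also be redirected to the local 8080 service.
    chain output {
        type nat hook output priority -100;
        counter
        oif lo tcp dport 80 counter redirect to :8080
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        counter
    }
}
```

Check the file with `nft -c -f /etc/nftables.conf` before loading it, then after a test connection from localhost and one from another host compare `nft list ruleset`: the localhost attempt should increment the output chain's counters and the remote one the prerouting chain's counters. If only the bare chain counter moves and the redirect rule's counter stays at zero, the packet reached the chain but did not match the rule (wrong port, or an IPv6 connection, which the `ip` family nat table never sees).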
