I have a problem setting up a DNAT in POSTROUTING (I really need it for a project).
In the beginning, I tried to set it using iptables with this command:

```
iptables -t nat -A POSTROUTING -p icmp -d 30.0.0.1 -j DNAT --to-destination 40.0.0.1
```

but iptables gave me this error:

```
iptables v1.8.7 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain POSTROUTING
```
Then I read on the iptables man page that it is not possible to do what I'm trying to do.
After that, I tried to do the same thing using nftables with these commands:

```
nft add table nat
nft 'add chain nat postrouting { type nat hook postrouting priority -100; }'
nft add rule nat postrouting oif wg-1to2 dnat to 40.0.0.1
```

But nftables returned this error:

```
Error: Could not process rule: Operation not supported
```
I don't think it is possible to set a POSTROUTING DNAT with nftables.
Am I wrong, or am I making some mistake?
If it is not possible, why? Is it just something that is not implemented?
Are there some technical problems that make it impossible to implement?
How would you solve this problem?
Thanks in advance
NFTABLES: How to DNAT in POSTROUTING
1.8k views Asked by Francesco Cheinasso At
Francesco, to my understanding, you cannot do DNAT in POSTROUTING.
The reason is that in the (kernel) routing/forwarding code, several parameters get adjusted based on the destination contained in your packets (e.g., next hop, interface where this packet has to be sent from, MAC address to reach the next hop).
If you do DNAT, hence you change the destination address in your packet, the above parameters may become invalid, hence you may need to traverse the routing/forwarding code again. However, given the position of the POSTROUTING hook in the Linux kernel, this is no longer possible. For instance, SNAT is perfectly supported instead.
A possible solution to this problem is to write an eBPF program that does DNAT and adjusts the above parameters. Hope this helps.
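For readers who land here with the same error, the following nftables ruleset is an added example (it is neither the asker's nor the answerer's code) showing where each translation is accepted: `dnat` on the prerouting and output hooks, which run before the routing decision, and source translation on the postrouting hook, which runs after it and is therefore the only place an `oif`/`oifname` match on the egress interface is meaningful. It reuses the addresses 30.0.0.1 and 40.0.0.1 and the interface name wg-1to2 from the question; the table name, the choice of masquerade for the postrouting chain, and the assumption that the host forwards traffic between some LAN interface and wg-1to2 are mine.

```nft
#!/usr/sbin/nft -f
# Added example ruleset, not part of the original question or answer.
# Assumed topology: this host forwards packets from a LAN towards the
# WireGuard interface wg-1to2 (interface name taken from the question).

# Declaring the table before flushing makes the file safe to re-run.
table ip nat
flush table ip nat

table ip nat {
    # DNAT is only accepted on the prerouting and output hooks: both run
    # before the routing decision, so the kernel routes the packet on the
    # rewritten destination and picks the right egress interface/next hop.
    chain prerouting {
        # priority -100 is the same value the question used (named "dstnat")
        type nat hook prerouting priority -100; policy accept;
        # forwarded ICMP addressed to 30.0.0.1 is sent to 40.0.0.1 instead
        ip protocol icmp ip daddr 30.0.0.1 counter dnat to 40.0.0.1
    }

    # Locally generated packets never pass prerouting; the output hook
    # is the pre-routing NAT point for them (a ping from this host itself).
    chain output {
        type nat hook output priority -100; policy accept;
        ip protocol icmp ip daddr 30.0.0.1 counter dnat to 40.0.0.1
    }

    # Source translation belongs after routing, which is exactly what the
    # postrouting hook is for: the egress interface is already decided,
    # so matching on oifname is valid here. Only snat/masquerade are
    # accepted in this chain; a dnat statement here is what produced
    # "Operation not supported" in the question.
    chain postrouting {
        # priority 100 (named "srcnat"): after the dstnat chains and routing
        type nat hook postrouting priority 100; policy accept;
        oifname "wg-1to2" counter masquerade
    }
}
```

Load it with `nft -f <file>` as root and check with `nft list table ip nat`: after a ping to 30.0.0.1 the `counter` on the prerouting (or output) rule increments, and conntrack reverses the translation on the echo replies, so the original sender still sees answers from 30.0.0.1. Whether you want masquerade in postrouting depends on whether 40.0.0.1 can route replies back to the original source on its own; if it can, the postrouting chain can be left empty.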