Ubuntu router using nftables blocking traffic

1 vote
1 answer
292 views
I'm trying to set up a simple router in Ubuntu. There are two network interfaces: eth0 - a wired network interface connected to the internet, and wlan0 - configured as an AP with IP address 10.0.9.1. IPv4 forwarding is enabled. I'm using dnsmasq with the following configuration:
interface=wlan0
dhcp-range=10.0.9.2,10.0.9.30,255.255.255.0,12h
dhcp-host=40:a3:6b:c1:9a:54,10.0.9.100
The devices connect to my AP and get assigned IP addresses correctly. Now configuring the NAT. My nftables config looks like this:
table ip nat {
        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                iif "eth0" tcp dport 8010 dnat to 10.0.9.100:80
                iif "eth0" tcp dport 9001 dnat to 10.0.9.100:9001
        }

        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                oif "eth0" masquerade
        }
}
This setup works as expected:

* Devices connected to wlan0 can reach the internet via eth0
* Devices connected to wlan0 can connect to a server on the router at 10.0.9.1
* Device with IP 10.0.9.100 can be reached on port 8010 and 9001 thru eth0

However, I'd like to set up a simple firewall to protect the devices from unauthorized access. This is what I have added to my nftables config:
table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                ct state vmap { established : accept, related : accept, invalid : drop }
                iifname lo accept
                icmp type echo-request limit rate 5/second accept
                ip protocol icmp drop

                iif "eth0" tcp dport { ssh, 8080 } accept
        }

        chain forward {
                type filter hook forward priority 0; policy drop;

                ct status dnat accept
                iif "wlan0" oif "wlan0" accept
                iif "wlan0" oif "eth0" accept
                iif "eth0" oif "wlan0" ct state established,related accept
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}
This setup does not work as expected:

* Devices connected to wlan0 **can't** reach the internet via eth0
* Devices connected to wlan0 **can't** connect to a server on the router at 10.0.9.1
* Device with IP 10.0.9.100 can be reached on port 8010 and 9001 thru eth0

If I disable all protection in nfconfig it works as expected:
table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}
When I edit the input section, things stop working. I'm completely new to nftables, and I have been spending the whole day trying to figure out how to get it working. Any ideas? Thanks!
Asked by Martin Claesson (111 rep)
Jan 15, 2024, 04:16 PM
Last activity: Jan 16, 2024, 12:01 AM
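The filter table in the question admits nothing that arrives on wlan0 in the input chain: only established/related, loopback, rate-limited ping and two TCP ports on eth0 are accepted before the drop policy. Everything the AP clients send to the router itself, including DHCP renewals and DNS queries to dnsmasq, is therefore dropped, which is why the clients lose the internet as well as the router's own server. The following ruleset is an added example, not the asker's configuration or an answer taken from the page. It keeps the same interfaces (eth0 as WAN, wlan0 as the AP at 10.0.9.1) and the same nat table, adds only the least-privilege rules the wlan0 side needs, and logs what the drop policies discard so a missing rule shows up in the journal instead of as a silent failure. The port for the router's own server is not stated in the question, so `router_service_port` below is a placeholder to replace.

```nft
# Added example, not the asker's config. Assumes eth0 = WAN, wlan0 = AP at
# 10.0.9.1 running dnsmasq for DHCP and DNS, and the nat table from the
# question left unchanged. router_service_port is a placeholder.
define wan = "eth0"
define lan = "wlan0"
define router_service_port = 8000   # placeholder: the router's own server port

table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;

                ct state vmap { established : accept, related : accept, invalid : drop }
                iifname "lo" accept

                # ICMP: rate-limited echo requests, drop the rest (as in the original)
                icmp type echo-request limit rate 5/second accept
                ip protocol icmp drop

                # AP clients must reach dnsmasq on the router: DHCP (67/udp) and
                # DNS (53/udp and 53/tcp). A DHCP discover is a new connection,
                # so the established/related rule above does not cover it.
                iifname $lan udp dport { 67, 53 } accept
                iifname $lan tcp dport 53 accept

                # The router's own server that AP clients should reach; open only
                # that port rather than everything from wlan0.
                iifname $lan tcp dport $router_service_port accept

                # Services exposed on the WAN side (as in the original)
                iifname $wan tcp dport { ssh, 8080 } accept

                # Log what the drop policy is about to discard, rate-limited so the
                # journal is not flooded. Check with: journalctl -k | grep nft-input-drop
                limit rate 10/minute log prefix "nft-input-drop: " counter
        }

        chain forward {
                type filter hook forward priority filter; policy drop;

                # One stateful rule covers replies in both directions, including
                # WAN -> AP replies for connections opened from wlan0.
                ct state vmap { established : accept, related : accept, invalid : drop }
                ct status dnat accept             # port forwards from the nat table
                iifname $lan oifname $lan accept  # client-to-client on the AP
                iifname $lan oifname $wan accept  # AP clients to the internet
                limit rate 10/minute log prefix "nft-forward-drop: " counter
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }
}
```

Load it with `nft -f` (or `nft -c -f` first to check the syntax without applying it), then watch `journalctl -k` while a client renews its lease and resolves a name: with the DHCP and DNS rules in place nothing should be logged for wlan0, and any remaining `nft-input-drop:` line names the exact port still missing. The forward chain relies on the stateful rule for WAN-to-AP replies instead of a per-interface established rule, so no new inbound connection from eth0 can reach the clients except through the explicit DNAT entries.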