
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

1 votes
1 answers
10791 views
ping to IP address works but ping to domain name not working
EDIT: I have a 2 machine setup. Machine A only has the internet connection; Machine B's ens192 interface connects directly with Machine A's interface ens192. So I configured iptables in Machine A to make sure Machine B also has connectivity. Ping to an IP address works but a domain name fails. Below I provide each machine's network config details.

**Machine A:**

Network config:

```
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:11:8a:1a brd ff:ff:ff:ff:ff:ff
    inet 20.1.1.27/24 brd 20.1.1.255 scope global noprefixroute ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::88f2:48b:daef:7b0d/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: ens224: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:0c:29:1a:4b:09 brd ff:ff:ff:ff:ff:ff
    inet 192.168.43.67/24 brd 192.168.43.127 scope global noprefixroute ens224
       valid_lft forever preferred_lft forever
    inet6 fe80::65cb:5a44:210b:1ef3/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```

I have configured iptables NAT to allow packets coming from the private network interface (ens192) to reach the other interface (ens224) for internet connectivity. Below is the config used.

```
iptables --table nat --flush
iptables --table nat --delete-chain
iptables --table nat --append POSTROUTING --out-interface ens224 -j MASQUERADE
iptables --append FORWARD --in-interface ens192 -j ACCEPT
```

**Machine B:**

After configuring the NAT rules in Machine A, I am now able to ping 8.8.8.8 or any IP address from Machine B, but unable to resolve any hostname.

```
[root@localhost ~]# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=56 time=1.78 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=56 time=1.90 ms
[root@localhost ~]# ping google.com
ping: google.com: Name or service not known
```

Network config:

```
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens192: mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:11:23:3a brd ff:ff:ff:ff:ff:ff
    inet 20.1.1.201/24 brd 20.1.1.255 scope global noprefixroute dynamic ens192
       valid_lft 15108sec preferred_lft 15108sec
    inet6 fe80::250:56ff:fe11:233a/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
```

ip route:

```
[root@localhost ~]# ip route
default via 20.1.1.27 dev ens192 proto dhcp metric 100
20.1.1.0/24 dev ens192 proto kernel scope link src 20.1.1.201 metric 100
```

resolv.conf:

```
[root@localhost ~]# more /etc/resolv.conf
# Generated by NetworkManager
nameserver 9.9.9.9
nameserver 20.1.1.27
```

How to resolve this issue?
Mohan (143 rep)
Sep 9, 2019, 12:17 PM • Last activity: Aug 1, 2025, 09:04 AM
0 votes
2 answers
3484 views
How to connect to VM with NAT via SSH protocol? (Qemu/KVM)
I need your advice. Brief to my question: I got two Linux/Ubuntu 18.04 LTS machines. First one is the host (SSHD) and has a VM machine installed on it (virtual machine's ethernet is configured as NAT: Qemu/KVM - virtualization). Simple SSH connection between host and VM on it in NAT regime works perfectly:
```
ssh user@ip.address > pass
```

The first machine is connected to the router via LAN and the second machine is an ssh-client connected to the router via Wifi.

```
machine1 (host machine, LAN) > Router
```

```
mtu 1500
inet 192.168.122.x  netmask 255.255.255.0  broadcast 192.168.122.255
```

P.S. I would prefer not to switch NAT to bridge regime. If you need more data, I will gladly provide you with some more details.
Dominik Dratvinski (1 rep)
Apr 18, 2021, 01:17 PM • Last activity: Jul 10, 2025, 01:03 AM
1 votes
0 answers
37 views
KVM/QEMU libvirt Network "default" NAT Configuration - Guest cannot connect to Internet (no VPN)
KVM/QEMU libvirt Network "default" NAT Configuration - Guest can connect to host and the host to guest but the guest cannot connect to Internet(no VPN).
```
$ sudo virsh net-list --all

  Name      State    Autostart   Persistent
  --------------------------------------------
  default   active   yes         yes
```
```
$ sudo virsh net-dumpxml default
default
    f1eff8aa-73e7-4573-8d36-571a85714777
```
```
$ ip address show dev virbr0

    7: virbr0:  mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:73:62:06 brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever
```
```
$ sudo virsh list

    Id   Name   State
    ----------------------
    3    win7   running
```
```
$ sudo virsh dumpxml win7 --xpath //interface
```
And the guest IP:

```
>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::68b4:6322:b7d9:e1b%13
   IPv4 Address. . . . . . . . . . . : 192.168.122.177
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.122.1

Tunnel adapter isatap.{78EA3F74-7278-48C5-BCA4-1FAC47CD4006}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
```

```
$ sudo iptables-save
# Generated by iptables-save v1.8.11 (nf_tables) on Wed Jul  9 22:26:44 2025
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [131442:47715628]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Wed Jul  9 22:26:44 2025
# Generated by iptables-save v1.8.11 (nf_tables) on Wed Jul  9 22:26:44 2025
*filter
:INPUT ACCEPT [21995:13427635]
:FORWARD ACCEPT [2:120]
:OUTPUT ACCEPT [20003:5430042]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWX - [0:0]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
COMMIT
# Completed on Wed Jul  9 22:26:44 2025
# Generated by iptables-save v1.8.11 (nf_tables) on Wed Jul  9 22:26:44 2025
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [3497:641808]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A POSTROUTING -o enp3s0 -j MASQUERADE
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
COMMIT
# Completed on Wed Jul  9 22:26:44 2025
```

```
$ sudo cat /etc/sysctl.conf
vm.swappiness=10
net.ipv4.ip_forward=1
```

The host routes:

```
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0        0 enp3s0
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp3s0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 enp3s0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp3s0
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 virbr0
```

The guest VM can ping the gateway 192.168.0.1, which is the router's IP and the gateway to the internet, but the VM cannot ping the internet, such as 8.8.8.8, and for every other VM, GNU/Linux or other, there is no internet either.
Pavel Sayekat (621 rep)
Jul 9, 2025, 05:22 PM • Last activity: Jul 9, 2025, 05:33 PM
2 votes
1 answers
60 views
How do I make a virtual "alias" for a remote IP without a proxy process?
I have interfaces enp101s0f0u2u{1..3}, on each of which there is a device responding to 192.168.8.1. I want a local process to be able to reach all of them simultaneously. This is one process, so network namespaces are not an option. I am looking for a solution that doesn't use socat or another proxy that can bind an outgoing interface. I thought of locally making virtual IPs 192.168.8.1{1..3} to point to them.

# What I got so far:

* Interface enp101s0f0u2ux has ipv4 192.168.8.2x/32.
* ip rule 100x: `from all to 192.168.8.1x lookup 20x`
* ip route `default dev enp101s0f0u2ux table 20x scope link src 192.168.8.2x` (this means the interface and src are correct when chosen automatically)
* An output nat chain:

```
chain output {
    type nat hook output priority dstnat; policy accept;
    ip daddr 192.168.8.1x meta mark set 20x counter dnat to 192.168.8.1
}
```

  (this means the destination ip is changed to .1; unfortunately I only found a way to do this before the routing decision is made, so we need the next thing)
* ip rule 110x: `from all fwmark 20x lookup 20x` (this means that despite dst being 192.168.8.1, it goes to the …ux interface)

Now the hard part:

```
chain input {
    type nat hook input priority filter; policy accept;
    ip saddr 192.168.8.1 ip daddr 192.168.8.2x counter snat to 192.168.8.1x
}
```

(this should restore the src of the return packet to .1x, so the socket and application are not astonished)

Unfortunately, at this point if I try to curl, tcpdump sees a `192.168.8.21.11111 > 192.168.8.1.80` (SYN) and multiple `192.168.8.1.80 > 192.168.8.21.11111` (SYN-ACK) attempts, but the input chain counter is not hit. However, if I add the seemingly useless

```
chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    ip daddr 192.168.8.1 counter masquerade
}
```

I get 1 packet hitting the input snat rule, and the application gets some data back! However, all the subsequent packets from 192.168.8.1 in the flow are dropped.

[**Here is a tcpdump and a conntrack**](https://gist.github.com/homeassistant-hacs-m/49216c8f100f75f3701e163954641384)

I'm at the end of my rope, been at it for days. There's no firewall/filter happening (which conntrack would be opening for me); I have empty nftables besides the chains I showed here. I cannot understand why the masquerade makes a difference, and in general what goes on in conntrack. (The entry gets created and destroyed twice, and then an entry starting from outside gets created?) Of note is that the entries are not symmetrical; they mention both 192.168.8.1 and 192.168.8.12 in each entry for opposite directions.

I especially don't understand how or why, in the absence of masquerade, the returning `192.168.8.1.80 > 192.168.8.21.11111` (SYN-ACK) packets get dropped instead of going to the input chain. Would this happen if the application TCP socket did CONNECT and so only wants replies from .11? But shouldn't input be able to intercept before the socket? And I can't snat in prerouting anyway, so where would this have to be done?

## Update:

Adding

```
type filter hook output priority raw; policy accept;
ip daddr 192.168.8.11 counter notrack
```

makes it stop hitting this counter too:

```
type nat hook output priority dstnat; policy accept;
ip daddr 192.168.8.11 meta mark set 201 counter dnat to 192.168.8.1
```

Does notrack prevent entering nat chains, instead of entering them for all packets and not just the first? And so, prevents doing nat actions altogether?
Mihail Malostanidis (121 rep)
Jun 11, 2025, 03:58 PM • Last activity: Jun 13, 2025, 02:06 PM
8 votes
1 answers
2657 views
OpenVPN and routing problem on OpenWRT
My home topology:

* router1 (192.168.1.1) - D-Link dsl2540u server with static IP available from the Internet (ADSL via PPPoE). 4 LAN ports.
* router2 (192.168.1.2) - D-Link DIR-300 with OpenWRT. Plays the role of WiFi access point. 4 LAN ports + WAN port.

```
                             Home PC (connects to router1 via DHCP)
                            |
internet ------ router1-----
                            |
                             router2 (OpenVPN server on OpenWRT)
```
On router1 I set up NAT Virtual Servers and can connect to my router via SSH or OpenVPN (tcp on port 443). [Image: DSL-2540u NAT Virtual Servers] The OpenVPN server works fine and all traffic goes via the tun interface after connection. OpenVPN server config (if it matters):

```
--script-security 2
mode		server
dev               tun
port              443
proto             tcp

server            10.0.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1" # Change this to your router's LAN IP Address
push "route 192.168.1.0 255.255.255.0" # Change this to your network

client-config-dir ccd
client-to-client
tls-server
dh                /etc/openvpn/dh2048.pem
ca                /etc/openvpn/CA_cert.pem
cert              /etc/openvpn/certs/server.pem
key               /etc/openvpn/keys/server.pem
crl-verify        /etc/openvpn/crl/crl.pem
tls-auth          /etc/openvpn/ta.key 0
#comp-lzo
keepalive         10 120
tun-mtu           1500
mssfix            1450
persist-key
persist-tun
verb              3
log /var/log/openvpn.log
```
My goal is an OpenVPN tunnel with Internet from my home router1. At the moment I can connect to the OpenVPN server, but all traffic that goes via the tunnel does not reach the Internet. Firewall rules on router2 (OpenWRT):

```
iptables -t nat -A prerouting_wan -p tcp --dport 443 -j ACCEPT
iptables -A input_wan -p tcp --dport 443 -j ACCEPT

iptables -t nat -A prerouting_lan -p tcp --dport 443 -j ACCEPT
iptables -A input_lan -p tcp --dport 443 -j ACCEPT


iptables -I INPUT -i tun+ -j ACCEPT
iptables -I FORWARD -i tun+ -j ACCEPT
iptables -I OUTPUT -o tun+ -j ACCEPT
iptables -I FORWARD -o tun+ -j ACCEPT
```

It's definitely a problem with routing, but I don't have enough knowledge to solve it.
Alex (81 rep)
Oct 28, 2014, 01:57 PM • Last activity: Jun 7, 2025, 09:02 AM
1 votes
1 answers
2200 views
nftables rules not blocking traffic
I am testing nftables and am attempting to set up a basic routing firewall on a Linux machine with 2 interfaces, ens37 and ens38. Here is the ifconfig output for these 2 interfaces.

```
ens37: flags=4163 mtu 1500
        inet 192.168.0.3  netmask 255.255.255.0  broadcast 192.168.0.255
        ether 00:0c:29:74:33:e7  txqueuelen 1000  (Ethernet)
        RX packets 20  bytes 2524 (2.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 156  bytes 9952 (9.7 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens38: flags=4163 mtu 1500
        inet 192.168.0.4  netmask 255.255.255.0  broadcast 192.168.0.255
        ether 00:0c:29:74:33:f1  txqueuelen 1000  (Ethernet)
        RX packets 147  bytes 9340 (9.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18  bytes 1672 (1.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

I want to emulate ens38 being a WAN port, and block all non-LAN-initiated traffic that is inbound, but allow LAN traffic outbound. I have these rules set up in /etc/nftables.conf:

```
#!/usr/sbin/nft -f

flush ruleset

table ip filter {
    # allow all packets sent by the firewall machine itself
    chain output {
        type filter hook output priority 100; policy accept;
    }

    # allow LAN to firewall, disallow WAN to firewall
    chain input {
        type filter hook input priority 0; policy accept;
        iifname "ens37" accept
        iifname "ens38" drop
    }

    # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "ens37" oifname "ens38" accept
        iifname "ens38" oifname "ens37" ct state related,established accept
    }
}
```

To test if the rules are successful, I am setting up a listener with netcat:

```
nc -lp 80 -s 192.168.0.3
```

Then I connect from the other interface using netcat:

```
nc 192.168.0.3 80 -s 192.168.0.4
```

My issue is that these nftables rules are not blocking traffic from the emulated WAN port. The netcat connections work perfectly fine bidirectionally, which is not what I am looking for.

If I run `nft list table filter`, I get the rules I am expecting to see as output. I am new to nftables; how can I get these rules to run against these two interfaces correctly? What is wrong with my current approach?
another_stack_user999 (43 rep)
Oct 30, 2019, 03:24 PM • Last activity: May 17, 2025, 04:04 PM
2 votes
1 answers
3165 views
How check a port forwarded from localhost to localhost on.. localhost?
I'm learning about iptables, firewalling, routing and so on. I'm on Linux, CentOS 7, and I've set up a local port forwarding to localhost with:

```
firewall-cmd --add-forward-port=port=2023:proto=tcp:toport=22
```

It is working as expected when trying from another machine. Locally, it is not visible. I've tried with netstat and ss, nmap, lsof and nc. Nothing; all of them "see" everything except port 2023, even if it is currently forwarding an ssh session.

After much reading, here on stackexchange I found a way to make it visible locally (from https://unix.stackexchange.com/questions/113521/iptables-redirect-local-request-with-nat), but actually that is not a solution; it just made me understand why it is not visible from local. But I really would like to know if there exists a way to check it locally, or is the only option the remote connection? Thank you :)

Edit: The setup of the test machine is easy, just execute the firewall-cmd line I wrote in this question. No other rules added. Then test it with ssh (or nmap) from outside: works. Check it from localhost itself: both ssh and nmap give connection refused.

Edit2: *Sorry, I wrote the firewall-cmd line incorrectly with a :toaddr=127.0.0.1 at the end, fixed.*
nnsense (389 rep)
Jun 22, 2015, 09:26 PM • Last activity: May 12, 2025, 08:02 PM
0 votes
1 answers
148 views
Zyxel EX3301-T0 router not accessible remotely with static IP
I am attempting to communicate with devices on my LAN via the internet. I have purchased a static IP for my router. When I log in to my router, the IP address displayed on the router GUI matches the IP address displayed if I search for my IP on the Internet, for example, by going to a "what is my IP" website.

My problem is that the connection times out when I attempt to access my router over the Internet. I have tried:

1. When I enter my router's IP, as described above, into my browser, the connection hangs. Note: My browser was not on the same network as my router when I tried this.
2. When I ping my router's IP address using `ping my.ip.address.here`. This also hangs, reporting 100% packet failure.

The result of (2) above inclines me to think something is going awry. Initially, I believed I was behind a CGNAT, such that any incoming request to my IP wouldn't know which of the many routers was mine. After purchasing a static IP, I believed the mapping should be 1-1, and any incoming request should know how to access my router. Can anyone advise what could be preventing connection to my router?

### Additional Info

On my router's GUI, under the heading "Traffic Status", there is a subheading "Disabled Interface: WWAN". I cannot seem to find any option on the GUI to alter this, if this is indeed the cause. Following the "help" link to Zyxel's webpage, there are a number of differences between my GUI and what is implied in the instructions. Under "Web Interface Tutorials" is a section "Remote Access from WAN". This section advises navigating to "Maintenance > Remote Management > MGMT Services" within the GUI. However, the "Maintenance" section in my GUI does not contain a "Remote Management" subheading. Is there a means to disable this option and re-enable it? Is it possible for my make and model not to contain this feature, full stop? Any guidance is greatly appreciated.

### Attempt to enable PING

Under the "Firewall" section of my router GUI, I have found a "Protocol" and "Access Control" menu. Within the "Protocol" section, I have added a "Protocol Entry":

```
Service name: Ping
Protocol: ICMP
ICMPtype: 0 /Echo-reply
```

Then, within the "Access Control" menu, I add a "New Access Control List Rule":

```
Source IP Address: Any/32
Destination IP Address: Any/32
Service: Ping
Action: ACCEPT
```

Unfortunately, when I PING my router's IP address, the connection hangs.

### LAN Setup

In case it is relevant, my LAN information is listed as:

```
IP Address: 192.168.1.1
Subnet Mask: 255.255.255.0
```

Also, I note that my WAN IP is quoted as having a subnet mask of:

```
255.255.255.248
```

### Issue setting subnet mask to 0

Within the ACL Rule section of the router GUI, when attempting to allow ping access from the internet to my LAN device, I assume:

1. "Source IP Address" will be the IP address of the device on the internet initiating the ping request.
2. "Destination IP Address" will be the IP address of the device on my LAN I wish to allow the ping request to be received by.

If I try to input a "Destination IP" of [LAN.Device.IP.Address]/0, the GUI displays the error message `The maximum of prefix length is 32.`

### Device details

Router model: Zyxel EX3301-T0
BrownianBridge (1 rep)
Apr 23, 2025, 07:18 PM • Last activity: Apr 27, 2025, 06:07 AM
4 votes
1 answers
1986 views
Differences in networking between QEMU/KVM and VirtualBox
I noticed the following differences in the networking experience between QEMU/KVM (used through libvirt) and VirtualBox:

- For anything other than usermode or manual networking, QEMU/KVM needs a virbr0 network interface to be created and it adds a bunch of rules to iptables. VirtualBox, on the other hand, can operate both in NAT and bridged modes without touching iptables or creating any network interfaces.
- Probably related to the above, in non-root user sessions, QEMU/KVM only allows usermode (or manual) networking, while VirtualBox supports most/all of the various networking modes even without root privileges.

I would like to understand the underlying reasons behind these differences and their implications. A few specific questions that come to my mind:

- VirtualBox's networking solution seemingly requires fewer privileges. Is this the result of a user-space implementation of various networking protocols similar to QEMU/KVM's usermode networking (just with more options), or are there privileged operations executed behind the scenes, allowed by the user's membership in the vboxusers group?
- Is QEMU/KVM's usermode networking inferior in any way to VirtualBox's NAT mode networking? According to the libvirt FAQ, usermode networking "has nonobvious limitations, so its usage is discouraged", but I could not find what those limitations are (other than being restricted to NAT). It seems perfectly fine to me for doing just a simple NAT (and in fact it seems to be the trivial, if not the only, way that avoids the iptables modifications).
- How do the security and performance of the three NAT alternatives (VirtualBox NAT, QEMU/KVM "proper" NAT, QEMU/KVM usermode networking) compare to each other?
Zoltan (476 rep)
Feb 6, 2021, 09:57 AM • Last activity: Apr 25, 2025, 03:01 AM
2 votes
1 answers
337 views
What process can remove an entry from a router NAT table?
I have just been watching a video which explains UDP holepunching:

- https://www.youtube.com/watch?v=GfRLNg6DOnI

In this video, some processes which create entries in a router NAT table are explained. This got me thinking. What process or event may cause an entry in a router's NAT table to be removed?

- Do these entries expire after a certain period of time? (TTL)
- Does a "connection closed" type packet typically cause the removal of a NAT table entry? (I don't recall if UDP has this kind of message. TCP does.)
- Some other cause?

It's easy to see what would create a NAT table entry: a connection from a source IP and port starting to transmit to a remote server via a NAT'ed router. What isn't so obvious is what would remove these entries from a NAT table. Presumably they do not exist forever.
user3728501 (977 rep)
Mar 17, 2025, 09:46 PM • Last activity: Mar 18, 2025, 07:26 AM
0 votes
2 answers
2631 views
nftables dnat in input chain
I'm trying to redirect all traffic arriving on the firewall on ports 80 and 443 to 10.133.8.11. I gather from [this](https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks) that NATting in an input chain should be possible. But it seems that dnat is not. What kind of NATting is possible?

The reason I am trying to do this using the input chain is because, if I put it in the prerouting chain, all traffic is dnatted, not only traffic destined for the firewall.

This is my attempt so far: table inet nat already exists.

```
# nft 'add chain inet nat input { type nat hook input priority -100; }'
# nft 'add rule inet nat input tcp dport { 80, 443 } dnat ip to 10.133.8.11'
Error: Could not process rule: Operation not supported
add rule inet nat input tcp dport { 80, 443 } dnat ip to 10.133.8.11
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
#
```
Philippe (569 rep)
Jan 9, 2023, 05:16 PM • Last activity: Mar 13, 2025, 09:33 AM
1 votes
2 answers
495 views
Connecting to an SSH server behind NAT
I have a situation where I've got a target machine behind a standard home router/firewall/NAT configuration (we'll call it target), and a machine with a known public IP address (we'll call it server). From server, I want to SSH into target, for which I **_do_** have credentials. However, the user on target **_does not_** have credentials for server. So, there is no way for a user on target to configure SSH port forwarding on server. If that were the case, they could do a standard remote-port-forward maneuver with `ssh -R`.

While **_I do_** have credentials for target, I **_do not_** have control over its router/firewall/NAT, and I have to operate under the assumption that port 22 is not forwarded to target's NAT IP address.

For context, this is a remote-support situation. I am the administrator of all target machines, as well as server. The user of any given target does not have credentials; they are logged in automatically on boot. They have no control over their network. The only thing they can do, if support is needed, is run a shortcut that executes a script that I write. I'd like that script to do something to allow me to log in via ssh. It is totally fine for me to do whatever is needed on server to make that happen. Given the number of targets already in the field, collecting/maintaining a public ssh key from all of them on server is not feasible, and would still require an associated user account on server.

I've come up with three ideas:

### Idea 1: Temporary users (I hate it)

One thing I could do is create a new user on server, give the credentials to someone at target, who can then set up an SSH remote port on server, which I can then use to log in on target. Once I've done what I need to do, I can delete that user entirely from server.

### Idea 2: Some kind of proxy (I have no idea how to do it)

I haven't been able to wrap my brain around it yet, but using all of the SSH tricks like port forwarding, proxies, nc, etc., it seems like I should be able to do something where I tell target to connect to a port on server, and somehow turn that into a tunnel through which I can log into target. This idea is half-baked at best. The only way I can imagine without someone at target having credentials for server is to do something like open a port on server, have target connect to that port with nc, and somehow use that to go the other direction and connect to target from server via SSH.

### Idea 3: Wireguard (Need to communicate target's public key to server)

Just putting the two on a VPN would get the job done here. Wireguard would be easy, as long as I have a reasonable way of sharing the public keys between target and server. It's easy in one direction (deploying server's public key to target), but due to the nature of the target device and its users, getting the key from them is possible but not terribly user-friendly.

So, specifically, I'm interested in thoughts on idea 2. I can make 1 or 3 work, but it seems like I'm missing something that would make it feasible to just ssh into target from server. Thoughts? Thanks!
maldata (165 rep)
Feb 20, 2025, 08:55 PM • Last activity: Feb 21, 2025, 02:02 PM
0 votes
0 answers
22 views
odd need to change packet addresses
I have a very poorly designed appliance which advertises wifi. But what it actually delivers is a device that can only create a hotspot, and the hotspot name is fixed. The address is also fixed. The whole thing was so ill thought out that the manual does not even bother to tell you how to reset the wifi password and it is easy to google up the default password. I don't think that the device has a default route. You are expected to drop your normal IP connection, and connect to their hotspot while you use the appliance. Technically, yes, wifi, but not so useful.

This device is a laser engraver (yes, take control of it, blind my cat and set my house on fire). It sits next to my 3d printer. I did change the password. I had planned on deploying a raspberry pi to manage the 3d printer, so, why not use the raspberry pi to connect my two wifi nets? I don't need to access the device from the outside internet, but it would be nice to access it transparently from my home net.

My private addresses are configured as 10.0/16 with DHCP handling 10.0.0/24. So I added a second wifi adapter to the pi (wlan1). wlan0 is 10.0.0.119 and also 10.0.100.100. My goal would be to accept incoming traffic to 10.0.0.119 and just handle it normally, as local traffic. Any traffic arriving at wlan0/10.0.100.100 should be translated such that it is destined to 192.168.4.1 and appears to come from 192.168.4.4. (No default route on the appliance means it can only talk to a local address.) Response traffic will all come from 192.168.4.1 (the appliance), and should be responding to 192.168.4.4. I believe that all connections will be inbound, but if traffic originates on the 192.168.4/24 net and arrives at the wlan1 interface I feel like I should just go ahead and route it and track it. Or not, this is a nice-to-have, not essential.

At this point I feel that this is an application for iptables, I'm just unsure how to do it. I need to track inbound translation to get the packets back to the right place, and outbound NAT normally. I want to have two private network addresses on wlan0 of the pi so that I can differentiate between local and not local traffic. I am not sure a DMZ setup will work because the appliance can only respond to the local net, and no default route. I think that the same is true for router translation. I have not messed with this stuff for 20+ years, used to know it. This is my second night researching it and I can't find a clear answer; writeups that I do find seem to be off point, obsolete, or a combination thereof. I can't figure out where to bite the elephant. I would appreciate a pointer to a clear current writeup. Thanks in advance!
Nick (1 rep)
Feb 4, 2025, 09:48 AM
0 votes
2 answers
40 views
Faking traceroute hops but only for the VM, not for the VM host
I'm trying to modify ICMP time-exceeded responses (type 11) for traceroute packets, but only when they're responses to traceroute probes from a specific VM. My setup is:

- Host OS running Ubuntu with nftables
- Guest VM running Ubuntu, connected via bridge interface "spod"
- Bridge interface IPs: Host 137.205.192.1, VM 137.205.192.5
- Host's internet interface: wlo1 (192.168.110.187), gateway 192.168.110.1
- VM traffic is masqueraded via the host

Current working rules (but these modify ALL type 11 packets, not just those for VM):
nft add table ip icmp_mod
nft add chain ip icmp_mod prerouting { type filter hook prerouting priority -300; }
nft add rule ip icmp_mod prerouting ip protocol icmp icmp type time-exceeded ip saddr $HOP1 counter snat ip to 146.97.180.159
nft add rule ip icmp_mod prerouting ip protocol icmp icmp type time-exceeded ip saddr $HOP2 counter snat ip to 146.97.35.246
nft add rule ip icmp_mod prerouting ip protocol icmp icmp type time-exceeded ip saddr $HOP3 counter snat ip to 146.97.35.18
nft add rule ip icmp_mod prerouting ip protocol icmp icmp type time-exceeded ip saddr $HOP4 counter snat ip to 146.97.35.197
When running traceroute from both host and VM to 1.1.1.1, the ICMP type 11 responses look identical in the prerouting chain. I need to modify these rules to only match and modify ICMP type 11 packets that are responses to the VM's traceroute probes, not the host's probes. What's the correct nftables syntax to examine and match based on the final destination of the packets?
Rebroad (175 rep)
Jan 22, 2025, 04:44 PM • Last activity: Jan 23, 2025, 05:06 PM
1 votes
1 answers
34 views
nft ignores packets on lo?
I have a fairly standard debian 10 system set up as a router (echo 1 > /proc/sys/net/ipv4/ip_forward) with one WAN (=enp11s0) interface and one DMZ (=enp10s0) interface. The WAN interface has a couple of public ip addresses tied to it, added with e.g.

ip addr add 81.2.3.4/25 brd + dev enp11s0
ip addr add 81.2.3.5/25 brd + dev enp11s0
ip addr add 81.2.3.6/25 brd + dev enp11s0
ip addr add 81.2.3.7/25 brd + dev enp11s0

The DMZ interface has one local ip assigned, 10.2.10.10. The server names, zz, zz-dmz etc. below are all declared in /etc/hosts. I have set up NFT to do DNAT in the prerouting hook:

flush ruleset
define DMZ = enp10s0
define WAN = enp11s0
define WAN_NET = 81.2.3.0/25
define wan2dmz_map = { www : www-dmz, zz : zz-dmz, dns0 : dns0-dmz, dns1 : dns1-dmz, drift78 : drift78-dmz }
define dmz2wan_map = { www-dmz : www, zz-dmz : zz, dns0-dmz : dns0, dns1-dmz : dns1, drift78-dmz : drift78 }

table ip fail2ban {
        chain input {
                type filter hook forward priority 0;
        }
}

table ip global {
        map ip_mapWD {
                type ipv4_addr : ipv4_addr
                elements = $wan2dmz_map
        }
        map ip_mapDW {
                type ipv4_addr : ipv4_addr
                elements = $dmz2wan_map
        }

        # Accepted WAN ports
        chain SRV_ACCEPT {
                ip daddr www-dmz tcp dport {http,https} counter accept
                ip daddr zz-dmz tcp dport {http,https,smtp,pop3,imap2,submission,imaps,465} accept
                ip daddr drift78-dmz accept
                ip daddr dns0-dmz tcp dport 53 accept
                ip daddr dns1-dmz tcp dport 53 accept
        }

        chain input {
                type filter hook input priority 0; policy drop;
                iif {lo,$DMZ} accept
                ct state established,related accept
                ct state invalid drop
                ct status dnat accept
                ip saddr 127.0.0.0/8 drop
                ip protocol icmp icmp type echo-request limit rate over 1/second burst 5 packets drop
                ip frag-off & 0x1fff != 0 counter drop
                tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
                tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
                tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
                ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, router-solicitation, router-advertisement, tr-problem } accept
        }

        chain output {
                type filter hook output priority 0;
        }

        chain forward {
                type filter hook forward priority 0; policy drop;
                iif {lo, $DMZ} accept
                ct state established,related accept
                ct state invalid drop
                ct status dnat accept
                ip protocol icmp icmp type echo-request limit rate over 1/second burst 5 packets drop
                ip frag-off & 0x1fff != 0 counter drop
                tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
                tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
                tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
                ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, router-solicitation, router-advertisement, tr-problem } accept
                # Accept selected dest. ip/ports from WAN
                iif $WAN jump SRV_ACCEPT
                # VPN
                ip saddr 10.8.0.0/8 iifname tun0 accept
                # Log denied on WAN
                iif $WAN log prefix "[NFT] WAN: "
        }

        chain prerouting {
                type nat hook prerouting priority -100; policy accept;
                # Hairpin
                iif {lo,$DMZ} fib daddr type local dnat to ip daddr map @ip_mapWD
                # From WAN, change dest. to DMZ
                iif $WAN ip daddr $WAN_NET counter dnat to ip daddr map @ip_mapWD
        }

        chain postrouting {
                type nat hook postrouting priority 100;
                oif {tun0,$DMZ} counter masquerade;
        }
}

(zz is a public ip for the server zz, and zz-dmz is a private ip on the 10.2.10.x net). This works: I can reach zz-dmz from the WAN side by probing zz. I haven't actually tried the hairpin yet.

Now the problem: Local services on the debian 10 machine (e.g. exim4) look up the public ip ("zz") as MX for its domain and try to connect to its public ip, but the packets do not get re-routed to zz-dmz. Instead they get stuck on the lo interface, bouncing off from the primary ip address on the WAN interface to the public ip "zz" which (obviously) has no service responding locally. This can be seen by logging in to the debian router and typing

root@opax:~/firewall# telnet zz 25
Trying 81.2.3.4...
telnet: Unable to connect to remote host: Connection refused

Tcpdump shows the packets on lo. I thought the rule

iif {lo,$DMZ} fib daddr type local dnat to ip daddr map @ip_mapWD

would replace the destination ip on lo as well and reroute them to $DMZ? What am I missing?
Patrik Arven (13 rep)
Jan 10, 2025, 04:41 PM • Last activity: Jan 13, 2025, 11:25 AM
0 votes
2 answers
145 views
New iptables NAT produces Error 400 Bad Request for Other HTTP Requests
Recently, I added several new iptables (RE: code snippet below) rules to route traffic through my VPN (0x1000/0x1000) for a specific destination (172.67.168.48) over port 443. The new rules NAT over the VPN as desired, but they've created an undesired effect causing other HTTP requests, unrelated to the aforementioned destination, to produce an error response 400 Bad Request.
#!/bin/sh

# Create the RPDB rules
ip rule add from 0/0 fwmark "0x1000/0x1000" table ovpnc1 prio 9993        # VPN 1 fwmark

iptables -t mangle -A PREROUTING -i br0 -p tcp -d 172.67.168.48 --dport 443 -j MARK --set-mark 0x1000/0x1000
iptables -t nat -A PREROUTING -i br0 -p tcp -m mark --mark 0x1000/0x1000 -j DNAT --to-destination 172.67.168.48:443
Any idea why other HTTP requests would be affected (400 Bad Request) by the new NAT rules when the destination address and port are clearly specified?
Gary C. New (25 rep)
Oct 12, 2020, 08:19 AM • Last activity: Dec 30, 2024, 02:29 PM
2 votes
2 answers
2548 views
nftables table and chain priority
I have a problem with my nftables setup. I have two tables, each one has a chain with the same hook but a different name and priority. The tables are in different files which are loaded by an include argument. Because of the priority, I would think that the VPN-POSTROUTING chain will be executed before the INTERNET chain. But in my setup, the INTERNET chain is executed first.
table ip nat {
        chain INTERNET {
                type nat hook postrouting priority srcnat + 1; policy accept;
                oifname br2 masquerade
        }
}
table ip vpn {
        chain VPN-POSTROUTING {
                type nat hook postrouting priority srcnat - 1; policy accept;
                oifname br2 ip saddr 10.0.0.0/24 ip daddr 192.168.0.0/24 accept
        }
}
Where is my mistake?

Edit: I changed the rules and added all chains to the same table, with the same result. In the next step, I followed A.B.'s advice and added counters and logs to the rules. The order of the chains corresponds to the priority, but the accept rule for the VPN is not triggered. When I add the VPN accept rule to the INTERNET chain, right before the masquerade rule, it works as expected.
smhrambo (23 rep)
Sep 27, 2021, 06:21 PM • Last activity: Dec 26, 2024, 09:39 AM
1 votes
0 answers
178 views
Fedora Linux VM on Windows 10 HyperV host behind a network proxy cannot access internet
I posted this question over in the Server Fault boards but haven't had any response on it, hoping to get some information by posting it over here. I'm setting up a Fedora VM using HyperV on a Windows 10 machine. I've got it installed, the VM boots up just fine but I am not able to connect to the internet from the VM via the host computer. Here's the setup:

Host Machine:
- Windows 10 enterprise 22H2
- OS Build: 19045.5011
- Windows Feature Experience Pack 1000.19060.1000.0
- HyperV Manager: v10.0.19041.1
- The host is on a company network behind a proxy.

VM Details:
- Fedora Workstation version 40 (workstation edition)
- platform_id: platform:f40

When configuring the network adapter for the VM I followed this set of instructions (I know this is meant for using Hyper-V to set up a virtual Windows machine and not a Linux one but I figured if I followed the same principles it would work. Plus, it's the only thing I could really find that is close to my situation). After following these instructions I have the Internal Virtual Switch created, the Fedora VM running in Hyper-V is set up with that switch, the host machine has a NetIPAddress on the new NAT network and I can ping the host from the VM and vice versa. However, I am not able to access the internet from the Fedora VM. Opening a browser (Firefox) in Fedora and trying to browse to the internet produces an error in the browser saying "We're having trouble finding that site".

In troubleshooting the connectivity of both the Fedora HyperV VM and the host windows computer, here's a summation of what I've found:

1. From inside the Fedora VM I can ping the host IP Address I set up for the new NAT network using the IP Address
2. From inside the Fedora VM, using the respective IP Addresses I can ping the DNS Server, the proxy server and the default gateway that the host computer is pointing to. I can also ping another computer on the network the host computer is on. But I can't ping any of these using the URLs for these devices.
3. From inside the Fedora VM I cannot ping 8.8.8.8 or https://www.google.com/
4. From inside the Fedora VM I cannot browse to the internet using a web browser.
5. From the host Windows machine I can ping the Fedora VM IP Address on the NAT network I created to connect the VM and the host.
6. From the host Windows machine I can ping the DNS Server, the proxy server, the default gateway and another computer on the network using both their IP Addresses/URLs.
7. From the host Windows machine I cannot ping 8.8.8.8 or https://www.google.com/
8. From the host Windows machine I can browse to the internet using a web browser

I know that it is possible for me to have a Linux VM set up on the host computer on this specific network and have it be able to browse to the internet because I've been able to get one set up using Oracle Virtual Box, but I can't browse to the internet using a Linux VM set up using HyperV (which in my case I need to use HyperV instead of Oracle Virtual Box). I don't think there's something different between HyperV and Oracle VB that would prevent being able to browse to the internet from the VM in HyperV but allow internet access from Oracle VB, but I guess it could be possible. I don't know if it's having trouble because the host computer is on a work network and as such is behind a proxy or if there's something I don't have correctly configured in the Fedora VM. From everything I've read about NAT networks with VMs like this, packets should be routed from the VM to the default gateway (in this case the IP Address I set up for my host machine on the NAT Network) and then the packets should go out from the host machine.

Here's the output of ipconfig /all on my host machine, the details of the new virtual switch in the red box.

[image: Output of ipconfig on host machine]

And here's the output of ifconfig on the Fedora VM:

[image: output of ifconfig on Fedora VM]

Here's the output of pinging public servers by name and IP address from the host Windows machine:

[image: output of pinging public servers by name and IP address]

Here's the output of the Profile 1.nmconnection file on the Fedora HyperV VM:

[image: contents of Profile 1.nmconnection]

I'm new to Linux configuration and have exhausted all of my knowledge I can bring to the table in trying to troubleshoot this issue. It seems to me that the issue is that the Linux VM inside HyperV isn't able to resolve URLs, and I've tried to research routing for Linux machines as well as VMs but haven't come across anything that I can understand that would apply to this situation, but that doesn't mean there isn't something out there. There probably is, either I didn't find it or I did find it but didn't understand it. If anyone would help me figure out what I need to do to be able to access the internet from this Fedora VM running in Hyper-V on my Windows 10 host machine I will greatly appreciate it.
Gharbad The Weak (193 rep)
Nov 4, 2024, 08:34 PM • Last activity: Nov 14, 2024, 04:16 PM
10 votes
1 answers
9717 views
What is the difference between iptables and ip route table?
Recently I am learning `iptables`, I know there are 5 independent tables, two of them are the filter and nat tables. And I sometimes will look at the `netstat -r` or `route` table, I know the `ip` command can modify this routing table. I am a bit confused about these 2 kinds of tables:

1. routing table
2. nat and filter tables

They all can do something on packet traffic and it looks like they can do similar things. Can someone tell me what the differences are? Thanks in advance.
chengdol (303 rep)
Sep 9, 2020, 07:04 AM • Last activity: Nov 9, 2024, 05:00 AM
0 votes
0 answers
43 views
Freebsd PF firewall problems
So I have an OVH dedicated server, I installed Proxmox on it. I created 2 VMs, one FreeBSD VM as a firewall / NAT gateway and one Debian server in the same LAN as the firewall with the FreeBSD as gateway. On the FreeBSD VM there are 2 net cards, one for the WAN, one for the LAN. From the FreeBSD I have internet access, I can ping, telnet etc ... all is working from the firewall / gateway. From the Debian server I can ping the internet, I can ping 8.8.8.8. I have multiple problems:

- From the Debian server, the command telnet 1.1.1.1 53 works but telnet 8.8.8.8 53 doesn't work (so I configured /etc/resolv.conf with 1.1.1.1 to be able to use domains, but this problem is pretty weird)
- From the Debian server, the command telnet google.com 80 doesn't work (it works from the FreeBSD firewall)
- When I try to connect from my PC with SSH or telnet ip 2223 on the Debian server, I see the packets with tcpdump (on the Debian server) but I have a timeout on the command

Here is what I see in my logs when I run the command doas tcpdump -n -e -ttt -i pflog0 :
(telnet 8.8.8.8 53)  00:00:00.000010 rule 19/0(match): pass out on vtnet1: 91.121.40.45.52818 > 8.8.8.8.53: Flags [S], seq 688104303, win 64240, options [mss 1460,sackOK,TS val 3854927016 ecr 0,nop,wscale 7], length 0
(telnet 1.1.1.1 53)  00:00:00.000010 rule 19/0(match): pass out on vtnet1: 91.121.40.45.53578 > 1.1.1.1.53: Flags [S], seq 537632035, win 64240, options [mss 1460,sackOK,TS val 3337238453 ecr 0,nop,wscale 7], length 0
(telnet google.com 80)  00:00:00.000004 rule 19/0(match): pass out on vtnet1: 91.121.40.45.60204 > 142.250.178.14.80: Flags [S], seq 556080316, win 64240, options [mss 1460,sackOK,TS val 2506116294 ecr 0,nop,wscale 7], length 0
(when I connect from the client to the Debian server on SSH)

00:00:01.249859 rule 18/0(match): pass in on vtnet1: my ip.63990 > 192.168.10.10.2223: Flags [S], seq 2851206258, win 64240, options [mss 1460,sackOK,TS val 3746771 ecr 0,nop,wscale 7], length 0
 00:00:00.000005 rule 17/0(match): pass out on vtnet0: my ip.63990 > 192.168.10.10.2223: Flags [S], seq 2851206258, win 64240, options [mss 1460,sackOK,TS val 3746771 ecr 0,nop,wscale 7], length 0
Here are my rules :
## Macros
ext_if = "vtnet1"     # External interface (WAN)
int_if = "vtnet0"     # Internal interface (LAN)

ext_ip = "91.121.40.45"
int_ip = "192.168.10.1"

# Define the internal server IP
internal_server = "192.168.10.10"
int_network = "192.168.10.0/24"

# Services allowed for outgoing traffic
tcp_pass_out = "{ bootpc, bootps, dhcpv6-client, dhcpv6-server, domain, https, ipp, nicname, ntp, ssh, www, 6667, 6697 }"
udp_pass_out = "{ bootpc, bootps, dhcpv6-client, dhcpv6-server, domain, nicname, ntp }"
icmp_ok_types = "{ echoreq, unreach }"

# Tables for allowed IPs for SSH and FTP access
table  persist file "/etc/hh.d/acls/hh_home.txt"
table  persist file "/etc/hh.d/acls/hh_home.txt"

table  const { 10/8, 172.16/12, 192.168/16 }

## Let free traffic on the loopback interface lo0
set skip on lo0

## Normalization and reassembly of packets
scrub in all

## Translation (NAT for internal network)
nat on $ext_if from $int_network to any -> ($ext_if)
## Port Redirection (for SSH and FTP access)
rdr on $ext_if proto tcp from  to $ext_if port 2223 -> $internal_server
rdr on $ext_if proto tcp from  to $ext_if port {20, 21, 10000:19999} -> $internal_server

## Filtering

# Default policy: block everything
#block all

### Filters ###
# Permit any packets from internal network to any
pass in on $int_if inet from $int_network to any keep state

## Allow inbound SSH connections from allowed IPs
##Port 2222 firewall freebsd
pass in on $ext_if proto tcp from  to $ext_if port 2222 keep state
##Port 2223 web server
pass in on $ext_if proto tcp from  to $ext_if port 2223 keep state

## Allow inbound FTP connections (ports 20, 21, passive range 10000-19999) from allowed IPs
pass in on $ext_if proto tcp from  to $ext_if port {20, 21, 10000:19999} keep state

## Allow HTTP (80) and HTTPS (443) traffic for everyone
pass in on $ext_if proto tcp from any to $ext_if port { 80 443 } flags S/SA keep state

## Allow DNS and NTP traffic
pass in on $ext_if proto { tcp udp } from any to $ext_if port { domain ntp } keep state

pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

# Permit and log all packets from clients in private network through NAT
pass in log on $int_if all
pass out log on $int_if all
pass in log on $ext_if all
pass out log on $ext_if all
Thank you in advance for your advice / help! Regards, Maxime
maxchv030796 (1 rep)
Oct 1, 2024, 08:36 AM