add draft of nftables article
This commit is contained in:
parent
3bfda08a92
commit
65259f4c76
1 changed files with 86 additions and 0 deletions
@ -0,0 +1,86 @@
title: Firewall magic with nftables: how to redirect all ports to one port
---
pub_date: 2019-11-07
---
author: ungleich
---
twitter_handle: ungleich
---
_hidden: yes
---
_discoverable: no
---
abstract:
How to redirect traffic from all (tcp/udp) ports to another port.
And why one would want to do that...
---
body:

## The problem

Let's say you have a service running on a specific port, for instance
[wireguard](https://www.wireguard.com/) on **port 51820**, but you
would like to accept packets on **any** port and have it received by
your application.

As you might know we are [big fans of
nftables](https://ungleich.ch/de/cms/ungleich-blog/2018/08/19/iptables-vs-nftables/),
so we will use nftables to achieve this goal.

## Why would one want this?

There are a variety of reasons for doing this, including the
"because we can" case. However at
[ungleich](https://ungleich.ch) we have a real world use case: We
provide an [IPv6 VPN](https://ipv6vpn.ch) as a service to our
customers. This service is based on wireguard and is configured to
listen on port 51820.

Sometimes networks (like hotels or airports) block or filter
outgoing traffic and thus prevent our customers to be connected by
IPv6. Obviously this is not what we or our customers want.

Typically these networks will still allow outgoing traffic on
*some ports*, but we don't know *which ports*.
Thus we will enable wireguard on *all ports*. Simple idea, isn't it?

## How it works

To achieve our goal we need to tell nftables to take the traffic that
goes to any port that is not our target port, to be redirected to our
target part. If you have other services running on the host, you might
want to adjust this logic.

In nftables we have a lot of freedom naming and creating our own
chains

TO FIX HERE

ALSO maybe include only incoming packets modification or is it part of prerouting?!

```
table ip nat {
chain prerouting {
type nat hook prerouting priority filter; policy accept;
udp dport != 51820 jump vpnredirect
}

chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
}

chain vpnredirect {
udp dport != 51820 redirect to :51820
}
}
```


## Other programs!


## List of sites

You find the current list of sites on
[via-ipv6.com](https://via-ipv6.com). If you would like to have
another site added, just ping me on [IPv6.chat](https://IPv6.chat).
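Review bot: the `prerouting` chain declares `priority filter` while the `postrouting` chain uses `priority srcnat`; a nat-type prerouting chain conventionally uses `priority dstnat` (-100) so the redirect is applied before any filter chain sees the packet, so the line should read `type nat hook prerouting priority dstnat; policy accept;`. The `udp dport != 51820` match is also repeated in `vpnredirect`, which only ever receives packets that already passed the identical test in `prerouting`; either put `udp dport != 51820 redirect to :51820` directly in `prerouting` and drop the jump, or keep the jump and leave the match out of `vpnredirect`. The empty `postrouting` chain serves no purpose here and can be removed. The abstract promises "all (tcp/udp) ports" but the ruleset only touches UDP; that is correct for WireGuard, which is UDP-only, but the abstract and the text should say so. On the draft's open question ("only incoming packets modification or is it part of prerouting?!"): the prerouting hook is traversed only by packets arriving on an interface, never by locally generated ones, so the rule already applies to incoming traffic only, and the "TO FIX HERE" block should state that. The sentence about other services on the host deserves more than a hint: as written the rule captures every UDP port on the machine (DNS, NTP, anything else listening), so the article should show how to scope it, for instance with an interface or destination-address match such as `iifname "eth0"` or `ip daddr <vpn address>` in front of the redirect, and should mention that WireGuard silently discards unauthenticated datagrams, which is what makes exposing it on every port acceptable. Minor wording in the body: "target part" should read "target port", "prevent our customers to be connected" should read "prevent our customers from being connected", and "However at" wants a comma.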