diff --git a/content/u/blog/nftables-magic-redirect-all-ports-to-one-port/contents.lr b/content/u/blog/nftables-magic-redirect-all-ports-to-one-port/contents.lr index b77d5eb..96c131c 100644 --- a/content/u/blog/nftables-magic-redirect-all-ports-to-one-port/contents.lr +++ b/content/u/blog/nftables-magic-redirect-all-ports-to-one-port/contents.lr @@ -6,9 +6,9 @@ author: ungleich --- twitter_handle: ungleich --- -_hidden: yes +_hidden: no --- -_discoverable: no +_discoverable: yes --- abstract: How to redirect traffic from all (tcp/udp) ports to another port. 
@@ -16,111 +16,83 @@ And why one would want to do that... --- body: -## The problem - -Let's say you have a service running on a specific port, for instance -[wireguard](https://www.wireguard.com/) on **port 51820**, but you -would like to accept packets on **any** port and have it received by -your application. - -As you might know we are [big fans of -nftables](https://ungleich.ch/de/cms/ungleich-blog/2018/08/19/iptables-vs-nftables/), -so we will use nftables to achieve this goal. - -## Why would one want this? - -There are a variety of reasons for doing this, including the -"because we can" case. However at -[ungleich](https://ungleich.ch) we have a real world use case: We -provide an [IPv6 VPN](https://ipv6vpn.ch) as a service to our -customers. This service is based on wireguard and is configured to -listen on port 51820. +## Motivation Sometimes networks (like hotels or airports) block or filter -outgoing traffic and thus prevent our customers to be connected by -IPv6. Obviously this is not what we or our customers want. +outgoing traffic and thus prevent you to connect to where you want to +connect to. +Here at [ungleich](https://ungleich.ch) we are travelling quite a lot, +but we always want to be able to access the servers of +[Data Center Light](https://datacenterlight.ch), so that we can +maintain them from everywhere in the world, so we needed a way to +ensure that we have some way of connecting to them, even if the +network disallows traffic to the ssh port (tcp/22). + +## A solution based on nftables + +As you might know we are +[big fans of +nftables](https://ungleich.ch/de/cms/ungleich-blog/2018/08/19/iptables-vs-nftables/) +and this hotel/airport problem motivated us to once again checkout +what we can achieve just with nftables. Typically these networks will still allow outgoing traffic on *some ports*, but we don't know *which ports*. -Thus we will enable wireguard on *all ports*. Simple idea, isn't it? 
+So instead of guessing which port we should bind SSH to, +we will just use nftables to make ssh available on +*all TCP ports*. Simple idea, isn't it? ## How it works To achieve our goal we need to tell nftables to take the traffic that goes to any port that is not our target port, to be redirected to our target part. If you have other services running on the host, you might -want to adjust this logic. - -In nftables we have a lot of freedom naming and creating our own -chains - -TO FIX HERE - -ALSO maybe include only incoming packets modification or is it part of prerouting?! +want to adjust this logic though (see below). The following +nftables snippet will already do the job: ``` -table ip nat { - chain prerouting { - type nat hook prerouting priority filter; policy accept; - udp dport != 51820 jump vpnredirect - } - - chain postrouting { - type nat hook postrouting priority srcnat; policy accept; - } - - chain vpnredirect { - udp dport != 51820 redirect to :51820 - } -} -``` - - -## More sophisticated - -``` -[17:51:31] vpn-2a0ae5c1:~# cat /etc/nftables.conf -#!/usr/sbin/nft -f - flush ruleset table ip nat { chain prerouting { - type nat hook prerouting priority -101; + type nat hook prerouting priority 0; - # SSH works - #tcp dport != 22 redirect to 22 - - # wireguard doesn't - #udp dport != 51820 redirect to 51820 - # - tcp dport != 22 jump port_redirect - udp dport != 51820 jump port_redirect - } - - chain port_redirect { - counter comment "redirecting" - log prefix "port redir: " - - # SSH works tcp dport != 22 redirect to 22 - - # wireguard doesn't - udp dport != 51820 redirect to 51820 - } - chain postrouting { - type nat hook postrouting priority -101; - counter comment "other side nat" - log prefix "port post-redir: " - } -} + type nat hook postrouting priority 0; + } + ``` +You can save this as nftables.conf and run -## List of sites +``` +nft -f nftables.conf +``` -You find the current list of sites on -[via-ipv6.com](https://via-ipv6.com). 
If you would like to have -another site added, just ping me on [IPv6.chat](https://IPv6.chat). +to see it working on your system. + +After applying this, we can use `ssh -p ` to choose any port and +connect to our server: + +``` +ssh -p 80 serverX.placeY.ungleich.ch +``` + +## Using specific ranges or ports only + +If you have other services running on the system, you might want to +restrict the ports to be used for ssh. You can either use **sets** +(nftables syntax: *{ a, b, c, ... }*) or **intervals** +(nftables syntax: *X - Y*) as follows. + +``` + tcp dport 2000-4000 redirect to :ssh + tcp dport {23, 25, 80, 443 } redirect to :ssh +``` + +## More of it? + +If you are interested in more of this, we invite you to join our +[open infrastructure chat on chat.ungleich.ch](https://chat.ungleich.ch).
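Review bot: the first hunk flips `_hidden: yes` to `no` and `_discoverable: no` to `yes`, which publishes the post in the same commit as the body rewrite; that is fine as long as the body no longer contains the `TO FIX HERE` / `ALSO maybe include only incoming packets ...` placeholders (the second hunk does remove them), but the unchanged `abstract:` context line still promises redirection of "all (tcp/udp) ports" while the rewritten body only covers TCP/ssh. Either trim the abstract to "all TCP ports" or keep a short note that UDP works the same way with `udp dport`, otherwise the published page advertises something it no longer explains.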
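Review bot: the published ruleset (`tcp dport != 22 redirect to 22` in a `nat prerouting` chain) matches every incoming TCP packet on every interface, not only connections addressed to this host, so on a machine that also forwards traffic it would redirect forwarded connections to the local sshd; add an interface or destination-address match such as `iifname "eth0" tcp dport != 22 redirect to 22` (or `ip daddr <host address> ...`), and say in the text that the host must not run other TCP services on that interface while the catch-all rule is active. The "save this as nftables.conf and run nft -f" instruction should also warn that the retained `flush ruleset` line wipes every existing table, including any firewall rules already loaded, so readers should merge the `nat` table into their existing ruleset rather than replace it. Smaller points in the same hunk: `ssh -p ` has an empty placeholder where `ssh -p <port>` was presumably meant; the main snippet writes `redirect to 22` while the ranges section writes `redirect to :ssh` (pick one form, `redirect to :22` is the documented one); `{23, 25, 80, 443 }` has inconsistent spacing; and the removed `# wireguard doesn't` comment documented a known limitation of the UDP variant that is now silently dropped rather than explained.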