diff --git a/content/u/blog/nftables-magic-redirect-all-ports-to-one-port/contents.lr b/content/u/blog/nftables-magic-redirect-all-ports-to-one-port/contents.lr new file mode 100644 index 0000000..810f5ff --- /dev/null +++ b/content/u/blog/nftables-magic-redirect-all-ports-to-one-port/contents.lr @@ -0,0 +1,86 @@ +title: Firewall magic with nftables: how to redirect all ports to one port +--- +pub_date: 2019-11-07 +--- +author: ungleich +--- +twitter_handle: ungleich +--- +_hidden: yes +--- +_discoverable: no +--- +abstract: +How to redirect traffic from all (tcp/udp) ports to another port. +And why one would want to do that... +--- +body: + +## The problem + +Let's say you have a service running on a specific port, for instance +[wireguard](https://www.wireguard.com/) on **port 51820**, but you +would like to accept packets on **any** port and have it received by +your application. + +As you might know we are [big fans of +nftables](https://ungleich.ch/de/cms/ungleich-blog/2018/08/19/iptables-vs-nftables/), +so we will use nftables to achieve this goal. + +## Why would one want this? + +There are a variety of reasons for doing this, including the +"because we can" case. However at +[ungleich](https://ungleich.ch) we have a real world use case: We +provide an [IPv6 VPN](https://ipv6vpn.ch) as a service to our +customers. This service is based on wireguard and is configured to +listen on port 51820. + +Sometimes networks (like hotels or airports) block or filter +outgoing traffic and thus prevent our customers to be connected by +IPv6. Obviously this is not what we or our customers want. + +Typically these networks will still allow outgoing traffic on +*some ports*, but we don't know *which ports*. +Thus we will enable wireguard on *all ports*. Simple idea, isn't it? + +## How it works + +To achieve our goal we need to tell nftables to take the traffic that +goes to any port that is not our target port, to be redirected to our +target part. If you have other services running on the host, you might +want to adjust this logic. + +In nftables we have a lot of freedom naming and creating our own +chains + +TO FIX HERE + +ALSO maybe include only incoming packets modification or is it part of prerouting?! + +``` +table ip nat { + chain prerouting { + type nat hook prerouting priority filter; policy accept; + udp dport != 51820 jump vpnredirect + } + + chain postrouting { + type nat hook postrouting priority srcnat; policy accept; + } + + chain vpnredirect { + udp dport != 51820 redirect to :51820 + } +} +``` + + +## Other programs! + + +## List of sites + +You find the current list of sites on +[via-ipv6.com](https://via-ipv6.com). If you would like to have +another site added, just ping me on [IPv6.chat](https://IPv6.chat).