vgk/ungleich-staticcms
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

add draft of nftables article

Browse source
This commit is contained in:
Nico Schottelius 2019-11-07 17:34:56 +01:00
commit 65259f4c76
1 changed files with 86 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

86
content/u/blog/nftables-magic-redirect-all-ports-to-one-port/contents.lr Normal file
View file

@ -0,0 +1,86 @@
title: Firewall magic with nftables: how to redirect all ports to one port
---
pub_date: 2019-11-07
---
author: ungleich
---
twitter_handle: ungleich
---
_hidden: yes
---
_discoverable: no
---
abstract:
How to redirect traffic from all (tcp/udp) ports to another port.
And why one would want to do that...
---
body:
## The problem
Let's say you have a service running on a specific port, for instance
[wireguard](https://www.wireguard.com/) on **port 51820**, but you
would like to accept packets on **any** port and have it received by
your application.
As you might know we are [big fans of
nftables](https://ungleich.ch/de/cms/ungleich-blog/2018/08/19/iptables-vs-nftables/),
so we will use nftables to achieve this goal.
## Why would one want this?
There are a variety of reasons for doing this, including the
"because we can" case. However at
[ungleich](https://ungleich.ch) we have a real world use case: We
provide an [IPv6 VPN](https://ipv6vpn.ch) as a service to our
customers. This service is based on wireguard and is configured to
listen on port 51820.
Sometimes networks (like hotels or airports) block or filter
outgoing traffic and thus prevent our customers to be connected by
IPv6. Obviously this is not what we or our customers want.
Typically these networks will still allow outgoing traffic on
*some ports*, but we don't know *which ports*.
Thus we will enable wireguard on *all ports*. Simple idea, isn't it?
## How it works
To achieve our goal we need to tell nftables to take the traffic that
goes to any port that is not our target port, to be redirected to our
target part. If you have other services running on the host, you might
want to adjust this logic.
In nftables we have a lot of freedom naming and creating our own
chains
TO FIX HERE
ALSO maybe include only incoming packets modification or is it part of prerouting?!
```
table ip nat {
chain prerouting {
type nat hook prerouting priority filter; policy accept;
udp dport != 51820 jump vpnredirect
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
}
chain vpnredirect {
udp dport != 51820 redirect to :51820
}
}
```
## Other programs!
## List of sites
You find the current list of sites on
[via-ipv6.com](https://via-ipv6.com). If you would like to have
another site added, just ping me on [IPv6.chat](https://IPv6.chat).