G'day,
Embarking on a thrilling nftables adventure for the first time and hoping for a lifeline here! In the labyrinth of my setup:
I have an IP address from the hosting service that takes a scenic route through to Proxmox, makes a pit stop at pfSense (VM), and finally reaches the destination – Webhosting (another VM).
Currently, when I add the rule "tcp dport 80 dnat $vm_254:80" or 443, I lose internet connectivity for the VMs but gain access to the website. Conversely, if I use "tcp dport { 80, 443 } accept", I regain internet access on the VMs but lose access to the website.
Any sage advice or witty insights to navigate this digital safari would be greatly appreciated!
Behold, my nftables masterpiece:
Code:
#!/usr/sbin/nft -f

# Flush existing ruleset
flush ruleset

############################
# DEFINES
############################

# Interfaces
define wan0 = eth0

# Host Ports
define port_ssh = 22
define port_proxmox = 8006
define port_pfsense = 10543 # Custom GUI Port
define port_walldns = 53    # Lab VM
define port_wallsdns = 853  # Lab VM

# VM Ports
define port_labssh = 2222
define port_http = 80
define port_https = 443

# NAT Networks
define lan0 = 172.16.23.0/24
define lan1 = 172.16.24.0/24
define lan2 = 172.16.25.0/24

# Virtual Machine IPs
define vm_254 = 172.16.23.254 # pfSense
define vm_231 = 172.16.24.231 # Lab Website

############################
# FILTER TABLE (main table)
############################
table inet filter {
    set tcp_accepted {
        type inet_service; flags interval;
        # Allowed TCP Ports
        elements = {
            $port_proxmox, $port_ssh,                        # Proxmox
            $port_labssh, $port_http, $port_https,           # Lab
            $port_pfsense, $port_walldns, $port_wallsdns,    # pfSense
        }
    }

    set udp_accepted {
        type inet_service; flags interval;
        # Allowed UDP Ports
        elements = { http, https, $port_walldns, $port_wallsdns, }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Allow established and related connections
        ct state {established, related} accept

        # Drop invalid connections
        ct state invalid drop

        # Accept loopback connections
        iifname lo accept

        # Accept ICMP traffic
        ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
        # Allow ICMP for IPv6
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable, packet-too-big, nd-router-advert, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query } accept

        # Allow defined ports
        tcp dport @tcp_accepted accept
        udp dport @udp_accepted accept

        # Allow incoming traffic on port 80 from Cloudflare IP
        tcp dport 80 ip saddr 104.21.76.199 accept
        # Allow incoming traffic on port 443 from Cloudflare IP
        tcp dport 443 ip saddr 104.21.76.199 accept

        # Reject all other traffic with port-unreachable ICMP message
        reject with icmpx type port-unreachable
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow outgoing packets via wan
        oifname eth0 accept
        iifname eth0 accept

        # Allow incoming packets via wan for established connections
        iifname eth0 ct state { related, established } accept

        # Drop all other incoming packets on wan interface
        iifname eth0 drop
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # Allow all outgoing connections
        oifname lo accept
    }
}

############################
# NAT TABLE
############################
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0;

        # Port Forwarding
        tcp dport 2222 dnat $vm_254:2222
        tcp dport 2223 dnat $vm_254:2223
        tcp dport 10543 dnat $vm_254:10543
        tcp dport 53 dnat $vm_254:53
        tcp dport 853 dnat $vm_254:853
        tcp dport { 80, 443 } accept
    }

    chain postrouting {
        type nat hook postrouting priority 0;

        # Route outgoing packets from LAN networks over wan and masquerade with the public IP
        #ip saddr { $lan0, $lan1 } oifname $wan0 masquerade
        ip saddr { $lan0, $lan1 } oifname $wan0 masquerade
    }
}
Notes: Network Configuration
Code:
#/etc/network/interfaces.d/50-cloud-init:

# loopback
auto lo
iface lo inet loopback
    dns-nameservers 1.1.1.1 8.8.8.8
    dns-search datapacket.com

# public IP address
auto eth0
iface eth0 inet static
    address 149.88.106.191/25
    gateway 149.88.106.254
Code:
#/etc/network/interfaces

auto lo
iface lo inet loopback

iface eth0 inet manual

auto vmbr0
iface vmbr0 inet static
    address 172.16.23.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0

auto vmbr1
iface vmbr1 inet static
    address 172.16.24.1/24
    bridge-ports none
    bridge-stp off
    bridge-fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
    # post-down must name the same interface as post-up (eth0), otherwise the
    # MASQUERADE rule is never removed when the bridge goes down
    post-up iptables -t nat -A POSTROUTING -s '172.16.23.0/24' -o eth0 -j MASQUERADE
    post-down iptables -t nat -D POSTROUTING -s '172.16.23.0/24' -o eth0 -j MASQUERADE
    post-up iptables -t raw -I PREROUTING -i fwbr+ -j CT --zone 1
    post-down iptables -t raw -D PREROUTING -i fwbr+ -j CT --zone 1

source-directory /etc/network/interfaces.d
source-directory /run/network/interfaces.d
Statistics: Posted by SkinnyBruv — 2024-02-25 02:15 — Replies 0 — Views 14
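The symptom in the post (adding "tcp dport 80 dnat $vm_254:80" cuts the VMs off from the internet while making the website reachable) matches a nat prerouting chain with no input-interface match: that hook sees packets arriving on vmbr0/vmbr1 as well as on eth0, so the VMs' own outbound HTTP/HTTPS requests are redirected to pfSense. The ruleset below is an added example, not the poster's file: it scopes every port-forward to `iifname $wan0` and lets the forward chain admit only DNATed connections from the WAN; the defines are copied from the post, the bridge names vmbr0/vmbr1 are assumed from the posted interfaces file, and `dnat to` is the current nftables syntax.

```nft
#!/usr/sbin/nft -f
# Added example, not the poster's ruleset: port-forwards scoped to the WAN.
# Defines copied from the post; bridge names assumed from the interfaces file.
define wan0 = eth0
define lan0 = 172.16.23.0/24
define lan1 = 172.16.24.0/24
define vm_254 = 172.16.23.254   # pfSense

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Only packets that arrive on the WAN are forwarded to pfSense.
        # Without "iifname $wan0" this hook also matches VM traffic arriving
        # on vmbr0/vmbr1, so a VM's own HTTP/HTTPS requests would be sent
        # to pfSense instead of the internet (the symptom in the post).
        # With no port after "dnat to", the original destination port is kept.
        iifname $wan0 tcp dport { 80, 443, 2222, 2223, 10543, 53, 853 } dnat to $vm_254
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # VM networks leave via the WAN with the host's public address.
        ip saddr { $lan0, $lan1 } oifname $wan0 masquerade
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state { established, related } accept
        ct state invalid drop

        # VMs out to the internet (bridge names assumed from the post).
        iifname { "vmbr0", "vmbr1" } oifname $wan0 accept

        # Only connections the nat table actually DNATed may enter from the
        # WAN; any other new connection arriving on eth0 hits the drop policy.
        iifname $wan0 ct status dnat accept
    }
}
```

Check the syntax with `nft -c -f <file>` before loading it with `nft -f <file>`; with the port-forwards scoped this way, the "tcp dport { 80, 443 } accept" line from the post is no longer needed.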