nftables port forwarding egy VRF egy csatolojara

Sziasztok!

 

mi a modja annak, hogy egy port forwardingot eszkozoljek egy bejovo interface-rol egy masik route tablaba [vrf]?

bejovo interface [eth0, default route table] port 30xxx => a vrf master interface egyik interface-e [route table 200] port 20yyy

elore is koszonom


Szerkesztve: 2024. 03. 05., k – 00:35

Ha valakit erdekelne a megoldas... az ide vago reszek a configokban:

## cat /etc/nftables.conf

#!/usr/sbin/nft -f

# Interface names used throughout the ruleset.
define ETHWAN = eth0                  # WAN-facing interface (default routing table)
define VRFWG2T2002 = vrf-wg2T2002     # VRF master device; wg2 is enslaved to it (see 60-wg2.network)
define VPNWG2 = wg2                   # WireGuard interface living inside the VRF

# Start from an empty ruleset so this file is the single source of truth.
flush ruleset

# Packet filtering. Both input and forward default to drop; only the listed
# flows pass. Rules elided by the author are shown as "...", so rule order
# relative to them cannot be verified from this excerpt.
table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ...
                ...
                # Locally delivered traffic arriving via the VRF device or the tunnel.
                iifname $VRFWG2T2002 accept
                iifname $VPNWG2 accept
        }
        chain forward {
                type filter hook forward priority 0; policy drop;
                ...
                ...
                # The forwarded SSH flow: by the time it reaches forward, nat prerouting
                # has rewritten the destination to 192.168.13.31:22 (or its v6 peer) and
                # the packet leaves on wg2. No source restriction is applied here, so any
                # WAN client can reach the service; add "ip saddr" / a rate limit if that
                # exposure is not wanted.
                iifname $ETHWAN oifname $VPNWG2 tcp dport 22 ip daddr 192.168.13.31 accept
                iifname $ETHWAN oifname $VPNWG2 tcp dport 22 ip6 daddr [fc80::192:168:13:31] accept
                # NOTE(review): WAN->WAN hairpin forwarding is accepted unconditionally;
                # confirm it is needed, since it is the broadest rule in a policy-drop chain.
                iifname $ETHWAN oifname $ETHWAN accept
                # Traffic from the VRF side out to the WAN.
                iifname $VRFWG2T2002 oifname $ETHWAN accept
        }
        chain output {
                type filter hook output priority 0; policy accept;
        }
}
# Policy-routing marks. This prerouting chain runs at priority -150, i.e.
# before the nat prerouting chain (-100), so "tcp dport 30122" below still
# matches the untranslated WAN port.
table inet mangle {
        chain prerouting {
                type filter hook prerouting priority -150; policy accept;
                ...
                ...
                # Mark the forwarded SSH flow with 0x2002 and persist the mark in the
                # conntrack entry. The RoutingPolicyRule in 60-wg2.network sends packets
                # with mark 0x2002 to routing table 2002 (the VRF's table).
                iifname $ETHWAN tcp dport { 30122 } meta mark set 0x2002
                iifname $ETHWAN tcp dport { 30122 } ct mark set mark
                # NOTE(review): after the two rules above the packet mark already equals
                # the ct mark for this match, so this restore appears to be a no-op —
                # confirm whether it is meant to cover a different case.
                iifname $ETHWAN tcp dport { 30122 } meta mark set ct mark
        }
        chain output {
                type route hook output priority -150; policy accept;
        }
        chain postrouting {
                type filter hook postrouting priority -150; policy accept;
        }
}

# Address translation for the forwarded SSH service.
table inet nat {
        chain prerouting {
                type nat hook prerouting priority -100; policy accept;
                ...
                ...
                # Port forward: WAN :30122 -> 192.168.13.31:22 (v4) and
                # [fc80::192:168:13:31]:22 (v6). Any WAN source is translated.
                iifname $ETHWAN tcp dport { 30122 } dnat ip to 192.168.13.31:22
                iifname $ETHWAN tcp dport { 30122 } dnat ip6 to [fc80::192:168:13:31]:22
        }
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                ...
                ...
                # Source-NAT the forwarded flow to wg2's own address; presumably so that
                # replies from 192.168.13.31 are addressed to 192.168.13.1 (per
                # 60-wg2.network) and stay inside the VRF — confirm. Side effect: the
                # SSH host sees the router's wg2 address as the client, not the original
                # WAN source, so per-client logging, auditing and blocking must be done
                # on this box rather than on 192.168.13.31.
                ip daddr 192.168.13.0/24 tcp dport { 22 } oifname $VPNWG2 masquerade
                ip6 daddr [fc80::192:168:13:0]/112 tcp dport { 22 } oifname $VPNWG2 masquerade
                # Connections originating on the VRF side and leaving via the WAN.
                # NOTE(review): the v4 rule matches "dport 22" while the v6 rule matches
                # "sport 22"; they cannot describe the same flow, so one of the two
                # is probably a typo — confirm which is intended. Reply packets of the
                # forwarded connection are handled by conntrack and never hit these rules.
                ip saddr 192.168.13.0/24 tcp dport { 22 } iifname $VPNWG2 oifname $ETHWAN masquerade
                ip6 saddr [fc80::192:168:13:0]/112 tcp sport { 22 } iifname $VPNWG2 oifname $ETHWAN masquerade
        }
}

## cat /etc/systemd/network/60-wg2.network

# wg2 (the WireGuard interface) is placed in VRF vrf-wg2T2002 and carries the
# 192.168.13.0/24 and fc80::192:168:13:0/112 networks that nftables.conf
# forwards to.
[Match]
Name=wg2

[Network]
VRF=vrf-wg2T2002
Address=192.168.13.1/24
Address=fc80::192:168:13:1/112

# Packets carrying firewall mark 0x2002 (set in the nftables mangle table for
# the forwarded SSH flow) are looked up in routing table 2002 instead of the
# default table, for both address families.
[RoutingPolicyRule]
FirewallMark=0x2002
Table=2002
Family=both