Translate the source address of all packets leaving a particular interface with nftables

Question

I am running Ubuntu Server 18-04 VM on Zorin host.

I am wanting to translate the source address of all packets leaving via enp0s3 to 192.168.1.120 with nftables. This is what I have done:

apt install nftables

modprobe nft_nat

modprobe nft_chain_nat_ipv4

nft add table nat

nft add chain nat post { type nat hook postrouting priority 0 \; }

nft add chain nat pre { type nat hook prerouting priority 0 \; }

nft add rule nat postrouting oif enp0s3 snat to 192.168.2.120

I get:

Error: Could not process rule: No such file or directory

According to this post here

"Note: You may have to create /etc/modules-load.d/nftables.conf with all of the nftables related modules you require as entries for the systemd service to work correctly. You can get a list of modules using this command: $ lsmod | grep '^nf' Otherwise, you could end up with the dreaded Error: Could not process rule: No such file or directory error."

The output of $ lsmod | grep '^nf' is:

nft_chain_nat_ipv4     16384  2    
nf_conntrack_ipv4      16384  1    
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4    
nf_nat_ipv4            16384  1 nft_chain_nat_ipv4    
nft_nat                16384  0    
nf_nat                 32768  2 nft_nat,nf_nat_ipv4    
nf_conntrack          131072  4    
nft_nat,nf_conntrack_ipv4,nf_nat_ipv4,nf_nat    
nf_tables_inet         16384  4    
nf_tables_ipv6         16384  1 nf_tables_inet    
nf_tables_ipv4         16384  2 nf_tables_inet    
nf_tables              90112  5     
nft_nat,nft_chain_nat_ipv4,nf_tables_ipv6,nf_tables_ipv4,nf_tables_i$    
nfnetlink              16384  1 nf_tables

I have cut and pasted this into the /etc/modules-load.d/nftables.conf file without success.

Does anyone know how I can resolve this error?

EDIT:

I changed the order I added the chains, I added the "pre" chain first and the "post" chain second. Now I am getting a different error:

nft add rule nat postrouting oif eno1 snat to 192.168.2.120
<cmdline>:1:40-41: Error: syntax error, unexpected to
add rule nat postrouting oif eno1 snat to 192.168.2.120
                                       ^^

This error seems odd to me as I got this syntax for the nftables manpage:

Using NAT statements

create a suitable table/chain setup for all further examples

add table nat add chain nat prerouting { type nat hook prerouting priority 0; } add chain nat postrouting { type nat hook postrouting priority 100; }

translate source addresses of all packets leaving via eth0 to address 1.2.3.4

add rule nat postrouting oif eth0 snat to 1.2.3.4

Hyungjune Shin · Answer 1 · 2018-09-14T12:57:01.333

0

The rule should be nft add rule nat post "subnet address of enp0s3" snat to 192.168.2.120

The example of subnet address of enp0s3 may be like 10.4.0.1/16

edited Sep 14 '18 at 12:57

answered Sep 14 '18 at 06:17

Hyungjune Shin

1
2

Jedi · Answer 2 · 2018-09-26T07:46:06.017

0

Ok I figured it out.

"postrouting" is not the hook but the name of the chain. As my chain was named "post" the correct syntax is:

nft add rule nat post oif enp0s3 snat to 192.168.2.120

edited Sep 26 '18 at 07:46

answered Sep 26 '18 at 07:22

Jedi

421
2
9
20

Translate the source address of all packets leaving a particular interface with nftables

create a suitable table/chain setup for all further examples

translate source addresses of all packets leaving via eth0 to address 1.2.3.4

2 Answers2