by summers » Wed Aug 25, 2021 7:02 am
Well, routing and netfiltering/NAT have to be handled independently (e.g. NAT isn't really a solution to routing). But anyway, yes, you are right, sometimes it's useful to have NAT/netfilter on a computer.
Anyway, I need to see more of what your setup is. Take the commands and output below from one of my Arch computers (the Arch install is quite old now, as this computer is not updated any more ...)
```
[summers@nas ~]$ sudo nft -f /etc/nftables.conf
[summers@nas ~]$ sudo nft list ruleset
table ip nat {
    chain prerouting {
        type nat hook prerouting priority filter; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        masquerade
    }
}
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        ct state { established, related } accept
        ct state invalid drop
        iifname "lo" accept
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        tcp dport 22 accept
        meta nfproto ipv4 reject
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
[summers@nas ~]$ lsmod
Module                  Size  Used by
cdc_mbim               16384  0
cdc_wdm                20480  1 cdc_mbim
cdc_ncm                24576  1 cdc_mbim
cdc_eem                16384  0
nft_reject_inet        16384  1
nf_reject_ipv4         16384  1 nft_reject_inet
nf_reject_ipv6         16384  1 nft_reject_inet
nft_reject             16384  1 nft_reject_inet
nft_ct                 20480  2
nf_tables_set          32768  1
nft_masq               16384  1
nft_chain_nat          16384  2
nf_nat                 32768  2 nft_chain_nat,nft_masq
nf_conntrack          106496  3 nft_ct,nft_masq,nf_nat
nf_defrag_ipv4         16384  1 nf_conntrack
nf_tables             135168 31 nft_ct,nft_reject,nf_tables_set,nft_chain_nat,nft_masq,nft_reject_inet
nfnetlink              16384  1 nf_tables
btrfs                1413120  1
blake2b_generic        32768  0
xor                    16384  1 btrfs
rtc_pcf8563            16384  0
raid6_pq               98304  1 btrfs
cdc_ether              16384  0
cdc_acm                24576  0
usbnet                 28672  4 cdc_eem,cdc_mbim,cdc_ether,cdc_ncm
mii                    16384  1 usbnet
marvell_cesa           40960  0
i2c_mv64xxx            20480  0
ip_tables              28672  0
x_tables               24576  1 ip_tables
ipv6                  450560 33 nf_reject_ipv6
nf_defrag_ipv6         16384  2 nf_conntrack,ipv6
```
What you can see is that I load the nf table from a file with `nft -f`, you can see that the rules are loaded into the kernel with `nft list ruleset`, and that those rules set up NAT (`masquerade`) and filtering:

```
type filter hook input priority filter; policy accept;
ct state { established, related } accept
ct state invalid drop
iifname "lo" accept
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
tcp dport 22 accept
meta nfproto ipv4 reject
```
And loading this into the kernel means a whole shaft of modules needs to be loaded into the kernel. This setup works on my machine. So I need to see something similar for your machine.
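As an added example (not part of summers' post), the same ruleset restructured with default-drop policies. One thing worth noticing in the posted input chain: it keeps `policy accept` and only ends with `meta nfproto ipv4 reject`, so an IPv6 packet that matches none of the accept rules (anything other than ICMPv6 or TCP/22) falls through to the chain policy and is accepted. With `policy drop` both address families end in a drop, and masquerade is limited to the upstream interface instead of every interface. The interface names `wan0` and `lan0` are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post. Assumes an upstream (WAN)
# interface "wan0" and a LAN interface "lan0"; substitute your own names.
flush ruleset

table inet filter {
    chain input {
        # Default-drop: unmatched IPv4 AND IPv6 both end up here.
        type filter hook input priority filter; policy drop;
        ct state { established, related } accept
        ct state invalid drop
        iifname "lo" accept
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        tcp dport 22 accept
        # Log what the policy is about to drop, rate-limited so the
        # log cannot be flooded.
        limit rate 5/minute log prefix "nft-input-drop: "
    }
    chain forward {
        # Only forward LAN -> WAN plus replies; everything else is dropped.
        type filter hook forward priority filter; policy drop;
        ct state { established, related } accept
        ct state invalid drop
        iifname "lan0" oifname "wan0" accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}

table ip nat {
    chain postrouting {
        # Masquerade only traffic leaving via the upstream interface.
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Check the file without loading it using `nft -c -f /etc/nftables.conf`, then load it with `nft -f` and confirm with `nft list ruleset` as in the post.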