iptables
exclim, 2021-06-07 05:09:20

Nftables: how to fix the ping error?

After adding the nat and forward rules, ping stops working on the server itself and fails with the error "ping: sendmsg: Operation not permitted". The server runs CentOS Linux release 8.1.1911 (Core), kernel 4.18.0-147.5.1.el8_1.x86_64, nftables v0.9.0.

The rules themselves:

table inet filter {
        chain input {
                type filter hook input priority 0; policy drop;
                ct state established,related accept
                iif "lo" accept
                ct state invalid drop
                ip protocol icmp accept
                ip protocol igmp accept
                tcp dport ssh accept comment "SSH"
                udp dport { netbios-ns, netbios-dgm } accept comment "Samba udp ports"
                tcp dport { netbios-ssn, microsoft-ds } accept comment "Samba tcp ports"
                tcp dport { 35621, 35623, 55413-55415 } accept comment "UrBackup tcp ports"
                udp dport { 35621, 35622, 35623 } accept comment "UrBackup udp ports"
                tcp dport 9090 accept comment "Cockpit Web Interface"
                udp dport tftp accept comment "tftp"
                tcp dport { ftp-data, ftp } accept comment "ftp"
        }
}
table ip nat {
        chain post {
                type nat hook postrouting priority 100; policy drop;
                ip saddr 192.168.1.2 oif "enp2s0.103" snat to 10.14.1.58
                ip saddr 192.168.1.4 oif "enp2s0.103" snat to 10.14.1.58
                ip saddr 192.168.1.6 oif "enp2s0.103" snat to 10.14.1.58
                ip saddr 192.168.1.7 oif "enp2s0.103" snat to 10.14.1.58
        }

        chain forward {
                type filter hook forward priority 0; policy drop;
                ct state established,related accept
                ip saddr 192.168.1.2 oif "enp2s0.103" accept
                ip saddr 192.168.1.4 oif "enp2s0.103" accept
                ip saddr 192.168.1.6 oif "enp2s0.103" accept
                ip saddr 192.168.1.7 oif "enp2s0.103" accept
        }
}


At the same time, NAT works for the listed hosts and ping works fine for them; it fails only on the server itself. Please point out where I made a mistake in the rules.

1 answer
Maxim Grishin, 2021-06-07
@exclim

Change the policy to accept on the ip nat post chain; do not drop packets during NAT. And check the policy on output: it should be accept, otherwise "you yourself have restricted sending something out and are now complaining about it."
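Why the answer works, with an added example that is not part of the original question or answer: a nat-type chain is consulted only for the first packet of each connection, and a locally generated packet that is dropped in the postrouting hook is reported back to the sending socket as EPERM, which is exactly ping's "sendmsg: Operation not permitted". The clients' first packets match an snat rule and pass; the server's own new connections match nothing in chain post and fall to policy drop. The question's ruleset has no output chain at all, so output is already unrestricted and the nat policy is the only thing in the way. The POSIX shell script below lints a ruleset dump for nat-type chains that carry a drop policy and rewrites them to accept, leaving filter-type chains (like the forward chain that also lives in table ip nat) untouched. The ruleset text embedded in it is constructed from the question, and the function names are my own; on a real host feed it `nft list ruleset` instead.

```shell
#!/bin/sh
# Added example (not code from the original post or from the nftables project).
# Lint an nftables ruleset dump for the misconfiguration in the question:
# a nat-type chain with "policy drop". Such a chain only sees the first packet
# of a connection, so a drop policy there kills every new connection the host
# itself originates and the sender gets EPERM ("sendmsg: Operation not permitted").

# Print "family/table/chain" for every chain that is type nat AND policy drop.
# Input: ruleset text on stdin (e.g. `nft list ruleset`).
nat_drop_chains() {
    awk '
        /^table /                         { table = $2 "/" $3 }
        /^[[:space:]]*chain /             { chain = $2 }
        /type nat hook/ && /policy drop;/ { print table "/" chain }
    '
}

# Count such chains in the ruleset text passed as $1 (always prints a number).
count_nat_drop_chains() {
    printf '%s\n' "$1" | nat_drop_chains | awk 'END { print NR }'
}

# Rewrite the ruleset text in $1 so nat-type chains use policy accept.
# Filtering belongs in type filter chains (input/forward/output), not in nat chains.
fix_nat_policy() {
    printf '%s\n' "$1" | sed -E '/type nat hook/ s/policy drop;/policy accept;/'
}

# Constructed sample: the nat table from the question, trimmed to one rule per chain.
# Note the filter-type forward chain in the same table keeps its drop policy; that
# one is legitimate and must not be flagged.
BAD_RULESET='table ip nat {
        chain post {
                type nat hook postrouting priority 100; policy drop;
                ip saddr 192.168.1.2 oif "enp2s0.103" snat to 10.14.1.58
        }
        chain forward {
                type filter hook forward priority 0; policy drop;
                ct state established,related accept
                ip saddr 192.168.1.2 oif "enp2s0.103" accept
        }
}'

FIXED_RULESET=$(fix_nat_policy "$BAD_RULESET")

if [ "$(count_nat_drop_chains "$BAD_RULESET")" -ne 0 ]; then
    echo "original ruleset: nat chain(s) with policy drop:"
    printf '%s\n' "$BAD_RULESET" | nat_drop_chains
fi
echo "fixed ruleset: $(count_nat_drop_chains "$FIXED_RULESET") nat chain(s) with policy drop"
printf '%s\n' "$FIXED_RULESET"
```

Running it against the question's ruleset reports `ip/nat/post` as the offending chain and prints the corrected table with `policy accept` on the postrouting chain while the forward chain still reads `policy drop`. If the server's own outbound traffic really should be restricted, do it in a `type filter hook output` chain with explicit accept rules, where a drop will also be visible as a deliberate filter decision rather than a side effect of NAT.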
