nftables: how do I fix this ping error?
After adding NAT and forward rules, ping stops working on the server and fails with "ping: sendmsg: Operation not permitted". The server runs CentOS Linux release 8.1.1911 (Core), kernel 4.18.0-147.5.1.el8_1.x86_64, nftables v0.9.0.
The rules themselves:
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop
        ip protocol icmp accept
        ip protocol igmp accept
        tcp dport ssh accept comment "SSH"
        udp dport { netbios-ns, netbios-dgm } accept comment "Samba udp ports"
        tcp dport { netbios-ssn, microsoft-ds } accept comment "Samba tcp ports"
        tcp dport { 35621, 35623, 55413-55415 } accept comment "UrBackup tcp ports"
        udp dport { 35621, 35622, 35623 } accept comment "UrBackup udp ports"
        tcp dport 9090 accept comment "Cockpit Web Interface"
        udp dport tftp accept comment "tftp"
        tcp dport { ftp-data, ftp } accept comment "ftp"
    }
}
table ip nat {
    chain post {
        type nat hook postrouting priority 100; policy drop;
        ip saddr 192.168.1.2 oif "enp2s0.103" snat to 10.14.1.58
        ip saddr 192.168.1.4 oif "enp2s0.103" snat to 10.14.1.58
        ip saddr 192.168.1.6 oif "enp2s0.103" snat to 10.14.1.58
        ip saddr 192.168.1.7 oif "enp2s0.103" snat to 10.14.1.58
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ip saddr 192.168.1.2 oif "enp2s0.103" accept
        ip saddr 192.168.1.4 oif "enp2s0.103" accept
        ip saddr 192.168.1.6 oif "enp2s0.103" accept
        ip saddr 192.168.1.7 oif "enp2s0.103" accept
    }
}
Change the policy on ip nat post to accept; do not drop packets during NAT. And check the policy on output: it should be accept, otherwise "you yourself have restricted what may be sent out, and now you are complaining about it."
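Why the answer works: a postrouting hook is traversed by locally generated packets as well as forwarded ones, and a nat-type chain sees the first packet of every connection. With policy drop on that chain, any packet that matches none of the snat rules (the server's own echo request, for instance) is dropped on the way out, and the sending syscall returns EPERM, which ping reports as "sendmsg: Operation not permitted". The posted ruleset has no output base chain, so the output path already defaults to accept; the drop is in postrouting. The script below is an added example, not code from the thread: it writes a corrected ruleset to a file and defines a small lint that scans an nft file or nft list ruleset output for nat-type chains with policy drop. Interface and addresses (enp2s0.103, 10.14.1.58, 192.168.1.x) come from the question; the file names, the set-based rules and the placement of the forward chain in the inet filter table are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original thread). Writes the corrected ruleset
# to a file and defines a lint that flags nat-type chains whose policy is
# drop, the misconfiguration behind "ping: sendmsg: Operation not permitted".
# Interface and addresses (enp2s0.103, 10.14.1.58, 192.168.1.x) are taken
# from the question; the file names and the set-based rules are assumptions.
set -eu

WORK=$(mktemp -d)

# Corrected ruleset. The only behavioural fix is "policy accept" on the nat
# postrouting chain; the forward chain is also moved into the inet filter
# table, where filtering belongs, and the per-host rules use anonymous sets.
cat > "$WORK/fixed.nft" <<'EOF'
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop
        ip protocol icmp accept
        ip protocol igmp accept
        tcp dport ssh accept comment "SSH"
        udp dport { netbios-ns, netbios-dgm } accept comment "Samba udp ports"
        tcp dport { netbios-ssn, microsoft-ds } accept comment "Samba tcp ports"
        tcp dport { 35621, 35623, 55413-55415 } accept comment "UrBackup tcp ports"
        udp dport { 35621, 35622, 35623 } accept comment "UrBackup udp ports"
        tcp dport 9090 accept comment "Cockpit Web Interface"
        udp dport tftp accept comment "tftp"
        tcp dport { ftp-data, ftp } accept comment "ftp"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ip saddr { 192.168.1.2, 192.168.1.4, 192.168.1.6, 192.168.1.7 } oif "enp2s0.103" accept
    }
}

table ip nat {
    chain postrouting {
        # A nat chain sees only the first packet of each connection, including
        # the server's own outgoing traffic. With policy drop, anything that
        # matches no snat rule (such as a local ping) is dropped and the
        # sending syscall fails with EPERM.
        type nat hook postrouting priority 100; policy accept;
        ip saddr { 192.168.1.2, 192.168.1.4, 192.168.1.6, 192.168.1.7 } oif "enp2s0.103" snat to 10.14.1.58
    }
}
EOF

# Lint: print "<family> <table> <chain>" for every nat-type base chain whose
# policy is drop. Reads an nft file or `nft list ruleset` output from the
# path in $1, or from stdin when no path is given.
nat_chains_with_drop_policy() {
    awk '
        /^[[:space:]]*table[[:space:]]/ { table = $2 " " $3 }
        /^[[:space:]]*chain[[:space:]]/ { chain = $2 }
        /type[[:space:]]+nat[[:space:]]+hook/ && /policy[[:space:]]+drop/ {
            print table " " chain
        }
    ' "${1:--}"
}

# Constructed excerpt of the ruleset posted in the question, for comparison.
cat > "$WORK/broken.nft" <<'EOF'
table ip nat {
    chain post {
        type nat hook postrouting priority 100; policy drop;
        ip saddr 192.168.1.2 oif "enp2s0.103" snat to 10.14.1.58
    }
}
EOF

nat_chains_with_drop_policy "$WORK/broken.nft"   # prints: ip nat post
nat_chains_with_drop_policy "$WORK/fixed.nft"    # prints nothing
```

To apply the corrected file on the server, syntax-check it with `nft -c -f fixed.nft` and load it with `nft -f fixed.nft` (both as root); the `flush ruleset` at the top replaces the existing rules, so review the file first. To lint a running system, pipe `nft list ruleset` into `nat_chains_with_drop_policy` with no argument. The lint is line-oriented and matches the layout nft itself prints, so it will miss a chain whose `type ... hook ...; policy ...;` declaration is split over several lines.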