@inturned2017-07-10 00:53:10
VPN

Why does SNAT not work in nftables but works in iptables?

I created 2 virtual machines (server, client). A WireGuard VPN is configured between them.
SNAT is configured in nftables, forwarding is enabled.
ICMP Request packets travel from the client to the server through the VPN.
But the packets (ICMP Reply) are not returned back.
The endpoint of the ICMP Reply packets is the enp0s3 interface on the server.
On the wg0 interface on the server, only Request packets are visible, but not Reply.
But if you turn off nftables and run ip6tables instead with the same SNAT rule,
then packets come and go without any problems.
If after that you disable ip6tables and enable nftables again, then everything continues to work.
Software versions:
NixOS: 17.09.git.ebaff59 (Hummingbird)
WireGuard: 0.0.20170706
Nftables: 0.7
Command to build server ISO image:
nix-build -A config.system.build.isoImage -I nixos-config=./wireguard_server_10.nix ./nixpkgs/nixos/default.nix
Command to build client ISO image:
nix-build -A config.system.build.isoImage -I nixos-config=./wireguard_client_20.nix ./nixpkgs/nixos/default.nix
Nix files (nftables rules in there):
https://gist.github.com/MrSorcus/d6d8b8b6acff71536...
Command to create virtual machine (server):
virt-install \
--name NixOSVS10 \
--ram 1024 \
--vcpus 1 \
--cdrom /tmp/nixos_10.iso \
--os-type linux \
--nodisk \
--network bridge=br0 \
--graphics vnc,password="ABCDEF",port=5910,listen=2a01:4f8:xx:xx::13 \
--autostart \
--noautoconsole
Command to create virtual machine (client):
virt-install \
--name NixOSVS20 \
--ram 1024 \
--vcpus 1 \
--cdrom /tmp/nixos_20.iso \
--os-type linux \
--nodisk \
--network bridge=br0 \
--graphics vnc,password="ABCDEF",port=5920,listen=2a01:4f8:xx:xx::13 \
--autostart \
--noautoconsole
Output of the commands ip a, ip -6 route, route -6, wg, sysctl -a, dmesg, lsmod:
https://gist.github.com/MrSorcus/1a8c9f5aacf895750... - server.
https://gist.github.com/MrSorcus/b7dc077249ca513ca... - client.
tcpdump output from the client while pinging an IPv6 site address (https://ipv6.net/):
https://gist.github.com/MrSorcus/03e716fba67c41197... - logs from the client and server enp0s3 & wg0 interfaces.
Output of /proc/net/nf_conntrack with nftables:
https://gist.github.com/MrSorcus/601170680ff644c52...
Output of /proc/net/nf_conntrack with ip6tables:
https://gist.github.com/MrSorcus/e043101f98e787c8c...
After the command:
# ip6tables -t nat -A POSTROUTING -o enp0s3 -j SNAT --to-source 2a01:4f8:xx:xx::10
everything works, i.e. IPv6 resources are successfully pinged.
And it continues to work if you disable ip6tables and enable nftables again.

inturned, 2017-07-17

Solved. marc.info/?l=netfilter-devel&m=150027256708621&w=2
You are probably missing the reply NAT chain, which needs to be registered.
https://wiki.nftables.org/wiki-nftables/index.php/...
I'm updating right now the wiki to put this in bold.
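The point made in the linked reply, shown as an added ruleset that is not part of the question or the answer: with nftables, conntrack only reverses the source NAT on reply packets if a nat-type chain is also registered on the prerouting hook, so the prerouting chain below must exist even though it holds no rules. The interface name and the redacted address (xx as in the question) are taken from the question.

```nft
# Added example: IPv6 NAT table for the WireGuard server.
# The empty prerouting chain is the "reply NAT chain" from the answer:
# without it, ICMP Reply packets arriving on enp0s3 are never de-NATed
# back to the client's wg0 address and so never reach the tunnel.
table ip6 nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        # intentionally empty: registering the hook is what matters
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # same SNAT as the ip6tables rule in the question
        oifname "enp0s3" snat to 2a01:4f8:xx:xx::10
    }
}
```

Load with `nft -f <file>` and check that both chains appear in `nft list table ip6 nat`; with the prerouting chain missing, /proc/net/nf_conntrack still shows the NATed entry but the replies stop at enp0s3, which is the symptom described in the question.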
