Answer the question
In order to leave comments, you need to log in
Why snat doesn't work in nftables but works in iptables?
Created 2 virtual machines (server, client). Wireguard VPN is configured between them.
Snat is configured in nftables, forwarding is enabled.
ICMP Request packets travel from the client to the server through the VPN.
But packets (ICMP Reply) are not returned back.
The endpoint of the ICMP Reply packets is the enp0s3 interface on the server.
On the wg0 interface on the server, only Request packets are visible, but not Reply.
But, if you turn off nftables and run ip6tables instead with the same snat rule,
then packets will come and go without any problems.
If after that you disable ip6tables and enable nftables back, then everything will continue to work.
Software versions:
NixOS: 17.09.git.ebaff59 (Hummingbird)
WireGuard: 0.0.20170706
Nftables: 0.7
Command to build server ISO image:
nix-build -A config.system.build.isoImage -I nixos-config=./wireguard_server_10.nix ./nixpkgs/nixos/default.nix
Command to build client ISO image:
nix -build -A config.system.build.isoImage -I nixos-config=./wireguard_client_20.nix ./nixpkgs/nixos/default.nix
Nix files (nftables rules in there):
https://gist.github.com/ MrSorcus/d6d8b8b6acff71536...
Command to create virtual machine (server):
virt-install \
--name NixOSVS10 \
--ram 1024 \
--vcpus 1 \
--cdrom /tmp/nixos_10.iso \
--os-type linux \
--nodisk \
--network bridge=br0 \
--graphics vnc,password="ABCDEF",port=5910,listen=2a01:4f8:xx:xx::13 \
--autostart \
--noautoconsole
Command to create virtual machine (client):
virt-install \
-- name NixOSVS20 \
--ram 1024 \
--vcpus 1 \
--cdrom /tmp/nixos_20.iso \
--os-type linux \
--nodisk \
--network bridge=br0 \
--graphics vnc,password="ABCDEF ",port=5920,listen=2a01:4f8:xx:xx::13 \
--autostart \
--noautoconsole
Output commands ip a, ip -6 route, route -6, wg, sysctl -a, dmesg, lsmod.
https://gist.github.com/MrSorcus/1a8c9f5aacf895750... - server.
https://gist.github.com/MrSorcus/b7dc077249ca513ca... - client.
Exhaust tcpdump from the client. Ping IPv6 site address ( https://ipv6.net/)
https://gist.github.com/MrSorcus/03e716fba67c41197... - logs from client and server enp0s3 & wg0 interfaces.
Exhaust /proc/net/nf_conntrack from nftables:
https://gist.github.com/MrSorcus/601170680ff644c52...
Exhaust /proc/net/nf_conntrack from ip6tables:
https://gist.github.com/MrSorcus/e043101f98e787c8c. ..
After the command:
[[email protected]:~]# ip6tables -t nat -A POSTROUTING -o enp0s3 -j SNAT --to-source 2a01:4f8:xx:xx::10
Everything works. Those. IPv6 resources are successfully pinged.
And it continues to work if you disable ip6tables and enable nftables back.
Answer the question
In order to leave comments, you need to log in
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question