环境

  • debian 11

配置

编辑/etc/sysctl.conf

允许内核进行 IP 转发（端口转发的前提；修改后需执行 sysctl -p 或重启才生效）

# Add at the end of the file: enable IPv4 forwarding in the kernel. The DNAT rules
# below only rewrite destinations; without this the kernel will not pass the
# rewritten packets on. Takes effect after `sysctl -p` or a reboot.
net.ipv4.ip_forward=1

创建文件/etc/nftables/example.nft

配置文件必须放在/etc/nftables/目录下，且文件名需与后面/etc/nftables.conf 中 include 的路径一致

#!/usr/sbin/nft -f
# Port-forwarding rules (DNAT on the way in, SNAT on the way out) for one remote
# host. Loaded via "include" from /etc/nftables.conf; replace the four define
# values before loading. Forwarded packets still traverse the forward hook of the
# filter table in /etc/nftables.conf — with the default content shown there the
# chain has no policy and so accepts; if a drop policy is added there, an explicit
# accept for this traffic is needed as well.

# Address used as the source of forwarded traffic (see the SNAT rules below).
define localIP = 本地ip
define remoteIP = 远程ip
define remotePort = 端口(80)/端口范围(80-89)
define localPort = 端口(80)/端口范围(80-89)
# Flush the rule set
# Left commented on purpose: /etc/nftables.conf already flushes before this file
# is included, and flushing here would discard the filter table loaded before it.
#flush ruleset

add table ip nat
add chain nat PREROUTING { type nat hook prerouting priority -100 ; }
add chain nat POSTROUTING { type nat hook postrouting priority 100 ; }
# DNAT: there is no iifname match, so connections to $localPort arriving on any
# interface are forwarded. Add an iifname match if only one interface should
# expose the forwarded port.
add rule ip nat PREROUTING tcp dport $localPort counter dnat to $remoteIP:$remotePort
add rule ip nat PREROUTING udp dport $localPort counter dnat to $remoteIP:$remotePort
# SNAT: replies are routed back through this host because forwarded packets leave
# with $localIP as source. Consequently $remoteIP sees this host, not the original
# client, as the peer — keep that in mind when reading the remote host's logs.
add rule ip nat POSTROUTING ip daddr $remoteIP tcp dport $remotePort counter snat to $localIP
add rule ip nat POSTROUTING ip daddr $remoteIP udp dport $remotePort counter snat to $localIP

编辑/etc/nftables.conf

加载自定义配置文件

//默认配置内容
#!/usr/sbin/nft -f
# Default /etc/nftables.conf on Debian 11: an empty inet filter table with
# input/forward/output hooks. None of the chains sets a policy, so all default to
# accept — the forward hook therefore passes the DNAT'd traffic from the included
# NAT file without further rules.

flush ruleset

table inet filter {
chain input {
type filter hook input priority 0;
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
}
}

# Add at the end of the file. Placed after "flush ruleset" so the NAT table from
# the included file survives the flush.
# NOTE(review): the file created earlier in this guide is /etc/nftables/example.nft;
# the included path must match the actual filename, otherwise nft will refuse to
# load this configuration and no NAT rules are installed.
include "/etc/nftables/tranfrom.nft"

设置开机启动

//开机启动
systemctl enable nftables.service

//马上启动
systemctl start nftables.service

//查看状态
systemctl status nftables.service

参考文献