
kernel-packages team mailing list archive

[Bug 1503695] Re: nft nat not working

 

BTW, I've noticed that the nft tables defined in /etc/nftables.conf are
not loaded at all at boot by systemd; manual loading is needed.


systemctl status nftables says

# systemctl status nftables
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:nft(8)
           http://wiki.nftables.org

It's disabled.

So a central question is:

What is the default firewall system of Ubuntu 15.10: iptables or
nftables?

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1503695

Title:
  nft nat not working

Status in linux package in Ubuntu:
  Confirmed
Status in nftables package in Ubuntu:
  New

Bug description:
  Hi,

  I have installed an Ubuntu 15.10 beta machine and configured nftables
  firewalling.

  While the regular firewalling works (using the default settings that
  come with the package), I found that nat rules are silently ignored.
  I've added this to the /etc/nftables.conf and read it:

  table ip nat {

        chain prerouting {
              type nat hook prerouting priority 0;
              ip daddr 1.2.3.4 tcp dport 80 redirect to 1234
              tcp dport 80 redirect to 1235
        }

        chain postrouting {
              type nat hook postrouting priority 0;
        }     

  }

  
  following the example from

  http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29#Redirect

  (1.2.3.4 is just a placeholder for the address actually used here; I
  do not want to reveal the address in the bug report). nft reads this
  without complaining, and

  nft list table ip nat

  gives exactly that output (except for replacing 80 with "http"), so
  the configuration is read correctly.


  But it simply does not work. Without having any daemon listening on
  ports 1234 and 1235, traffic to port 80 works as usual. As long as there
  is no process waiting on 1234/1235, the connection should be refused.


  Which is dangerous and a security flaw, since this was meant (and used
  in a similar way with iptables and Ubuntu 14.04) to avoid revealing
  sensitive data over the internet (an application that is not able to
  use https should be tunneled). When firewall rules have been loaded
  and accepted without any warning, one would expect them to run.

  I've tried to unload all iptables-related kernel packages and to load
  packages like nft_nat, nft_redir, nft_redir_ipv4, but the direct
  connection to port 80 still works although it shouldn't.

  No error warning, no message. It just allows outgoing port 80 although
  it shouldn't.

  Which is a problem, since this is security-relevant. If it doesn't
  work, it should spit out some error message.

  (FYI: It was implemented under Ubuntu 14.04 with

  iptables -t nat -I OUTPUT -d 1.2.3.4 -p tcp --dport 80 -j REDIRECT --to-port 1234
  )

  
  My current guess: At the bottom of that wiki page there's a hint that
  iptables and nft nat cannot be used at the same time. Unfortunately
  Ubuntu 15.10 still loads plenty of iptables stuff. Although I've tried
  to remove it all and its kernel modules, I guess this could be a
  problem.

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: nftables 0.4-7
  ProcVersionSignature: Ubuntu 4.2.0-14.16-generic 4.2.2
  Uname: Linux 4.2.0-14-generic x86_64
  ApportVersion: 2.19-0ubuntu1
  Architecture: amd64
  CurrentDesktop: XFCE
  Date: Wed Oct  7 15:21:36 2015
  InstallationDate: Installed on 2015-09-03 (33 days ago)
  InstallationMedia: Xubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20150825)
  SourcePackage: nftables
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1503695/+subscriptions
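Editor's note, not part of the bug report or of the nftables project: the 14.04 rule quoted in the report lives in the iptables nat OUTPUT chain, which is traversed by connections the host itself originates, whereas the posted nft table only registers prerouting and postrouting chains. Locally generated packets never pass the prerouting hook, so a nat chain there cannot divert the host's own outgoing port-80 connections whatever the state of the iptables modules. The nftables counterpart of nat OUTPUT is a chain of "type nat hook output". The ruleset below is an added example of that chain; 1.2.3.4 and ports 1234/1235 are the report's placeholders, and it assumes the "redirect to :PORT" spelling of current nft (the 0.4 series in the report wrote "redirect to PORT").

```nft
#!/usr/sbin/nft -f
# Added example (not from the bug report). Equivalent of
#   iptables -t nat -I OUTPUT -d 1.2.3.4 -p tcp --dport 80 -j REDIRECT --to-port 1234
# Assumptions: 1.2.3.4 is the placeholder address from the report; the
# "redirect to :PORT" form is the current nft syntax (nft 0.4 accepted
# "redirect to PORT" instead).

table ip nat {
    # Connections originated on this host enter netfilter at the output
    # hook; this is the chain the iptables nat OUTPUT rule corresponds to.
    # "counter" records hits so "nft list table ip nat" shows whether the
    # rule is actually being evaluated.
    chain output {
        type nat hook output priority 0;
        ip daddr 1.2.3.4 tcp dport 80 counter redirect to :1234
    }

    # Connections arriving from the network are seen here instead
    # (the counterpart of iptables' nat PREROUTING). Keeping both chains
    # covers traffic regardless of which side of the host it starts on.
    chain prerouting {
        type nat hook prerouting priority 0;
        ip daddr 1.2.3.4 tcp dport 80 counter redirect to :1234
    }

    chain postrouting {
        type nat hook postrouting priority 0;
    }
}
```

Load it with nft -f, after removing any earlier ip nat table with "nft delete table ip nat" so the rules are not appended a second time, then check "nft list table ip nat": the counters on the output rule should increase when the host connects to 1.2.3.4:80, and with nothing listening on 1234 the connection is refused. Two caveats a practitioner should keep in mind: a redirect in the output hook sends the packet to the host's loopback address, so the tunnel endpoint must listen on 127.0.0.1:1234 (or on all addresses), and NAT rules only decide the first packet of a connection, so an already established port-80 session is not affected until it is closed. Whether the rules survive a reboot is a separate matter: the unit shown above is disabled, so the configuration is only applied once "systemctl enable nftables" has been run and the unit actually loads /etc/nftables.conf.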