Skip Navigation
Linux @lemmy.ml
SpongeB0B @programming.dev
solved

Forward packets Wireguard to local subnet, with Nftables.

Hi,

I would like to forward packets that come from a wireguard connection to a local subnet

environment
  • Client: connected to server trough wireguard IP 192.168.X.2
  • server: connected to Client trough wireguard IP 192.168.X.1 and 192.168.Y.1 ( it's not systemd free ¯(ツ)/¯  )
  • aMachine: on the same subnet as server IP 192.168.Y.2

   

on the server I've done

 bash
    
#I don't know if this is necessary ?
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
sysctl --system

I've added the following rule to the nftables config on server but it seem the packet get lost ?

 nft
    
#added inside existing table `table ip Tip {}`
chain chPreRoute {
type nat hook prerouting priority 0; policy accept;
iif wg0 icmp type echo-request dnat to 192.168.Y.2
}
2 comments

  • Hi, Thank to all of you.

    I made a test environment with the following.

    • Machine A: 192.168.Y.1
    • Machine B: 192.168.Y.2
    • Machine C: 192.168.Y.3

    The goal is to send a ping A to B, B forward to C

    So ping -4c 1 192.168.y.2 from A, should ping B fw C

    I've set the following rule in /etc/nftables.conf

     nft
        
table ip Tip {
        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                iif "eth0" ip protocol icmp dnat to 192.168.y.3
        }
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                ip saddr 192.168.y.3 masquerade
        }
}

    but is not working :'(

    I see B receive the package

     
        
preroute: IN=eth0 OUT= MAC=▒▒ SRC=192.168.y.1 DST=192.168.y.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=21398 DF PROTO=ICMP TYPE=8 CODE=0 ID=17950 SEQ=1

    but it seem C receive nothing..

    Any ideas ?

    • SOLVED

      The following works !

      I guess one of my others rules was blocking

       nft
          
table ip Tip {
        chain prerouting {
                type nat hook prerouting priority -100; policy accept;
                ip daddr 192.168.y.2 log prefix "forwarded " dnat to 192.168.y.3
        }
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                masquerade
        }
        chain INPUT {
                type filter hook input priority filter; policy accept;
        }
        chain FORWARD {
                type filter hook forward priority filter; policy accept;
        }
        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }
}