
Forward packets from WireGuard to a local subnet with nftables

Hi,

I would like to forward packets that come from a WireGuard connection to a local subnet.

Environment:
  • Client: connected to Server through WireGuard, IP 192.168.X.2
  • Server: connected to Client through WireGuard, IP 192.168.X.1, and 192.168.Y.1 (it's not systemd-free ¯\_(ツ)_/¯)
  • aMachine: on the same subnet as Server, IP 192.168.Y.2

   

On the server I've done:

```bash
# enable IPv4 forwarding persistently (I don't know if this is necessary?)
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
# reload every sysctl file, /etc/sysctl.conf included
sysctl --system
```

  

I've added the following rule to the nftables config on the server, but it seems the packets get lost?

```nft
# added inside the existing table `table ip Tip {}`
chain chPreRoute {
    # nat prerouting: rewrites the destination of the first packet of a new flow,
    # before the routing decision; conntrack applies it to the rest of the flow
    type nat hook prerouting priority 0; policy accept;
    # echo requests arriving on the tunnel are sent on to aMachine
    # (iif needs wg0 to exist when the ruleset loads; iifname matches by name)
    iif "wg0" icmp type echo-request dnat to 192.168.Y.2
}
```
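The server-side ruleset this question is after, as an added example (not the poster's config and not taken from any project): the DNAT on the tunnel interface, a forward chain that actually lets the rewritten packet through, and source NAT so aMachine's reply comes back through the server. The interface names wg0 and eth0 and the concrete addresses are assumptions standing in for the X/Y placeholders above.

```nft
#!/usr/sbin/nft -f
# Added example, not the poster's config. Assumptions (rename to match the host):
#   wg0  = WireGuard interface, server address 192.168.100.1 (stands in for 192.168.X.1)
#   eth0 = LAN interface, server address 192.168.1.1 (stands in for 192.168.Y.1)
#   aMachine = 192.168.1.2 (stands in for 192.168.Y.2)
# Load with `nft -f <file>`; net.ipv4.ip_forward=1 must be set or nothing is forwarded.

define wg_if    = "wg0"
define lan_if   = "eth0"
define wg_net   = 192.168.100.0/24
define wg_ip    = 192.168.100.1
define amachine = 192.168.1.2

table ip Tip {
    chain prerouting {
        # Only the first packet of a flow traverses a nat chain; conntrack applies
        # the mapping to the rest of the flow and reverses it on the replies.
        type nat hook prerouting priority dstnat; policy accept;
        # pings from the tunnel network to the server's tunnel address go to aMachine
        iifname $wg_if ip saddr $wg_net ip daddr $wg_ip icmp type echo-request dnat to $amachine
        # same idea for a TCP service on aMachine, e.g. SSH
        iifname $wg_if ip saddr $wg_net ip daddr $wg_ip tcp dport 22 dnat to $amachine
    }

    chain forward {
        # The forward hook sees the packet after DNAT, i.e. with daddr = aMachine.
        # With a drop policy, a DNATed packet that no rule accepts here is silently
        # lost, which is exactly what "the packet gets lost" looks like from outside.
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname $wg_if oifname $lan_if ct status dnat ip daddr $amachine accept
    }

    chain postrouting {
        # aMachine only knows the LAN and has no route back to 192.168.100.0/24,
        # so rewrite the source of DNATed flows to the server's LAN address.
        # Alternative: give aMachine a route for the WireGuard subnet via the server
        # and drop this rule, which keeps the client's real address visible.
        type nat hook postrouting priority srcnat; policy accept;
        oifname $lan_if ct status dnat masquerade
    }
}
```

The single DNAT rule in the question silently depends on three things this ruleset makes explicit: `sysctl net.ipv4.ip_forward` must print 1; the forward hook must accept the rewritten packet (when a prerouting chain is dropped into a table that already has a filter forward chain, that existing chain decides); and aMachine must have a way to answer, either the masquerade above or a route back to the tunnel subnet. If the client's WireGuard AllowedIPs already covers 192.168.Y.0/24, the DNAT rule is unnecessary: the forward and postrouting chains alone let the client address aMachine directly.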

  
2 comments
  • Hi, thanks to all of you.

    I made a test environment with the following.

    • Machine A: 192.168.Y.1
    • Machine B: 192.168.Y.2
    • Machine C: 192.168.Y.3

    The goal is to send a ping from A to B, and have B forward it to C.

    So `ping -4c 1 192.168.y.2` from A should ping B, forwarded to C.

    I've set the following rules in /etc/nftables.conf:

    ```nft
    table ip Tip {
            chain prerouting {
                    type nat hook prerouting priority dstnat; policy accept;
                    # every ICMP packet arriving on eth0 is sent on to C
                    iif "eth0" ip protocol icmp dnat to 192.168.y.3
            }
            chain postrouting {
                    type nat hook postrouting priority 100; policy accept;
                    # only matches packets whose source is C itself; the DNATed ping
                    # from A still has saddr 192.168.y.1 at this point
                    ip saddr 192.168.y.3 masquerade
            }
    }
    ```
    
    
      

    but it is not working :'(

    I see B receive the packet:

     
        
    ```text
    preroute: IN=eth0 OUT= MAC=▒▒ SRC=192.168.y.1 DST=192.168.y.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=21398 DF PROTO=ICMP TYPE=8 CODE=0 ID=17950 SEQ=1
    ```
    
    
      

    but it seems C receives nothing...

    Any ideas?

    • SOLVED

      The following works!

      I guess one of my other rules was blocking.

      ```nft
      table ip Tip {
              chain prerouting {
                      # -100 is the same as the symbolic priority dstnat
                      type nat hook prerouting priority -100; policy accept;
                      # log the first packet of each flow addressed to B, then send it to C
                      ip daddr 192.168.y.2 log prefix "forwarded " dnat to 192.168.y.3
              }
              chain postrouting {
                      # rewrite the source of everything leaving B, so C answers B
                      type nat hook postrouting priority 100; policy accept;
                      masquerade
              }
              chain INPUT {
                      type filter hook input priority filter; policy accept;
              }
              chain FORWARD {
                      # the forwarded (DNATed) packet passes through here
                      type filter hook forward priority filter; policy accept;
              }
              chain OUTPUT {
                      type filter hook output priority filter; policy accept;
              }
      }
      ```
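For the three-machine test in the comments, an added example (not the thread's own ruleset) that narrows the SOLVED config: source NAT limited to DNATed flows instead of a blanket masquerade, a forward chain that drops by default, and an nftrace mark so a blocking rule can be located with `nft monitor trace` instead of guessed at. The addresses, the interface name and the log prefix are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example for the A -> B -> C test, not the thread's own config. Loaded on B.
# Stand-ins for the thread's 192.168.y.1/.2/.3: A = 192.168.1.1, B = 192.168.1.2,
# C = 192.168.1.3; the LAN interface is assumed to be eth0.
# B needs net.ipv4.ip_forward=1.

define a_ip = 192.168.1.1
define b_ip = 192.168.1.2
define c_ip = 192.168.1.3

table ip Tip {
    chain trace {
        # raw (-300) runs before conntrack and before any nat chain. Marking the
        # packet here makes `nft monitor trace` print every chain it traverses,
        # in any table, together with the verdict each chain returns.
        type filter hook prerouting priority raw; policy accept;
        ip saddr $a_ip icmp type echo-request meta nftrace set 1
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # only A's pings to B are redirected; C pinging B is left alone
        iifname "eth0" ip saddr $a_ip ip daddr $b_ip icmp type echo-request log prefix "dnat-to-c " dnat to $c_ip
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # the redirected ping, now addressed to C
        ct status dnat ip daddr $c_ip accept
    }

    chain postrouting {
        # A and C share a subnet. Without source NAT, C answers A directly with
        # saddr = C, and A discards the reply because it pinged B. Rewriting the
        # source to B makes C reply to B, where conntrack undoes both translations
        # and the reply is forwarded to A. Only DNATed flows are touched.
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" ct status dnat snat to $b_ip
    }
}
```

On B, run `nft monitor trace` in one terminal and `ping -4c 1 192.168.1.2` from A; each chain the marked packet traverses is printed with its verdict, so a drop in a chain outside this table shows up by name rather than as a missing packet. `conntrack -L -p icmp` (from conntrack-tools) should then show one entry carrying both the destination and the source rewrite.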