How would I implement a masquerading rule like this iptables one in NFTables:
iptables -t nat -A POSTROUTING -s 10.5.6.0/24 -o eth0 -j MASQUERADE
I've looked for it, but couldn't find out how to set the output interface
You can write the rule this way:
nft add rule nat postrouting ip saddr 10.5.6.0/24 oif eth0 masquerade
Take a look at the nftables nat wiki for more information.
As an aside, if you were masquerading under a dynamic address, you could simply
add rule nat postrouting oif ppp0 masquerade
oif / oifname
Userspace converts oif to integer at runtime.
You should probably use oifname (slower string matching) rather than oif if the interface might disappear and then re-appear (like ppp0 and others may, upon disconnect, etc.) unless you'll make other arrangements to masquerade upon the interface coming up each time.
oif: if the interface is removed and created again, the match will not occur, as the index of added interfaces in the kernel is monotonically increasing.
—via nftables-quick-howto
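The rule from the accepted answer and the oif / oifname caveat above, combined into one complete ruleset file. This is an added example, not code posted by any of the answerers; the 10.5.6.0/24 network and the interface names eth0 and ppp0 are taken from the question and comments and are assumptions about your setup.

```nft
#!/usr/sbin/nft -f
# Added example: /etc/nftables.conf equivalent of
#   iptables -t nat -A POSTROUTING -s 10.5.6.0/24 -o eth0 -j MASQUERADE
# Assumed: LAN is 10.5.6.0/24, fixed uplink is eth0, dial-up uplink is ppp0.

# Note: this drops every existing table, including any "filter" table.
flush ruleset

table ip nat {
    # Empty prerouting nat chain, as in the answer below; harmless on current
    # kernels and required by older ones for reply packets to be un-NATed.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }

    chain postrouting {
        # Same hook as iptables' nat/POSTROUTING; "srcnat" is priority 100,
        # so the rule runs after the filter chains have accepted the packet.
        type nat hook postrouting priority srcnat; policy accept;

        # Direct translation: -s 10.5.6.0/24 -o eth0 -j MASQUERADE.
        # "oif" is resolved to the interface index when the file is loaded,
        # so it is fine for an interface that exists at boot and never changes.
        ip saddr 10.5.6.0/24 oif "eth0" counter masquerade

        # Dynamic uplink: "oifname" compares the name string on every packet,
        # so the match survives ppp0 being destroyed and recreated (new index).
        ip saddr 10.5.6.0/24 oifname "ppp0" counter masquerade
    }
}
```

Load it with `nft -f /etc/nftables.conf`, then check `nft list ruleset`: the `counter` expressions show packet and byte counts per rule, which is the quickest way to confirm that traffic from the LAN is actually hitting the masquerade rule on the interface you expect. Masquerading only rewrites addresses; packets are only routed between the interfaces if forwarding is enabled (`sysctl net.ipv4.ip_forward=1`).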
I have the following "nat" table in my /etc/nftables.conf file, along with my other firewall rules, which are in a separate "filter" table:
table ip nat {
    chain prerouting {
        type nat hook prerouting priority filter; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname { "eno2" } masquerade # "eno2" is our external interface
    }
}
table ip filter {
# etc.