To forward traffic that arrives at one server on to another server using nftables, you set up a small set of Network Address Translation (NAT) rules. Below is a step-by-step guide for setting this up.
Example Scenario:
- Server A: the public-facing server (e.g., with IP 203.0.113.10) where traffic arrives.
- Server B: the internal server (e.g., with IP 192.168.1.100) that will receive the forwarded traffic.
- You want to forward incoming traffic on a specific port of Server A (e.g., TCP port 8080) to a port on Server B (e.g., TCP port 80).
Steps to Configure Traffic Forwarding with nftables:
1. Enable IP Forwarding
Before setting up nftables, ensure that the Linux kernel on Server A can forward packets between interfaces. Run the following commands on Server A:
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
Verify that IP forwarding is enabled by running:
sysctl net.ipv4.ip_forward
The output should be:
net.ipv4.ip_forward = 1
2. Create or Edit the nftables Configuration File
You will create or edit the nftables configuration to define the NAT rules.
- Open the nftables configuration file (you can create a new one or modify the existing one):
sudo vi /etc/nftables.conf
- Add the following configuration to set up port forwarding:
#!/usr/sbin/nft -f
# Flush existing rules
flush ruleset
# Create a table called "forward"
table ip forward {
    # Chain for prerouting (incoming traffic)
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        # Forward incoming TCP traffic on port 8080 to Server B (port 80)
        tcp dport 8080 dnat to 192.168.1.100:80
        # Forward incoming UDP traffic on port 8080 to Server B (port 80)
        udp dport 8080 dnat to 192.168.1.100:80
    }
    # Chain for postrouting (outgoing traffic)
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Masquerade outgoing traffic (make it appear to come from Server A)
        masquerade
    }
}
Explanation of the Configuration:
NAT Table:
- The prerouting chain handles incoming traffic. The rule tcp dport 8080 dnat to 192.168.1.100:80 rewrites the destination of traffic arriving at port 8080 on Server A so that it is delivered to port 80 on Server B.
- The postrouting chain uses masquerade to rewrite the source address of traffic leaving Server A, so that it appears to come from Server A's public IP and Server B's replies return through Server A.
3. Apply the Configuration
After saving the configuration file, apply it with the following command:
sudo nft -f /etc/nftables.conf
This loads the nftables rules into the running kernel.
4. Enable nftables to Start on Boot
To ensure that nftables loads the ruleset automatically on boot, run the following commands:
sudo systemctl enable nftables
sudo systemctl restart nftables
This makes the rules persistent across reboots.
5. Verify the Rules
To check that the rules are applied correctly, list the active ruleset:
sudo nft list ruleset
You should see output that reflects the NAT table and rules you added.
6. Test the Port Forwarding
To test the port forwarding setup, try accessing Server A's public IP (e.g., 203.0.113.10) on port 8080:
curl http://203.0.113.10:8080
If Server B is running a web server on port 80, you should see that server's response.
Customization:
Different Ports:
- If you want to forward a different port, modify the dport values. For example, change 8080 to another port, and adjust the dnat target if needed.
UDP Traffic:
- To forward UDP traffic, replace tcp with udp in the nftables configuration.
Multiple Port Forwarding:
- If you need to forward additional ports, add more rules to the prerouting chain. For example, to forward port 8443 to Server B's port 443:
tcp dport 8443 dnat to 192.168.1.100:443
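As an added example (not part of the original guide), the following POSIX shell script generates a complete nftables ruleset for any number of port forwards of the kind described in step 2 and in the customization notes above, validates each mapping before emitting a rule, and can syntax-check the result with nft before it is written to /etc/nftables.conf. The mapping format proto:public_port:dest_ip:dest_port, the function names and the file name gen-forward.sh are this example's own conventions, not anything from the guide.

```shell
#!/bin/sh
# Added example, not part of the original guide: build an nftables NAT
# ruleset for a list of port forwards and syntax-check it with nft.
# Mapping format (this script's own convention):
#   proto:public_port:dest_ip:dest_port   e.g. tcp:8080:192.168.1.100:80

# Split one mapping into the variables proto, pport, dip and dport.
split_mapping() {
    proto=${1%%:*}; rest=${1#*:}
    pport=${rest%%:*}; rest=${rest#*:}
    dip=${rest%%:*}; dport=${rest#*:}
}

# Return 0 if a mapping is well-formed (tcp or udp, ports 1-65535,
# dotted-quad IPv4 destination), 1 otherwise.
validate_mapping() {
    split_mapping "$1"
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    for p in "$pport" "$dport"; do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    # Four numeric octets, each 0-255
    oldifs=$IFS; IFS=.; set -- $dip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the unique destination IPs of a space-separated mapping list.
dest_ips() {
    for m in $1; do
        split_mapping "$m"
        printf '%s\n' "$dip"
    done | sort -u
}

# Print a complete ruleset for a space-separated mapping list; fail on any bad mapping.
build_ruleset() {
    for m in $1; do
        validate_mapping "$m" || { echo "bad mapping: $m" >&2; return 1; }
    done
    printf '%s\n' '#!/usr/sbin/nft -f' 'flush ruleset' '' 'table ip forward {' \
        '    chain prerouting {' \
        '        # -100 is the priority nft reserves for destination NAT (dstnat)' \
        '        type nat hook prerouting priority -100; policy accept;'
    for m in $1; do
        split_mapping "$m"
        printf '        %s dport %s dnat to %s:%s\n' "$proto" "$pport" "$dip" "$dport"
    done
    printf '%s\n' '    }' '    chain postrouting {' \
        '        type nat hook postrouting priority 100; policy accept;'
    # Source-rewrite only packets being forwarded to a target, so the
    # target replies via Server A; other traffic leaving Server A is untouched.
    for ip in $(dest_ips "$1"); do
        printf '        ip daddr %s masquerade\n' "$ip"
    done
    printf '%s\n' '    }' '}'
}

# Syntax-check a ruleset with nft without loading it (skipped if nft is absent).
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed; skipping check" >&2; return 0; }
    printf '%s\n' "$1" | nft -c -f -
}

# Stand-alone usage: ./gen-forward.sh 'tcp:8080:192.168.1.100:80 tcp:8443:192.168.1.100:443'
if [ $# -gt 0 ]; then
    ruleset=$(build_ruleset "$*") || exit 1
    printf '%s\n' "$ruleset"
    check_ruleset "$ruleset"
fi
```

Run it with the mappings as arguments and redirect the output to /etc/nftables.conf once the check passes, then apply it as in step 3. Two differences from the hand-written configuration above are deliberate: the prerouting chain uses priority -100, which nft reserves for destination NAT, and the masquerade rule matches ip daddr so that only packets being forwarded to Server B are source-rewritten. A bare masquerade rewrites the source address of every packet leaving Server A through that chain, which is rarely what you want on a host that does anything besides forwarding.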
From https://edu.za.org/2025/02/22/Configure-port-forwarding-on-the-server/