nft nat not working

Bug #1503695 reported by Hadmut Danisch
Affects            Status   Importance  Assigned to  Milestone
linux (Ubuntu)     Expired  High        Unassigned
nftables (Ubuntu)  Expired  High        Unassigned

Bug Description

Hi,

I have installed an Ubuntu 15.10 beta machine and configured nftables firewalling.

While the regular firewalling works (using the default settings that come with the package), I found that nat rules are silently ignored. I've added this to the /etc/nftables.conf and read it:

table ip nat {

      chain prerouting {
            type nat hook prerouting priority 0;
            ip daddr 1.2.3.4 tcp dport 80 redirect to 1234
            tcp dport 80 redirect to 1235
      }

      chain postrouting {
            type nat hook postrouting priority 0;
      }

}

following the example from

http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29#Redirect

(1.2.3.4 is just a placeholder for the address actually used here; I do not want to reveal the address in the bug report). nft reads this without complaining, and

nft list table ip nat

gives exactly that output (except for replacing 80 with "http"), so the configuration is read correctly.

But it simply does not work. Without having any daemon listening on ports 1234 and 1235, traffic to port 80 works as usual. As long as there is no process waiting on 1234/1235, the connection should be refused.

Which is dangerous and a security flaw, since this was meant (and used in a similar way with iptables and Ubuntu 14.04) to avoid revealing sensitive data over the internet (an application that is not able to use https should be tunneled). When firewall rules have been loaded and accepted without any warning, one would expect them to run.

I've tried to unload all iptables-related kernel modules and to load modules like nft_nat, nft_redir, nft_redir_ipv4, but the direct connection to port 80 still works although it shouldn't.

No error warning, no message. It just allows outgoing port 80 although it shouldn't.

Which is a problem, since this is security-relevant. If it doesn't work, it should spit out some error message.

(FYI: It was implemented under Ubuntu 14.04 with

iptables -t nat -I OUTPUT -d 1.2.3.4 -p tcp --dport 80 -j REDIRECT --to-port 1234
)

My current guess: At the bottom of that wiki page there's a hint that iptables and nft nat cannot be used at the same time. Unfortunately Ubuntu 15.10 still loads plenty of iptables stuff. Although I've tried to remove it all and its kernel modules, I guess this could be the problem.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: nftables 0.4-7
ProcVersionSignature: Ubuntu 4.2.0-14.16-generic 4.2.2
Uname: Linux 4.2.0-14-generic x86_64
ApportVersion: 2.19-0ubuntu1
Architecture: amd64
CurrentDesktop: XFCE
Date: Wed Oct 7 15:21:36 2015
InstallationDate: Installed on 2015-09-03 (33 days ago)
InstallationMedia: Xubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20150825)
SourcePackage: nftables
UpgradeStatus: No upgrade log present (probably fresh install)
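
As an added illustration (not part of the report): the reporter's iptables rule lived in the nat OUTPUT chain, which handles locally generated packets, whereas the nftables ruleset above only hooks prerouting and postrouting. The Python below is a constructed example that parses a ruleset in the text format shown above (as written by hand or printed by `nft list table ip nat`) and reports which nat hooks actually carry redirect rules, so a ruleset that loads cleanly but cannot affect locally generated connections is flagged before it is trusted.

```python
import re

# Constructed sample: the nat table from the report above (prerouting only).
RULESET_PREROUTING_ONLY = """
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0;
        ip daddr 1.2.3.4 tcp dport 80 redirect to 1234
        tcp dport 80 redirect to 1235
    }
    chain postrouting {
        type nat hook postrouting priority 0;
    }
}
"""

# Constructed variant with an output-hook chain, the nftables counterpart of
# the reporter's "iptables -t nat -I OUTPUT ... -j REDIRECT --to-port 1234".
RULESET_WITH_OUTPUT = RULESET_PREROUTING_ONLY.replace(
    "chain postrouting {",
    "chain output {\n        type nat hook output priority 0;\n"
    "        ip daddr 1.2.3.4 tcp dport 80 redirect to 1234\n    }\n"
    "    chain postrouting {")

CHAIN_RE = re.compile(r"chain\s+(\S+)\s*\{(.*?)\n\s*\}", re.S)
HOOK_RE = re.compile(r"type\s+nat\s+hook\s+(\w+)")


def parse_nat_chains(text):
    """Return {chain_name: (hook, [redirect rule lines])} for nat base chains."""
    chains = {}
    for name, body in CHAIN_RE.findall(text):
        hook = HOOK_RE.search(body)
        if not hook:          # regular (non-base) chains have no hook line
            continue
        rules = [ln.strip() for ln in body.splitlines() if " redirect " in ln]
        chains[name] = (hook.group(1), rules)
    return chains


def redirect_hooks(text):
    """Set of hooks on which at least one redirect rule is installed."""
    return {hook for hook, rules in parse_nat_chains(text).values() if rules}


def covers_local_traffic(text):
    """True only if locally generated connections (iptables OUTPUT case) are redirected."""
    return "output" in redirect_hooks(text)
```

`nft -c -f /etc/nftables.conf` only checks syntax; this check is about whether the redirect sits on a hook that sees the traffic you want to capture.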

Hadmut Danisch (hadmut) wrote:
information type: Private Security → Public Security
Brad Figg (brad-figg) wrote: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1503695

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Hadmut Danisch (hadmut) wrote:

I've received a message asking me to either do apport-collect or add a statement that I would not wish to upload confidential data. The latter is the case, I cannot reveal details.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Hadmut Danisch (hadmut) wrote:

BTW, I've noticed that the nf tables defined in /etc/nftables.conf are not loaded at all by boot/systemd; manual loading is needed.

systemctl status nftables says

# systemctl status nftables
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:nft(8)
           http://wiki.nftables.org

It's disabled.

So a central question is:

What is the default firewall system of ubuntu 15.10: iptables or nftables?

Seth Arnold (seth-arnold) wrote:

I think the intention is for most users to use the ufw frontend to iptables; however, I believe nftables ought to work for those who wish to use it, so please do keep poking at it.

Thanks

Changed in linux (Ubuntu):
importance: Undecided → High
Changed in nftables (Ubuntu):
importance: Undecided → High
status: New → Confirmed
Oibaf (oibaf) wrote:

Please try on a newer Ubuntu, 18.04 or later, that ships updated linux kernel and nftables.

Changed in linux (Ubuntu):
status: Confirmed → Incomplete
Changed in nftables (Ubuntu):
status: Confirmed → Incomplete
Launchpad Janitor (janitor) wrote:

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status: Incomplete → Expired
Launchpad Janitor (janitor) wrote:

[Expired for nftables (Ubuntu) because there has been no activity for 60 days.]

Changed in nftables (Ubuntu):
status: Incomplete → Expired