nft nat not working
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Expired | High | Unassigned | |
| nftables (Ubuntu) | Expired | High | Unassigned | |
Bug Description
Hi,
I have installed an ubuntu 15.10 beta machine and configured nftables firewalling.
While the regular firewalling works (using the default settings that come with the package), I found that nat rules are silently ignored. I've added this to the /etc/nftables.conf and read it:
table ip nat {
	chain prerouting {
		type nat hook prerouting priority 0;
		ip daddr 1.2.3.4 tcp dport 80 redirect to 1234
		tcp dport 80 redirect to 1235
	}
	chain postrouting {
		type nat hook postrouting priority 0;
	}
}
following the example from
(1.2.3.4 is just a placeholder for the address actually used here; I do not want to reveal the address in the bug report). nft reads this without complaining, and
nft list table ip nat
gives exactly that output (except for replacing 80 with "http"), so the configuration is read correctly.
But it simply does not work. Without any daemon listening on ports 1234 and 1235, traffic to port 80 works as usual. As long as there is no process waiting on 1234/1235, the connection should be refused.
Which is dangerous and a security flaw, since this was meant (and used in a similar way with iptables and Ubuntu 14.04) to avoid revealing sensitive data over the internet (an application that is not able to use https should be tunneled). When firewall rules have been loaded and accepted without any warning, one would expect them to run.
I've tried to unload all iptables-related kernel modules and to load modules like nft_nat, nft_redir, nft_redir_ipv4, but the direct connection to port 80 still works although it shouldn't.
No error warning, no message. It just allows outgoing port 80 although it shouldn't.
Which is a problem, since this is security-relevant. If it doesn't work, it should spit out some error message.
(FYI: It was implemented under Ubuntu 14.04 with
iptables -t nat -I OUTPUT -d 1.2.3.4 -p tcp --dport 80 -j REDIRECT --to-port 1234
)
My current guess: at the bottom of that wiki page there's a hint that iptables and nft nat cannot be used at the same time. Unfortunately Ubuntu 15.10 still loads plenty of iptables stuff. Although I've tried to remove it all and its kernel modules, I guess this could be a problem.
ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: nftables 0.4-7
ProcVersionSign
Uname: Linux 4.2.0-14-generic x86_64
ApportVersion: 2.19-0ubuntu1
Architecture: amd64
CurrentDesktop: XFCE
Date: Wed Oct 7 15:21:36 2015
InstallationDate: Installed on 2015-09-03 (33 days ago)
InstallationMedia: Xubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20150825)
SourcePackage: nftables
UpgradeStatus: No upgrade log present (probably fresh install)
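One thing worth checking against the report itself: the iptables rule that worked on 14.04 was inserted into the nat OUTPUT chain, which handles connections originating on the host, while the posted nft table only registers a chain on the prerouting hook, which handles packets arriving from the network. The following shell script is an added example, not the reporter's configuration and not anything shipped by Ubuntu or nftables; it reproduces the posted ruleset, places the same redirects on the output hook as well, and checks a ruleset text for an output-hook chain before loading it. It assumes 1.2.3.4 and ports 1234/1235 are the reporter's placeholders and that the installed nft supports `nft -c -f FILE` (syntax check without touching the live ruleset).

```shell
#!/bin/sh
# Added example for this bug report (not the reporter's configuration and
# not anything shipped by Ubuntu or nftables). Assumptions: 1.2.3.4 and
# ports 1234/1235 are the reporter's placeholders; `nft -c -f FILE`
# (check mode) is available in the installed nft release.

# The ruleset as posted in the report: only the prerouting hook is used,
# which sees packets arriving from the network, not packets this host
# generates itself.
reporter_ruleset() {
	cat <<'EOF'
table ip nat {
	chain prerouting {
		type nat hook prerouting priority 0;
		ip daddr 1.2.3.4 tcp dport 80 redirect to 1234
		tcp dport 80 redirect to 1235
	}
	chain postrouting {
		type nat hook postrouting priority 0;
	}
}
EOF
}

# Same redirects, additionally attached to the output hook, which is the
# nft counterpart of the iptables `-t nat ... OUTPUT` chain the reporter
# used on 14.04 for locally generated connections.
nat_ruleset() {
	cat <<'EOF'
table ip nat {
	chain prerouting {
		type nat hook prerouting priority 0;
		ip daddr 1.2.3.4 tcp dport 80 redirect to 1234
		tcp dport 80 redirect to 1235
	}
	chain output {
		type nat hook output priority 0;
		ip daddr 1.2.3.4 tcp dport 80 redirect to 1234
		tcp dport 80 redirect to 1235
	}
	chain postrouting {
		type nat hook postrouting priority 0;
	}
}
EOF
}

# Static check on a ruleset text: succeed (exit 0) only if some chain in it
# is registered on the nat output hook. Runs without root or nft installed.
has_output_hook() {
	printf '%s\n' "$1" | grep -q 'type nat hook output'
}

# Verify a ruleset before trusting it: static check, then nft's own syntax
# check (-c does not touch the live ruleset), then, as root, load it and
# read back what the kernel actually holds.
check_and_load() {
	ruleset=$(nat_ruleset)
	if ! has_output_hook "$ruleset"; then
		echo "no output-hook chain: traffic from this host is not redirected" >&2
		return 1
	fi
	if ! command -v nft >/dev/null 2>&1; then
		echo "nft not installed; static check only" >&2
		return 0
	fi
	tmp=$(mktemp) || return 1
	printf '%s\n' "$ruleset" >"$tmp"
	nft -c -f "$tmp" || { rm -f "$tmp"; return 1; }
	if [ "$(id -u)" -eq 0 ]; then
		nft -f "$tmp" && nft list table ip nat
	fi
	rm -f "$tmp"
}

# Usage: check_and_load
```

After loading, the practical check is the one the report describes: with nothing listening on 1234/1235, `curl http://1.2.3.4/` from the host itself should now be refused rather than reach port 80, because the connection is generated locally and therefore passes the output hook, not prerouting.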
information type: Private Security → Public Security
Changed in linux (Ubuntu):
importance: Undecided → High
Changed in nftables (Ubuntu):
importance: Undecided → High
status: New → Confirmed
This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:
apport-collect 1503695
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.