Simple port forwarding using nftables

By | 24 Oct 2024

After adding a new penguin to my zoo and moving around a few services, I had the need to re-route HTTPS traffic to a different host for doing all the SSL handling (which would then send a request back – but via HTTP on a different port). The simplest way to do this is to use the built-in capabilities of the default packet filter. In my case this is nftables.

A quick search brought up Jens Depuydt’s very detailed post. It’s easy to follow, and after some tweaking I ended up running these commands to set up my forwarding:

# sudo nft flush ruleset
# sudo nft add table nat
# sudo nft 'add chain nat prerouting { type nat hook prerouting priority -100 ; }'
# sudo nft 'add rule nat prerouting ip daddr 192.168.0.XXX tcp dport { 443 } dnat 192.168.0.YYY:443'

(I left out masquerading: it interfered with the Docker containers on that system, which then could no longer reach external destinations properly. And it wasn’t needed for my use case anyway.)

Due to Docker being installed on that host, my net.ipv4.ip_forward value was already set to 1.

After verifying that the forwarding works as expected, it was time to make this config permanent. There were already a few lines in my /etc/nftables.conf, so I decided to append this new config by running:

# sudo nft list ruleset | sudo tee -a /etc/nftables.conf

And, finally, I needed to enable the nftables service so the config is properly read and applied at bootup:

# sudo systemctl enable nftables

After a proper reboot (and getting a bit nervous because Docker took its bloody time to start) everything was still working as expected – including the new port forwarding.
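The same forwarding in declarative form, as an added example that is not part of the original post: the script renders the four interactive nft commands above as a ruleset file for `nft -f` (the format /etc/nftables.conf uses), syntax-checks it without applying it, and checks the ip_forward sysctl the post relied on Docker having set. The two addresses are constructed placeholders standing in for the post's 192.168.0.XXX and 192.168.0.YYY.

```shell
#!/bin/sh
# Added example, not code from the original post. Constructed placeholder
# addresses: LISTEN_IP plays the post's 192.168.0.XXX, TARGET_IP its YYY.
LISTEN_IP="192.168.0.10"   # host whose :443 is redirected
TARGET_IP="192.168.0.20"   # host that actually terminates TLS
PORT=443

# Print a complete nft ruleset equivalent to the post's four commands.
# `flush ruleset` at the top is what makes the file safe to re-apply:
# without it, every `nft -f` run adds a second copy of every rule.
render_dnat_ruleset() {
  listen="$1"; target="$2"; port="$3"
  cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        ip daddr ${listen} tcp dport ${port} dnat to ${target}:${port}
    }
}
EOF
}

# Parse-only check of a ruleset file (`nft -c` does not touch the live
# ruleset). Returns nft's status, or 0 with a notice when nft is absent.
check_ruleset() {
  file="$1"
  if command -v nft >/dev/null 2>&1; then
    nft -c -f "$file"
  else
    echo "nft not installed; skipping syntax check" >&2
  fi
}

# DNAT only rewrites the destination; the kernel must also be willing to
# forward the packet, i.e. net.ipv4.ip_forward must be 1.
ip_forward_enabled() {
  [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Usage: render_dnat_ruleset "$LISTEN_IP" "$TARGET_IP" "$PORT" > /tmp/nat.nft
#        check_ruleset /tmp/nat.nft && ip_forward_enabled && echo ready
```

Loading the rendered file with `sudo nft -f` replaces the whole live ruleset because of `flush ruleset`, so any other tables that must survive belong in the same file.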
