Skip to main content

nftables ip6 route to localhost/ ipv6 nat to loopback [Resolved]

I'm trying to route incoming http internet traffic to [::1]:8080 which is where my http server binds to. I'm using nftables on an IPv6-only device. If I add following rules:

  sudo nft flush ruleset
  sudo nft add table ip6 nat
  sudo nft add chain ip6 nat prerouting { type nat hook prerouting priority 0 \; }
  sudo nft add chain ip6 nat postrouting { type nat hook postrouting priority 100 \; }

  sudo nft add rule ip6 nat prerouting ip6 daddr [global-ip6] tcp dport 80 dnat to ::1 :8080

  sudo nft list ruleset

with resulting ruleset:

table ip6 nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
    ip6 daddr [global-ip6] tcp dport http dnat to [::1]:http-alt
  }

  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
  }
}

then requests to [global-ip6]:80 get swallowed (there is no connection refused error) but no connection is established.

If I use one of the rules

sudo nft add rule ip6 nat prerouting tcp dport 80 redirect to 8080

or

sudo nft add rule ip6 nat prerouting ip6 daddr [global-ip6] tcp dport 80 dnat to [global-ip6] :8080

and bind my program to [global-ip6]:8080, then communication works as expected.

Do you have an idea what I am missing? I tried out some rules in the postrouting and input chains but couldn't get it to work. Back with IPv4 and iptables I had to do sudo sysctl -w net.ipv4.conf.all.route_localnet=1, maybe there is a similar IPv6 flag?


Question Credit: adabru
Question Reference
Asked July 20, 2019
Tags: ipv6, nftables
Posted Under: Network
11 views
1 Answers

Your Answer
D:\Adnan\Candoerz\CandoProject\vQA