Channel: linuxadmin: Expanding Linux SysAdmin knowledge

nftables: Port redirection woes


I'm trying to redirect port 113 to 11113 with nftables. Unfortunately, the connection is consistently rejected. The counter says 0 for both copies of the nat redirect rule on v4/v6. For testing, I'm running nc -lp 11113 and trying to connect from outside with nc 1.2.3.4 113 with no luck. Allowing the traffic on 11113 works, but the redirection is needed because it's ident.

```nft
#!/usr/bin/nft -f
# /etc/nftables.conf
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0;
    counter
    # allow established/related connections
    ct state {established, related} accept
    # early drop of invalid connections
    ct state invalid drop
    # allow from loopback
    iifname lo accept
    # allow icmp
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept
    # allow ssh
    tcp dport 12345 accept
    tcp dport 113 accept
    # everything else
    counter reject with icmp type port-unreachable
  }
}

table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0;
    redirect tcp dport 113 counter redirect to 11113
  }
  chain postrouting {
    type nat hook postrouting priority 0;
  }
}

table ip6 nat {
  chain prerouting {
    type nat hook prerouting priority 0;
    redirect tcp dport 113 counter redirect to 11113
  }
  chain postrouting {
    type nat hook postrouting priority 0;
  }
}

# vim:set ts=2 sw=2 et:
```
submitted by /u/Anonymouspock
[link] [comments]
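An added example of how the same ruleset can be written so the redirect works (this is editor-supplied, not the poster's file or an answer from the thread). Two things differ from the original: the prerouting rule starts with its match rather than the `redirect` verdict keyword, and the filter chain accepts the translated port 11113, because the nat prerouting hook rewrites the destination port before the input hook ever sees the packet. It also assumes a kernel new enough for nat chains in an `inet` table (4.17 or later), an explicit `policy drop`, and `icmpx` so the reject covers IPv6 as well as IPv4.

```nft
#!/usr/bin/nft -f
# Editor-supplied example, not the original poster's configuration.
flush ruleset

table inet filter {
  chain input {
    # Without an explicit policy, anything no rule matches is accepted.
    type filter hook input priority 0; policy drop;

    ct state { established, related } accept
    ct state invalid drop
    iifname "lo" accept
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # ssh on the non-standard port used in the original ruleset
    tcp dport 12345 accept

    # nat prerouting has already rewritten dport 113 -> 11113 by the time
    # this hook runs, so the filter must admit the translated port.
    # A "tcp dport 113 accept" rule here never matches a redirected packet.
    tcp dport 11113 counter accept

    # icmpx selects the right ICMP/ICMPv6 unreachable for either family.
    counter reject with icmpx type port-unreachable
  }
}

# One inet nat table covers both IPv4 and IPv6 (kernel >= 4.17 assumed).
table inet nat {
  chain prerouting {
    type nat hook prerouting priority -100; policy accept;
    # match first, verdict last; the port is written as ":11113"
    tcp dport 113 counter redirect to :11113
  }
}
```

Run `nft -c -f /etc/nftables.conf` before loading so a syntax error cannot leave a stale ruleset in place, then watch `nft list chain inet nat prerouting` while connecting from outside: the counter on the redirect rule should increment on every new connection to 113.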
