
I'm trying to learn nftables/NAT and have a simple experimental setup:

Machine1 (router):
    - eth0 192.168.0.1
    - eth1 192.168.1.1

Machine2:
    - eth0 192.168.1.2

On Machine1 I set up NAT:

table ip nat {
        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                ip daddr 192.168.1.2 counter packets 0 bytes 0
                ip saddr 192.168.1.2 counter packets 6 bytes 420
                ip saddr 192.168.1.0/24 oif "eth0" snat to 192.168.0.1
        }
}

NAT works fine, I can access 192.168.0.1 (and beyond) from Machine2.

However, I struggle with the counters: the numbers above are from a wget stackoverflow.com run on Machine2, and are way below what ls -l index.html reports (~180k). I could imagine that these are just the outgoing bytes/packets and that incoming ones are simply not counted (I added the daddr counter in the hope of getting those).

What am I missing?

user236012

1 Answer


When a connection goes through NAT, the connection is processed with the help of connection tracking. This means that only initial packets for the connection (SYN, SYN-ACK, ACK) pass through the NAT rule.

The rest of the packets are processed with the connection tracking entry that is set up when NAT is started.

If you want to count packets, you need to add rules to the filter table's FORWARD chain.

Tero Kilkanen
    Actually only the first packet is going through NAT (for TCP that's the SYN packet). Even SYN-ACK and ACK are part of a conntrack entry already existing and altered for NAT operations by the only time nftables' nat rule saw the first packet (in a conntrack entry in NEW state). These following packets are in the same conntrack entry, thus not in NEW state anymore, thus not going again through nftables' nat. – A.B Mar 05 '22 at 10:20
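The ruleset below is an added example illustrating the answer and the comment above; it is not part of the original question or answer. It reuses the addresses and interface names from the question (eth0/eth1, 192.168.0.1, 192.168.1.0/24, 192.168.1.2); the filter table, the forward chain and the named counters lan_to_wan and wan_to_lan are my own names chosen for the example. The counter left in the nat postrouting chain shows the effect described in the comment: because a nat hook chain is only traversed by the first packet of each connection, that counter grows by one packet per new connection, while the counters in the forward chain see every forwarded packet in both directions. The reply direction is matched on the LAN address because the reverse translation has already happened in the prerouting nat hook before the forward hook runs.

```nft
#!/usr/sbin/nft -f
# Added example, not the ruleset from the question. Load with: nft -f this_file
flush ruleset

table ip nat {
        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                # Only the connection-initiating packet (e.g. the TCP SYN)
                # reaches this chain, so this counter counts connections,
                # not traffic. Replies never traverse a nat chain at all.
                ip saddr 192.168.1.0/24 oif "eth0" counter snat to 192.168.0.1
        }
}

table ip filter {
        # Named counters (example names) so they can be read and reset by
        # name with: nft list counters table ip filter
        #            nft reset counters table ip filter
        counter lan_to_wan { }
        counter wan_to_lan { }

        chain forward {
                type filter hook forward priority filter; policy accept;

                # Every forwarded packet passes here, in both directions.
                # Outbound: packets from Machine2 heading towards eth0.
                ip saddr 192.168.1.2 oif "eth0" counter name "lan_to_wan"

                # Return traffic: already de-NATed (daddr is 192.168.1.2 again),
                # so matching the LAN address works for the reply direction.
                ip daddr 192.168.1.2 iif "eth0" counter name "wan_to_lan"

                # Optional: count the whole LAN per conntrack direction instead
                # of per address. "ct direction reply" is the traffic that was
                # invisible to the nat chain counters in the question.
                ip saddr 192.168.1.0/24 ct direction original counter
                ip daddr 192.168.1.0/24 ct direction reply counter
        }
}
```

After repeating the wget from Machine2, "nft list counters table ip filter" should show wan_to_lan at roughly the size of index.html plus TCP/IP header overhead, while the nat postrouting counter stays at a handful of packets (one per connection wget opened, including DNS lookups and any HTTP redirects). The nat chain is the wrong place to measure traffic volume; put the counters in the forward chain as the answer says.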