I have a server with two network cards. I want to route traffic from the 192.168.0.0/24 network to the 192.168.112.0/24 network, with the return traffic coming back the same way. What am I doing wrong? I have already enabled IP forwarding; see the interface, firewall and sysctl output below.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:07:32:79:e1:2d brd ff:ff:ff:ff:ff:ff
inet 192.168.112.251/24 brd 192.168.112.255 scope global noprefixroute enp1s0
valid_lft forever preferred_lft forever
inet6 fe80::207:32ff:fe79:e12d/64 scope link noprefixroute
valid_lft forever preferred_lft forever
3: enp0s31f6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:07:32:79:e1:2c brd ff:ff:ff:ff:ff:ff
inet 192.168.0.21/24 brd 192.168.0.255 scope global noprefixroute enp0s31f6
valid_lft forever preferred_lft forever
inet6 fe80::207:32ff:fe79:e12c/64 scope link noprefixroute
valid_lft forever preferred_lft forever
Here is the firewall ruleset:
nft list ruleset
table ip nat { chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; counter packets 2552 bytes 466059 jump WEBSERVER_PREROUTING }
chain OUTPUT { type nat hook output priority -100; policy accept; counter packets 752 bytes 71689 jump WEBSERVER_OUTPUT } chain WEBSERVER_PREROUTING { tcp dport 80 counter packets 61 bytes 3172 meta mark set 0x0005face tcp dport 80 counter packets 61 bytes 3172 redirect to :8080 tcp dport 443 counter packets 0 bytes 0 meta mark set 0x0005face tcp dport 443 counter packets 0 bytes 0 redirect to :8181 } chain WEBSERVER_POSTROUTING { } chain WEBSERVER_OUTPUT { oifname "lo" tcp dport 80 counter packets 0 bytes 0 redirect to :8080 oifname "lo" tcp dport 443 counter packets 14 bytes 728 redirect to :8181 } chain INPUT { type nat hook input priority 100; policy accept; } chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; } } table ip filter { set DENYLIST { type ipv4_addr flags interval } chain INPUT { type filter hook input priority filter; policy accept; counter packets 148804 bytes 44992337 jump ATTACKER-DETECTION counter packets 148804 bytes 44992337 jump RH-FIREWALL-1-INPUT counter packets 59434 bytes 26101045 jump DYNAMIC-PORTS ct state established,related counter packets 56789 bytes 25666535 accept ip protocol icmp counter packets 2 bytes 128 accept iifname "lo" accept ct state new tcp dport 22 counter packets 1 bytes 52 accept counter packets 2121 bytes 406163 reject with icmp type host-prohibited counter packets 0 bytes 0 drop } chain FORWARD { type filter hook forward priority filter; policy accept; } chain OUTPUT { type filter hook output priority filter; policy accept; } chain ATTACKER-DETECTION { ip saddr @DENYLIST drop } chain RH-FIREWALL-1-INPUT { ct state new tcp dport 8181 meta mark 0x0005face counter packets 0 bytes 0 accept ct state new tcp dport 8080 meta mark 0x0005face counter packets 61 bytes 3172 accept tcp dport 3090 counter packets 0 bytes 0 accept udp dport 3090 counter packets 0 bytes 0 accept tcp dport 5060 counter packets 0 bytes 0 accept udp dport 5060 counter packets 2636 bytes 1871597 accept tcp dport 5061 
counter packets 0 bytes 0 accept udp dport 5061 counter packets 0 bytes 0 accept tcp dport 5222 counter packets 386 bytes 20195 accept tcp dport 5223 counter packets 0 bytes 0 accept tcp dport 50080 counter packets 1838 bytes 145048 accept tcp dport 50081 counter packets 0 bytes 0 accept udp dport { 10000-20000 } counter packets 84448 bytes 16851228 accept ip saddr 10.0.0.0/8 ct state new tcp dport 5038 counter packets 0 bytes 0 accept ip saddr 172.16.0.0/12 ct state new tcp dport 5038 counter packets 0 bytes 0 accept ip saddr 192.168.0.0/16 ct state new tcp dport 5038 counter packets 1 bytes 52 accept ip saddr 10.0.0.0/8 ct state new tcp dport 5038 counter packets 0 bytes 0 accept ip saddr 172.16.0.0/12 ct state new tcp dport 5038 counter packets 0 bytes 0 accept ip saddr 192.168.0.0/16 ct state new tcp dport 5038 counter packets 0 bytes 0 accept } chain DYNAMIC-PORTS { ct state new udp dport 123 counter packets 25 bytes 1900 accept } } table ip6 filter { chain INPUT { type filter hook input priority filter; policy drop; ct state invalid counter packets 0 bytes 0 drop ct state established,related counter packets 4448 bytes 3102896 accept iifname "lo" counter packets 183 bytes 31252 accept iif != "lo" ip6 daddr ::1 counter packets 0 bytes 0 drop } chain FORWARD { type filter hook forward priority filter; policy drop; } chain OUTPUT { type filter hook output priority filter; policy drop; oifname "lo" counter packets 4631 bytes 3134148 accept } }
[root@root~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1