I'm trying to route incoming http internet traffic to [::1]:8080 which is where my http server binds to. I'm using nftables on an IPv6-only device. If I add following rules:
sudo nft flush ruleset
sudo nft add table ip6 nat
sudo nft add chain ip6 nat prerouting { type nat hook prerouting priority 0 \; }
sudo nft add chain ip6 nat postrouting { type nat hook postrouting priority 100 \; }
sudo nft add rule ip6 nat prerouting ip6 daddr [global-ip6] tcp dport 80 dnat to ::1 :8080
sudo nft list ruleset
with resulting ruleset:
table ip6 nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
ip6 daddr [global-ip6] tcp dport http dnat to [::1]:http-alt
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
}
}
then requests to [global-ip6]:80 get swallowed (there is no connection refused error) but no connection is established.
If I use one of the rules
sudo nft add rule ip6 nat prerouting tcp dport 80 redirect to 8080
or
sudo nft add rule ip6 nat prerouting ip6 daddr [global-ip6] tcp dport 80 dnat to [global-ip6] :8080
and bind my program to [global-ip6]:8080, then communication works as expected.
Do you have an idea what I am missing? I tried out some rules in the postrouting and input chains but couldn't get it to work. Back with IPv4 and iptables I had to do sudo sysctl -w net.ipv4.conf.all.route_localnet=1, maybe there is a similar IPv6 flag?
