Debian Networking – NAT with Masquerade on Different Interfaces Using Nftables

Tags: debian, networking, nftables

I have a server that is connected to two networks:

  • 10.0.0.0/24 through an interface wlan0
  • 192.168.1.0/24 through an interface eth0

I want to set up a WireGuard VPN to make both networks accessible from outside. I activated IP forwarding in my config (with sysctl).
Now I need to set up NAT in order to route my requests from the VPN server through the two local networks.
I use nftables to set up the NAT.

My issue is that, for a machine with only one interface, I would use the following configuration:

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        ip saddr 10.2.0.0/24 oifname eth0 masquerade
    }
}

But here, I don't want to route everything through eth0; I want to specifically route everything meant for 10.0.0.0/24 through wlan0 and everything meant for 192.168.1.0/24 through eth0. How can I achieve this with nftables?

Best Answer

I found the answer by myself in the end, so here is how to do it: you have to use the ip daddr parameter to filter by destination address. My final rule set is the following:

table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority filter; policy accept;
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 10.2.0.0/24 ip daddr 192.168.0.0/16 oifname "eth0" masquerade
        ip saddr 10.2.0.0/24 ip daddr 10.0.0.0/24 oifname "wlan0" masquerade
    }
}

This works perfectly.
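As an added example, not code from the question or the accepted answer: a POSIX shell script that generates the same per-destination masquerade rules for any number of LAN interfaces (using the question's 10.0.0.0/24 and 192.168.1.0/24), adds a forward chain so VPN clients can reach only those LANs, and syntax-checks the result with nft -c when nft is installed. The WireGuard interface name wg0 and the drop policy on the forward chain are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Generates per-destination
# masquerade rules plus a least-privilege forward chain for VPN clients.
# Assumed: VPN clients arrive on "wg0" (not named in the post) and a drop
# policy on the forward chain is acceptable on this host (it also blocks
# forwarding between eth0 and wlan0 themselves).

VPN_NET="10.2.0.0/24"   # VPN client subnet, from the post
VPN_IF="wg0"            # assumed WireGuard interface name
# Constructed mapping: "outgoing-interface LAN-subnet", one per line.
LAN_MAP="wlan0 10.0.0.0/24
eth0 192.168.1.0/24"

# Emit one line per LAN entry using the printf format in $1
# (fields, in order: VPN subnet, LAN subnet, outgoing interface).
each_lan() {
    printf '%s\n' "$LAN_MAP" | while read -r oif net; do
        [ -n "$oif" ] && printf "$1" "$VPN_NET" "$net" "$oif"
    done
}

# Print the complete ruleset: masquerade only toward the matching LAN via
# its own interface, and forward VPN traffic only to those LANs.
gen_ruleset() {
    cat <<EOF
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
$(each_lan '        ip saddr %s ip daddr %s oifname "%s" masquerade\n')
    }
}
table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
$(each_lan '        iifname "'"$VPN_IF"'" ip saddr %s ip daddr %s oifname "%s" accept\n')
    }
}
EOF
}

# Syntax-check the generated ruleset without loading it (requires nft).
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not found, skipping check" >&2; return 0; }
    gen_ruleset | nft -c -f -
}

gen_ruleset
check_ruleset
```

Load it with `gen_ruleset | nft -f -` once the check passes; add the question's prerouting chain if you need DNAT rules as well.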