
I need to intercept traffic going to an external IP and reroute it to localhost. It's quite simple using iptables, but I could not understand how to make it work through nft. I create a table and chain inside nft, but could not create a rule; nft says "Operation not supported".

Tables

sudo /usr/sbin/nft list ruleset
table ip filter {
        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }
}

Rule

sudo /usr/sbin/nft  add rule ip filter OUTPUT ip daddr $EXTERNAL_ADDRESS counter dnat to 127.0.0.1
Error: Could not process rule: Operation not supported

Kernel modules

lsmod | grep nf_tables
nf_tables             360448  1 nft_nat
libcrc32c              12288  3 nf_conntrack,nf_nat,nf_tables
nfnetlink              20480  1 nf_tables

What's wrong with my rule, or could it be made simpler?

zealot
  • 3

1 Answer


Assign the IP address to the host. Routing all traffic is what the forwarding table is for; a firewall can do it, but that is often not necessary.

For example, assigning an IP address I made up to loopback on Linux:

  ip a add 2001:db8:114:6402::1020 dev lo

As a one-host route, it will take priority even if the address normally exists elsewhere on the internet. On a loopback interface, other hosts will not know about it; it is only reachable by traffic "leaving" the same host.

If the host is a router, decide whether you want this advertised to other routers or not.

Exercises for the reader: register this in IPAM and DNS. Make it persistent with your distro's network manager.

John Mahowald
  • 36,071
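For readers who still want the firewall route rather than the loopback address above: the rule in the question is rejected because dnat is a NAT statement, and nftables only accepts it in a chain declared "type nat", whereas the question's chain is "type filter". The ruleset below is an added example, not from either post, showing the output-hook nat chain that accepts the same rule; 192.0.2.10 is a documentation address standing in for $EXTERNAL_ADDRESS.

```nft
# Added example (not from the question or answer). dnat belongs in a
# "type nat" chain; the question's "type filter" chain is why nft
# reported "Operation not supported". 192.0.2.10 stands in for
# $EXTERNAL_ADDRESS and is a constructed documentation address.
table ip nat {
        chain output {
                # The output hook sees only locally generated packets,
                # which is the case here (traffic leaving this host).
                # -100 is the conventional priority for NAT chains and
                # keeps this ahead of the filter-priority output chain.
                type nat hook output priority -100; policy accept;

                # Same match as the question's rule. The counter lets you
                # confirm with "nft list ruleset" that packets are hitting
                # it; conntrack (nf_nat, loaded per the question's lsmod)
                # un-translates the replies automatically.
                ip daddr 192.0.2.10 counter dnat to 127.0.0.1
        }
}
```

Load it with `nft -f <file>` as root; because the match is on the destination address only, every port going to that address is redirected, so narrow it with `tcp dport` if only one service should be intercepted.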