How do I convert iptables rules to nftables rules?

I am trying to figure out how to convert iptables rules to nftables rules on an Ubuntu system.

I tried converting the iptables rules to nftables with the automatic translator, but it does not seem to work.

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT; ip6tables -A INPUT -s fd00:00:00::0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D INPUT -s 10.0.0.0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT; ip6tables -D INPUT -s fd00:00:00::0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$ uname -r
5.4.0-1069-azure
$ nft -v
nftables v0.9.8 (E.D.S.)
$ iptables-translate -V
iptables-translate v1.8.7 (nf_tables)
$ ip6tables-translate -V
ip6tables-translate v1.8.7 (nf_tables)

Translation

iptables -A FORWARD -i wg0 -j ACCEPT
nft add rule ip filter FORWARD iifname "wg0" counter accept

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
nft add rule ip nat POSTROUTING oifname "eth0" counter masquerade

iptables -A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
nft add rule ip filter INPUT ip saddr 10.0.0.0/8 udp dport 53 ct state new counter accept

ip6tables -A FORWARD -i wg0 -j ACCEPT
nft add rule ip6 filter FORWARD iifname "wg0" counter accept

ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
nft add rule ip6 nat POSTROUTING oifname "eth0" counter masquerade 

ip6tables -A INPUT -s fd00:00:00::0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
nft add rule ip6 filter INPUT ip6 saddr fd00::/8 udp dport 53 ct state new counter accept

---

iptables -D FORWARD -i wg0 -j ACCEPT
$ iptables-translate -D FORWARD -i wg0 -j ACCEPT
Translation not implemented

iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
$ iptables-translate -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Translation not implemented

iptables -D INPUT -s 10.0.0.0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$ iptables-translate -D INPUT -s 10.0.0.0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
Translation not implemented

ip6tables -D FORWARD -i wg0 -j ACCEPT
$ ip6tables-translate -D FORWARD -i wg0 -j ACCEPT
Translation not implemented

ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
$ ip6tables-translate -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Translation not implemented

ip6tables -D INPUT -s fd00:00:00::0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$ ip6tables-translate -D INPUT -s fd00:00:00::0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
Translation not implemented

Running

$ nft add rule ip filter FORWARD iifname "wg0" counter accept
Error: Could not process rule: No such file or directory
add rule ip filter FORWARD iifname wg0 counter accept
            ^^^^^^

If you can improve the rules, please do so. I would like to specify ports, but I am not proficient with iptables or nftables.
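The "No such file or directory" error above comes from nft having no `ip filter` table (and no `FORWARD` chain in it) to append to: iptables-translate assumes the iptables-nft table layout already exists, and on a plain nftables host it does not. As an added example, not from the question or from the iptables/nftables projects, the script below emits a complete ruleset for the PostUp line in one dedicated table per family, so the PostDown line reduces to deleting those tables; it assumes wg0 is the WireGuard interface and eth0 the uplink, as in the question.

```shell
#!/bin/sh
# Added example, not from the question: emit an nftables ruleset that does what the
# PostUp line does, in a dedicated table so PostDown can remove it in one step
# (the translated rules fail because the "ip filter" table does not exist yet).
# Assumes wg0 is the WireGuard interface and eth0 the uplink, as in the question.
# Apply:   wg_nft_ruleset wg0 eth0 | nft -f -      Remove:  wg_nft_teardown | sh
wg_nft_ruleset() {
  wg_if="${1:-wg0}"
  out_if="${2:-eth0}"
  cat <<EOF
# declare-then-delete makes a re-run idempotent without touching other tables
table ip wg
delete table ip wg
table ip6 wg
delete table ip6 wg
table ip wg {
    chain input {
        # policy accept: the original rules only appended ACCEPTs to INPUT
        type filter hook input priority 0; policy accept;
        ip saddr 10.0.0.0/8 udp dport 53 ct state new counter accept
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "$wg_if" counter accept
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$out_if" counter masquerade
    }
}
table ip6 wg {
    chain input {
        type filter hook input priority 0; policy accept;
        ip6 saddr fd00::/8 udp dport 53 ct state new counter accept
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        iifname "$wg_if" counter accept
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$out_if" counter masquerade
    }
}
EOF
}
# PostDown equivalent: deleting a table removes every chain and rule inside it.
wg_nft_teardown() {
  printf 'nft delete table ip wg\nnft delete table ip6 wg\n'
}
```

Because the tables are named `wg` rather than `filter`/`nat`, they coexist with any other nftables rules on the host, and the teardown does not delete rules that belong to something else.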
