
Can someone please help in converting the below iptables rules to equivalent nftables rules?

I have already tried to use iptables-translate, but it is not translating all of my rules...

# accept ports 500 and 4500, required for IKEv2
sudo iptables -A INPUT -p udp --dport  500 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT

# forward ESP
sudo iptables -A FORWARD --match policy --pol ipsec --dir in  --proto esp -s 10.1.1.1/24 -j ACCEPT
sudo iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.1.1.1/24 -j ACCEPT

# more forwarding
sudo iptables -t nat -A POSTROUTING -s 10.1.1.1/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.1.1.1/24 -o eth0 -j MASQUERADE

# fix fragmentation
sudo iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.1.1.1/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

Any help would be much appreciated.

  • Please clarify your specific problem or provide additional details to highlight exactly what you need. As it's currently written, it's hard to tell exactly what you're asking.
    – Community Bot
    Commented Mar 29, 2022 at 10:40
  • I am looking for assistance to convert the listed iptables commands to equivalent nftables rules... So instead of executing sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT, what would be the equivalent command for nftables? Something like sudo nft add xxxxxxxxx
    Commented Mar 29, 2022 at 13:12
  • Looks like homework: I didn't try [to understand] anything, let's ask SU to do it for me.
    – A.B
    Commented Apr 29, 2022 at 16:59
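The following is an added example, not an answer from the page or code from the asker: the five iptables rules in the question expressed as one nftables ruleset, wrapped in a small POSIX shell script that can print it or load it. The mapping is: `-p udp --dport 500/4500` becomes `udp dport { 500, 4500 }`; `-m policy --pol ipsec --dir in` becomes `meta ipsec exists` (the packet arrived inside an IPsec SA); `-m policy --pol ipsec --dir out` has no bare "outbound policy exists" test in nft, so the script matches any outbound SA with `ipsec out spi != 0` (an SA that exists always has a non-zero SPI, since SPI 0 is reserved), which is probably also why iptables-translate gives up on those rules; `-m tcpmss`/`TCPMSS` become `tcp option maxseg size 1361-1536` and `tcp option maxseg size set 1360`; the mangle-table rule goes in a forward chain at priority -150 so it still runs before the filter chain. The `--proto esp` qualifier of the policy match has no nft counterpart and is dropped (it only excludes AH SAs). Assumptions not stated in the question: the client pool is 10.1.1.0/24 (iptables masks the posted 10.1.1.1/24 to the same network), the Internet-facing interface is eth0, the existing chains have default policy accept (change `policy accept` if yours drop), and the kernel and nft are recent enough to support `meta ipsec` and the `ipsec` expression; the `apply` mode runs `nft -c` first so an unsupported expression fails before anything is changed.

```shell
#!/bin/sh
# Added example, not code from the original post. Equivalent of the question's
# iptables rules as one nftables ruleset for an IKEv2 gateway.
# Assumptions (not from the page): VPN client pool 10.1.1.0/24, WAN interface eth0,
# and a kernel/nft that support 'meta ipsec' and the 'ipsec' expression.
# Usage: ./ikev2-nft.sh show          (print the ruleset)
#        sudo ./ikev2-nft.sh apply    (dry-run check, then load atomically)
VPN_POOL="${VPN_POOL:-10.1.1.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Emit the ruleset in nft's native file syntax for the given pool and interface.
# Loading this once with 'nft -f' is the atomic equivalent of the individual
# 'sudo nft add rule ...' commands the asker was looking for.
ikev2_ruleset() {
    pool="${1:-$VPN_POOL}"
    wan="${2:-$WAN_IF}"
    cat <<EOF
table ip ikev2 {
    chain input {
        type filter hook input priority 0; policy accept;
        # accept ports 500 and 4500, required for IKEv2
        udp dport { 500, 4500 } accept
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
        # -m policy --pol ipsec --dir in: packet arrived inside an IPsec SA
        meta ipsec exists ip saddr $pool accept
        # -m policy --pol ipsec --dir out: packet will leave inside an IPsec SA.
        # nft has no bare "outbound policy exists" test, so match the SA's SPI:
        # a real SA always has a non-zero SPI (SPI 0 is reserved).
        ipsec out spi != 0 ip daddr $pool accept
    }

    chain mangle_forward {
        # priority -150 is the iptables mangle position, before the filter chain above
        type filter hook forward priority -150; policy accept;
        # fix fragmentation: clamp the MSS of SYNs from the tunnel heading out $wan
        meta ipsec exists ip saddr $pool oifname "$wan" tcp flags & (syn|rst) == syn tcp option maxseg size 1361-1536 tcp option maxseg size set 1360
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # do not masquerade traffic that goes back out inside the tunnel (client to client)
        ip saddr $pool oifname "$wan" ipsec out spi != 0 accept
        # masquerade everything else from the pool leaving $wan
        ip saddr $pool oifname "$wan" masquerade
    }
}
EOF
}

# Validate with 'nft -c' (parse and check only, no changes), then load atomically.
# Both steps need root; a syntax error or an unsupported expression stops the load.
apply_ruleset() {
    ikev2_ruleset | nft -c -f - && ikev2_ruleset | nft -f -
}

case "${1:-}" in
    show)  ikev2_ruleset ;;
    apply) apply_ruleset ;;
esac
```

Before switching over, delete the old iptables rules (or flush the legacy tables) so the two rulesets are not evaluated side by side, and fold any other INPUT/FORWARD rules you already have into the same chains; `nft list ruleset` afterwards should show exactly the `ikev2` table above.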
