Nftables nat: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| (Eine dazwischenliegende Version desselben Benutzers wird nicht angezeigt) | |||
| Zeile 3: | Zeile 3: | ||
*cat /etc/kea/kea-dhcp4.conf | *cat /etc/kea/kea-dhcp4.conf | ||
{ "hw-address": "aa:bb:cc:dd:ee:ff", "ip-address": "172.26.2XX.10", "hostname": "client" } | { "hw-address": "aa:bb:cc:dd:ee:ff", "ip-address": "172.26.2XX.10", "hostname": "client" } | ||
| − | + | ;Neustart nicht vergessen | |
| + | *systemctl restart kea-dhcp4-server.service | ||
| Zeile 27: | Zeile 28: | ||
<span style="color:#FF0000">chain prerouting {</span> | <span style="color:#FF0000">chain prerouting {</span> | ||
<span style="color:#FF0000">type nat hook prerouting priority dstnat; policy accept;</span> | <span style="color:#FF0000">type nat hook prerouting priority dstnat; policy accept;</span> | ||
| − | <span style="color:#FF0000">ip daddr $wanip tcp dport 9922 dnat ip to $ | + | <span style="color:#FF0000">ip daddr $wanip tcp dport 9922 dnat ip to $CLIENT:22</span> |
<span style="color:#FF0000">}</span> | <span style="color:#FF0000">}</span> | ||
Aktuelle Version vom 8. Mai 2026, 05:19 Uhr
DNAT zum client
- Zuerst dem Client über dhcp eine feste IP zu teilen
- cat /etc/kea/kea-dhcp4.conf
{ "hw-address": "aa:bb:cc:dd:ee:ff", "ip-address": "172.26.2XX.10", "hostname": "client" }
- Neustart nicht vergessen
- systemctl restart kea-dhcp4-server.service
- Man soll über den port 9922 und der äusseren Ip der Firewall per ssh auf den Client auf Port 22 zugreifen
define CLIENT = 172.26.2XX.10 table inet filter { .... chain forward { type filter hook forward priority filter; policy drop; ct state established,related accept ... ct state new iif $WANDEV oif $LANDEV ip daddr $CLIENT tcp dport 22 accept log prefix "--nftables-drop-forward--" }
table inet nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
ip daddr $wanip tcp dport 9922 dnat ip to $CLIENT:22
}