This is another post about the iptables-translate utility. It covers why this tool matters and how it can be used to translate different kinds of iptables targets and matches, with examples.
The first translation that I provided was for the match “mark”. For those unfamiliar with iptables, this module matches the netfilter mark field associated with a packet.
In iptables, one writes a rule corresponding to this as simply as
# iptables -A FORWARD -m mark --mark 22 -j ACCEPT
However, in nftables, this rule turns out to be even simpler.
# nft add rule ip filter FORWARD mark 0x16 accept
Note that if no table is specified at the beginning of a rule, iptables assumes the default table ‘filter’. In nftables, however, both the family (ip, ip6, etc.) and the table name must be given.
See how the translation has taken place:
| iptables | nftables |
|---|---|
| FORWARD | ip filter FORWARD |
| -m mark --mark 22 | mark 0x16 |
Quite simple, right?
Now, see the iptables rule for the routing realm. This module matches a given realm number; realms are used in complex routing setups involving dynamic routing protocols like BGP.
# iptables -A PREROUTING -m realm --realm 4
Going by the aforementioned procedure, we can easily come up with the nftables rule as
# nft add rule ip filter PREROUTING realm 0x4
Easiest stuff ever!
But wait. What is this weird message on my terminal?
Seems like things aren’t a piece of cake after all. What do we do now? nft tells us nothing about how to express a routing realm.
People, hold your breaths. Here comes the savior…
This utility will always come to the rescue, I bet.*
*T&C: provided I have completed the translation for that module.
So, now that we have our hero, all we have to do is run
$ sudo iptables-translate -A PREROUTING -m realm --realm 4
and then we get on the terminal,
nft add rule ip filter PREROUTING rtclassid 0x4 counter
Try adding this rule to your chain. Congrats! No weird looking errors this time.
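To make the keyword mapping concrete, here is a small added example (not part of the original post, and not the iptables-translate source) that mimics the two translations shown above: the match-module keyword (mark stays `mark`, realm becomes `rtclassid`), the decimal-to-hex rewrite of the value, and the `ip filter` prefix. The `counter` keyword is appended because iptables keeps per-rule packet counters and the tool emits it to preserve them; the mapping tables are assumptions derived only from the two rules in this post.

```python
import shlex

# iptables match module + option -> nftables expression keyword (assumed from the post).
MATCH_KEYWORDS = {
    ("mark", "--mark"): "mark",
    ("realm", "--realm"): "rtclassid",
}
# iptables -j target -> nftables verdict (only the one used in the post, plus drop).
TARGETS = {"ACCEPT": "accept", "DROP": "drop"}


def translate(rule, family="ip", table="filter"):
    """Translate `[iptables] -A CHAIN -m MODULE --opt VALUE [-j TARGET]` into an
    `nft add rule` command. Raises ValueError for anything it cannot translate,
    mirroring how nft rejects keywords such as 'realm' that it does not know."""
    args = shlex.split(rule)
    if args and args[0] == "iptables":
        args = args[1:]
    chain, module, target, exprs = None, None, None, []
    i = 0
    while i < len(args):
        tok = args[i]
        if tok == "-A":
            chain = args[i + 1]
        elif tok == "-m":
            module = args[i + 1]
        elif tok == "-j":
            if args[i + 1] not in TARGETS:
                raise ValueError(f"no translation for target {args[i + 1]!r}")
            target = TARGETS[args[i + 1]]
        elif tok.startswith("--"):
            if (module, tok) not in MATCH_KEYWORDS:
                raise ValueError(f"no translation for {module} {tok}")
            value = int(args[i + 1], 0)          # accept decimal or 0x-prefixed input
            exprs.append(f"{MATCH_KEYWORDS[(module, tok)]} {value:#x}")  # nft prints hex
        else:
            raise ValueError(f"unexpected token {tok!r}")
        i += 2
    if chain is None:
        raise ValueError("no chain given (-A CHAIN)")
    # nftables needs family and table spelled out; iptables defaulted to 'filter'.
    parts = ["nft", "add", "rule", family, table, chain, *exprs, "counter"]
    if target:
        parts.append(target)
    return " ".join(parts)


if __name__ == "__main__":
    print(translate("iptables -A FORWARD -m mark --mark 22 -j ACCEPT"))
    print(translate("-A PREROUTING -m realm --realm 4"))
```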
[iptables-translate: Oh, come on. There’s no need for claps. No. Seriously.]
So, this is why you are going to need this utility. The syntax has changed a lot; it is actually better and more understandable, but you need to know the exact keywords.
This tool is pretty good and very very easy to use. Try it out and report the bugs if you come across any.
Thanks for reading.