Help route internet from usb tether to lan - nat, routes & nftables
Posted by DBAGibbz@reddit | linuxadmin | View on Reddit | 2 comments
I'm trying to set up my box to route internet from end0 (192.168.1.6) to the internet on usb0 (DHCP). I'm running DNS & DHCP via Docker AdGuard, but assume that's not working for now, because once the nftables rules are applied I cannot access their web interfaces. But for now, ping with an IP is okay.
With my current setup I can ping the internet from the 'router' via the interface usb0. But I cannot ping from the interface end0.
ping 8.8.8.8 -I usb0 ← works
ping 8.8.8.8 -I end0 ← Destination Host Unreachable
Do I need to set up any static routes? Or should nftables handle all the routing? I've tried several guides with various nftables rules, but none of them work:
my network config:
usb0:
    [Match]
    Name=usb0
    [Network]
    DHCP=yes
end0:
    [Match]
    Name=end0
    [Network]
    Address=192.168.1.6/24
my nftables:
    table inet filter {
        chain input {
            type filter hook input priority filter; policy accept;
        }
        chain forward {
            type filter hook forward priority filter; policy accept;
            iif "end0" oif "usb0" accept
            iif "usb0" oif "end0" accept
        }
        chain output {
            type filter hook output priority filter; policy accept;
        }
    }
    table ip nat {
        chain prerouting {
            type nat hook prerouting priority filter; policy accept;
        }
        chain postrouting {
            type nat hook postrouting priority srcnat; policy accept;
            oif "usb0" masquerade
        }
    }
my routes:
    default via 192.168.102.208 dev usb0
    default via 192.168.102.208 dev usb0 proto dhcp src 192.168.102.114 metric 1024
    172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown <- docker?
    172.18.0.0/16 dev br-cc00a7d88795 proto kernel scope link src 172.18.0.1 <- docker?
    192.168.1.0/24 dev end0 proto kernel scope link src 192.168.1.6
    192.168.102.0/24 dev usb0 proto kernel scope link src 192.168.102.114 metric 1024
    192.168.102.208 dev usb0 proto dhcp scope link src 192.168.102.114 metric 1024
shikkonin@reddit
Did you turn on IP forwarding so that your box actually routes? Nothing in your description hints at any routing taking place anywhere.
meditonsin@reddit
Assuming your nftables.conf starts with `flush ruleset`, that's because you're flushing the rules Docker created for itself via iptables. Mixing Docker and nftables is a pain in the ass.
Not for directly reachable networks. But did you set the `net.ipv4.ip_forward` sysctl to 1? If not, there won't be any routing regardless. nftables doesn't do any routing. It just allows or blocks it.
The interface-specific rules are redundant with `policy accept;` at the top. That already allows all forwarding.
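The two replies above boil down to a checklist that nftables cannot satisfy on its own: the kernel must have forwarding enabled, the WAN interface needs a usable default route, and the LAN subnet needs a connected route (which the static address on end0 already provides, so no extra static route is required). The script below is an added example, not code from the post or from either commenter; it parses `ip route` output (the route lines are copied from the post) together with the `net.ipv4.ip_forward` value and reports which prerequisite is missing. The function names and the `read_live_ip_forward` helper are my own.

```python
import ipaddress

# Route lines copied from the post above (Docker bridge routes included).
SAMPLE_ROUTES = """\
default via 192.168.102.208 dev usb0
default via 192.168.102.208 dev usb0 proto dhcp src 192.168.102.114 metric 1024
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-cc00a7d88795 proto kernel scope link src 172.18.0.1
192.168.1.0/24 dev end0 proto kernel scope link src 192.168.1.6
192.168.102.0/24 dev usb0 proto kernel scope link src 192.168.102.114 metric 1024
192.168.102.208 dev usb0 proto dhcp scope link src 192.168.102.114 metric 1024
"""


def parse_routes(text):
    """Turn `ip route` output into dicts: dst, dev, via, linkdown."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        route = {"dst": parts[0], "dev": None, "via": None,
                 "linkdown": "linkdown" in parts}
        for i, tok in enumerate(parts):
            if tok == "dev" and i + 1 < len(parts):
                route["dev"] = parts[i + 1]
            elif tok == "via" and i + 1 < len(parts):
                route["via"] = parts[i + 1]
        routes.append(route)
    return routes


def check_router(routes_text, ip_forward, lan_if, lan_cidr, wan_if):
    """Return a list of problems; an empty list means the kernel can route
    LAN -> WAN once the masquerade rule is in place."""
    problems = []

    # 1. Without ip_forward=1 the kernel drops packets not addressed to itself.
    if ip_forward.strip() != "1":
        problems.append("net.ipv4.ip_forward is not 1: kernel will not forward")

    routes = parse_routes(routes_text)

    # 2. A default route on the WAN interface is what carries LAN traffic out.
    defaults = [r for r in routes if r["dst"] == "default" and not r["linkdown"]]
    if not any(r["dev"] == wan_if for r in defaults):
        problems.append(f"no default route via {wan_if}")

    # 3. The LAN subnet only needs the connected route the static address creates;
    #    no additional static route is required for a directly attached network.
    lan_net = ipaddress.ip_network(lan_cidr)
    connected = [r for r in routes
                 if r["dev"] == lan_if and r["dst"] != "default" and not r["linkdown"]]
    if not any(ipaddress.ip_network(r["dst"], strict=False) == lan_net
               for r in connected):
        problems.append(f"no connected route for {lan_cidr} on {lan_if}")

    return problems


def read_live_ip_forward():
    """Read the running kernel's value; returns 'unknown' off-Linux. (hypothetical helper)"""
    try:
        with open("/proc/sys/net/ipv4/ip_forward") as fh:
            return fh.read().strip()
    except OSError:
        return "unknown"


if __name__ == "__main__":
    # Run against the post's routes with forwarding assumed off, as shikkonin suspected.
    for p in check_router(SAMPLE_ROUTES, "0", "end0", "192.168.1.0/24", "usb0"):
        print("PROBLEM:", p)
    print("live ip_forward on this host:", read_live_ip_forward())
```

With forwarding off, the only finding is the sysctl; once it is set to 1 the post's route table passes every check, which is why the missing piece is the sysctl (plus the Docker rules that a `flush ruleset` wipes) rather than any static route.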