ddevz
August 8, 2023, 2:39pm
nft add rule ip nat PREROUTING iifname "eth0" ip daddr 192.168.x.y tcp dport 443 counter dnat to 10.137.1.z
would be the nft translation of the recommended command for port forwarding in 4.1, which was:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -d 192.168.x.y -j DNAT --to-destination 10.137.1.z
However, that does not work. However, this says that custom-input and custom-forward chains should be used:
DomU firewalls have completely switched to nftables. Users should add their custom rules to the custom-input and custom-forward chains. (#5031, #6062)
With no example how to use them. Any help?
The recommended version for 4.1 came from:
Understanding firewalling in Qubes Every qube in Qubes is connected to the network via a FirewallVM, which is used to enforce network-level policies. By default there is one default FirewallVM, but the user is free to create more, if needed. For more...
You might need to put prerouting in all lower case. A Stack Exchange user had a similar problem: debian - NFTable clarification - Unix & Linux Stack Exchange
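An added sketch, not taken from the thread or from the Qubes documentation: native nft names are case-sensitive and exist only if the loaded ruleset defines them, so a rule for `ip nat PREROUTING` is rejected unless that table and chain are already present (check with `nft list ruleset`). The fragment below creates its own nat chain for the DNAT step and accepts the forwarded flow in `custom-forward`. Assumptions: the table name `portfwd_example` is hypothetical, the addresses are constructed stand-ins for the post's `192.168.x.y` and `10.137.1.z`, and the qube's base table is assumed to be `ip qubes`.

```nft
#!/usr/sbin/nft -f
# Added example. All values below are constructed placeholders.
define ext_if  = "eth0"          # external interface named in the post
define ext_ip  = 192.168.1.10    # stands in for 192.168.x.y
define qube_ip = 10.137.1.20     # stands in for 10.137.1.z

# Step 1: destination NAT. The rule must sit in a chain of type nat
# hooked at prerouting; a separate (hypothetical) table keeps it apart
# from the chains the Qubes firewall manages itself.
table ip portfwd_example {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $ext_if ip daddr $ext_ip tcp dport 443 counter dnat to $qube_ip
    }
}

# Step 2: after DNAT the packet is forwarded, so it must also be
# accepted on the forward path. custom-forward is the chain the release
# notes name for user rules; "ip qubes" as its table is an assumption.
add rule ip qubes custom-forward iifname $ext_if ip daddr $qube_ip tcp dport 443 ct state new,established,related counter accept
```

Load it with `nft -f <file>` inside the qube that receives the traffic, then confirm with `nft list ruleset` that both counters increase when a connection is attempted.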