Firewall rules (iptables) not working on Rocky Linux 8 with nftables

Rocky Linux Help & Support
1

Hello,

I am facing an issue when trying to apply firewall rules on Rocky Linux 8.10, where the traffic redirection (DNAT) rules that work correctly on CentOS 7 using iptables are not functioning on Rocky Linux 8.10, which uses nftables by default.

Environment Configuration:

  • Operating system: Rocky Linux 8.10
  • Firewall: nftables (enabled by default on Rocky Linux 8.10)
  • Firewall rules I am trying to apply:
    • Redirect TCP traffic arriving at port 5432 (PostgreSQL) from a specific IP (192.168.0.101) to another IP in the same network (192.168.0.102) and to the destination machine (192.168.0.103).

Problem Description:
On CentOS 7, I am able to apply the rules successfully using iptables, and the traffic is redirected correctly. However, when I apply the same rules on Rocky Linux, the traffic is not being redirected as expected.

On Rocky Linux, the system is using nftables, and when I try to apply the rules through iptables (whether using iptables or iptables-nft), they do not seem to work properly.

Steps I’ve taken so far:

  1. I enabled IP forwarding with the line net.ipv4.ip_forward = 1 in the /etc/sysctl.conf file and applied it with sysctl -p, ensuring IP forwarding is enabled.

  2. I made sure the necessary modules for both iptables and nftables are loaded, including nf_conntrack, nf_conntrack_ipv4, and nf_nat.

  3. I tested the rules using the iptables-nft command and also tried configuring directly with nft (but with no success).

  4. I tried disabling nftables to use only iptables, but the issue persists.

  5. firewalld disabled and mask.

Firewall rules I am applying (iptables on CentOS 7):

bash

CopiarEditar

# Enable IP forwarding (if not already done)
sysctl -w net.ipv4.ip_forward=1

# Add rule to redirect traffic from IP 192.168.0.101 on port 5432 to 192.168.0.103 on the same port
iptables -t nat -A PREROUTING -p tcp --dport 5432 -s 192.168.0.101 -j DNAT --to-destination 192.168.0.103:5432

# Ensure that the response to redirected traffic is sent back correctly
iptables -t nat -A POSTROUTING -p tcp --dport 5432 -d 192.168.0.103 -j MASQUERADE

Observed errors:

  • No explicit errors in system logs, but the traffic is not being redirected as expected.

Questions:

  1. Has anyone encountered similar issues when using nftables instead of iptables on Rocky Linux 8?
  2. Is there any special configuration I should perform to ensure that iptables rules work properly with nftables on Rocky Linux?
  3. Is it possible that the versions of nftables and iptables on Rocky Linux 8 are causing some conflict? How can I resolve this?
  4. Are there any other details or dependencies that might be affecting traffic redirection on Rocky Linux 8?

I would appreciate any guidance or suggestions to resolve this issue.

Best regards,

2

The tool ‘iptables’ is a wrapper/translator that reads your “iptables syntax” and creates equivalent nftables rules into the kernel. The translation is said to not be 100% complete.

You can see all the rules that are in the kernel with:

nft list ruleset

Did you also allow traffic to go through in forward filter with something like ct status dnat accept
(or ip daddr 192.168.0.103 tcp dport 5432 accept)?

3

I didn’t just write in iptables, and I noticed that the failure occurs and it doesn’t forward, I’m going to rewrite it in nftables now, following the new standard to validate

4

I rewrote the rules in nftables and it worked, the iptables-legacy → nftables integration is not 100% working, I am handling rules in iptables-legacy, until I convert them all to nftables.

Thanks for the support.