On Thu, Oct 26, 2023 at 10:00:08PM +0700, Max Nikulin wrote:
> On 26/10/2023 17:06, Martin wrote:
> > On Thu, Oct 26, 2023 at 09:54:22AM +0700, Max Nikulin wrote:
> > >
> > > #!/usr/sbin/nft -f
> > > table inet sharedconnection {}
> > > flush table inet sharedconnection
> > > table ip sharedconnection { ... }  from above
> I wrote "FILE" in caps trying to express that you can choose any name.
> Debian has /etc/nftables.conf and nft supports the "include" directive, see
> nft(8). So you may put your file in /etc or create a dedicated directory,
> e.g. /etc/nftables.conf.d, for your settings and include your file from the
> main conf file, so it should be applied on each boot by nftables.service.
> You may put "table ip shared ..." content directly into /etc/nftables.conf
> as well, however I prefer to minimize changes in files provided by packages
> when it is possible to use additional ones.
> By the way, since you have dnsmasq running, you may enable its DHCP server
> (dhcp-range=192.168.231.5,192.168.231.254) and may switch my router from
> static network configuration to DHCP.

Sorry for the long pause in replying (my hard disk was dying, so I replaced
the HD and installed the whole Debian from scratch). Now (after reinstalling
everything) I am at the point where I want to make my router work.

I set up dnsmasq to enable DHCP with this line in the config:

dhcp-range=192.168.231.241,192.168.231.254,12h

and reset my WiFi router. After a little configuring with my phone I can
connect my phone to the WiFi router and to my computer (which still has
address 192.168.231.3). I can access the http server on my computer when I
type this address into the web browser on my phone:

http://192.168.231.3/text.html

(I created on my computer the file /var/www/html/test.html)

That is all without changing anything with the nft program.

I created a file with exactly this content:

#!/usr/sbin/nft -f
table ip masqrule {}
flush table ip masqrule
table ip masqrule {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 192.168.231.3/24 ip daddr != 192.168.231.3/24 masquerade
    }
}

When I execute this file with sudo, unfortunately nothing changes: I can not
connect to the internet (trying www.google.com from the phone).
[[ This is about the old system I had on the old HD: I remember that before
reinstalling the whole system, at this point I had a connection from my phone
to the internet (I could see google and then some videos on youtube worked on
the phone too). After I rebooted my old system I could not connect to the
internet from the phone anymore. I slightly changed the script from your post
to the current state (namely using ip always instead of inet in the first two
lines of the script and using 'masqrule' as the table name). I think those
changes are ok. ]]

I have no idea what else I should try to make this work. Maybe I forgot to
issue some command (but I do not think so).

BTW, putting the above script into /etc/nftables.conf (at the bottom of the
file) never worked - I always had to run that file manually as root. Only
then did the command 'nft list ruleset' show this table. I have no idea why.
To me it seemed as if the /etc/nftables.conf file was not executed (I have
rebooted many times, so this file should have run).

Bye
Martin

My current network connections, and the 'ip route' command:

(I see 2 changes from my previous setup: tun0 and br-7bfdce95ff27 are
missing. They were created automatically before, so I hope it does not matter
that they are not present now - both were providing local addresses
10.1.1.1/24 and 172.18.0.1/16; maybe they will appear when I install more
programs from the repository. I am not worried about them, just mentioning
them to be complete.)

root@redmoon:~# ip address list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether e0:d5:5e:73:c9:d3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.231.3/24 brd 192.168.231.255 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 fe80::e2d5:5eff:fe73:c9d3/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
3: wlxe8de27a5ab1c: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e8:de:27:a5:ab:1c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.16/24 brd 192.168.0.255 scope global dynamic wlxe8de27a5ab1c
       valid_lft 591334sec preferred_lft 591334sec
    inet6 fe80::eade:27ff:fea5:ab1c/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:33:88:62:ce brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
root@redmoon:~# ip route
default via 192.168.0.1 dev wlxe8de27a5ab1c
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/24 dev wlxe8de27a5ab1c proto kernel scope link src 192.168.0.16
192.168.231.0/24 dev enp3s0 proto kernel scope link src 192.168.231.3
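The kind of check a reader of this thread would run on the router host, written here as an added example (it is not from Martin's or Max's mails): it renders a masquerade ruleset in the same table / flush / table idiom as the script above, and checks two prerequisites that none of the commands in the thread show, namely that the net.ipv4.ip_forward sysctl is 1 and that the default route leaves via the WAN interface. The interface names and the 192.168.231.0/24 prefix are taken from the `ip` output above; the sample `ip route` text embedded in the script is constructed to mirror it. Matching on the outgoing interface (`oifname`) and writing the prefix with its host bits cleared are choices made here, not a fix the thread confirms.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values, taken from the
# ip output above: LAN 192.168.231.0/24 on enp3s0, WAN wlxe8de27a5ab1c.
# The table name "masqrule" is the one used in the thread.
LAN_NET="${LAN_NET:-192.168.231.0/24}"
WAN_IF="${WAN_IF:-wlxe8de27a5ab1c}"

# Print an nft -f compatible ruleset that only masquerades packets from the
# LAN prefix that leave through the WAN interface. The empty-table / flush
# pair makes the file safe to load repeatedly.
render_ruleset() {
    lan="$1"; wan="$2"
    cat <<EOF
#!/usr/sbin/nft -f
table ip masqrule {}
flush table ip masqrule
table ip masqrule {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr $lan oifname "$wan" masquerade
    }
}
EOF
}

# Succeed when the sysctl file holds "1". The optional path argument lets
# the function be exercised against a constructed file instead of /proc.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Given the text of `ip route` as $1, succeed when the default route uses
# the interface named in $2.
default_route_via() {
    printf '%s\n' "$1" | grep -Eq "^default .* dev $2( |$)"
}

# Constructed sample of `ip route` output, in the same shape as the thread's.
SAMPLE_ROUTES='default via 192.168.0.1 dev wlxe8de27a5ab1c
192.168.0.0/24 dev wlxe8de27a5ab1c proto kernel scope link src 192.168.0.16
192.168.231.0/24 dev enp3s0 proto kernel scope link src 192.168.231.3'

# Run the live checks on this host; returns the number of failed checks.
router_check() {
    wan="$1"; failed=0
    if forwarding_enabled; then
        echo "ok:   net.ipv4.ip_forward = 1"
    else
        echo "FAIL: net.ipv4.ip_forward is not 1 (sysctl -w net.ipv4.ip_forward=1, persist it under /etc/sysctl.d)"
        failed=$((failed + 1))
    fi
    routes=$(ip route 2>/dev/null || true)
    if default_route_via "$routes" "$wan"; then
        echo "ok:   default route leaves via $wan"
    else
        echo "FAIL: no default route via $wan"
        failed=$((failed + 1))
    fi
    if command -v nft >/dev/null 2>&1 && nft list table ip masqrule >/dev/null 2>&1; then
        echo "ok:   table ip masqrule is loaded"
    else
        echo "FAIL: table ip masqrule is not loaded (load the file with nft -f, or include it from /etc/nftables.conf)"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Usage: print the ruleset that would be loaded, then report on this host.
render_ruleset "$LAN_NET" "$WAN_IF"
router_check "$WAN_IF" || echo "$? check(s) failed"
```

Save the rendered ruleset to a file, load it with `nft -f`, and if it should survive reboots either include that file from /etc/nftables.conf (as Max describes) or append it there; the ip_forward sysctl is separate from nftables and needs its own persistent setting.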