On a KVM host running RHEL 8 I have some input and forwarding rules working fine, but now I would like to masquerade the traffic of a specific bridge, virbr0, so it can reach the internet without using the forwarding chain. VMs or system containers not using this virbr0 bridge should not have their outgoing traffic masqueraded.
This virbr0 bridge has the IP 192.168.100.1/24. A VM using this bridge has 192.168.200.2/24, with its default gateway being the IP address of virbr0. From the VM I can resolve DNS queries pointing to a DNS resolver on the KVM host.
This is my `nft list ruleset` output:

```
table inet host {
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        iifname eth0 tcp dport { port, port } accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # several rules similar to this one
        iifname other-bridge oifname tun0 ip saddr x.x.x.x/xx ip daddr { set addresses } tcp dport { set ports } accept
        # here I allow http traffic coming from virbr0 or it will be dropped by nftables (seen in log)
        iifname virbr0 oifname gw0 tcp dport { 80, 443 } accept
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority filter; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority mangle; policy accept;
        oifname virbr0 masquerade
    }
}
```
I must be doing something wrong, because I see the traffic going out of the correct interface on the KVM host, but it is probably not being masqueraded correctly, so the internet host does not know what to do with it and drops it.
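For comparison, the following is an added example of a nat table that masquerades only the bridge's traffic. It is editorial illustration, not the poster's ruleset or an accepted answer, and it assumes two things not confirmed above: that gw0 is the upstream (internet-facing) interface named in the forward rule, and that the VM subnet behind virbr0 is 192.168.100.0/24, matching the bridge address. The key point is that at the postrouting hook a VM-to-internet packet has gw0 as its output interface, so a rule keyed on `oifname virbr0` only ever matches packets heading back into the bridge; the selector for "came from the bridge, leaving upstream" is `iifname virbr0 oifname gw0` (or the equivalent source-address match). The chain priorities are also changed to the conventional `dstnat` / `srcnat` values for nat hooks.

```nft
#!/usr/sbin/nft -f
# Added example (not the original poster's configuration).
# Assumptions: gw0 is the upstream interface; the VM subnet on virbr0 is
# 192.168.100.0/24. Load with: nft -f this-file.nft

table ip nat {
    chain prerouting {
        # dstnat (-100) is the conventional priority for a DNAT hook
        type nat hook prerouting priority dstnat; policy accept;
    }

    chain postrouting {
        # srcnat (100) is the conventional priority for SNAT/masquerade
        type nat hook postrouting priority srcnat; policy accept;

        # Masquerade only packets that entered on virbr0 and leave on gw0.
        # oifname must be the upstream interface: for VM -> internet flows the
        # egress interface at postrouting is gw0, never virbr0.
        iifname virbr0 oifname gw0 masquerade

        # Equivalent address-based form; handy if the VM subnet is the only
        # thing you want to identify the traffic by:
        # ip saddr 192.168.100.0/24 oifname gw0 masquerade
    }
}
```

Traffic from other bridges or containers is untouched because neither rule matches their ingress interface or source prefix. To confirm the rewrite is happening, watch the upstream side with `tcpdump -ni gw0 host <vm-ip> or host <internet-host>` (the source should appear as gw0's address, not 192.168.x.x) and inspect the NAT state with `conntrack -L -n`; if the source is still the VM address, the masquerade rule is not being hit, which `nft list ruleset` with a counter on the rule will show.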