nft add table ip nat
nft add chain nat POSTROUTING { type nat hook postrouting priority 0\; }
nft add chain nat PREROUTING { type nat hook prerouting priority 0\; }
For example, LAN: 172.16.181.0/24
SNAT, if the external IP is static:
nft add rule nat POSTROUTING oifname eth0 ip saddr 172.16.181.0/24 counter snat to 18.187.61.156
If the WAN address is dynamic, use masquerade instead (the source is rewritten to whatever address eth0 currently has):
nft add rule nat POSTROUTING oifname eth0 ip saddr 172.16.181.0/24 counter masquerade
Port forwarding (DNAT) on the inbound interface. Note that iif matches by interface index, so the interface must already exist when the rule is loaded; iifname (used further down) matches by name and survives interface renames or late creation:
nft add rule ip nat PREROUTING iif vmbr0 tcp dport { 80, 443 } dnat to 172.16.2.2
nft add rule ip nat PREROUTING iif vmbr0 tcp dport 2222 dnat to 172.16.2.2:22
Forward everything arriving on vmbr0 from my IPs on port 2222 to 172.16.16.4:22 (the ip saddr match limits the forward to the listed source, so the SSH service is not exposed to the whole Internet):
nft add rule ip nat PREROUTING iifname "vmbr0" ip saddr 178.150.69.156 tcp dport 2222 dnat to 172.16.16.4:22
To make this persistent, write it into /etc/nftables.conf (file syntax: no "nft add rule ..." prefix and no escaped semicolons). Several admin addresses go into an anonymous set:
iifname "vmbr0" ip saddr { 178.150.69.156, 176.37.155.208 } tcp dport 2222 dnat to 172.16.16.4:22
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority filter; policy accept;
        oifname "vmbr0" ip saddr 172.16.16.0/24 counter masquerade
    }
    chain PREROUTING {
        type nat hook prerouting priority filter; policy accept;
        iif "vmbr0" udp dport 1194 counter dnat to 172.16.16.2
    }
}
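The pieces above (SNAT or masquerade, the HTTP/HTTPS and OpenVPN forwards, the source-restricted SSH forward) combined into one re-applicable file, as an added example rather than the note's own config. It picks snat or masquerade depending on whether a static WAN_IP is given, keeps the admin addresses in a named set so the rule does not change when an address does, uses the conventional dstnat/srcnat priorities instead of 0, and dry-runs the result with nft -c before anything is loaded. Interface, subnet and addresses are assumptions taken from this page and can be overridden through the environment; /tmp/nat.nft is an arbitrary output path.

```sh
#!/bin/sh
# Added example, not the note's own config: render the complete NAT ruleset
# assembled from the rules above into a file for /etc/nftables.conf and
# dry-run it with `nft -c`. Interface, subnet and addresses are assumptions
# taken from this page; override them through the environment.

WAN_IF="${WAN_IF:-vmbr0}"              # interface towards the Internet (Proxmox bridge here)
LAN_NET="${LAN_NET:-172.16.16.0/24}"   # inside network whose source addresses get NATed
WAN_IP="${WAN_IP:-}"                   # static public IP -> snat; empty -> masquerade
ADMIN_IPS="${ADMIN_IPS:-178.150.69.156, 176.37.155.208}"  # allowed SSH sources

# Print a complete nftables file. "add table" + "flush table" make it safe to
# load repeatedly without `flush ruleset`, which would also wipe a filter table.
render_nat_ruleset() {
    if [ -n "$WAN_IP" ]; then
        snat_action="snat to $WAN_IP"
    else
        snat_action="masquerade"
    fi
    cat <<EOF
#!/usr/sbin/nft -f
add table ip nat
flush table ip nat
table ip nat {
    # Source addresses allowed to reach the SSH port forward; edit the set,
    # not the rule, when an admin address changes.
    set admin_ips {
        type ipv4_addr
        elements = { $ADMIN_IPS }
    }

    chain postrouting {
        # srcnat (100) is the conventional priority for SNAT chains
        type nat hook postrouting priority srcnat; policy accept;
        oifname "$WAN_IF" ip saddr $LAN_NET counter $snat_action
    }

    chain prerouting {
        # dstnat (-100) runs DNAT before any filter-priority prerouting chain
        type nat hook prerouting priority dstnat; policy accept;
        iifname "$WAN_IF" tcp dport { 80, 443 } counter dnat to 172.16.2.2
        iifname "$WAN_IF" ip saddr @admin_ips tcp dport 2222 counter dnat to 172.16.16.4:22
        iifname "$WAN_IF" udp dport 1194 counter dnat to 172.16.16.2
    }
}
EOF
}

# Write the ruleset to a file and check it with `nft -c -f` (parse and
# validate without loading). Loading for real is left to the operator.
check_ruleset() {
    out="${1:-/tmp/nat.nft}"
    render_nat_ruleset > "$out"
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not found; wrote $out for review"
        return 0
    fi
    if nft -c -f "$out"; then
        echo "OK: $out validates; apply with: nft -f $out"
    else
        echo "validation failed for $out (nft -c may need root)" >&2
        return 1
    fi
}

# Forwarding itself is outside the nat table: DNAT'ed packets go nowhere
# unless routing is enabled and any filter forward chain accepts them.
forwarding_checklist() {
    cat <<'EOF'
sysctl -w net.ipv4.ip_forward=1          # and persist it under /etc/sysctl.d/
nft list chain inet filter forward       # if present, it must accept the forwarded flows
EOF
}

case "${1:-render}" in
    render) render_nat_ruleset ;;
    check)  check_ruleset "${2:-/tmp/nat.nft}" ;;
    hints)  forwarding_checklist ;;
esac
```

Run it as `sh nat.sh check` on the host to validate, then `nft -f /tmp/nat.nft` to load; with `WAN_IP=18.187.61.156 sh nat.sh render` the postrouting rule becomes a static snat instead of masquerade. The named set is the part worth keeping even for a single address: `nft add element ip nat admin_ips { 203.0.113.5 }` changes who may reach port 2222 without touching the rule or reloading the file.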