NAT Setup Guide Using nftables for Kloudust Cloud - TekMonksGitHub/kloudust GitHub Wiki

This guide covers the steps to configure NAT for VM endpoints in the Tekmonks Kloudust cloud using nftables, leveraging a VxLAN-based bridge for internet access.


Step 1: Create the VxLAN for Internet Host Fleet

Use the approach from the createVLAN script:

# Create a VxLAN interface
ip link add vinettest type vxlan id 42 dev eno2 remote <PEER_IP> dstport 4789
ip link set vinettest up

Step 2: Create the Internet Bridge on the host

Create a bridge interface to connect the VxLAN:

ip link add name vinettest_br type bridge
ip link set dev vinettest_br up

Attach the VxLAN interface to the bridge:

ip link set dev vinettest master vinettest_br

Assign an IP address to the bridge:

ip addr add 10.0.0.1/24 dev vinettest_br

Step 3: Create Virtual Ethernet Pair (veth) on the host

Set up a virtual Ethernet pair for VM connectivity:

ip link add dev vm_a type veth peer name vm_b

Attach one end (vm_b) to the bridge:

ip link set dev vm_b master vinettest_br
ip link set vm_b up

Move the other end (vm_a) to the VM's network namespace:

ip link set vm_a netns <VM_NAMESPACE>

💡 Alternatively, attach the bridge directly to the VM’s network interface in your virtualization platform.


Step 4: Configure nftables for NAT on the host

Start by flushing any existing nftables rules. Note that this removes every table on the host, including any existing firewall rules, so only do this on a host whose complete ruleset is meant to be rebuilt here:

nft flush ruleset

Create the NAT table and necessary chains:

nft add table nat
nft 'add chain nat postrouting { type nat hook postrouting priority 100; }'
nft 'add chain nat prerouting { type nat hook prerouting priority -100; }'

Step 5: Configure SNAT (Source NAT) on the host

Enable SNAT so that outbound traffic from the VMs appears to originate from the internet-facing interface (eno2).

First make sure IP forwarding is enabled on the host:

sysctl -w net.ipv4.ip_forward=1

Then add the postrouting rules:

nft 'add rule nat postrouting ip saddr 10.0.0.0/24 ip daddr != 10.0.0.0/24 oif eno2 masquerade;'
nft 'add rule nat postrouting ct state { established, related } accept;'

Step 6: Set Default Gateway in the VM

Inside the VM, set the default route to the internet bridge:

ip route add default via 10.0.0.1 dev vm_a

Step 7: Configure DNAT (Destination NAT) for Inbound Access on the host

Configure DNAT to forward external traffic to the VM:

  • Port-based DNAT:

nft 'add rule nat prerouting iif eno2 tcp dport {8000} dnat to 10.0.0.11;'

  • IP-based DNAT:

nft 'add rule nat prerouting iif eno2 ip daddr 91.232.105.77 dnat to 10.0.0.11;'

  • Handle established/related connections:

nft 'add rule nat prerouting ct state { established, related } accept;'

Example nftables NAT Ruleset at the host

Here’s a complete example ruleset:

table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 10.0.0.0/24 ip daddr != 10.0.0.0/24 oif "eno2" masquerade
		ct state { established, related } accept
	}
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		iif "eno2" ip daddr 91.232.105.77 dnat to 10.0.0.11
		ct state { established, related } accept
	}
}
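As an added example (not part of the wiki page or the Kloudust project), the same NAT setup rendered as one file for `nft -f`, so the rules are loaded atomically and only the tables this guide owns are flushed instead of the whole host ruleset. It also adds a `kd_filter` forward chain, which the guide does not have, so that only the published port reaches the VM from outside; the names `kd_filter`, `gen_nat_ruleset` and `apply_nat_ruleset` are assumptions.

```shell
#!/bin/sh
# Added example, not Kloudust code. Renders the guide's NAT ruleset plus a
# forward filter as one nft file. Table name kd_filter and the function
# names are assumptions; the constructed values mirror the guide's.

# gen_nat_ruleset WAN_IF VM_NET VM_IP PUB_PORT -> ruleset on stdout
gen_nat_ruleset() {
    wan_if=$1; vm_net=$2; vm_ip=$3; pub_port=$4
    cat <<EOF
# Scoped flush: only these two tables are replaced, other host rules stay.
add table ip nat
flush table ip nat
add table inet kd_filter
flush table inet kd_filter

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr $vm_net ip daddr != $vm_net oif "$wan_if" masquerade
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iif "$wan_if" tcp dport $pub_port dnat to $vm_ip
    }
}

table inet kd_filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # VM-originated traffic out to the internet
        ip saddr $vm_net oif "$wan_if" accept
        # From outside, only the published port reaches the VM (after DNAT)
        iif "$wan_if" ip daddr $vm_ip tcp dport $pub_port ct state new accept
    }
}
EOF
}

# apply_nat_ruleset: same arguments; syntax-check with nft -c, then load.
apply_nat_ruleset() {
    tmp=$(mktemp) || return 1
    gen_nat_ruleset "$@" > "$tmp"
    nft -c -f "$tmp" && nft -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run as root with `apply_nat_ruleset eno2 10.0.0.0/24 10.0.0.11 8000`; the check pass rejects a malformed file before anything on the host changes.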

Summary

✅ VxLAN and bridge (vinettest_br) connect KD hosts for internet access.
✅ VM endpoints connected via veth pairs to the bridge.
✅ nftables used for SNAT and DNAT.
✅ VM routes configured for default gateway.
