switch to legacy iptables
# Flush the entire nftables ruleset first so no nftables rules remain
# alongside the legacy iptables rules loaded later.
nft flush ruleset

# Install iptables plus the boot-time persistence helper, then point the
# iptables/ip6tables alternatives at the legacy (xtables) binaries.
apt install iptables iptables-persistent
update-alternatives --set iptables /usr/sbin/iptables-legacy
update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy

# arptables/ebtables are not switched here; kept commented for reference.
#update-alternatives --set arptables /usr/sbin/arptables-legacy
#update-alternatives --set ebtables /usr/sbin/ebtables-legacy
define a “valid rule set” on the filter table — eth2 does not need to be forwarded
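# Start from a clean slate in the three tables this rule set touches
# (filter is the default table): -F flushes all rules, -X deletes user chains.
iptables -F
iptables -F -t nat
iptables -F -t mangle
iptables -X
iptables -X -t nat
iptables -X -t mangle

# Default policy: anything not explicitly accepted below is dropped.
# Only FORWARD is set here; INPUT/OUTPUT policies are left untouched.
iptables -P FORWARD DROP

# Always allow ICMP, on any interface (no need for VRRP on the forward chain).
# Note this rule comes first, so ICMP is accepted before the state checks below.
iptables -A FORWARD -p icmp -j ACCEPT

# Log packets in the INVALID conntrack state (those we have to drop during
# fail-over). They are only logged here; no later rule matches INVALID, so the
# FORWARD DROP policy discards them.
# '-m conntrack --ctstate' replaces the deprecated '-m state --state'; the
# xt_state match is the one the nf_tables backend could not load.
iptables -A FORWARD -m conntrack --ctstate INVALID -j LOG

# Stateful forwarding, on any interface. NEW is accepted as well, so every
# new forwarded flow is permitted regardless of interface; the DROP policy
# above effectively only catches INVALID packets.
iptables -A FORWARD -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

# SNAT: rewrite the source of 10.1.0.0/16 leaving via eth0 to the public address.
iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -j SNAT --to-source 217.19.208.157

# DNAT: inbound TCP port 50 on eth0 is redirected to 10.1.0.50 port 22.
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 50 -j DNAT --to-destination 10.1.0.50:22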
save and reboot
# Dump the running rule set to a file ...
iptables-save > /etc/iptables.rules

# ... then edit rc.local by hand so the rules come back at boot; presumably
# the restore command below is the line to add there.
vi /etc/rc.d/rc.local
iptables-restore < /etc/iptables.rules
# Persist the legacy IPv4 rules to the file iptables-persistent loads at boot.
iptables-legacy-save > /etc/iptables/rules.v4

# No IPv6 rules were defined above, so rules.v6 is not written.
#ip6tables-legacy-save > /etc/iptables/rules.v6

# Inspect the persistence unit; the trailing note says it should show enabled.
systemctl status netfilter-persistent # enabled
iptables v1.8.2 (nf_tables): Couldn't load match `state':No such file or directory
==> switch to iptables-legacy as shown above
https://linux.die.net/man/8/iptables
https://wiki.debian.org/iptables