netfilter-full-cone-nat/README.md

Implementation of RFC 3489-compatible full cone SNAT for Linux netfilter: a kernel target (`xt_FULLCONENAT`) plus the matching iptables extension (`libipt_FULLCONENAT`).
Assuming eth0 is the external interface:

```
iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT # same as MASQUERADE for outbound traffic
iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT  # restores the mapping for inbound packets
```

Currently only UDP traffic gets full-cone NAT. For other protocols FULLCONENAT behaves exactly like MASQUERADE.
Build
======
Prerequisites:
* kernel source
* iptables source (git://git.netfilter.org/iptables.git)
If your kernel is older than 4.1x and the module fails to compile, build `xt_FULLCONENAT-old-kernel.c` instead of `xt_FULLCONENAT.c`.
Kernel Module (as standalone module)
-------------
```
$ make
# insmod xt_FULLCONENAT.ko
```
Kernel Module (in-tree building)
-------------
1. Copy `xt_FULLCONENAT.c` to `kernel-source/net/netfilter/xt_FULLCONENAT.c`
2. Append the following line to `kernel-source/net/netfilter/Makefile`:
```
obj-$(CONFIG_NETFILTER_XT_TARGET_FULLCONENAT) += xt_FULLCONENAT.o
```
3. Insert the following section into `kernel-source/net/ipv4/netfilter/Kconfig` right after the `config IP_NF_TARGET_NETMAP` section:
```
config IP_NF_TARGET_FULLCONENAT
	tristate "FULLCONENAT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_FULLCONENAT
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_FULLCONENAT.
```
4. Insert the following section into `kernel-source/net/netfilter/Kconfig` right after the `config NETFILTER_XT_TARGET_NETMAP` section:
```
config NETFILTER_XT_TARGET_FULLCONENAT
	tristate '"FULLCONENAT" target support'
	depends on NF_NAT
	---help---
	  Full Cone NAT
	  To compile it as a module, choose M here. If unsure, say N.
```
5. `cd` into the kernel source directory and prepare a working kernel config. If the running kernel was built with `CONFIG_IKCONFIG_PROC`, you can export its config:
```
zcat /proc/config.gz > .config
```
Otherwise copy the distribution's config, usually `/boot/config-$(uname -r)`, to `.config`.
6. Run `make menuconfig` and select:
Networking support -> Network options -> Network packet filtering framework (Netfilter) -> IP: Netfilter Configuration -> <M> FULLCONENAT target support
7. Prepare for building: `make prepare`
8. Run `make` to build the whole kernel. Alternatively, run `make modules SUBDIRS=net/netfilter` to build only the netfilter modules (on newer kernels, where `SUBDIRS=` is no longer accepted, use `make M=net/netfilter modules`).
9. Run `make modules_install` to install all built modules. Alternatively, load the module by hand with `insmod net/netfilter/xt_FULLCONENAT.ko`.
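Steps 1-4 above are mechanical file edits and are easy to get subtly wrong (section inserted in the wrong file, Makefile line appended twice on a retry). The script below is an added example, not part of the project, that performs them against a kernel tree given as an argument. It is idempotent: each step first checks whether its line or section is already present. The function names, the temporary-file handling and the assumption that a Kconfig section ends at the next line starting with `config ` are this script's own.

```shell
#!/bin/sh
# Added example (not part of the project): automates steps 1-4 of the in-tree
# build, i.e. copies the module source into the kernel tree and registers it in
# the netfilter Makefile and both Kconfig files. Re-running it is harmless: each
# step checks whether its line or section is already present. Function names
# are this script's own.
set -e

# Print each argument on its own line with a leading tab (Kconfig indentation).
tabbed() { printf '\t%s\n' "$@"; }

# kconfig_insert_after FILE ANCHOR BLOCKFILE
# Insert the contents of BLOCKFILE right after the section "config ANCHOR" in
# FILE. A section is assumed to end at the next line beginning with "config ",
# which holds for the two NETMAP entries this README anchors on.
kconfig_insert_after() {
    awk -v anchor="$2" -v blockfile="$3" '
        $1 == "config" && $2 == anchor { inside = 1; print; next }
        inside && $1 == "config" {
            while ((getline line < blockfile) > 0) print line
            print ""
            inside = 0
        }
        { print }
        END { if (inside) while ((getline line < blockfile) > 0) print line }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# install_fullconenat_tree KERNEL_SRC PATH_TO_xt_FULLCONENAT.c
install_fullconenat_tree() {
    src=$1; module=$2
    nf=$src/net/netfilter
    ipv4=$src/net/ipv4/netfilter
    tmp=$(mktemp)

    # step 1: the module source
    cp "$module" "$nf/xt_FULLCONENAT.c"

    # step 2: Makefile line ($(...) is literal here: it is for make, not sh)
    grep -q 'xt_FULLCONENAT\.o' "$nf/Makefile" ||
        printf 'obj-$(CONFIG_NETFILTER_XT_TARGET_FULLCONENAT) += xt_FULLCONENAT.o\n' >> "$nf/Makefile"

    # step 3: compat option in net/ipv4/netfilter/Kconfig, after IP_NF_TARGET_NETMAP
    if ! grep -q '^config IP_NF_TARGET_FULLCONENAT' "$ipv4/Kconfig"; then
        {
            echo 'config IP_NF_TARGET_FULLCONENAT'
            tabbed 'tristate "FULLCONENAT target support"' \
                   'depends on NETFILTER_ADVANCED' \
                   'select NETFILTER_XT_TARGET_FULLCONENAT' \
                   '---help---' \
                   "  This is a backwards-compat option for the user's convenience" \
                   '  (e.g. when running oldconfig). It selects' \
                   '  CONFIG_NETFILTER_XT_TARGET_FULLCONENAT.'
        } > "$tmp"
        kconfig_insert_after "$ipv4/Kconfig" IP_NF_TARGET_NETMAP "$tmp"
    fi

    # step 4: the real option in net/netfilter/Kconfig, after NETFILTER_XT_TARGET_NETMAP
    if ! grep -q '^config NETFILTER_XT_TARGET_FULLCONENAT' "$nf/Kconfig"; then
        {
            echo 'config NETFILTER_XT_TARGET_FULLCONENAT'
            tabbed "tristate '\"FULLCONENAT\" target support'" \
                   'depends on NF_NAT' \
                   '---help---' \
                   '  Full Cone NAT' \
                   '  To compile it as a module, choose M here. If unsure, say N.'
        } > "$tmp"
        kconfig_insert_after "$nf/Kconfig" NETFILTER_XT_TARGET_NETMAP "$tmp"
    fi
    rm -f "$tmp"
}

# Steps 7-8 for the module alone, once .config exists (steps 5-6). M= is the
# current kbuild spelling of the SUBDIRS= form used above.
build_fullconenat_module() {
    (cd "$1" && make prepare && make M=net/netfilter modules)
}
```

Typical use is `install_fullconenat_tree /usr/src/linux ./xt_FULLCONENAT.c`, then `make menuconfig` to set the option to `M`, then `build_fullconenat_module /usr/src/linux`. Because the sections are inserted immediately after the NETMAP entries, the new option appears in `menuconfig` exactly where step 6 says to look for it.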
IPtables extension
------------------
1. Copy `libipt_FULLCONENAT.c` and `libipt_FULLCONENAT.t` to `iptables-source/extensions`.
2. In the iptables source directory run `./configure`, `make` and `make install`. Pass `--prefix` so that the build replaces your current `iptables` (see where it lives with `which iptables`); an iptables binary installed under a different prefix will not find the new extension library.
Usage
=====
Assuming eth0 is the external interface:

Basic usage:
```
iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT
iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT
```
Random port range (only UDP gets the range; everything else falls back to MASQUERADE):
```
iptables -t nat -A POSTROUTING -o eth0 ! -p udp -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p udp -j FULLCONENAT --to-ports 40000-60000 --random-fully
iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dports 40000:60000 -j FULLCONENAT
```
Note the two range syntaxes: `--to-ports` takes `low-high`, while `multiport --dports` takes `low:high`. Since every mapping lives in 40000-60000, the PREROUTING rule only needs to match that range.
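Rules like the ones above are usually applied from a boot hook or a deploy script, and the classic mistake is appending them again on every run. The script below is an added example, not part of the project, that installs the random-port-range rule set for one interface, probing each rule with `iptables -C` before `-A` so repeated runs are no-ops, and refusing port ranges that are not valid. Setting `DRY_RUN=1` prints the commands instead of touching the live ruleset; the function names and that environment variable are this script's own.

```shell
#!/bin/sh
# Added example (not part of the project): applies the random-port-range rule
# set above for one external interface. Each rule is first probed with
# `iptables -C`, so re-running the script (e.g. from a boot hook) never appends
# duplicate rules. With DRY_RUN=1 the script prints the iptables commands it
# would run instead of touching the live ruleset. Function names and DRY_RUN
# are this script's own.

# run_ipt ARGS...  -- run iptables, or print the command in dry-run mode
run_ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# ensure_rule TABLE CHAIN RULE...  -- append RULE to CHAIN unless already present
ensure_rule() {
    table=$1; chain=$2; shift 2
    if [ "${DRY_RUN:-0}" != 1 ] && iptables -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    run_ipt -t "$table" -A "$chain" "$@"
}

# is_port N  -- decimal 1..65535
is_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# fullcone_rules IFACE LOW HIGH  -- install the three rules for IFACE
fullcone_rules() {
    iface=$1; lo=$2; hi=$3
    if ! is_port "$lo" || ! is_port "$hi" || [ "$lo" -gt "$hi" ]; then
        echo "fullcone_rules: bad port range '$lo-$hi'" >&2
        return 1
    fi
    # Everything that is not UDP gets plain MASQUERADE; FULLCONENAT would
    # behave identically for it anyway, and the port range is only for UDP.
    ensure_rule nat POSTROUTING -o "$iface" ! -p udp -j MASQUERADE
    # UDP: full-cone mapping, source port drawn fully at random from LOW-HIGH.
    # --to-ports takes a hyphenated range.
    ensure_rule nat POSTROUTING -o "$iface" -p udp -j FULLCONENAT \
        --to-ports "$lo-$hi" --random-fully
    # Inbound: every mapping lives inside the range, so only those destination
    # ports need the reverse lookup. multiport writes the range with a colon.
    ensure_rule nat PREROUTING -i "$iface" -p udp -m multiport \
        --dports "$lo:$hi" -j FULLCONENAT
}
```

Run `DRY_RUN=1 fullcone_rules eth0 40000 60000` to see the three commands, then the same call without `DRY_RUN` (as root) to apply them; a second real run prints nothing and changes nothing, which you can confirm with `iptables -t nat -S`.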