3.5 KiB
Implementation of RFC3489-compatible full cone SNAT.
Assuming eth0 is external interface:
iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT #same as MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT #automatically restore NAT for inbound packets
Currently only UDP traffic is supported for full-cone NAT. For other protos FULLCONENAT is equivalent to MASQUERADE.
Build
Prerequisites:
- kernel source
- iptables source ( git://git.netfilter.org/iptables.git )
Confirm the kernel configuration option CONFIG_NF_CONNTRACK_EVENTS
is enabled. If this option is disabled on your system, enable it and rebuild your netfilter modules.
Kernel Module (As a thrid-party module. Recommended.)
$ make
# insmod xt_FULLCONENAT.ko
Kernel Module (In-tree building. Optional.)
- Copy xt_FULLCONENAT.c to
kernel-source/net/netfilter/xt_FULLCONENAT.c
- Append following line to
kernel-source/net/netfilter/Makefile
:
obj-$(CONFIG_NETFILTER_XT_TARGET_FULLCONENAT) += xt_FULLCONENAT.o
- Insert following section into
kernel-source/net/ipv4/netfilter/Kconfig
right afterconfig IP_NF_TARGET_NETMAP
section:
config IP_NF_TARGET_FULLCONENAT
tristate "FULLCONENAT target support"
depends on NETFILTER_ADVANCED
select NETFILTER_XT_TARGET_FULLCONENAT
---help---
This is a backwards-compat option for the user's convenience
(e.g. when running oldconfig). It selects
CONFIG_NETFILTER_XT_TARGET_FULLCONENAT.
- Insert following section into
kernel-source/net/netfilter/Kconfig
right afterconfig NETFILTER_XT_TARGET_NETMAP
section:
config NETFILTER_XT_TARGET_FULLCONENAT
tristate '"FULLCONENAT" target support'
depends on NF_NAT
---help---
Full Cone NAT
To compile it as a module, choose M here. If unsure, say N.
cd
into the kernel source directory and prepare a working kernel config. This can be done by exporting from your current system:
zcat /proc/config.gz > .config
-
Run
make menuconfig
and select: Networking support -> Network options -> Network packet filtering framework (Netfilter) -> IP: Netfilter Configuration -> FULLCONENAT target support -
Prepare for building:
make prepare
-
Run
make
to build the kernel source. Alternatively, runmake modules SUBDIRS=net/netfilter
to build only the netfilter modules. -
Run
make modules_install
to install all built modules. Alternatively, manually load the xt_FULLCONENAT module byinsmod net/netfilter/xt_FULLCONENAT.ko
.
IPtables extension
-
Copy libipt_FULLCONENAT.c and libipt_FULLCONENAT.t to
iptables-source/extensions
. -
Under the iptables source directory,
./configure
(use--prefix
to replace your currentiptables
by looking atwhich iptables
),make
andmake install
Usage
Assuming eth0 is external interface:
Basic Usage:
iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT
iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT
Random port range:
iptables -t nat -A POSTROUTING -o eth0 ! -p udp -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p udp -j FULLCONENAT --to-ports 40000-60000 --random-fully
iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dports 40000:60000 -j FULLCONENAT
Hairpin NAT (Assuming eth1 is LAN interface and IP range for LAN is 192.168.100.0/24):
iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.100.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT
iptables -t nat -A PREROUTING -i eth1 -j FULLCONENAT