
NAT66 / NPT6


Markus G.

Sep 22, 2021, 11:30:02 AM

Hello,

Is it possible to implement NAT66 / NPT6 with nftables?
What is the best way to set that up using firewalld / firewall-cmd?


Background: the internal network uses IPv6 ULA; now a server in the internal network has to be made reachable via a PA IP.
So public IPv6 -> private IPv6.

Best regards,
Markus G.


Dennis Filder

Sep 22, 2021, 1:10:02 PM
On Wed, Sep 22, 2021 at 05:17:25PM +0200, Markus G. wrote:

> Is it possible to implement NAT66 / NPT6 with nftables?
> What is the best way to set that up using firewalld / firewall-cmd?
>
> Background: the internal network uses IPv6 ULA; now a server in the
> internal network has to be made reachable via a PA IP. So public
> IPv6 -> private IPv6.

1. List language is English.

2. For the legacy ip6tables version the NETMAP target is what you want
(see manpage for iptables-extensions). For nftables the feature
you're looking for was added rather recently, but the Bullseye
version (0.9.8-*) should have it:
https://git.netfilter.org/nftables/commit/?id=35a6b10c1bc488ca195e9c641563c29251f725f3
The commit message gives an example for the "ip" address family.
The prefixes to be mapped need to be specified explicitly, so if
your public prefix changes frequently you need to set up something
to update the rule (ip6tables) or use a named map and update that
(nftables).

3. I'm unfamiliar with firewalld and thus can't really help you much
here, but you'll probably have to use the Direct Interface to add
your desired rule. Unfortunately, the documentation on it seems to
not have been updated all too recently:
https://firewalld.org/documentation/direct/

4. If it is only one server that is affected, can't you just map only
a single address pair? Might be easier.

Good luck

Dennis Filder

Sep 22, 2021, 2:20:02 PM
To add one important detail: neither netmap feature performs the
16-bit word adjustment described in RFC 6296 § 3.2-3.5. But
apparently there are also DNPT/SNPT targets for ip6tables (which I
didn't know about) which should do exactly what you want.

Regards
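The difference between a plain prefix swap (what the netmap targets in ip6tables and nftables do, as described in point 2 above) and the checksum-neutral mapping of RFC 6296 (the "16-bit word adjustment" mentioned in the follow-up) is easiest to see on concrete addresses. The Python below is an added example written for this page, not code from the thread or from netfilter: it implements the RFC 6296 § 3.1 algorithm for two /48 prefixes, computes the constant "adjustment" (internal minus external, in one's complement arithmetic), applies it to word 3 (the subnet ID) in both directions, and compares the result with a netmap-style prefix replacement. The prefixes and addresses are constructed (a ULA /48 inside, a documentation /48 outside); the /48 restriction and the choice to write a one's complement zero as 0x0000 rather than 0xFFFF are this example's simplifications.

```python
import ipaddress

# Added example (not from the thread): RFC 6296 NPTv6 mapping for two /48
# prefixes beside a plain prefix swap of the kind netmap performs, so the
# difference in checksum neutrality can be seen on constructed addresses.


def ones_complement_sum(words):
    """One's complement sum of 16-bit words with end-around carry (as in RFC 1071)."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total & 0xFFFF


def to_words(addr):
    """Split an IPv6 address into its eight 16-bit words, most significant first."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words(words):
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def address_checksum(addr):
    """One's complement sum over the whole address: the quantity NPTv6 keeps constant."""
    return ones_complement_sum(to_words(addr))


def netmap(addr, src_net, dst_net):
    """Plain 1:1 prefix replacement, as the netmap targets do: no word adjustment."""
    src, dst = ipaddress.IPv6Network(src_net), ipaddress.IPv6Network(dst_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("netmap needs prefixes of equal length")
    host_bits = 128 - src.prefixlen
    host_part = int(ipaddress.IPv6Address(addr)) & ((1 << host_bits) - 1)
    return ipaddress.IPv6Address(int(dst.network_address) | host_part)


class NPTv6Translator:
    """Stateless, checksum-neutral prefix translation between two /48s (RFC 6296 §3.1)."""

    def __init__(self, internal_prefix, external_prefix):
        self.internal = ipaddress.IPv6Network(internal_prefix)
        self.external = ipaddress.IPv6Network(external_prefix)
        if self.internal.prefixlen != 48 or self.external.prefixlen != 48:
            raise ValueError("this example implements the /48 case only")
        int_sum = ones_complement_sum(to_words(self.internal.network_address)[:3])
        ext_sum = ones_complement_sum(to_words(self.external.network_address)[:3])
        # adjustment = internal - external in one's complement arithmetic
        # (subtraction is addition of the bitwise complement); it is a
        # constant for the lifetime of the configuration.
        self.adjustment = ones_complement_sum([int_sum, ext_sum ^ 0xFFFF])

    def _translate(self, addr, src_net, dst_net, delta):
        a = ipaddress.IPv6Address(addr)
        if a not in src_net:
            raise ValueError(f"{a} is not in {src_net}")
        words = to_words(a)
        words[:3] = to_words(dst_net.network_address)[:3]   # swap the /48 prefix
        # Word 3 (the subnet ID) absorbs the checksum difference. 0xFFFF and
        # 0x0000 are both zero in one's complement; this example writes 0x0000,
        # so an internal subnet ID of 0xFFFF cannot be distinguished from 0x0000.
        adjusted = ones_complement_sum([words[3], delta])
        words[3] = 0x0000 if adjusted == 0xFFFF else adjusted
        return from_words(words)

    def outbound(self, addr):
        """Internal -> external (the SNPT direction): add the adjustment."""
        return self._translate(addr, self.internal, self.external, self.adjustment)

    def inbound(self, addr):
        """External -> internal (the DNPT direction): subtract the adjustment."""
        return self._translate(addr, self.external, self.internal, self.adjustment ^ 0xFFFF)


if __name__ == "__main__":
    # Constructed prefixes: a ULA /48 inside, a documentation /48 outside.
    t = NPTv6Translator("fd01:203:405::/48", "2001:db8:1::/48")
    inside = "fd01:203:405:1::1"
    outside = t.outbound(inside)
    print(f"adjustment = {t.adjustment:#06x}")
    print(f"{inside} -> {outside} -> {t.inbound(outside)}")
    print("NPTv6 checksum-neutral:",
          address_checksum(inside) == address_checksum(outside))
    plain = netmap(inside, "fd01:203:405::/48", "2001:db8:1::/48")
    print(f"netmap {inside} -> {plain}; checksum-neutral:",
          address_checksum(inside) == address_checksum(plain))
```

Because the one's complement sum of the address is unchanged, the TCP/UDP/ICMPv6 pseudo-header checksum is unchanged too, so the translator never has to parse or rewrite transport headers; that is what lets NPTv6 be stateless and transport-agnostic. A plain prefix swap changes that sum, so a netmap-based setup relies on the NAT engine (and conntrack) to fix up the checksum of every flow it knows about. The ip6tables SNPT/DNPT targets mentioned above implement this arithmetic in the kernel.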