On 4/1/19 10:40, 马树超 wrote:
Hi, all
Recently, I worked on an "IPv6 NAT gateway" based on ip6tables+netfilter.
Question Description:
- Host A: a machine with an ipv6-A address (could be reached globally)
- Host B: a machine with an ipv6-B address (could not be reached from outside)
AIM:
- I want to let Host-B reach the outside Internet via Host-A (IPv6 NAT)
Question:
- I created an IPv6 VXLAN tunnel between Host-A and Host-B.
- And set "forwarding = 1" on A & B
- and set an ip6tables rule like this:
- ip6tables -t nat -A POSTROUTING -p tcp -s 2400:da00:e006:5e01::/64 -o xgbe1 -j MASQUERADE
- But:
- I can see packets on the vxlan device on Host-A (via "tcpdump -i $vxlan_device_name").
- But these packets are just lost: not NATed, and not routed to POSTROUTING.
- "ip6tables -t nat -nvL" shows that no packets passed.
What can I do about this? I don't know how to solve it or analyze it.
---
shuchao.max
In principle what you are doing sounds like it should be doing what
you're asking, though the "-p tcp" in the MASQUERADE rule should be
omitted unless you want to NAT only TCP packets and not UDP or other
protocols (and then the other protocols would go out with their original
addresses). Does IPv6 connectivity work from Host-A to begin with? Can
Host-A reach Host-B via IPv6?
You should also note that your entire premise is a common configuration
mistake and you should make sure this is actually what you want. NAT
like this is typically not necessary with IPv6 and is only used with
IPv4 because there are not enough public IPv4 addresses. It is not
unusual to desire a firewall and conflate NAT with that, but it is
possible to configure an IPv6 firewall without NAT, by omitting the NAT
rule entirely and doing something like this:
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i $vxlan_device_name -j ACCEPT
ip6tables -A FORWARD -j REJECT
Note that if you want an IPv6 firewall you would have these rules even
with NAT.
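As an added example (not code from either poster), here is the stateful IPv6 forwarding firewall from the reply as a script that prints the ip6tables commands by default and only executes them when run as root with "apply", plus a check for the "-p tcp" restriction on a MASQUERADE rule. The interface names vxlan0 and xgbe1 are assumptions, and the ACCEPT rule is tightened to the upstream interface with -o.

```shell
#!/bin/sh
# Added example, not code from the thread: the stateful IPv6 forwarding
# firewall the reply describes, as a script. Interface names are assumed;
# override with LAN_IF / WAN_IF. Dry run by default; "apply" needs root.
LAN_IF="${LAN_IF:-vxlan0}"   # tunnel toward Host-B (assumed name)
WAN_IF="${WAN_IF:-xgbe1}"    # upstream interface named in the original post

# Print the FORWARD-chain commands, one per line, without executing them.
# Default policy DROP plus a final REJECT: only established/related flows
# and new flows entering from the tunnel are forwarded, no NAT involved.
v6_fw_rules() {
    lan="$1"; wan="$2"
    cat <<EOF
ip6tables -P FORWARD DROP
ip6tables -F FORWARD
ip6tables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A FORWARD -i $lan -o $wan -j ACCEPT
ip6tables -A FORWARD -j REJECT
EOF
}

# Print 1 if the kernel forwards IPv6 (the "forwarding = 1" step), else 0.
v6_forwarding_enabled() {
    f=/proc/sys/net/ipv6/conf/all/forwarding
    if [ -r "$f" ]; then cat "$f"; else echo 0; fi
}

# Read ip6tables commands on stdin and count MASQUERADE rules restricted to
# a single protocol with -p, the "-p tcp" mistake the reply points out.
count_proto_limited_masq() {
    grep -- '-j MASQUERADE' | grep -c -- ' -p ' || true
}

if [ "${1:-}" = apply ]; then
    v6_fw_rules "$LAN_IF" "$WAN_IF" | sh -e
else
    v6_fw_rules "$LAN_IF" "$WAN_IF"
fi
```

Run it without arguments first and review the printed commands; a count of 1 from count_proto_limited_masq means NAT would apply to one protocol only, and other protocols would leave with their original addresses.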