IPv6 npt nftables: Unterschied zwischen den Versionen
| (5 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
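--- a/IPv6 npt nftables
+++ b/IPv6 npt nftables
@@ -1,3 +1,56 @@
+# NPT-Tabelle erstellen
 *sudo nft add table inet nat6
+
+# NPT-Chain erstellen
 *sudo nft add chain inet nat6 npt_chain { type nat hook postrouting priority 0 \; }
-*sudo nft add rule inet nat6 npt_chain ip6 saddr
+
+# NPT-Regel hinzufügen
+*sudo nft add rule inet nat6 npt_chain ip6 saddr fd00:abcd::/64 oifname "eth0" counter masquerade
+
+<pre>
+#!/usr/sbin/nft -f
+
+define int_ula_sub = fd00:1:2:3::/64
+define ext_gua_sub = 2a02:24d8:71:2444::/64
+
+flush ruleset
+
+table inet filter {
+chain input {
+type filter hook input priority filter;
+}
+chain forward {
+type filter hook forward priority filter;
+}
+chain output {
+type filter hook output priority filter;
+}
+}
+
+table inet nat {
+chain postrouting {
+type nat hook postrouting priority 100;
+snat ip6 prefix to ip6 saddr map { $int_ula_sub : $ext_gua_sub }
+}
+chain preouting {
+type nat hook prerouting priority 100;
+dnat ip6 prefix to ip6 daddr map { $ext_gua_sub : $int_ula_sub }
+}
+}
+
+</pre>
+
+<pre>
+table inet nat {
+chain postrouting {
+type nat hook postrouting priority 100;
+ip6 saddr $int_ula_sub oif "eth0" ip6 daddr $ext_gua_sub return
+}
+chain prerouting {
+type nat hook prerouting priority 100;
+ip6 daddr $ext_gua_sub iif "eth0" ip6 saddr $int_ula_sub return
+}
+}
+</pre>
+
+*https://git.netfilter.org/nftables/commit/?id=35a6b10c1bc488ca195e9c641563c29251f725f3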
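Review bot: The `chain forward` in the new `table inet filter` (first `<pre>` block) has no `policy drop` and no conntrack rule, so once `dnat ip6 prefix to ip6 daddr map` rewrites inbound packets for `$ext_gua_sub` into `$int_ula_sub`, everything arriving from the outside is forwarded into the ULA network unfiltered; the chain should at least read `type filter hook forward priority filter; policy drop;` followed by `ct state established,related accept` and explicit accept rules for what is allowed in. In the same block the chain named `preouting` is a typo for `prerouting` (the second block spells it correctly); the hook keyword is right so it still loads, but the chain name is what `nft list` and later rule additions refer to. The hand-typed `nft add rule ... counter masquerade` line near the top is NAT66 masquerading rather than prefix translation, so it does not match the page title or the map-based rules below; a one-line comment saying it is an alternative would avoid readers combining the two. If the second `<pre>` block is meant to be loaded into the same `table inet nat` as the first, its `return` rules are appended after the `snat`/`dnat` rules and never exempt anything — presumably it is an alternative or must come first, which the page should state.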
Aktuelle Version vom 29. Januar 2024, 18:22 Uhr
- NPT-Tabelle erstellen
- sudo nft add table inet nat6
- NPT-Chain erstellen
- sudo nft add chain inet nat6 npt_chain { type nat hook postrouting priority 0 \; }
- NPT-Regel hinzufügen
- sudo nft add rule inet nat6 npt_chain ip6 saddr fd00:abcd::/64 oifname "eth0" counter masquerade
#!/usr/sbin/nft -f
# Prefix pair used by the translation rules below: the internal ULA /64 and
# the external GUA /64 it is mapped to.
# NOTE(review): confirm ext_gua_sub is the prefix actually routed to this host
# before loading; a wrong value here silently mistranslates every packet.
define int_ula_sub = fd00:1:2:3::/64
define ext_gua_sub = 2a02:24d8:71:2444::/64
# Removes every existing table in every family (including any IPv4 rules)
# before the tables below are created.
flush ruleset
# Base filter table. All three chains carry nftables' default accept policy
# (written out explicitly here), so this table restricts nothing by itself.
# NOTE(review): together with the prefix DNAT in the nat table, traffic that
# arrives for $ext_gua_sub is forwarded into $int_ula_sub without any check;
# a deployment wants "policy drop;" plus "ct state established,related accept"
# and explicit accept rules on the forward chain.
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
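# Prefix translation (NPTv6-style) between the two /64s defined above,
# using the map form of snat/dnat.
table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # Outbound: rewrite the ULA source prefix to the GUA prefix.
        snat ip6 prefix to ip6 saddr map { $int_ula_sub : $ext_gua_sub }
    }
    # Chain name fixed: the original read "preouting". The hook keyword was
    # already correct so the chain loaded, but the name is what nft commands
    # and later rule additions refer to.
    chain prerouting {
        # NOTE(review): nftables' conventional priority for dnat is dstnat
        # (-100); 100 is kept as written — confirm ordering if other
        # prerouting nat chains exist.
        type nat hook prerouting priority 100;
        # Inbound: rewrite the GUA destination prefix back to the ULA prefix.
        dnat ip6 prefix to ip6 daddr map { $ext_gua_sub : $int_ula_sub }
    }
}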
# Exemptions in the nat table: packets between $int_ula_sub and
# $ext_gua_sub crossing eth0 are returned from the chain, i.e. left
# untranslated.
# NOTE(review): if this block is loaded after the snat/dnat rules of the
# first nat block, these "return" rules are appended behind them and never
# take effect — confirm whether it is an alternative or must come first.
table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # oif resolves "eth0" to an interface index at load time, unlike oifname.
        oif "eth0" ip6 saddr $int_ula_sub ip6 daddr $ext_gua_sub return
    }
    chain prerouting {
        type nat hook prerouting priority 100;
        iif "eth0" ip6 daddr $ext_gua_sub ip6 saddr $int_ula_sub return
    }
}