NAT66 /NPT6



On Wed, Sep 22, 2021 at 05:17:25PM +0200, Markus G. wrote:

> is it possible to implement nat66 / npt6 via nftables?
> What is the best way to do this with firewalld / firewall-cmd??
>
> Background: the internal network uses IPv6 ULA; now a server on the
> internal network has to be reached via a PA IP.  So
> public IP6 -> private IP6.

1. List language is English.

2. For the legacy ip6tables version the NETMAP target is what you want
   (see manpage for iptables-extensions).  For nftables the feature
   you're looking for was added rather recently, but the Bullseye
   version (0.9.8-*) should have it:
   https://git.netfilter.org/nftables/commit/?id=35a6b10c1bc488ca195e9c641563c29251f725f3
   The commit message gives an example for the "ip" address family.
   The prefixes to be mapped need to be specified explicitly, so if
   your public prefix changes frequently you need to set up something
   to update the rule (ip6tables) or use a named map and update that
   (nftables).

3. I'm unfamiliar with firewalld and thus can't really help you much
   here, but you'll probably have to use the Direct Interface to add
   your desired rule.  Unfortunately, the documentation on it seems to
   not have been updated all too recently:
   https://firewalld.org/documentation/direct/

4. If it is only one server that is affected, can't you just map only
   a single address pair?  Might be easier.

Good luck

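The reply points at the commit's example for the "ip" family; below is the same idea written out for the ip6 family as an added example (not from the thread or the nftables project). Prefixes are constructed placeholders (a 2001:db8::/32 documentation prefix and a locally made-up ULA), and the table and chain names are arbitrary; the syntax assumes nftables with prefix NAT support (the 0.9.8 Bullseye version mentioned above) and a kernel whose nat expression accepts the prefix flag.

```nft
# Added example, not from the original thread or the nftables project.
# Stateful 1:1 prefix translation (NAT66) between a public prefix and an
# internal ULA prefix, adapting the "ip" family example from the commit
# linked in the reply to the "ip6" family.  Both prefixes are constructed
# placeholders; replace them with your own.
table ip6 npt6 {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Inbound: rewrite the public destination prefix to the ULA prefix.
        # With "prefix" only the network part changes; the host part of
        # the address is carried over unchanged.
        dnat ip6 prefix to ip6 daddr map { 2001:db8:1234::/64 : fd12:3456:789a::/64 }
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound: rewrite the ULA source prefix back to the public prefix
        # so replies (and connections originating inside) leave with the
        # public address.
        snat ip6 prefix to ip6 saddr map { fd12:3456:789a::/64 : 2001:db8:1234::/64 }
    }
}
```

Load it with `nft -f` and inspect with `nft list ruleset`. Two caveats worth knowing before relying on it: this is conntrack-based NAT, so unlike the checksum-neutral, stateless translation RFC 6296 describes for NPTv6 it keeps per-flow state and is subject to conntrack table limits and timeouts; and a nat rule only rewrites addresses, it does not decide what is allowed in, so the forward chain still needs explicit filtering for what may reach the mapped server. The legacy equivalent the reply mentions is the NETMAP target in the ip6tables nat table (`-j NETMAP --to <prefix>`), one rule per direction. Point 4 of the reply applies here too: if only one host is involved, a plain `dnat ip6 to` / `snat ip6 to` pair with single addresses instead of the prefix map is simpler and narrows what is exposed.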