On Wed, Sep 22, 2021 at 05:17:25PM +0200, Markus G. wrote:
Is it possible to implement nat66 / npt6 via nftables?
How do I best set that up with firewalld / firewall-cmd?
Background: the internal network uses IPv6 ULA, and now a server on the internal
network has to be reachable via a PA IP address. So public IPv6 -> private IPv6.
1. List language is English.
2. For the legacy ip6tables version the NETMAP target is what you want
(see manpage for iptables-extensions). For nftables the feature
you're looking for was added rather recently, but the Bullseye
version (0.9.8-*) should have it:
https://git.netfilter.org/nftables/commit/?id=35a6b10c1bc488ca195e9c641563c29251f725f3
The commit message gives an example for the "ip" address family.
The prefixes to be mapped need to be specified explicitly, so if
your public prefix changes frequently you need to set up something
to update the rule (ip6tables) or use a named map and update that
(nftables).
3. I'm unfamiliar with firewalld and thus can't really help you much
here, but you'll probably have to use the Direct Interface to add
your desired rule. Unfortunately, the documentation on it seems to
not have been updated all too recently:
https://firewalld.org/documentation/direct/
4. If it is only one server that is affected, can't you just map only
a single address pair? Might be easier.
Good luck
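An IPv6 ruleset for the setup the thread describes, added here as an example (it is not from the thread or the linked commit): prefix-to-prefix mapping in both directions using the nat map syntax that nftables 0.9.8 introduced, plus the single-address variant from point 4. The ULA prefix, the public PA prefix, the host addresses and the interface name "wan0" are constructed placeholders; replace them with your own.

```nft
# Example ruleset (assumed values, not the original poster's network):
# ULA prefix fd12:3456:789a:1::/64 <-> public PA prefix 2001:db8:1:1::/64,
# upstream interface "wan0". Needs nftables >= 0.9.8 (Bullseye) and ip6 nat
# support in the kernel; like ip6tables NETMAP, this mapping goes through
# conntrack rather than being stateless like RFC 6296 NPTv6.
table ip6 npt {
    chain post {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound: rewrite the internal ULA source prefix to the public prefix.
        oifname "wan0" snat ip6 prefix to ip6 saddr map { fd12:3456:789a:1::/64 : 2001:db8:1:1::/64 }
    }
    chain pre {
        type nat hook prerouting priority dstnat; policy accept;
        # Inbound: rewrite the public destination prefix back to the ULA prefix.
        iifname "wan0" dnat ip6 prefix to ip6 daddr map { 2001:db8:1:1::/64 : fd12:3456:789a:1::/64 }
    }
}

# Alternative for point 4: only one server, so map a single address pair
# instead of whole prefixes (load with one table or the other, not both).
table ip6 npt_single {
    chain post {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" ip6 saddr fd12:3456:789a:1::10 snat to 2001:db8:1:1::10
    }
    chain pre {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "wan0" ip6 daddr 2001:db8:1:1::10 dnat to fd12:3456:789a:1::10
    }
}
```

Load it with `nft -f <file>` and verify the result with `nft list table ip6 npt`; the legacy equivalent is the NETMAP target in ip6tables' nat table, e.g. `ip6tables -t nat -A POSTROUTING -s fd12:3456:789a:1::/64 -o wan0 -j NETMAP --to 2001:db8:1:1::/64` with the mirrored PREROUTING rule for inbound traffic.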