• NAT66 /NPT6

    From Markus G.@21:1/5 to All on Wed Sep 22 17:30:02 2021
    Hello,

    Is it possible to implement NAT66 / NPT6 via nftables?
    What is the best way to set this up with firewalld / firewall-cmd?

    Background: the internal network uses IPv6 ULA; now a server in the internal network has to be made reachable via a PA IP.
    So public IPv6 -> private IPv6.

    Regards,
    Markus G.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Dennis Filder@21:1/5 to Markus G. on Wed Sep 22 19:10:02 2021
    On Wed, Sep 22, 2021 at 05:17:25PM +0200, Markus G. wrote:

    > Is it possible to implement NAT66 / NPT6 via nftables?
    > What is the best way to set this up with firewalld / firewall-cmd?
    >
    > Background: the internal network uses IPv6 ULA; now a server in the
    > internal network has to be made reachable via a PA IP. So public IPv6 -> private IPv6.

    1. List language is English.

    2. For the legacy ip6tables version the NETMAP target is what you want
    (see manpage for iptables-extensions). For nftables the feature
    you're looking for was added rather recently, but the Bullseye
    version (0.9.8-*) should have it:
    https://git.netfilter.org/nftables/commit/?id=35a6b10c1bc488ca195e9c641563c29251f725f3
    The commit message gives an example for the "ip" address family.
    The prefixes to be mapped need to be specified explicitly, so if
    your public prefix changes frequently you need to set up something
    to update the rule (ip6tables) or use a named map and update that
    (nftables).

    3. I'm unfamiliar with firewalld and thus can't really help you much
    here, but you'll probably have to use the Direct Interface to add
    your desired rule. Unfortunately, the documentation on it seems to
    not have been updated all too recently:
    https://firewalld.org/documentation/direct/

    4. If it is only one server that is affected, can't you just map only
    a single address pair? Might be easier.

    Good luck

  • From Dennis Filder@21:1/5 to All on Wed Sep 22 20:20:02 2021
    To add one important detail: neither netmap feature performs the
    16-bit word adjustment described in RFC 6296 § 3.2-3.5. But
    apparently there are also DNPT/SNPT targets for ip6tables (which I
    didn't know about) which should do exactly what you want.

    Regards

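
The two replies above draw a distinction that is easy to miss: a plain prefix map (ip6tables NETMAP, nftables netmap) only swaps the prefix bits, while RFC 6296 NPTv6 (ip6tables SNPT/DNPT) additionally adjusts one 16-bit word so the one's-complement sum of the address is unchanged and transport checksums need no rewriting. The following Python is an added example, not code from the thread or from the netfilter project; it implements both mappings on the RFC 6296 example prefixes (fd01:203:405::/48 inside, 2001:db8:1::/48 outside, both taken from the RFC) and checks the checksum-neutral property. Function names and the sample addresses are the example's own.

```python
"""NPTv6 (RFC 6296) mapping next to a plain prefix replacement.

Added example: prefix_replace() behaves like NETMAP / nft netmap (prefix bits
only); npt_translate() follows RFC 6296 sections 3.2-3.5 (prefix bits plus a
checksum-neutral adjustment of one 16-bit word), which is what SNPT/DNPT do.
"""
import ipaddress


def words(addr):
    """Split a 128-bit address into eight 16-bit words, most significant first."""
    packed = addr.packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def from_words(ws):
    """Rebuild an IPv6Address from eight 16-bit words."""
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in ws))


def fold(total):
    """Reduce an integer to a 16-bit one's-complement sum (end-around carry)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ones_sum(ws):
    """16-bit one's-complement sum of a list of words."""
    return fold(sum(ws))


def prefix_replace(addr, inside, outside):
    """Plain netmap: replace the prefix bits, keep the host bits untouched."""
    plen = inside.prefixlen
    if plen != outside.prefixlen or plen > 64:
        raise ValueError("prefixes must have the same length and be /64 or shorter")
    host_mask = (1 << (128 - plen)) - 1
    host_bits = int(addr) & host_mask
    return ipaddress.IPv6Address(int(outside.network_address) | host_bits)


def npt_translate(addr, inside, outside):
    """RFC 6296 mapping: prefix replacement plus a checksum-neutral adjustment.

    Returns None when no word can carry the adjustment (RFC 6296 has the
    translator drop such packets).
    """
    mapped = words(prefix_replace(addr, inside, outside))
    # adjustment = sum(inside prefix) - sum(outside prefix), in one's complement
    in_sum = ones_sum(words(inside.network_address))
    out_sum = ones_sum(words(outside.network_address))
    adj = fold(in_sum + (0xFFFF ^ out_sum))
    if inside.prefixlen <= 48:
        idx = 3  # the subnet field, bits 48..63 (RFC 6296 section 3.2)
    else:
        # prefix reaches into the subnet field: adjust the first IID word
        # that is not 0xFFFF (RFC 6296 section 3.3)
        idx = next((i for i in range(4, 8) if mapped[i] != 0xFFFF), None)
        if idx is None:
            return None
    new = fold(mapped[idx] + adj)
    if new == 0xFFFF:
        new = 0  # 0xFFFF and 0x0000 are the same one's-complement value
    mapped[idx] = new
    return from_words(mapped)


def checksum_neutral(a, b):
    """True when both addresses have the same one's-complement sum."""
    def norm(s):
        return 0 if s == 0xFFFF else s
    return norm(ones_sum(words(a))) == norm(ones_sum(words(b)))


if __name__ == "__main__":
    # prefixes and inside address from the RFC 6296 worked example
    inside = ipaddress.IPv6Network("fd01:203:405::/48")
    outside = ipaddress.IPv6Network("2001:db8:1::/48")
    host = ipaddress.IPv6Address("fd01:203:405:1::1234")
    plain = prefix_replace(host, inside, outside)
    npt = npt_translate(host, inside, outside)
    print("netmap:", plain, "checksum-neutral:", checksum_neutral(host, plain))
    print("NPTv6: ", npt, "checksum-neutral:", checksum_neutral(host, npt))
    print("round trip:", npt_translate(npt, outside, inside) == host)
```

Run it with no arguments: the netmap result keeps subnet word 1, the NPTv6 result carries the subnet word d550 that RFC 6296 shows for this address, and translating the outside address back with the prefixes swapped returns the original. The difference between the two outputs is exactly the adjustment that netmap does not perform.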