author | Chion Tang <sdspeedonion@gmail.com> | 2018-01-20 12:37:58 +0000 |
---|---|---|
committer | Chion Tang <sdspeedonion@gmail.com> | 2018-01-20 12:37:58 +0000 |
commit | 671a13cff819273afe67d070917133d8c6ee776a (patch) | |
tree | 8cb5493e7e75faacad94d767ab8b912bed22a1f5 | |
parent | fix new mapping init (diff) | |
download | netfilter-full-cone-nat-671a13cff819273afe67d070917133d8c6ee776a.tar.gz netfilter-full-cone-nat-671a13cff819273afe67d070917133d8c6ee776a.tar.bz2 netfilter-full-cone-nat-671a13cff819273afe67d070917133d8c6ee776a.zip |
Add build guide
-rw-r--r-- | README.md | 86 | ||||
-rw-r--r-- | libipt_FULLCONENAT.t | 9 |
2 files changed, 95 insertions, 0 deletions
@@ -2,6 +2,92 @@ Implementation of full cone SNAT. Currently only UDP is supported and actions for other protos are like MASQUERADE. Assume eth0 is external interface: +``` +iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT #same as MASQUERADE +iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT +``` + +Build +====== +Prerequisites: +* kernel source +* iptables source (git://git.netfilter.org/iptables.git) + +Kernel Module +------------- +1. Copy xt_FULLCONENAT.c to `kernel-source/net/netfilter/xt_FULLCONENAT.c` +2. Append following line to `kernel-source/net/netfilter/Makefile`: + +``` +obj-$(CONFIG_NETFILTER_XT_TARGET_FULLCONENAT) += xt_FULLCONENAT.o +``` + +3. Insert following section to `kernel-source/net/ipv4/netfilter/Kconfig` right after `config IP_NF_TARGET_NETMAP` section: + +``` +config IP_NF_TARGET_FULLCONENAT + tristate "FULLCONENAT target support" + depends on NETFILTER_ADVANCED + select NETFILTER_XT_TARGET_FULLCONENAT + ---help--- + This is a backwards-compat option for the user's convenience + (e.g. when running oldconfig). It selects + CONFIG_NETFILTER_XT_TARGET_FULLCONENAT. + +``` + +4. Insert following section to `kernel-source/net/netfilter/Kconfig` right after `config NETFILTER_XT_TARGET_NETMAP` section: + +``` +config NETFILTER_XT_TARGET_FULLCONENAT + tristate '"FULLCONENAT" target support' + depends on NF_NAT + ---help--- + Full Cone NAT + + To compile it as a module, choose M here. If unsure, say N. + +``` + +5. `cd` into the kernel source directory and prepare a working kernel config. This can be done by exporting from your current system: + +``` +zcat /proc/config.gz > .config +``` +6. Run `make menuconfig` and select: + Networking support -> Network options -> Network packet filtering framework (Netfilter) -> IP: Netfilter Configuration -> <M> FULLCONENAT target support + +7. Prepare for building: `make prepare` + +8. Run `make` to build the kernel source. 
Alternatively, run `make modules SUBDIRS=net/netfilter` to build only the netfilter modules. + +9. Run `make modules_install` to install all built modules. Alternatively, manually load the xt_FULLCONENAT module by `insmod net/netfilter/xt_FULLCONENAT.ko`. + +IPtables extension +------------------ + +1. Copy libipt_FULLCONENAT.c and libipt_FULLCONENAT.t to `iptables-source/extensions`. + +2. Under the iptables source directory, `./configure`, `make` and `make install` + +Usage +===== + +Assume eth0 is external interface: + +Basic Usage: + +``` iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT #same as MASQUERADE iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT +``` + +Random port range: + +``` +iptables -t nat -A POSTROUTING -o eth0 ! -p udp -j MASQUERADE +iptables -t nat -A POSTROUTING -o eth0 -p udp -j FULLCONENAT --to-ports 40000-60000 --random-fully + +iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dports 40000:60000 -j FULLCONENAT +``` diff --git a/libipt_FULLCONENAT.t b/libipt_FULLCONENAT.t new file mode 100644 index 0000000..7bfccde --- /dev/null +++ b/libipt_FULLCONENAT.t @@ -0,0 +1,9 @@ +:POSTROUTING +*nat +-j FULLCONENAT;=;OK +-j FULLCONENAT --random;=;OK +-j FULLCONENAT --random-fully;=;OK +-p tcp -j FULLCONENAT --to-ports 1024;=;OK +-p udp -j FULLCONENAT --to-ports 1024-65535;=;OK +-p udp -j FULLCONENAT --to-ports 1024-65536;;FAIL +-p udp -j FULLCONENAT --to-ports -1;;FAIL |
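Review bot: the quick-start block added right after "Assume eth0 is external interface:" at the top of the README repeats the same two rules that the new "Usage" > "Basic Usage" section shows further down; keep one copy (the Usage section, which also carries the port-range variant) so the two cannot drift apart. Three smaller points in the same hunk: step 5's `zcat /proc/config.gz > .config` only works when the running kernel was built with CONFIG_IKCONFIG_PROC, so mention `/boot/config-$(uname -r)` as the fallback; step 8's `make modules SUBDIRS=net/netfilter` uses the deprecated spelling, and `make M=net/netfilter` is the supported form; and step 9's `insmod net/netfilter/xt_FULLCONENAT.ko` does not load dependencies, so given the `depends on NF_NAT` in the Kconfig entry from step 4, either say that `nf_nat` must already be loaded or point at `modprobe` after `make modules_install` plus `depmod`. Finally, the Usage section never states what the PREROUTING rule does with an inbound packet on eth0 that matches no existing UDP mapping, yet the basic rule matches every inbound packet on the external interface; a sentence on that behaviour, plus a short list of the `--to-ports`, `--random` and `--random-fully` options (`--random` is exercised in libipt_FULLCONENAT.t but not documented here), would let readers judge what they are exposing.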
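Review bot: the test list in libipt_FULLCONENAT.t covers parsing of `--random`, `--random-fully` and the `--to-ports` range bounds, but has no negative case for `--to-ports` given without a protocol; assuming the extension follows MASQUERADE's userspace check, which rejects a port specification unless `-p` names a port-carrying protocol, a line such as `-j FULLCONENAT --to-ports 1024;;FAIL` would pin that down. A combined `--random --random-fully` case is also missing, and the `-p tcp ... --to-ports 1024;=;OK` line deserves a comment that it only checks rule parsing, since the README in this same commit says only UDP is actually handled by the target and other protocols fall back to MASQUERADE-like behaviour.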