blob: 0920572496a093d14fdb0ceac8c46e0e79990ca3 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
Implementation of RFC3489-compatible full cone SNAT.
Assuming eth0 is external interface:
```
iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT #same as MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT #automatically restore NAT for inbound packets
```
Currently only UDP traffic is supported for full-cone NAT. For other protos FULLCONENAT is equivalent to MASQUERADE.
Build
======
Prerequisites:
* kernel source
* iptables source ( git://git.netfilter.org/iptables.git )
Confirm the kernel configuration option `CONFIG_NF_CONNTRACK_EVENTS` is enabled. If this option is disabled on your system, enable it and rebuild your netfilter modules.
Kernel Module
-------------
```
$ make
# insmod xt_FULLCONENAT.ko
```
Iptables Extension
------------------
1. Copy libipt_FULLCONENAT.c to `iptables-source/extensions`.
2. Under the iptables source directory, `./configure`(use `--prefix` to replace your current `iptables` by looking at `which iptables`), `make` and `make install`
OpenWRT
-------
Package for openwrt is available at https://github.com/LGA1150/openwrt-fullconenat
Usage
=====
Assuming eth0 is external interface:
Basic Usage:
```
iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT
iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT
```
Random port range:
```
iptables -t nat -A POSTROUTING -o eth0 ! -p udp -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p udp -j FULLCONENAT --to-ports 40000-60000 --random-fully
iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dports 40000:60000 -j FULLCONENAT
```
Hairpin NAT (Assuming eth1 is LAN interface and IP range for LAN is 192.168.100.0/24):
```
iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.100.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT
iptables -t nat -A PREROUTING -i eth1 -j FULLCONENAT
```
kernel Patch (Optional.)
========================
1. Copy xt_FULLCONENAT.c to `kernel-source/net/netfilter/xt_FULLCONENAT.c`
2. Append following line to `kernel-source/net/netfilter/Makefile`:
```
obj-$(CONFIG_NETFILTER_XT_TARGET_FULLCONENAT) += xt_FULLCONENAT.o
```
3. Insert following section into `kernel-source/net/ipv4/netfilter/Kconfig` right after `config IP_NF_TARGET_NETMAP` section:
```
config IP_NF_TARGET_FULLCONENAT
tristate "FULLCONENAT target support"
depends on NETFILTER_ADVANCED
select NETFILTER_XT_TARGET_FULLCONENAT
---help---
This is a backwards-compat option for the user's convenience
(e.g. when running oldconfig). It selects
CONFIG_NETFILTER_XT_TARGET_FULLCONENAT.
```
4. Insert following section into `kernel-source/net/netfilter/Kconfig` right after `config NETFILTER_XT_TARGET_NETMAP` section:
```
config NETFILTER_XT_TARGET_FULLCONENAT
tristate '"FULLCONENAT" target support'
depends on NF_NAT
---help---
Full Cone NAT
To compile it as a module, choose M here. If unsure, say N.
```
5. Run `make menuconfig` and select:
Networking support -> Network options -> Network packet filtering framework (Netfilter) -> IP: Netfilter Configuration -> \<M\> FULLCONENAT target support
License
=======
Copyright 2018 Chion Tang [betaidc](https://www.betaidc.com/contact.html)
GPL-2.0
See LICENSE
|
