SNAT in IP6Tables
Solution 1
**EDIT**: You need a 3.7+ kernel, as that's when they released the NAT table for IPv6. Then you use iptables 1.4.17 and you can use the simple command of:

```shell
ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
```

**ORIGINAL**:
Under the netfilter website you can find:
- all kinds of network address and port translation, e.g. NAT/NAPT (IPv4 and IPv6)
From the ip6tables man page (http://linux.die.net/man/8/ip6tables):
- SNAT: A virtual state, matching if the original source address differs from the reply destination.
- DNAT: A virtual state, matching if the original destination differs from the reply source.
So it appears to be possible. But I have not found examples of its usage.
Solution 2
I have a nat table:

```
apoc ~ # ip6tables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
```

And can write SNAT rules:

```
apoc ~ # ip6tables -t nat -A POSTROUTING -o eth1 -j SNAT --to 2001:db8::1
apoc ~ # ip6tables -t nat -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all      *      eth1    ::/0                 ::/0                 to:2001:db8::1
```
This is on ArchLinux with kernel 3.10.7-1-ARCH; it is a fairly recent addition to the netfilter code.
I must reiterate Michael Hampton though:
- Not to mention, if you're even thinking about NAT in the context of an IPv6 deployment, something is horribly wrong and you need to revisit your network design.
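Solutions 1 and 2 together give two checkable facts: the IPv6 nat table only exists on 3.7+ kernels, and once it exists a `SNAT`/`MASQUERADE` rule shows up as the third column of `ip6tables -t nat -nvL`. The following audit script is an added example, not code from either answer; it assumes a POSIX shell, and the listing it parses is constructed to mirror the output shown above.

```shell
#!/bin/sh
# Added example: audit helpers for IPv6 NAT (NAT66) on a Linux host.
# Nothing here changes firewall state; ip6tables is only read, and only if installed.

# Return 0 when a kernel release string (as printed by `uname -r`) is 3.7 or newer,
# the first series shipping the IPv6 nat table discussed in the answers.
kernel_supports_ip6nat() {
    rel=$1
    major=${rel%%.*}
    case $rel in
        *.*) rest=${rel#*.} ;;
        *)   rest=0 ;;            # no minor component at all
    esac
    minor=${rest%%[!0-9]*}        # strip ".7-1-ARCH" style suffixes
    [ "$major" -gt 3 ] 2>/dev/null && return 0
    [ "$major" -eq 3 ] 2>/dev/null && [ "$minor" -ge 7 ] 2>/dev/null
}

# Count NAT rules in `ip6tables -t nat -nvL` output read from stdin.
# The target is always the third column, whether or not the "opt" field is filled in.
# Any non-zero count means NAT66 is in play and the design should be revisited.
count_ip6nat_rules() {
    awk '$3 ~ /^(SNAT|DNAT|MASQUERADE|NETMAP|REDIRECT)$/ { n++ } END { print n + 0 }'
}

# Constructed sample listing, modelled on the ArchLinux output in Solution 2 (not real host data).
SAMPLE_NAT_TABLE='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all      *      eth1    ::/0                 ::/0                 to:2001:db8::1
    0     0 MASQUERADE all      *      eth0    ::/0                 ::/0'

# Run the checks against the live system when possible.
audit_ip6nat() {
    rel=$(uname -r)
    if ! kernel_supports_ip6nat "$rel"; then
        echo "kernel $rel predates the IPv6 nat table (needs 3.7+)"
        return 0
    fi
    if command -v ip6tables >/dev/null 2>&1; then
        n=$(ip6tables -t nat -nvL 2>/dev/null | count_ip6nat_rules)
        echo "IPv6 NAT rules present: $n"
    else
        echo "ip6tables not installed; sample listing has $(printf '%s\n' "$SAMPLE_NAT_TABLE" | count_ip6nat_rules) NAT rules"
    fi
}
```

Call `audit_ip6nat` from the shell; a count above zero on a production host is worth a conversation with whoever wrote the ruleset.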
Solution 3
There is no NAT with IPv6. One of the main points of IPv6 is to eliminate NAT. NAT was invented (primarily) as a way to stretch out the usable amount of IPv4 space. With IPv6, we're getting back to the original design of all end-points on the Internet being addressable from all other end-points.
Felipe
Updated on September 18, 2022

Comments

- Felipe over 1 year: I get error 438 when trying to add an element into a variant array. Can you help me debug, pls? Thx

```vb
Public Function CouponList() As Double
    Dim nbCoupons_lg As Integer
    Dim counter_lg As Integer
    Dim coupons_var As Variant
    Dim coupon As Cls_Coupon

    nbCoupons_lg = Maturity_db * CouponPeriodicity_db
    If (Not nbCoupons_lg = 0) Then
        ReDim coupons_var(1 To nbCoupons_lg) As Variant
        For counter_lg = 1 To nbCoupons_lg
            Set coupon = New Cls_Coupon
            coupon.Period_lg = counter_lg
            coupon.Value_db = AnnualCouponRate_db * ParValue_db
            coupon.PresentValue_db = coupon.Value_db / (1 + AnnualDiscountRate_db) ^ (coupon.Period_lg / Maturity_db)
            coupons_var(counter_lg) = coupon   ' the line that raises error 438 (object assignment without Set, see the thread)
        Next counter_lg
    End If
    CouponList = coupons_var
End Function
```
- Michael Hampton over 11 years: I don't know what man pages you're reading, but my ip6tables man page says nothing about SNAT or DNAT. As you're probably aware, there is no such thing in IPv6.
- Michael Hampton over 11 years: Not to mention, if you're even thinking about NAT in the context of an IPv6 deployment, something is horribly wrong and you need to revisit your network design.
- BatchyX over 10 years: NAT in IPv6 is evil. NAT support for IPv6 was only added in the Linux kernel because many idiots were implementing it and distributing crappy patches to do it. Sadly, Harald Welte's position about integrating IPv6 NAT in the kernel softened from "over my dead body" to "there are some legitimate cases".
- Admin about 10 years: NAT66 IS a necessary evil. When your ISP only assigns you a /64, and you don't want to break standard autoconfiguration tools, then you MUST use NAT66 to add more networks. QED.
- Michael Hampton about 10 years: When your ISP only assigns you a /64, you need to beat them over the head with RFC 6177.
- Admin about 8 years: I have a legitimate use for this too, which I don't see as evil, see github.com/rtkwlf/cookbook-simple-iptables/pull/79. I'm using Docker containers in Rackspace VMs. The VMs only have a single IPv6 public address, but multiple containers need to connect out to other services, external to their host VM, that are on IPv6. In this case I've given Docker a fake unused /64 network in my own real /48 allocation, from my ISP, and NAT gives the outgoing connection. I cannot, of course, accept incoming connections into the containers, but I don't need that. Apparently Rackspace are looking at
- Flocke over 6 years: A shot in the dark: Define your coupons_var like "Dim coupons_var (1 to nbCoupons_lg) As Variant" and remove that ReDim thing.
- Vityata over 6 years: @Flocke - it's too dark - `nbCoupons_lg` will not compile, because it is not defined. VBEditor likes to have values in the `Dim`, when arrays are declared.
- Vityata over 6 years: Can you try `Set coupons_var(counter_lg) = coupon`?
- iDevlop over 6 years: On which line do you get the error?
- Felipe over 6 years: This line: "coupons_var(counter_lg) = coupon". Fixed by adding "Set".
- door_number_three almost 6 years: @michaelhampton You are no doubt much better at arguing with ISPs over the RFC than I am, but I think the average network admin has to play the hand they're dealt. If for any reason, whether dealing with your ISP or your internal network, you need more addresses than you are given, do you not then need NAT?
- Michael Hampton over 11 years: That page is out of date. No such tables or targets exist in ip6tables.
- Peter DiMarco over 11 years: I have seen them on my system's man page for version 1.4.12 that came with Ubuntu 12.04. Here is a link to the man page for that version: fredprod.com/cgi-bin/man/man2html?8+ip6tables It is listed on the website as having the capabilities. And here is the original posting from the netfilter developer mailing list: 68.183.106.108/lists/netfilter-devel/msg19979.html So I'm at a loss as to why you think it's not there. I don't have experience with virtual states, but they're listed there.
- Michael Hampton over 11 years: The actual man page from the upstream git repository contains no such code, and from what I can tell, never did. My guess is you are seeing an Ubuntu-specific patch in userspace (maybe Debian?). As for the kernel patch, I would expect that to have been rejected out of hand. Indeed, that patch does not seem to be in current kernels. In short, it's not there because it's not there, and somebody added it to your specific system without putting enough thought into it.
- Nick495 over 11 years: So I just pulled the latest code from the git repository. And from it I can find the following files: `iptables/extensions/libip6t_SNAT.c` and `iptables/extensions/libip6t_DNAT.c`
- Michael Hampton about 10 years: Yes, I see it in the tree now. No idea why I couldn't see it before. Maybe I was looking at the wrong branch or something.