SNAT in IP6Tables

1,272

Solution 1

EDIT: You need a 3.7+ kernel as that's when they released the NAT table for ipv6. Then you use iptables 1.4.17 and you can use the simple command of:

  • ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

ORIGINAL:

Under the netfilter website you can find:

  • all kinds of network address and port translation, e.g. NAT/NAPT (IPv4 and IPv6)

From the ipv6 man page (http://linux.die.net/man/8/ip6tables):

  • SNAT
  • A virtual state, matching if the original source address differs from the reply destination.
  • DNAT
  • A virtual state, matching if the original destination differs from the reply source.

So it appears to be possible. But I have not found examples of its usage.
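The answer ties NAT66 support to two version floors (kernel 3.7 for the IPv6 nat table, iptables 1.4.17 for the userspace side). The following POSIX sh helper is an added example, not code from the answer: it compares the running kernel and the installed ip6tables against those floors and prints the MASQUERADE rule for `eth0` (the interface the answer uses) without applying it, since applying it needs root and turns the host into an IPv6 translator. The version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not from the answer above: check the two prerequisites the
# answer names (kernel 3.7+ for the IPv6 nat table, iptables 1.4.17+ for the
# userspace support) and print the MASQUERADE rule, without applying it.

# numeric_prefix STR: the leading dotted-numeric part of a version token
# ("3.10.7-1-ARCH" -> "3.10.7", "v1.4.21" -> "1.4.21"). Pass a bare token,
# not the whole "ip6tables v1.4.21" line, or the "6" in "ip6tables" wins.
numeric_prefix() {
    printf '%s\n' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//'
}

# vfield VERSION N: N-th dotted component, 0 when absent ("3.7" -> field 3 is 0).
vfield() {
    f=$(printf '%s.0.0\n' "$1" | cut -d. -f"$2")
    printf '%s\n' "${f:-0}"
}

# version_ge A B: succeed when version A >= version B (first three components).
version_ge() {
    va=$(numeric_prefix "$1")
    vb=$(numeric_prefix "$2")
    i=1
    while [ "$i" -le 3 ]; do
        x=$(vfield "$va" "$i")
        y=$(vfield "$vb" "$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# nat66_prereqs_ok KERNEL_RELEASE IP6TABLES_VERSION: succeed when both floors hold.
nat66_prereqs_ok() {
    version_ge "$1" "3.7" && version_ge "$2" "1.4.17"
}

# masquerade_rule IFACE: the rule from the answer, for outbound interface IFACE.
masquerade_rule() {
    printf 'ip6tables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$1"
}

# Report for this host. Only prints what would be run; nothing is applied.
kernel=$(uname -r)
if command -v ip6tables >/dev/null 2>&1; then
    # "ip6tables v1.4.21" -> second token "v1.4.21"
    ipt=$(ip6tables --version 2>/dev/null | awk '{print $2}')
else
    ipt="0"    # not installed: treat as too old
fi
if nat66_prereqs_ok "$kernel" "$ipt"; then
    echo "kernel $kernel, ip6tables $ipt: IPv6 nat table should be available"
    echo "would run: $(masquerade_rule eth0)"
else
    echo "kernel $kernel, ip6tables $ipt: below 3.7 / 1.4.17, nat table not expected"
fi
```

The comparison deliberately stops at three components, so distribution suffixes such as `-1-ARCH` or `-4-amd64` are ignored; a kernel that backports the nat table without bumping its version would still be reported as unsupported, which is the safe direction for a pre-flight check.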

Solution 2

I have a nat table:

apoc ~ # ip6tables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

And can write SNAT rules:

apoc ~ # ip6tables -t nat -A POSTROUTING -o eth1 -j SNAT --to 2001:db8::1
apoc ~ # ip6tables -t nat -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all      *      eth1    ::/0                 ::/0                 to:2001:db8::1

This is on ArchLinux with kernel 3.10.7-1-ARCH; it is a fairly recent addition to the netfilter code.

I must reiterate Michael Hampton though:

Not to mention, if you're even thinking about NAT in the context of an IPv6 deployment, something is horribly wrong and you need to revisit your network design.
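Given that position, the useful operational question is whether a host is translating IPv6 at all. The following POSIX sh helper is an added example, not code from the answer: it parses the `ip6tables -t nat -nvL` listing shown above and reports every SNAT, DNAT, MASQUERADE or NETMAP rule with its chain and interfaces, so an unexpected NAT66 rule shows up in an audit. The sample listing is constructed to match the page's output format (the SNAT line is the one from the answer; the DNAT and MASQUERADE lines are added for illustration).

```shell
#!/bin/sh
# Added example, not from the answer above: audit an `ip6tables -t nat -nvL`
# listing for IPv6 NAT rules, so a host that is not meant to translate IPv6
# can be checked from its own ruleset (ip6tables -t nat -nvL | nat66_rules).

# nat66_rules: read a -nvL listing on stdin and print one line per NAT rule:
#   CHAIN TARGET in=IFACE out=IFACE EXTRA   (EXTRA is "-" when the rule has none)
nat66_rules() {
    awk '
        $1 == "Chain" { chain = $2; next }       # remember the current chain
        $1 == "pkts"  { next }                   # column header line
        NF >= 8 && $3 ~ /^(SNAT|DNAT|MASQUERADE|NETMAP)$/ {
            # Older ip6tables prints the opt column blank (as on this page),
            # newer builds print "--"; locate the "in" column accordingly.
            o = ($5 == "--") ? 6 : 5
            if (NF < o + 3) next
            extra = ""
            for (i = o + 4; i <= NF; i++) extra = extra (i > o + 4 ? " " : "") $i
            if (extra == "") extra = "-"
            printf "%s %s in=%s out=%s %s\n", chain, $3, $o, $(o + 1), extra
        }'
}

# nat66_rule_count: number of NAT rules in the listing on stdin.
nat66_rule_count() {
    nat66_rules | wc -l | tr -d ' '
}

# Constructed sample in the page's -nvL format: the SNAT rule from the answer
# plus one DNAT and one MASQUERADE rule added for illustration.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp      eth1   *       ::/0                 2001:db8::1          tcp dpt:443 to:[2001:db8:1::10]:443

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all      *      eth1    ::/0                 ::/0                 to:2001:db8::1
   12  1024 MASQUERADE all      *      eth0    fd00::/64            ::/0'

# Demo on the constructed sample; on a real host pipe the live listing instead.
printf '%s\n' "$SAMPLE_LISTING" | nat66_rules
echo "IPv6 NAT rules found: $(printf '%s\n' "$SAMPLE_LISTING" | nat66_rule_count)"
```

A count above zero on a host where no one intended NAT66 is the finding; the per-rule lines give the chain and interfaces needed to trace the rule back to whatever created it.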

Solution 3

There is no NAT with IPv6. One of the main points of IPv6 is to eliminate NAT. NAT was invented (primarily) as a way to stretch out the usable amount of IPv4 space. With IPv6, we're getting back to the original design of all end-points on the Internet being addressable from all other end-points.

Author by Felipe

Updated on September 18, 2022

Comments

  • Felipe
    Felipe over 1 year

    I get

    error 438

    when trying to add an element into a variant array. Can you help me debugging, pls ? Thx

    Public Function CouponList() As Double
    
        Dim nbCoupons_lg As Integer
        Dim counter_lg As Integer
        Dim coupons_var As Variant
        Dim coupon As Cls_Coupon
    
        nbCoupons_lg = Maturity_db * CouponPeriodicity_db
    
        If (Not nbCoupons_lg = 0) Then
    
            ReDim coupons_var(1 To nbCoupons_lg) As Variant
    
            For counter_lg = 1 To nbCoupons_lg
                Set coupon = New Cls_Coupon
    
                coupon.Period_lg = counter_lg
                coupon.Value_db = AnnualCouponRate_db * ParValue_db
                coupon.PresentValue_db = coupon.Value_db / (1 + AnnualDiscountRate_db) ^ (coupon.Period_lg / Maturity_db)
    
                coupons_var(counter_lg) = coupon
    
            Next counter_lg
        End If
    
        CouponList = coupons_var
    
    End Function
    
    • Michael Hampton
      Michael Hampton over 11 years
      I don't know what man pages you're reading, but my ip6tables man page says nothing about SNAT or DNAT. As you're probably aware, there is no such thing in IPv6.
    • Michael Hampton
      Michael Hampton over 11 years
      Not to mention, if you're even thinking about NAT in the context of an IPv6 deployment, something is horribly wrong and you need to revisit your network design.
    • BatchyX
      BatchyX over 10 years
      NAT in IPv6 is evil. NAT support for IPv6 was only added in the Linux kernel because many idiots were implementing it and distributing crappy patches to do it. Sadly, Harald Welte's position about integrating IPv6 NAT in the kernel softened from "over my dead body" to "there are some legitimate cases".
    • Admin
      Admin about 10 years
      NAT66 IS a necessary evil. When your ISP only assigns you a /64, and you don't want to break standard autoconfiguration tools, then you MUST use NAT66 to add more networks. QED.
    • Michael Hampton
      Michael Hampton about 10 years
      When your ISP only assigns you a /64, you need to beat them over the head with RFC 6177.
    • Admin
      Admin about 8 years
      I have a legitimate use for this too, which I don't see as evil, see github.com/rtkwlf/cookbook-simple-iptables/pull/79. I'm using Docker containers in Rackspace VMs. The VMs only have a single IPv6 public address, but multiple containers need to connect out to other services, external to their host VM, that are on IPv6. In this case I've given Docker a fake unused /64 network in my own real /48 allocation, from my ISP, and NAT gives the outgoing connection. I cannot, of course, accept incoming connections into the containers, but I don't need that. Apparently Rackspace are looking at
    • Flocke
      Flocke over 6 years
      A shot in the dark: Define your coupons_var like "Dim coupons_var (1 to nbCoupons_lg) As Variant" and remove that ReDim-Thing.
    • Vityata
      Vityata over 6 years
      @Flocke - it's too dark - nbCoupons_lg will not compile, because it is not defined. VBEditor likes to have values in the Dim, when arrays are declared.
    • Vityata
      Vityata over 6 years
      Can you try Set coupons_var(counter_lg) = coupon?
    • iDevlop
      iDevlop over 6 years
      On which line do you get the error?
    • Felipe
      Felipe over 6 years
      This line: "coupons_var(counter_lg) = coupon". Fixed by adding "Set".
    • door_number_three
      door_number_three almost 6 years
      @michaelhampton You are no doubt much better at arguing with ISPs over the RFC than I am, but I think the average network admin has to play the hand they're dealt. If for any reason, whether dealing with your ISP or your internal network, you need more addresses than you are given, do you not then need NAT?
  • Michael Hampton
    Michael Hampton over 11 years
    That page is out of date. No such tables or targets exist in ip6tables.
  • Peter DiMarco
    Peter DiMarco over 11 years
    I have seen them on my system's man page for version 1.4.12 that came with Ubuntu 12.04. Here is a link to the man page for that version: fredprod.com/cgi-bin/man/man2html?8+ip6tables It is listed on the website as having the capabilities. And here is the original posting from the netfilter developer mailing list: 68.183.106.108/lists/netfilter-devel/msg19979.html So I'm at a loss of why you think it's not there. I don't have experience with virtual states, but they're listed there.
  • Michael Hampton
    Michael Hampton over 11 years
    The actual man page from the upstream git repository contains no such code, and from what I can tell, never did. My guess is you are seeing an Ubuntu-specific patch in userspace (maybe Debian?). As for the kernel patch, I would expect that to have been rejected out of hand. Indeed, that patch does not seem to be in current kernels. In short, it's not there because it's not there, and somebody added it to your specific system without putting enough thought into it.
  • Nick495
    Nick495 over 11 years
    So I just pulled the latest code from the git repository. And from it I can find the following files: iptables/extensions/libip6t_SNAT.c iptables/extensions/libip6t_DNAT.c
  • Michael Hampton
    Michael Hampton about 10 years
    Yes, I see it in the tree now. No idea why I couldn't see it before. Maybe I was looking at the wrong branch or something.