
Netfilter says they have support for SNAT and DNAT for ipv6. I look under the man pages of ip6tables and see that there is SNAT and DNAT listed. So my question is how do you make rules for them? I tried using the same structure of the rules for iptables, but ip6tables does not have a nat table and SNAT/DNAT are virtual states. So I don't know what modifications to make from an example like:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 1.2.3.4

to be applicable to ip6tables. Thanks for the help!

Peter DiMarco
    I don't know what man pages you're reading, but my `ip6tables` man page says nothing about SNAT or DNAT. As you're probably aware, there is no such thing in IPv6. – Michael Hampton Jan 17 '13 at 22:02
    Not to mention, if you're even _thinking_ about NAT in the context of an IPv6 deployment, something is horribly wrong and you need to revisit your network design. – Michael Hampton Jan 18 '13 at 04:30
    NAT in IPv6 is evil. NAT support for IPv6 was only added in the Linux kernel because many idiots were implementing it and distributing crappy patches to do it. Sadly, Harald Welte's position about integrating IPv6 NAT in the kernel softened from "over my dead body" to "there are some legitimate cases" – BatchyX Aug 30 '13 at 11:08
    NAT66 *IS* a necessary evil. When your ISP only assigns you a /64, and you don't want to break standard autoconfiguration tools, then you MUST use NAT66 to add more networks. QED. –  Feb 23 '14 at 13:58
    When your ISP only assigns you a /64, you need to beat them over the head with RFC 6177. – Michael Hampton Feb 23 '14 at 14:04
    I have a legitimate use for this too, which I don't see as evil, see https://github.com/rtkwlf/cookbook-simple-iptables/pull/79. I'm using Docker containers in Rackspace VMs. The VMs only have a single IPv6 public address, but multiple containers need to connect out to other services, external to their host VM, that are on IPv6. In this case I've given Docker a fake unused /64 network in my own real /48 allocation, from my ISP, and NAT gives the outgoing connection. I cannot, of course, accept incoming connections into the containers, but I don't need that. Apparently Rackspace are looking at –  Feb 08 '16 at 01:12
    @michaelhampton You are no doubt much better at arguing with ISPs over the RFC than I am, but I think the average network admin has to play the hand they're dealt. If _for any reason_, whether dealing with your ISP or your internal network, you need more addresses than you are given, do you not then need NAT? – door_number_three Jun 08 '18 at 22:38

3 Answers


EDIT: You need a 3.7+ kernel, as that's when they released the NAT table for IPv6. Then you use iptables 1.4.17 and you can use the simple command of:

    ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

ORIGINAL:

Under the netfilter website you can find:

  • all kinds of network address and port translation, e.g. NAT/NAPT (IPv4 and IPv6)

From the ip6tables man page (http://linux.die.net/man/8/ip6tables):

  • SNAT: A virtual state, matching if the original source address differs from the reply destination.
  • DNAT: A virtual state, matching if the original destination differs from the reply source.

So it appears to be possible. But I have not found examples of its usage.

    That page is out of date. No such tables or targets exist in `ip6tables`. – Michael Hampton Jan 18 '13 at 01:53
    I have seen them on my system's man page for version 1.4.12 that came with Ubuntu 12.04. Here is a link to the man page for that version: http://www.fredprod.com/cgi-bin/man/man2html?8+ip6tables It is listed on the website as having the capabilities. And here is the original posting from the netfilter developer mailing list: http://68.183.106.108/lists/netfilter-devel/msg19979.html So I'm at a loss of why you think it's not there. I don't have experience with virtual states, but they're listed there. – Peter DiMarco Jan 18 '13 at 03:03
  • The _actual_ man page from the upstream git repository contains no such code, and from what I can tell, never did. My guess is you are seeing an Ubuntu-specific patch in userspace (maybe Debian?). As for the kernel patch, I would expect that to have been rejected out of hand. Indeed, that patch does not seem to be in current kernels. In short, it's not there because it's not there, and somebody added it to your specific system without putting enough thought into it. – Michael Hampton Jan 18 '13 at 04:19
    So I just pulled the latest code from the git repository. And from it I can find the following files: iptables/extensions/libip6t_SNAT.c iptables/extensions/libip6t_DNAT.c – Peter DiMarco Jan 18 '13 at 16:50
  • Yes, I see it in the tree now. No idea why I couldn't see it before. Maybe I was looking at the wrong branch or something. – Michael Hampton Feb 23 '14 at 14:14
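The answer above gives the two version thresholds (kernel 3.7+, iptables 1.4.17+) and a one-line MASQUERADE rule. The script below is an added example, not code from the answer or from netfilter: it checks those thresholds on the running system, confirms the IPv6 nat table can actually be opened, and emits an outbound-only NAT66 ruleset. The interface name `eth0`, the internal prefix `2001:db8:1::/64` and the optional fixed SNAT address are placeholders; the `-s` match on the internal prefix and the FORWARD rules are this example's own additions, so that the box translates only its internal hosts rather than everything it happens to forward.

```shell
#!/usr/bin/env bash
# Added example, not code from the answer above. Preflight checks for IPv6 NAT
# on Linux (kernel 3.7+, iptables 1.4.17+, nat table loadable) and a minimal
# NAT66 ruleset. Interface names and prefixes below are placeholders.
set -u

# version_ge HAVE WANT: succeed if dotted version HAVE is >= WANT.
# Trailing non-numeric suffixes such as "-1-ARCH" from `uname -r` are ignored.
version_ge() {
    local have=${1%%[!0-9.]*} want=${2%%[!0-9.]*} h w
    while :; do
        h=${have%%.*}; w=${want%%.*}
        [ "${h:-0}" -gt "${w:-0}" ] && return 0
        [ "${h:-0}" -lt "${w:-0}" ] && return 1
        case "$have$want" in *.*) ;; *) return 0 ;; esac   # no more components
        have=${have#"$h"}; have=${have#.}
        want=${want#"$w"}; want=${want#.}
    done
}

# build_nat66_rules WAN_IF INTERNAL_PREFIX [SNAT_ADDR]
# Print the ip6tables commands for outbound-only NAT66. The -s match limits the
# translation to the internal prefix instead of everything forwarded. With
# SNAT_ADDR the mapping is fixed; otherwise MASQUERADE follows the WAN address.
build_nat66_rules() {
    local wan=$1 prefix=$2 snat=${3:-}
    if [ -n "$snat" ]; then
        printf 'ip6tables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' "$prefix" "$wan" "$snat"
    else
        printf 'ip6tables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$prefix" "$wan"
    fi
    # FORWARD policy: internal hosts may go out; only conntrack replies come back.
    printf 'ip6tables -A FORWARD -s %s -o %s -j ACCEPT\n' "$prefix" "$wan"
    printf 'ip6tables -A FORWARD -i %s -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\n' "$wan"
    printf 'ip6tables -A FORWARD -i %s -j DROP\n' "$wan"
}

# apply_nat66 WAN_IF INTERNAL_PREFIX [SNAT_ADDR]
# Run the preflight checks against the live system, then apply the rules. Root only.
apply_nat66() {
    local kver ipv
    kver=$(uname -r)
    version_ge "$kver" 3.7 || { echo "kernel $kver has no IPv6 NAT (need 3.7+)" >&2; return 1; }
    command -v ip6tables >/dev/null || { echo "ip6tables not installed" >&2; return 1; }
    ipv=$(ip6tables --version); ipv=${ipv#*v}      # "ip6tables v1.4.17" -> "1.4.17"
    version_ge "$ipv" 1.4.17 || { echo "ip6tables $ipv too old (need 1.4.17+)" >&2; return 1; }
    ip6tables -t nat -L >/dev/null 2>&1 || { echo "nat table unavailable (ip6table_nat not loadable?)" >&2; return 1; }
    sysctl -q -w net.ipv6.conf.all.forwarding=1 || return 1
    build_nat66_rules "$@" | sh -e
}

# Usage, as root:  apply_nat66 eth0 2001:db8:1::/64
```

One caveat worth knowing before running this: setting `net.ipv6.conf.all.forwarding=1` turns the host into a router, and a router by default stops accepting Router Advertisements. If the WAN interface gets its address by autoconfiguration, set `net.ipv6.conf.<wan>.accept_ra=2` as well, or the uplink address will age out.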

I have a nat table:

apoc ~ # ip6tables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

And can write SNAT rules:

apoc ~ # ip6tables -t nat -A POSTROUTING -o eth1 -j SNAT --to 2001:db8::1
apoc ~ # ip6tables -t nat -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 SNAT       all      *      eth1    ::/0                 ::/0                 to:2001:db8::1

This is on ArchLinux with kernel 3.10.7-1-ARCH; it is a fairly recent addition to the netfilter code.

I must reiterate Michael Hampton though:

Not to mention, if you're even thinking about NAT in the context of an IPv6 deployment, something is horribly wrong and you need to revisit your network design.

fukawi2
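The listing above installs `SNAT` with a source match of `::/0`, so every packet the host forwards out `eth1` gets rewritten to `2001:db8::1`, not just traffic from the internal prefix. The script below is an added example, not code from the answer: it parses `ip6tables -t nat -nvL` output in the column layout shown above (for IPv6 the `opt` column is blank, so the fields are pkts, bytes, target, prot, in, out, source, destination) and reports SNAT or MASQUERADE rules that are not anchored to a source prefix. `SAMPLE_LISTING` is constructed for this example from the format in the answer; the extra two rules in it are invented to show one restricted rule passing and one MASQUERADE rule being flagged.

```shell
#!/usr/bin/env bash
# Added example, not code from the answer above. Audits an `ip6tables -t nat -nvL`
# listing for SNAT/MASQUERADE rules whose source match is ::/0, i.e. rules that
# translate every packet forwarded out that interface rather than only the
# internal prefix. SAMPLE_LISTING is constructed in the format shown above.

# unrestricted_snat_rules < LISTING
# Print "chain out-iface target" for each SNAT or MASQUERADE rule with source ::/0.
# ip6tables leaves the opt column blank, so fields are: pkts bytes target prot
# in out source destination; an IPv4-style "--" opt column is skipped if present.
unrestricted_snat_rules() {
    awk '
        /^Chain /      { chain = $2; next }
        $1 == "pkts"   { next }                 # column header line
        NF == 0        { next }
        {
            off = ($5 == "--") ? 1 : 0
            target = $3; oif = $(6 + off); src = $(7 + off)
            if ((target == "SNAT" || target == "MASQUERADE") && src == "::/0")
                print chain, oif, target
        }
    '
}

# audit_live_nat: fail (1) if the running nat table has any unrestricted SNAT
# rule, 2 if ip6tables is not available, 0 if the table is clean.
audit_live_nat() {
    local hits
    command -v ip6tables >/dev/null || return 2
    hits=$(ip6tables -t nat -nvL | unrestricted_snat_rules)
    [ -z "$hits" ] || { printf 'unrestricted NAT66 rules:\n%s\n' "$hits" >&2; return 1; }
}

# Constructed sample in the layout of the answer's listing (not real output).
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 SNAT       all      *      eth1    ::/0                 ::/0                 to:2001:db8::1
   12  1440 SNAT       all      *      eth1    2001:db8:1::/64      ::/0                 to:2001:db8::1
    0     0 MASQUERADE all      *      eth0    ::/0                 ::/0'

# Usage:  printf '%s\n' "$SAMPLE_LISTING" | unrestricted_snat_rules
#   or, on a live box as root:  audit_live_nat
```

On the sample, the first and third rules are reported and the second is not. The fix for a reported rule is the same one the first answer's MASQUERADE line also lacks: add `-s <internal prefix>` so only the hosts you intend to translate are rewritten.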

There is no NAT with IPv6. One of the main points of IPv6 is to eliminate NAT. NAT was invented (primarily) as a way to stretch out the usable amount of IPv4 space. With IPv6, we're getting back to the original design of all end-points on the Internet being addressable from all other end-points.