
I have some home servers in my LAN, connecting to the Internet by ADSL. My router is a Linux-based x86 server, and I wrote a script on it. I updated the script to nftables some months ago...

It worked all right in IPv4...

One day, I found my ISP provides IPv6 by DHCP-PD. As the IPv6 address may change, it will be hard to set static global IPv6 addresses on servers. So I'm considering using unique local addresses. I'll need something like:

`ip6tables -t nat -A POSTROUTING -o eth0 -s fc00::/64 -j NETMAP --to 2006::/64`

to NAT the addresses to global addresses (with proper DNAT rules), but I can not find anything like that in nftables...

I've checked the official wiki: nft_nat

But I can not understand how to use nft_nat.

If it's a /24 block in IPv4, it is even possible to enumerate all addresses into a map. But it is really impossible to enumerate a /64 block in IPv6...

So is there any way to do NETMAP with nftables? Or do I have to revert to ip(6)tables? Or any other suggestion?

Thank you.

maybeonly
  • First, you should understand ULA, and why you are not allowed to use the `fc00::/64` network. You can use something in the `fd00::/8` range, but the next 40 bits must be randomly chosen. It is explained in _[RFC 4193, Unique Local IPv6 Unicast Addresses](https://tools.ietf.org/html/rfc4193)_. Next, the IPv6 RFC for NAT is not on the STANDARDS track, it is on the EXPERIMENTAL track. See _[RFC 6296, IPv6-to-IPv6 Network Prefix Translation](https://tools.ietf.org/html/rfc6296)_. The RFC discusses the problems inherent in using NAT and IPv6. – Ron Maupin Dec 08 '18 at 15:42
  • In any case, this is not a programming question, so it is off-topic here. Also, remember that your residential terms of service forbid you running services to the Internet, so you will be violating the ToS, and your ISP may shut you down for it. – Ron Maupin Dec 08 '18 at 15:44
  • And you don't need to NAT. Use global addresses outside, and local addresses inside. – Michael Hampton Dec 08 '18 at 19:04
  • I'm not really using fc00::/64; in my current config I'm using fd9e:xxxx: (from a random seed). fc00:: is a bad example. And I've checked NPTv6, and there's an extension for ip6tables, but no solution in nftables. I thought Stack Overflow is a tech site rather than a programming site. I'm sorry for any ambiguity. – maybeonly Dec 09 '18 at 00:38

1 Answer


For those like me looking for an up-to-date answer: the stateful network prefix translation, aka NPT/NPTv6/NAT66, can be done with nftables. There is a regular use case for this – RFC 7157, IPv6 Multihoming without Network Address Translation.

Just place the following rule in the nat postrouting hook (use your prefix size):

```
ip6 saddr <local-prefix>::/64 snat ip6 prefix to <public-prefix>::/64
```

You can prefix the rule with `oifname "<outgoing-interface>"` to match only packets going out from a particular interface.

oldium
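As an added example (not the answer's own ruleset), here is a complete nftables file that applies the `snat ip6 prefix` statement above together with its inbound `dnat ip6 prefix` counterpart, so servers on the ULA /64 are reachable under the delegated global /64. The prefixes and the interface name `eth0` are constructed placeholders; the ULA's 40 random bits must be generated per RFC 4193, as the comments above note.

```nft
# Added example: NETMAP-style prefix translation between an internal ULA /64
# and the DHCP-PD delegated global /64, in both directions.
# The values below are constructed placeholders, not a real deployment:
#   - ula_prefix: generate the 40 random bits per RFC 4193
#   - global_prefix: the prefix currently delegated by the ISP
#   - "eth0": the WAN interface
define ula_prefix = fd12:3456:789a::/64
define global_prefix = 2001:db8:abcd::/64

table ip6 nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound: keep the 64 host bits, swap the ULA prefix for the
        # global prefix on packets leaving the WAN interface.
        oifname "eth0" ip6 saddr $ula_prefix snat ip6 prefix to $global_prefix
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Inbound: reverse mapping for new connections from the Internet,
        # global prefix back to the ULA prefix, host bits unchanged.
        iifname "eth0" ip6 daddr $global_prefix dnat ip6 prefix to $ula_prefix
    }
}
```

Load it with `nft -f` and reload it whenever DHCP-PD delegates a different global prefix, since `define` values are fixed at load time. The translation is conntrack-based, so replies to outbound flows are reversed automatically; the prerouting rule is what admits new inbound connections to the servers.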