[Jool-list] NAT44 for pool4 addresses possible?

Alberto Leiva ydahhrk at gmail.com
Tue May 22 15:23:32 CDT 2018


How about

ip6tables -t mangle -A PREROUTING --destination 64:ff9b::192.0.2.0/120 -j MARK --set-mark 1
ip6tables -t mangle -A PREROUTING --destination 64:ff9b::203.0.113.0/120 -j MARK --set-mark 2

On Tue, May 22, 2018 at 2:14 PM, Martin Weinelt
<martin at darmstadt.freifunk.net> wrote:
> Hello Alberto,
>
> thanks for your answers so far.
>
> I've looked into the sockmark approach and that does not work, because
> what I need is an approach that works based on the IPv4 destination
> address, not the IPv6 source address.
>
> The netns approach looks a bit more involved, I still have to look into
> that.
>
>
> Best regards,
>
> Martin
>
>
>
> On 05/22/2018 02:29 AM, Alberto Leiva wrote:
>> Still haven't found the problem. It does seem to be the case that Jool
>> packets traverse through the postrouting mangle table, but not the nat
>> one. It's pretty odd.
>>
>> In any case, trying to replicate your problem I noticed that one of
>> Jool's features could simplify the solution, without using special
>> namespaces.
>>
>> Basically, you can tell Jool "mask these packets with these addresses,
>> mask these other packets with these other addresses." The masking
>> decision is based on the packet mark, which you can customize using
>> standard iptables rules:
>>
>>     # During IPv6 prerouting, set mark 1 for packets that should be masked
>>     # with the public address.
>>     # (In this example, packets from the 2001:db8:1::/64 network should be
>>     # masked with the public address, but you can use other ip6tables
>>     # matches.)
>>     ip6tables -t mangle -A PREROUTING --source 2001:db8:1::/64 -j MARK --set-mark 1
>>
>>     # During IPv6 prerouting, set mark 2 for packets that should be masked
>>     # with the private address.
>>     ip6tables -t mangle -A PREROUTING --source 2001:db8:2::/64 -j MARK --set-mark 2
>>
>>     # Tell Jool that packets marked 1 should be masked with your public
>>     # address.
>>     jool --pool4 --add 1.2.3.4 --mark 1
>>
>>     # Tell Jool that packets marked 2 should be masked with your private
>>     # address.
>>     jool --pool4 --add 192.168.0.1 --mark 2
>>
>> See the pool4 documentation for more: https://jool.mx/en/pool4.html
>>
>> On Mon, May 21, 2018 at 11:31 AM, Alberto Leiva <ydahhrk at gmail.com> wrote:
>>> Oh, I forgot: Here's how to enclose Jool in a network namespace:
>>>
>>> https://jool.mx/en/usr-flags-instance.html
>>> https://jool.mx/en/node-based-translation.html
>>>
>>> Both documentation pieces intend to do something slightly different
>>> from what you're doing, but should be easy to adapt.
>>>
>>> On Mon, May 21, 2018 at 11:29 AM, Alberto Leiva <ydahhrk at gmail.com> wrote:
>>>>> IPv4 packets created by Jool do not seem to pass the
>>>>> nat postrouting chain in netfilter
>>>>
>>>> Hmm? This is odd. The kernel code says otherwise. Might be a bug; I'll
>>>> test it now.
>>>>
>>>> Anyway, this is how it's supposed to work:
>>>> https://jool.mx/en/intro-jool.html#design
>>>>
>>>> Check both diagrams. Assuming that Jool packets are really skipping
>>>> the postrouting chain, you could enclose it in a network namespace
>>>> (the red box) so you can use the outer namespace's (not red box)
>>>> postrouting chain. There is no way that one will be skipped if you do
>>>> that.
>>>>
>>>> On Sun, May 20, 2018 at 9:48 AM, Martin Weinelt
>>>> <martin at darmstadt.freifunk.net> wrote:
>>>>> Hi everyone,
>>>>>
>>>>> I'm currently building my first NAT64 setup and have stumbled upon a
>>>>> problem.
>>>>>
>>>>> When I use our public IPv4 address as pool4 I can access the internet
>>>>> just fine, except that I additionally need to be able to reach some
>>>>> private IPv4 addresses over site-to-site tunnels as well, where that
>>>>> source address doesn't work.
>>>>>
>>>>> This is why I thought of using a bunch of private IPv4 addresses to map
>>>>> the NAT64 against, so they'll work for the s2s tunnel and where I can
>>>>> additionally make use of NAT44 towards the internet.
>>>>>
>>>>> The issue is that IPv4 packets created by Jool do not seem to pass the
>>>>> nat postrouting chain in netfilter, where masquerading would happen.
>>>>> Instead I now have a private IPv4 address being used as saddr towards the
>>>>> internet, which cannot work either.
>>>>>
>>>>> I'd appreciate some help!
>>>>>
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Martin
>>>>> _______________________________________________
>>>>> Jool-list mailing list
>>>>> Jool-list at nic.mx
>>>>> https://mail-lists.nic.mx/listas/listinfo/jool-list
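Added example, not code from the thread or from the Jool project: a small POSIX sh helper that turns "IPv4 destinations in BLOCK should be translated with pool4 address ADDR" into the two rules the thread arrives at, the ip6tables MARK rule matched on the NAT64-embedded IPv6 destination and the pool4 entry carrying the same mark. It also shows where Alberto's `64:ff9b::192.0.2.0/120` comes from: with a /96 pref64 the IPv4 address occupies the last 32 bits (RFC 6052), so a /24 IPv4 block becomes a /120 IPv6 block. Assumptions: the Well-Known Prefix 64:ff9b::/96, the Jool 3.x `jool --pool4 --add ADDR --mark N` syntax used in the thread, Jool's default mark of 0 for pool4 entries added without `--mark`, and constructed RFC 5737 / RFC 1918 addresses. Commands are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the thread or the Jool project). Prints, does not run.

# v4_to_hex 192.0.2.0 -> c000:200  (the two trailing hextets of the v6 address)
v4_to_hex() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  printf '%x:%x\n' $(( (a << 8) | b )) $(( (c << 8) | d ))
}

# nat64_cidr PREF64 V4CIDR -> IPv6 CIDR covering that IPv4 block behind PREF64.
# Assumes a /96 pref64 (RFC 6052 embeds IPv4 in bits 96-127), so /N -> /(96+N).
nat64_cidr() {
  pref64=$1
  v4=${2%/*}
  len=${2#*/}
  case $len in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  printf '%s%s/%d\n' "$pref64" "$(v4_to_hex "$v4")" $((96 + len))
}

# rules_for V4CIDR POOL4_ADDR MARK -> ip6tables + jool commands for one block.
# The mark must be nonzero: packets matching no MARK rule keep mark 0, and a
# pool4 entry with mark 0 (Jool's default, assumed here) is the catch-all, so a
# 0 here would silently make this address the default for everything.
rules_for() {
  v4cidr=$1 pool4=$2 mark=$3
  [ "$mark" -gt 0 ] 2>/dev/null || { echo "mark must be > 0" >&2; return 1; }
  v6cidr=$(nat64_cidr 64:ff9b:: "$v4cidr") || return 1
  printf 'ip6tables -t mangle -A PREROUTING -d %s -j MARK --set-mark %s\n' \
    "$v6cidr" "$mark"
  printf 'jool --pool4 --add %s --mark %s\n' "$pool4" "$mark"
}

# default_rule PUBLIC_ADDR -> pool4 entry for unmarked (mark 0) packets, i.e.
# everything not destined for a tunnel block goes out with the public address.
default_rule() {
  printf 'jool --pool4 --add %s\n' "$1"
}

# Constructed scenario from the thread: two RFC 1918 pool4 addresses for two
# site-to-site tunnel destination blocks, public address for the rest.
plan() {
  rules_for 192.0.2.0/24   192.168.0.1 1 &&
  rules_for 203.0.113.0/24 192.168.0.2 2 &&
  default_rule 198.51.100.1
}

plan
```

Note that `64:ff9b::c000:200/120` and the thread's `64:ff9b::192.0.2.0/120` are the same address; ip6tables accepts either spelling. Order matters only in that the MARK rules must be in the IPv6 mangle PREROUTING chain, before translation, as Alberto describes.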

