[Jool-list] Question about 'more' netfilter/iptables stuff

Andreas Schulz (Fujitsu) andreas.schulz at fujitsu.com
Mon Apr 29 02:30:35 CST 2024


Hi folks,

I have a 'problem'; maybe someone can help me with this issue. This is a network overview:

Customer A
                           NAT/Joolserver A1
                       +---------------------+
                       |                     |
                       |     SIIT EAMT       |
A IPv4Host +----------->                     +
                       |  Translate IPv4/IPv6|\                     Shared Service for all customers
  10.10.10.1           |  do some add. NAT   | \                           NAT/Joolserver S1
                       |                     |  \                      +----------------------+
                       +---------------------+   \                     |                      |
                                                  \    IPv6 network    |    SIIT EAMT         |
-----------------------------------------------    +--------------->--->                      +-----------> B IPv4Host
                                                   +------------------->  Translate IPv4/IPv6 |
Customer B                                        /                    |  do some add NAT     |             10.1.1.1
                           NAT/Joolserver B1     /                     |                      |
                       +---------------------+  /                      +----------------------+
                       |                     | /
                       |     SIIT EAMT       |/
A IPv4Host +----------->                     +
                       |  Translate IPv4/IPv6|
  10.10.10.1           |  do some add. NAT   |
                       |                     |
                       +---------------------+

- several customers - maybe with the same RFC 1918 networks
- all customers try to access a service in the shared service network with IP address 10.1.1.1
- every customer defines a network that we can use to NAT the 10.1.1.1 service, e.g. customer A is using 10.10.11.1 for 10.1.1.1,
  customer B is using 10.20.5.1 for 10.1.1.1
- every customer gets a NAT network for their source addresses in the shared service network, e.g. customer A is NATted behind 10.10.20.X

We try to achieve the following:
1 Customer A starts to access 10.10.11.1 (original 10.1.1.1)
2 Joolserver A1 is doing DNAT from 10.10.11.1 to 10.1.1.1
3 Joolserver A1 is doing translation IPv4/IPv6 (this already works right now)
4 Joolserver S1 is doing translation 'back' IPv6/IPv4
5 Joolserver A1 is doing SNAT from 10.10.10.1 to 10.10.20.1

3 & 4 are working fine - I used the thread https://mail-lists.nic.mx/pipermail/jool-list/2022-April/000473.html - without any NAT.

Because Jool is using the mangle table, I wasn't able to implement some more NAT rules, because the packets never reached the nat table.
I would assume this is because the mangle rules already matched. But I have no idea how I have to configure it so that I can apply additional NAT rules.

I know that Jool is doing the job it was designed to do. But maybe someone has a hint on how this can be solved on Joolserver A1 and S1?

Kind regards
Andreas Schulz

P.S. thanks for your work on Jool!
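One way to get the effect of steps 1-5 without any iptables nat rules at all is to put the address rewrites into the SIIT address mappings themselves: the EAMT and pool6 are what a stateless translator uses to choose addresses anyway, so "10.10.11.1 means 10.1.1.1" and "10.10.10.0/24 appears as 10.10.20.0/24" can be expressed as mappings on A1 and S1 instead of as DNAT and SNAT. The script below is an added example, not code from the original post or from the Jool project. Everything not in the post is an assumption: the IPv6 face of 10.1.1.1 (64:ff9b::a01:101, i.e. 10.1.1.1 embedded in the RFC 6052 prefix that S1 uses as pool6), the per-customer IPv6 prefixes 2001:db8:a::/120 and 2001:db8:b::/120, customer B's shared-service range 10.20.20.0/24, and that the translators run Jool 4 in --netfilter mode.

```shell
#!/bin/sh
# Added example (not from the original post or the Jool project): express the
# address rewrites of steps 1-5 as SIIT EAMT/pool6 entries so that no iptables
# DNAT/SNAT is needed on A1, B1 or S1.
#
# Assumptions (none of these appear in the original post):
#   - 64:ff9b::a01:101 is the IPv6 face of 10.1.1.1 (RFC 6052, S1's pool6 64:ff9b::/96)
#   - customer A's sources are 2001:db8:a::/120 on the shared IPv6 network
#   - customer B's sources are 2001:db8:b::/120 and appear as 10.20.20.0/24 at S1
#   - the translators run Jool 4 in --netfilter mode (no JOOL_SIIT iptables rules)
#
# Nothing is applied unless APPLY=1; otherwise the commands are only printed.
: "${APPLY:=0}"

run() {
    if [ "$APPLY" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Joolserver A1 (customer A side).
a1_config() {
    run jool_siit instance add A1 --netfilter
    # Steps 1-2: 10.10.11.1 is what customer A dials; map it straight to the
    # IPv6 address that S1 turns back into 10.1.1.1. This replaces the DNAT.
    run jool_siit -i A1 eamt add 10.10.11.1/32 64:ff9b::a01:101/128
    # Step 5: customer A's RFC 1918 sources become 2001:db8:a::/120
    # (both prefixes leave an 8-bit suffix, so the EAM is a plain copy).
    run jool_siit -i A1 eamt add 10.10.10.0/24 2001:db8:a::/120
}

# Joolserver B1: same shape, different per-customer alias and IPv6 prefix.
# The overlapping 10.10.10.0/24 is harmless because B1 is a separate box.
b1_config() {
    run jool_siit instance add B1 --netfilter
    run jool_siit -i B1 eamt add 10.20.5.1/32 64:ff9b::a01:101/128
    run jool_siit -i B1 eamt add 10.10.10.0/24 2001:db8:b::/120
}

# Joolserver S1 (shared-service side).
s1_config() {
    # pool6 handles 64:ff9b::a01:101 <-> 10.1.1.1 in both directions, so the
    # service address needs no EAMT entry and is shared by every customer.
    run jool_siit instance add S1 --netfilter --pool6 64:ff9b::/96
    # The SNAT of step 5 becomes one EAMT entry per customer; the EAMT is
    # consulted before pool6, so these never collide with the service mapping.
    run jool_siit -i S1 eamt add 10.10.20.0/24 2001:db8:a::/120
    run jool_siit -i S1 eamt add 10.20.20.0/24 2001:db8:b::/120
}

# Print (or apply) the configuration for one role: a1, b1 or s1.
configure() {
    case "$1" in
        a1) a1_config ;;
        b1) b1_config ;;
        s1) s1_config ;;
        *) echo "usage: $0 a1|b1|s1" >&2; return 2 ;;
    esac
}

# Only act when given a role argument, so sourcing the file is side-effect free.
if [ "$#" -gt 0 ]; then configure "$@"; fi
```

Usage: `sh jool-eamt.sh a1` prints the commands for A1; `APPLY=1 sh jool-eamt.sh a1` runs them. The shared IPv6 network still has to route 64:ff9b::/96 towards S1 and each 2001:db8:x::/120 back to the customer's translator, and IPv6/IPv4 forwarding must be enabled on every translator. The reason the nat table never saw the packets in the original setup is the hook order: Jool's iptables-mode rules live in mangle, and in PREROUTING the mangle hook runs before the nat hook, so a packet that the JOOL_SIIT target translates has already left the IPv4 path by the time DNAT would apply. Moving the rewrites into the EAMT sidesteps that ordering entirely and also keeps the translation stateless on S1, which matters when several customers arrive with identical RFC 1918 sources.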

