[Jool-list] Question about 'more' netfilter/iptables stuff
Andreas Schulz (Fujitsu)
andreas.schulz at fujitsu.com
Mon Apr 29 02:30:35 CST 2024
Hi folks,
I have a 'problem'; maybe someone can help me with this issue. This is a network overview:
Customer A                                              Shared Service for all customers
NAT/Joolserver A1                                       NAT/Joolserver S1
               +---------------------+                  +----------------------+
               |      SIIT EAMT      |\                 |      SIIT EAMT       |
A IPv4Host --->| Translate IPv4/IPv6 | \  IPv6 network  | Translate IPv4/IPv6  |---> B IPv4Host
10.10.10.1     | do some add. NAT    |  --------------->| do some add. NAT     |     10.1.1.1
               +---------------------+     /            +----------------------+
                                          /
Customer B                               /
NAT/Joolserver B1                       /
               +---------------------+ /
               |      SIIT EAMT      |/
A IPv4Host --->| Translate IPv4/IPv6 |
10.10.10.1     | do some add. NAT    |
               +---------------------+
- several customers, possibly with the same RFC 1918 networks
- all customers try to access a service in the shared service network with the IP address 10.1.1.1
- every customer defines a network that we can use to NAT the 10.1.1.1 service, e.g. customer A is using 10.10.11.1 for 10.1.1.1, customer B is using 10.20.5.1 for 10.1.1.1
- every customer gets a NAT network for their source addresses in the shared service network, e.g. customer A is NATted behind 10.10.20.X
We try to achieve the following:
1 Customer A starts to access 10.10.11.1 (originally 10.1.1.1)
2 Joolserver A1 does DNAT from 10.10.11.1 to 10.1.1.1
3 Joolserver A1 does the IPv4/IPv6 translation (this already works right now)
4 Joolserver S1 does the translation 'back' from IPv6 to IPv4
5 Joolserver A1 does SNAT from 10.10.10.1 to 10.10.20.1
Steps 3 & 4 are working fine - I used the thread https://mail-lists.nic.mx/pipermail/jool-list/2022-April/000473.html - without any NAT.
Because Jool is using the mangle table, I wasn't able to implement any more NAT rules, because the packets never reached the nat table.
I would assume this is because the mangle rules have already matched. But I have no idea how I have to configure it so that I can apply additional NAT rules.
I know that Jool is doing the job it was designed for. But maybe someone has a hint how this can be solved on Joolserver A1 and S1?
Kind regards
Andreas Schulz
P.S. thanks for your work on Jool!
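Editor's note on the behaviour described above: Jool's iptables target is invoked from the mangle PREROUTING chain, and netfilter runs mangle PREROUTING before nat PREROUTING; a packet that Jool translates leaves the IPv4 path at that point and is re-injected as IPv6, so the IPv4 nat table never sees it. One way to get the per-customer DNAT and SNAT of steps 2 and 5 without the nat table is to express them as EAMT entries, because SIIT-EAM is itself a stateless address rewrite: A1 maps the customer's alias 10.10.11.1 to the service's IPv6 address and S1 maps that same IPv6 address to 10.1.1.1, while each customer's source prefix gets its own IPv6 prefix that S1 maps to that customer's NAT pool. The model below is an added example, not code from the original post or from the Jool project; it implements the RFC 7757 section 3.2 address mapping algorithm (longest prefix match, IPv4 host bits copied right after the IPv6 prefix) and walks customer A's and B's packets through both translators in each direction. The IPv6 prefixes, the service address 2001:db8:f00d::1 and customer B's NAT pool 10.20.20.0/24 are assumptions, as is the mapping of the entries onto `jool_siit -i <instance> eamt add` commands.

```python
"""Model of SIIT-EAM address translation (RFC 7757 section 3.2) for the
two-translator topology above.  Added example, not Jool code; all IPv6
prefixes and customer B's NAT pool (10.20.20.0/24) are assumptions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network


@dataclass(frozen=True)
class Eam:
    """One Explicit Address Mapping: an IPv4 prefix paired with an IPv6 prefix."""
    v4: IPv4Network
    v6: IPv6Network

    def __post_init__(self):
        # RFC 7757: the IPv6 prefix must leave room for the IPv4 suffix bits.
        if self.v6.prefixlen > 128 - (32 - self.v4.prefixlen):
            raise ValueError(f"IPv6 prefix {self.v6} too long for {self.v4}")


class Eamt:
    """Explicit Address Mapping Table with longest-prefix-match lookups.
    Each (ipv4, ipv6) pair corresponds to one assumed
    'jool_siit -i <instance> eamt add <ipv4> <ipv6>' entry."""

    def __init__(self, entries):
        self.entries = [Eam(IPv4Network(a), IPv6Network(b)) for a, b in entries]

    def to6(self, addr):
        addr = IPv4Address(addr)
        hits = [e for e in self.entries if addr in e.v4]
        if not hits:
            return None                      # no mapping: the translator drops it
        e = max(hits, key=lambda m: m.v4.prefixlen)
        suffix_bits = 32 - e.v4.prefixlen
        suffix = int(addr) & ((1 << suffix_bits) - 1)
        # The IPv4 host bits go right after the IPv6 prefix; the rest stays zero.
        shift = 128 - e.v6.prefixlen - suffix_bits
        return IPv6Address(int(e.v6.network_address) | (suffix << shift))

    def to4(self, addr):
        addr = IPv6Address(addr)
        hits = [e for e in self.entries if addr in e.v6]
        if not hits:
            return None
        e = max(hits, key=lambda m: m.v6.prefixlen)
        suffix_bits = 32 - e.v4.prefixlen
        shift = 128 - e.v6.prefixlen - suffix_bits
        suffix = (int(addr) >> shift) & ((1 << suffix_bits) - 1)
        return IPv4Address(int(e.v4.network_address) | suffix)


SERVICE6 = "2001:db8:f00d::1/128"   # assumed IPv6 identity of the 10.1.1.1 service

# Customer-side translators: map the customer's real hosts to a per-customer
# IPv6 prefix (so overlapping RFC 1918 space stays distinguishable), and map
# the customer's alias for the service to SERVICE6 (the former DNAT step).
A1 = Eamt([("10.10.10.0/24", "2001:db8:a::/120"), ("10.10.11.1/32", SERVICE6)])
B1 = Eamt([("10.10.10.0/24", "2001:db8:b::/120"), ("10.20.5.1/32", SERVICE6)])

# Shared-service translator: map each per-customer IPv6 prefix to that
# customer's NAT pool (the former SNAT step), and SERVICE6 to the real service.
S1 = Eamt([("10.10.20.0/24", "2001:db8:a::/120"),
           ("10.20.20.0/24", "2001:db8:b::/120"),   # assumed pool for customer B
           ("10.1.1.1/32", SERVICE6)])


def request(customer, src4, dst4):
    """IPv4 packet from a customer host, through its translator, then S1.
    Returns (src, dst) as seen by the IPv4 service host, or None if either
    translator has no mapping for one of the addresses."""
    s6, d6 = customer.to6(src4), customer.to6(dst4)
    if s6 is None or d6 is None:
        return None
    s4, d4 = S1.to4(s6), S1.to4(d6)
    if s4 is None or d4 is None:
        return None
    return str(s4), str(d4)


def reply(customer, src4, dst4):
    """The service's reply, through S1 and back through the customer translator."""
    s6, d6 = S1.to6(src4), S1.to6(dst4)
    if s6 is None or d6 is None:
        return None
    s4, d4 = customer.to4(s6), customer.to4(d6)
    if s4 is None or d4 is None:
        return None
    return str(s4), str(d4)


if __name__ == "__main__":
    print("A ->", request(A1, "10.10.10.1", "10.10.11.1"))   # ('10.10.20.1', '10.1.1.1')
    print("B ->", request(B1, "10.10.10.1", "10.20.5.1"))    # ('10.20.20.1', '10.1.1.1')
    print("A <-", reply(A1, "10.1.1.1", "10.10.20.1"))        # ('10.10.11.1', '10.10.10.1')
```

The caveat a practitioner should keep in mind: this replaces the nat table only because every rewrite here is one-to-one and stateless (a /24 of customer hosts onto a /24 NAT pool, one alias onto one service). If the intent of step 5 was port-overloaded masquerading of many customer hosts behind a single address, that needs stateful NAT and cannot be expressed as EAMT entries; the model returns None for any address that has no mapping, which is also what a customer host hitting the real 10.1.1.1 instead of its alias would see.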