[Jool-list] Question about 'more' netfilter/iptables stuff

Andreas Schulz (Fujitsu) andreas.schulz at fujitsu.com
Fri May 3 06:29:02 CST 2024


Hi Sander,

thanks for your answer - quite an interesting idea :-). Just two questions:

1. I forgot to mention that the direction S1 -> A1 or B1 is also required. Means that a service in shared environment has to access a client in customer-a-network (there will be defined ipv4 nat-network for every customer).
2. I tried some configurations but it seems that I have not enough knowledge/understanding of how to configure your proposal. May I ask you to show me the jool commands for A1 and S1? Network A can have 10.10.20.X as source network in S1.

Thanks a lot and have a nice weekend!

regards,
Andreas

-----Original Message-----
From: Sander Steffann <sander at steffann.nl> 
Sent: Wednesday, May 1, 2024 12:29 PM
To: Schulz, Andreas <andreas.schulz at fujitsu.com>
Cc: jool-list at nic.mx
Subject: Re: [Jool-list] Question about 'more' netfilter/iptables stuff

Hi!

If I understand your use case correctly then I think you can do this with stateful NAT64 on S1, and stateless SIIT on A1 and B1.

Let’s start with S1. It can represent any IPv4 address on the right side of your diagram with an IPv6 address. Let’s say that your NAT64 prefix is 2001:db8:0:64::/96. That would make the address of 10.1.1.1: 2001:db8:0:64::0a01:0101.

On A1 and B1 you make a mapping so that packets sent to the destination address that was chosen on that side. So customer A would map 10.10.11.1 to 2001:db8:0:64::0a01:0101 and customer B would map 10.20.5.1 to 2001:db8:0:64::0a01:0101. That will take care of handling the destination addresses for customers sending traffic to the shared service:

Customer A: 10.10.11.1 -> 2001:db8:0:64::0a01:0101 -> 10.1.1.1
Customer B: 10.20.5.1 -> 2001:db8:0:64::0a01:0101 -> 10.1.1.1

Now for the source addresses of these packets. Customer A and B need different IPv6 prefixes for their sites. Let’s say that customer A has 2001:db8:a:64::/96 designated as their source addresses, and customer B has 2001:db8:b:64::/96.

The full flow would then look like:

Customer A:
- Packet src 10.10.10.1 to dst 10.10.11.1
Becomes at A1 (stateless SIIT):
- Packet src 2001:db8:a:64::0a0a:0a01 (using SIIT prefix mapping) to dst 2001:db8:0:64::0a01:0101 (using SIIT-DC mapping)
Becomes at S1 (stateful NAT64)
- Packet src x.x.x.x (whatever S1’s IPv4 address is) to dst 10.1.1.1 (using NAT64 mapping)

And the reply will be:
- Packet src 10.1.1.1 to dst x.x.x.x
Becomes at S1 (stateful NAT64)
- Packet src 2001:db8:0:64::0a01:0101 (using NAT64 mapping) to dst 2001:db8:a:64::0a0a:0a01 (using NAT64 state)
Becomes at A1 (stateless SIIT)
- Packet src 10.10.11.1 (using SIIT-DC mapping) to dst 10.10.10.1 (using SIIT prefix mapping)

And similar for customer B.

Cheers,
Sander


> On 29 Apr 2024, at 10:30, Andreas Schulz (Fujitsu) via Jool-list <jool-list at nic.mx> wrote:
> 
> Hi folks,
> 
> I have a 'problem', maybe someone can help me with this issue. This is a network overview:
> 
> Customer A
>                           NAT/Joolserver A1
>                       +---------------------+
>                       |                     |
>                       |     SIIT EAMT       |
> A IPv4Host +----------->                     +
>                       |  Translate IPv4/IPv6|\                     Shared Service for all customers
>  10.10.10.1           |  do some add. NAT   | \                           NAT/Joolserver S1
>                       |                     |  \                      +----------------------+
>                       +---------------------+   \                     |                      |
>                                                  \    IPv6 network    |    SIIT EAMT         |
> -----------------------------------------------    +--------------->--->                      +-----------> B IPv4Host
>                                                   +------------------->  Translate IPv4/IPv6 |
> Customer B                                        /                    |  do some add NAT     |             10.1.1.1
>                           NAT/Joolserver B1     /                     |                      |
>                       +---------------------+  /                      +----------------------+
>                       |                     | /
>                       |     SIIT EAMT       |/
> A IPv4Host +----------->                     +
>                       |  Translate IPv4/IPv6|
>  10.10.10.1           |  do some add. NAT   |
>                       |                     |
>                       +---------------------+
> 
> - several customers - maybe with the same rfc1918 networks
> - all customers try to access a service in the shared service network with ip address 10.1.1.1
> - every customer defines a network that we can use for nat the 10.1.1.1 service eg. customer a is using 10.10.11.1 for 10.1.1.1,
>  customer b is using 10.20.5.1 for 10.1.1.1
> - every customer gets a nat network for their source address in the shared service network eg. customer a is natted behind 10.10.20.X
> 
> We try to achieve the following:
> 1 customer a starts to access 10.10.11.1 (original 10.1.1.1)
> 2 Joolserver A1 is doing DNAT from 10.10.11.1 to 10.1.1.1
> 3 Joolserver A1 is doing translation IPv4/IPv6 (this already works right now)
> 4 Joolserver S1 is doing translation 'back' IPv6/IPv4
> 5 Joolserver A1 is doing SNAT from 10.10.10.1 to 10.10.20.1
> 
> 3 & 4 are working fine - I used the thread https://mail-lists.nic.mx/pipermail/jool-list/2022-April/000473.html - without any NAT
> 
> Because Jool is using the table mangle I wasn't able to implement some more NAT rules because the packets never reached the nat table.
> I would assume this is because the mangle rules already matched. But I have no idea how I have to configure it so that I can apply additional NAT rules.
> 
> I know that jool is doing the job for what it was designed to do. But maybe someone has a hint how this can be solved on Joolserver A1 and S1?
> 
> Kind regards
> Andreas Schulz
> 
> P.S. thanks for your work on Jool!
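Added example, not code from the thread or from Jool itself: a small Python model of the two-hop translation Sander describes above (stateless SIIT with an EAMT on A1, stateful NAT64 on S1), using the addresses from the mail. S1's IPv4 address ("x.x.x.x" in the mail) is a constructed placeholder, 192.0.2.1, and the NAT64 session table is simplified to addresses only, without ports or transport protocol.

```python
import ipaddress

# Addresses from the thread; S1_POOL4 is a constructed placeholder for "x.x.x.x".
A1_POOL6 = ipaddress.IPv6Network("2001:db8:a:64::/96")   # customer A's SIIT prefix
S1_POOL6 = ipaddress.IPv6Network("2001:db8:0:64::/96")   # NAT64 prefix on S1
S1_POOL4 = "192.0.2.1"                                   # placeholder for S1's IPv4 address
# A1's EAMT: the address customer A uses for the shared service <-> its NAT64 form
A1_EAMT = {"10.10.11.1": "2001:db8:0:64::0a01:0101"}


def embed(pool6, v4):
    """Prefix mapping: put the IPv4 address in the low 32 bits of the /96."""
    return ipaddress.IPv6Address(int(pool6.network_address) | int(ipaddress.IPv4Address(v4)))


def extract(pool6, v6):
    """Reverse of embed(); refuses addresses that are not inside pool6."""
    v6 = ipaddress.IPv6Address(v6)
    assert v6 in pool6, f"{v6} is not inside {pool6}"
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def a1_to_v6(src4, dst4):
    """A1, customer side -> IPv6: the EAMT wins for the destination, prefix mapping otherwise."""
    dst6 = A1_EAMT.get(dst4)
    dst6 = ipaddress.IPv6Address(dst6) if dst6 else embed(A1_POOL6, dst4)
    return embed(A1_POOL6, src4), dst6


def a1_to_v4(src6, dst6):
    """A1, IPv6 side -> customer: reverse EAMT lookup for the source, prefix mapping otherwise."""
    reverse_eamt = {ipaddress.IPv6Address(v): k for k, v in A1_EAMT.items()}
    src4 = reverse_eamt.get(ipaddress.IPv6Address(src6)) or extract(A1_POOL6, src6)
    return ipaddress.IPv4Address(src4), extract(A1_POOL6, dst6)


def s1_to_v4(src6, dst6, sessions):
    """S1 stateful NAT64: masquerade as S1_POOL4 and remember the IPv6 source (address-only model)."""
    dst4 = extract(S1_POOL6, dst6)
    sessions[(S1_POOL4, str(dst4))] = ipaddress.IPv6Address(src6)
    return ipaddress.IPv4Address(S1_POOL4), dst4


def s1_to_v6(src4, dst4, sessions):
    """S1 reply path: embed the service address, restore the original IPv6 client from state."""
    return embed(S1_POOL6, src4), sessions[(dst4, src4)]


def round_trip(client4="10.10.10.1", service_alias="10.10.11.1"):
    """Walk one request and its reply; returns the addresses seen at each hop."""
    sessions = {}
    s6, d6 = a1_to_v6(client4, service_alias)               # leaving A1
    s4, d4 = s1_to_v4(s6, d6, sessions)                     # what the shared service sees
    rs6, rd6 = s1_to_v6(str(d4), str(s4), sessions)         # reply entering the IPv6 network
    rs4, rd4 = a1_to_v4(rs6, rd6)                           # what customer A's host sees
    return {"v6": (s6, d6), "service_sees": (s4, d4), "reply_v6": (rs6, rd6), "client_sees": (rs4, rd4)}
```

Running round_trip() reproduces the address sequence in Sander's "full flow" list; a1_to_v6() with a destination that is not in the EAMT shows the fallback to plain prefix mapping.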