[Jool-list] Question about 'more' netfilter/iptables stuff

Alberto Leiva ydahhrk at gmail.com
Mon May 6 17:22:33 CST 2024


Sorry for taking so long.

> 1. I forgot to mention that the direction S1 -> A1 or B1 is also required. This means that a service in the shared environment has to access a client in customer-a-network (there will be a defined IPv4 NAT network for every customer).

Can you assign a different port for each customer? Would B understand
that? If so, port forwarding: https://nicmx.github.io/Jool/en/bib.html

> - every customer defines a network that we can use for nat the 10.1.1.1 service eg. customer a is using 10.10.11.1 for 10.1.1.1, customer b is using 10.20.5.1 for 10.1.1.1

Then what do you need the NATs for?

A1's EAMT should be (please read in monospace)

    10.10.10.1 | 2001:db8:AAAA::1    # A (Customer A)
    10.1.1.1   | 2001:db8:BBBB::1    # B
    10.20.5.1  | 2001:db8:AAAA::2    # A (Customer B) (Optional)

B1's EAMT should be

    10.10.10.1 | 2001:db8:AAAA::2    # A (Customer B)
    10.1.1.1   | 2001:db8:BBBB::1    # B
    10.10.11.1 | 2001:db8:AAAA::1    # A (Customer A) (Optional)

S1's EAMT should be

    10.10.11.1 | 2001:db8:AAAA::1    # A (Customer A)
    10.20.5.1  | 2001:db8:AAAA::2    # A (Customer B)
    10.1.1.1   | 2001:db8:BBBB::1    # B

Sample packet flow:

- Customer A writes 10.10.10.1 (A.A) -> 10.1.1.1 (B)
- A1 translates that into 2001:db8:AAAA::1 -> 2001:db8:BBBB::1
- S1 translates that into 10.10.11.1 -> 10.1.1.1

Response packet flow:

- B writes 10.1.1.1 (B) -> 10.10.11.1 (A.A)
- S1 translates that into 2001:db8:BBBB::1 -> 2001:db8:AAAA::1
- A1 translates that into 10.1.1.1 -> 10.10.10.1

Sample packet flow with optional EAMs included:

- Customer A writes 10.10.10.1 (A.A) -> 10.20.5.1 (B.A)
- A1 translates that into 2001:db8:AAAA::1 -> 2001:db8:AAAA::2
- B1 translates that into 10.10.11.1 -> 10.10.10.1

> Because Jool is using the mangle table I wasn't able to implement some more NAT rules, because the packets never reached the nat table.
> I would assume this is because the mangle rules already matched. But I have no idea how I have to configure it so that I can apply additional NAT rules.

Jool and NAT don't work well together in the same namespace. You can
place them in different namespaces:
https://nicmx.github.io/Jool/en/intro-jool.html#design

On Fri, May 3, 2024 at 6:50 AM Sander Steffann via Jool-list
<jool-list at nic.mx> wrote:
>
> Hi,
>
> > thanks for your answer - quite an interesting idea :-). Just two questions:
> >
> > 1. I forgot to mention that the direction S1 -> A1 or B1 is also required. This means that a service in the shared environment has to access a client in customer-a-network (there will be a defined IPv4 NAT network for every customer).
>
> Yeah, that won’t work in this setup.
>
> > 2. I tried some configurations but it seems that I have not enough knowledge/understanding how to configure your proposal. May I ask you to show me the jool-commands for a1 and s1? network A can have 10.10.20.X as source network in S1
>
> I need some time to come up with a solution for requirement 1. If I forget, feel free to poke me next week :)
>
> Cheers!
> Sander
>
> _______________________________________________
> Jool-list mailing list
> Jool-list at nic.mx
> https://mail-lists.nic.mx/listas/listinfo/jool-list
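The three EAMTs and the packet flows in the reply above can be checked offline with the following script. It is an added example, not Jool's code and not part of the mailing-list post: it reimplements the Explicit Address Mapping algorithm of RFC 7757 (the stateless mapping Jool's SIIT mode applies per EAMT entry) in plain Python, models A1, S1 and B1 as three independent tables, and pushes each sample flow through its two translators. Node names, EAMT entries and addresses are the ones from the e-mail; the prefix-length handling (`run_flow`, `EAMT`) is an assumption that generalizes the /32 <-> /128 entries there to whole prefix pairs, so it also shows what a /24 <-> /120 entry would do.

```python
"""Offline simulation of the EAMT-based SIIT translation from the thread.

Added example (not Jool's code): implements RFC 7757 Explicit Address
Mapping in pure Python so the A1/S1/B1 flows can be verified without
loading the jool_siit module.
"""
import ipaddress


class EAMT:
    """Explicit Address Mapping Table: ordered (IPv4 prefix, IPv6 prefix) pairs."""

    def __init__(self, entries):
        self.entries = []
        for v4, v6 in entries:
            net4 = ipaddress.ip_network(v4, strict=False)
            net6 = ipaddress.ip_network(v6, strict=False)
            # RFC 7757: the IPv4 suffix must fit after the IPv6 prefix.
            if net6.prefixlen + (32 - net4.prefixlen) > 128:
                raise ValueError(f"suffix of {v4} does not fit after {v6}")
            self.entries.append((net4, net6))

    def _lookup(self, addr, side):
        """Longest-prefix match on one side (0 = IPv4 column, 1 = IPv6 column)."""
        best = None
        for entry in self.entries:
            net = entry[side]
            if addr in net and (best is None or net.prefixlen > best[side].prefixlen):
                best = entry
        if best is None:
            # Jool reports this as an untranslatable address and drops the packet.
            raise LookupError(f"no EAM entry for {addr}")
        return best

    def to_ipv6(self, v4):
        v4 = ipaddress.IPv4Address(v4)
        net4, net6 = self._lookup(v4, 0)
        suffix_bits = 32 - net4.prefixlen            # host bits beyond the IPv4 prefix
        suffix = int(v4) & ((1 << suffix_bits) - 1)
        shift = 128 - net6.prefixlen - suffix_bits   # copy them right after the IPv6 prefix
        return ipaddress.IPv6Address(int(net6.network_address) | (suffix << shift))

    def to_ipv4(self, v6):
        v6 = ipaddress.IPv6Address(v6)
        net4, net6 = self._lookup(v6, 1)
        suffix_bits = 32 - net4.prefixlen
        shift = 128 - net6.prefixlen - suffix_bits
        suffix = (int(v6) >> shift) & ((1 << suffix_bits) - 1)
        return ipaddress.IPv4Address(int(net4.network_address) | suffix)


def translate(eamt, src, dst):
    """Translate one packet's (src, dst) pair through a single SIIT node, either direction."""
    if ipaddress.ip_address(src).version == 4:
        return str(eamt.to_ipv6(src)), str(eamt.to_ipv6(dst))
    return str(eamt.to_ipv4(src)), str(eamt.to_ipv4(dst))


def run_flow(hops, src, dst):
    """Push a packet through a chain of translators; returns the (src, dst) after each hop."""
    trace = []
    for eamt in hops:
        src, dst = translate(eamt, src, dst)
        trace.append((src, dst))
    return trace


# The three tables exactly as listed in the reply (addresses from the e-mail).
A1 = EAMT([("10.10.10.1/32", "2001:db8:aaaa::1/128"),   # A (Customer A)
           ("10.1.1.1/32",   "2001:db8:bbbb::1/128"),   # B
           ("10.20.5.1/32",  "2001:db8:aaaa::2/128")])  # A (Customer B) (optional)
B1 = EAMT([("10.10.10.1/32", "2001:db8:aaaa::2/128"),   # A (Customer B)
           ("10.1.1.1/32",   "2001:db8:bbbb::1/128"),   # B
           ("10.10.11.1/32", "2001:db8:aaaa::1/128")])  # A (Customer A) (optional)
S1 = EAMT([("10.10.11.1/32", "2001:db8:aaaa::1/128"),   # A (Customer A)
           ("10.20.5.1/32",  "2001:db8:aaaa::2/128"),   # A (Customer B)
           ("10.1.1.1/32",   "2001:db8:bbbb::1/128")])  # B

if __name__ == "__main__":
    for label, hops, src, dst in [
        ("Customer A -> B",          [A1, S1], "10.10.10.1", "10.1.1.1"),
        ("B -> Customer A (reply)",  [S1, A1], "10.1.1.1",   "10.10.11.1"),
        ("Customer A -> Customer B", [A1, B1], "10.10.10.1", "10.20.5.1"),
    ]:
        print(label)
        for hop_src, hop_dst in run_flow(hops, src, dst):
            print(f"    {hop_src} -> {hop_dst}")
```

Because every hop is a pure function of its own table, the reverse direction (S1 initiating towards a customer host) needs no state: the second flow above is exactly the "response packet flow" from the reply, and it works just as well when S1 sends the first packet. An address with no matching entry raises `LookupError`, which is the simulation's stand-in for Jool dropping an untranslatable packet.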

