NAT64 with tayga in netns
inspired by https://openwrt.org/docs/guide-user/network/ipv6/nat64
# Host side of the NAT64 setup: a veth pair whose far end (${IFACE}_) is moved
# into the "jool" network namespace where tayga runs. With the "manual" method
# ifupdown only runs the pre-up/post-up/pre-down/post-down hooks below.
iface jool inet manual
# NOTE(review): under the manual method these address/netmask lines are
# presumably not applied by ifupdown, and no hook below adds them either -
# confirm the host end really carries 10.64.64.1/24 and fe80::6464, because the
# routes configured inside the namespace further down point at exactly those.
address 10.64.64.1
address fe80::6464
netmask 255.255.255.0
# "||:" keeps the hooks idempotent: re-running ifup must not fail just because
# the veth pair or the namespace already exists.
pre-up ip link add $IFACE type veth peer ${IFACE}_ ||:
pre-up ip netns add jool ||:
pre-up ip link set dev ${IFACE}_ netns jool
# Namespace end of the veth: addresses matching the host side plus a default
# route back to the host for IPv4.
post-up ip netns exec jool /sbin/ip link set ${IFACE}_ up
post-up ip netns exec jool /sbin/ip addr add dev ${IFACE}_ 10.64.64.2/24
post-up ip netns exec jool /sbin/ip addr add dev ${IFACE}_ fe80::64
post-up ip netns exec jool /sbin/ip route add default via 10.64.64.1
# Return path for the translated IPv6 replies: all global unicast (2000::/3)
# goes back to the host via its link-local address. Use fc00::/7 instead if the
# IPv6 clients live in ULA space.
post-up ip netns exec jool /sbin/ip route add 2000::/3 via fe80::6464 dev ${IFACE}_
# Forwarding inside the namespace between the veth and the tayga tun device
# (the tun device itself is created in the activation steps).
post-up ip netns exec jool /sbin/sysctl -w net.ipv4.conf.all.forwarding=1
post-up ip netns exec jool /sbin/sysctl -w net.ipv6.conf.all.forwarding=1
# Host route for the well-known NAT64 prefix, pointing into the namespace.
post-up ip route add 64:ff9b::/96 via fe80::64 dev $IFACE ||:
# Host-side IPv4 forwarding for the veth (eth0 is enabled in the activation
# steps). NOTE(review): host IPv6 forwarding is not enabled anywhere in this
# stanza; it is needed if machines other than this host are meant to reach
# 64:ff9b::/96 through it - confirm.
post-up sysctl -w net.ipv4.conf.$IFACE.forwarding=1
# Accept all forwarded traffic to and from the namespace. Nothing here limits
# which IPv6 clients may use the translator; add -s/-d constraints if the host
# is reachable from networks that should not get NAT64 service.
post-up iptables -A FORWARD -o $IFACE -j ACCEPT
post-up iptables -A FORWARD -i $IFACE -j ACCEPT
# Remove those rules again on shutdown; tolerate a rule that is already gone.
pre-down iptables -D FORWARD -o $IFACE -j ACCEPT ||:
pre-down iptables -D FORWARD -i $IFACE -j ACCEPT ||:
# Deleting the host end removes the veth pair (its peer in the namespace goes
# with it); the "jool" namespace itself is left in place.
post-down ip link del $IFACE ||:
And the tayga activation steps:
# Bring tayga up inside the "jool" namespace. Needs root; the veth pair and the
# namespace are created by "ifup jool" (see the interface stanza above).
ns() {
  ip netns exec jool "$@"
}

modprobe tun
ifup jool
# NOTE(review): presumably tayga's data-dir (set in tayga.conf, which is not
# shown here) lives under /var/db - confirm.
mkdir -p /var/db

# Create the persistent tun device, give it the translator-side IPv4/IPv6
# addresses, then route the NAT64 prefix and the translator's IPv4 range at it.
ns tayga --mktun
ns ip link set nat64 up
ns ip addr add 192.168.255.1 dev nat64
ns ip addr add fd64::2 dev nat64
ns ip route add 64:ff9b::/96 dev nat64
ns ip route add 192.168.255.0/24 dev nat64

# Unlike jool this is a double NAT: the host has no route for 192.168.255.0/24,
# so the namespace masquerades translated packets to its veth address before
# they leave towards the host ...
ns iptables -t nat -A POSTROUTING -o jool_ -j MASQUERADE
# ... and the host masquerades once more when they leave via eth0.
sysctl -w net.ipv4.conf.eth0.forwarding=1
# NOTE(review): this masquerades every packet leaving eth0, not only the NAT64
# traffic; restrict it with -s 10.64.64.0/24 if the host forwards anything else.
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# -i eth0 / -o eth0 on the rules above is optional.
# The FORWARD ACCEPT rules are already installed by the post-up hooks of the
# interface stanza; kept here commented out for reference only.
#iptables -A FORWARD -o jool -j ACCEPT
#iptables -A FORWARD -i jool -j ACCEPT

# Start the translator; -d enables debug output.
ns tayga
Then you can ping 64:ff9b::1.1.1.1 from outside the netns.
Basic ip(6)tables rules to avoid locking yourself out of SSH:
# Reset the filter table of both iptables and ip6tables to an open state
# (flush every built-in chain, policy ACCEPT) and pre-seed the rules that keep
# an SSH session alive. With policy ACCEPT these rules change nothing yet; they
# only start to matter once a DROP policy is applied later.
#
# Note: -F without -t acts on the filter table, so the FORWARD ACCEPT rules from
# the interface stanza are flushed here while the nat POSTROUTING MASQUERADE
# rules stay in place.
for fw in iptables ip6tables; do
  for chain in INPUT FORWARD OUTPUT; do
    "$fw" -F "$chain"
    "$fw" -P "$chain" ACCEPT
  done
  # "|| :" keeps going if a rule cannot be added (e.g. the state match module
  # is unavailable). -m state is the legacy spelling of -m conntrack --ctstate.
  "$fw" -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT || :
  "$fw" -A OUTPUT -p tcp -m state --state ESTABLISHED -j ACCEPT || :
  "$fw" -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT || :
done