Linux – SNAT in IP6Tables

iptablesipv6linux

Netfilter says they have support for SNAT and DNAT for ipv6. I look under the man pages of ip6tables and see that there is SNAT and DNAT listed. So my question is how do you make rules for them? I tried using the same structure of the rules for iptables, but ip6tables does not have a nat table and SNAT/DNAT are virtual states. So I don't know what modifications to make from an example like:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT –to 1.2.3.4

to be applicable to ip6tables. Thanks for the help!

Best Answer

EDIT**: You need a 3.7+ kernel as that's when they released the NAT table for ipv6. Then you use iptables 1.4.17 and you can use the simple command of:

ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

ORIGINAL**:

Under the netfilter website you can find:

all kinds of network address and port translation, e.g. NAT/NAPT (IPv4 and IPv6)

From the ipv6 man page (http://linux.die.net/man/8/ip6tables)

SNAT
A virtual state, matching if the original source address differs from the reply destination.
DNAT
A virtual state, matching if the original destination differs from the reply source.

So it appears to be possible. But I have not found examples of its usage.

Related Solutions

Iptables and SNAT

Remove the three rules you have above and try adding this:

$IPTABLES -t NAT -A POSTROUTING -s 192.x.y.a -j SNAT 192.x.y.b
$IPTABLES -A FORWARD -s 192.x.y.a -J ACCEPT

And enter the following command:

echo 1 > /proc/sys/net/ipv4/ip_forward

You should also have a rule similar to the following in your firewall:

$IPTABLES -t FILTER -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

That will take care of all established/related connections, instead of making a rule for each one.

IPTables: NAT multiple IPs to one public IP

You can't do 1-to-1 NAT with only 1 outside IP address when you're working with 2 internal hosts. The reason is because the firewall will never have a true destination for outside source connections, unless one of the internal hosts is down. In this case, you would require 2 iptables rules to provide round-robin functionality:

$ipt -t nat -A PREROUTING -s $srcip -d $wanip -j DNAT --to 192.168.1.2
$ipt -t nat -A PREROUTING -s $srcip -d $wanip -j DNAT --to 192.168.1.3

Also, your "DNAT: Multiple --to-destination not supported" error comes from the capability of specifying more than 1 DNAT destination being removed from the version you're running (v1.4.14). This functionality was removed in favor of the round-robin functionality.

If you want to allow multiple hosts a connection to the internet, you must use the POSTROUTING chain of the NAT table as follows:

$ipt -t nat -A POSTROUTING -o $wanif -s $lan_network -j MASQUERADE

MASQUERADE is used with dynamic IP configurations. For static IP, use SNAT in place of MASQUERADE:

$ipt -t nat -A POSTROUTING -o $wanif -s $lan_network -j SNAT --to $wanip

This will not, however, make the open ports on your internal hosts available to the outside world. DNAT is used for outside->inside and SNAT is used for inside->outside for basic scenarios like yours.

Best Answer

Related Solutions

Iptables and SNAT

IPTables: NAT multiple IPs to one public IP

Related Topic