llccd / netfilter-full-cone-nat Goto Github PK

View Code? Open in Web Editor NEW

This project forked from chion82/netfilter-full-cone-nat

67.0 5.0 19.0 91 KB

A kernel module to turn MASQUERADE into full cone SNAT

License: GNU General Public License v2.0

C 97.92% Makefile 1.12% Terra 0.46% Shell 0.50%

netfilter-full-cone-nat's Introduction

Implementation of RFC3489-compatible full cone SNAT.

Assuming eth0 is external interface:

iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT #same as MASQUERADE  
iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT  #automatically restore NAT for inbound packets

Currently only UDP traffic is supported for full-cone NAT. For other protos FULLCONENAT is equivalent to MASQUERADE.

Build

Prerequisites:

kernel source
iptables source ( git://git.netfilter.org/iptables.git )

Confirm the kernel configuration option CONFIG_NF_CONNTRACK_EVENTS is enabled. If this option is disabled on your system, enable it and rebuild your netfilter modules.

Kernel Module

$ make
# insmod xt_FULLCONENAT.ko

Iptables Extension

Copy libipt_FULLCONENAT.c to iptables-source/extensions.
Under the iptables source directory, ./configure(use --prefix to replace your current iptables by looking at which iptables), make and make install

OpenWRT

Package for openwrt is available at https://github.com/LGA1150/openwrt-fullconenat

Usage

Assuming eth0 is external interface:

Basic Usage:

iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT
iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT

Random port range:

iptables -t nat -A POSTROUTING -o eth0 ! -p udp -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p udp -j FULLCONENAT --to-ports 40000-60000 --random-fully

iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dports 40000:60000 -j FULLCONENAT

Hairpin NAT (Assuming eth1 is LAN interface and IP range for LAN is 192.168.100.0/24):

iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.100.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT
iptables -t nat -A PREROUTING -i eth1 -j FULLCONENAT

kernel Patch (Optional.)

Copy xt_FULLCONENAT.c to kernel-source/net/netfilter/xt_FULLCONENAT.c
Append following line to kernel-source/net/netfilter/Makefile:

obj-$(CONFIG_NETFILTER_XT_TARGET_FULLCONENAT) += xt_FULLCONENAT.o

Insert following section into kernel-source/net/ipv4/netfilter/Kconfig right after config IP_NF_TARGET_NETMAP section:

config IP_NF_TARGET_FULLCONENAT
  tristate "FULLCONENAT target support"
  depends on NETFILTER_ADVANCED
  select NETFILTER_XT_TARGET_FULLCONENAT
  ---help---
  This is a backwards-compat option for the user's convenience
  (e.g. when running oldconfig). It selects
  CONFIG_NETFILTER_XT_TARGET_FULLCONENAT.

Insert following section into kernel-source/net/netfilter/Kconfig right after config NETFILTER_XT_TARGET_NETMAP section:

config NETFILTER_XT_TARGET_FULLCONENAT
  tristate '"FULLCONENAT" target support'
  depends on NF_NAT
  ---help---
  Full Cone NAT

  To compile it as a module, choose M here. If unsure, say N.

Run make menuconfig and select: Networking support -> Network options -> Network packet filtering framework (Netfilter) -> IP: Netfilter Configuration -> <M> FULLCONENAT target support

License

netfilter-full-cone-nat's People

Contributors

Stargazers

Watchers

Forkers

lllrrr windendless pexcn-todo txyiezero hxhgts coolsnowwolf pexcn-archived chrisliu0343 evsio0n zfdx123 yujincheng08 debiansid raven-au zxlhhyccc edward-p 8neznhg7u73i lilu0826 3rd-mirror e3hub

netfilter-full-cone-nat's Issues

请问是否可以支持nftables

您好亲爱的开发者，我最近在看fullcone的时候看到了您的这个库，效果很好搭配iptables，请问该模块是否可以与nftables一起使用，或者我们应该修改哪些东西使他们可以兼容一起使用，谢谢，希望得到您的回复

Consider adding a MODULE_VERSION()?

If no version is set, dkms will have problem removing modules.
Although dkms has fixed this issue (dell/dkms#291), but I still recommend adding a MODULE_VERSION

Push the kernel module to offical repo

Seems that this module could push to openwrt/packages, so it could installed without build from souce, just using opkg.

fullconet在iptables更新到1.8.8版本后不再兼容了。。。。，烦请大佬修复！！

变现在编译报错，去掉iptable的060补丁后能编译通过，但刷入机器后不能启动，导致所有网络不通。。。。

$ sudo make
make -C /lib/modules/6.1.0-20-amd64/build M= modules
make[1]: Entering directory '/usr/src/linux-headers-6.1.0-20-amd64'
SYNC include/config/auto.conf.cmd
GEN Makefile
/usr/src/linux-headers-6.1.0-20-common/scripts/Makefile.build:44: /usr/src/linux-headers-6.1.0-20-common/scripts/basic/Makefile: No such file or directory
make[3]: *** No rule to make target '/usr/src/linux-headers-6.1.0-20-common/scripts/basic/Makefile'. Stop.
make[2]: *** [/usr/src/linux-headers-6.1.0-20-common/Makefile:650: scripts_basic] Error 2
/usr/src/linux-headers-6.1.0-20-common/Makefile:792: include/config/auto.conf.cmd: No such file or directory
make[1]: *** [/usr/src/linux-headers-6.1.0-20-common/Makefile:815: include/config/auto.conf.cmd] Error 2
make[1]: *** [include/config/auto.conf.cmd] Deleting file 'include/generated/rustc_cfg'
make[1]: *** [include/config/auto.conf.cmd] Deleting file 'include/generated/autoconf.h'
make[1]: Leaving directory '/usr/src/linux-headers-6.1.0-20-amd64'
make: *** [Makefile:13: all] Error 2

xt_FULLCONENAT.c:328:24: error: implicit declaration of function ‘prandom_u32’; did you mean ‘prandom_u32_max’? [-Werror=implicit-function-declaration]
  328 |     start = (uint16_t)(prandom_u32() % (u32)range_size);
      |                        ^~~~~~~~~~~
      |                        prandom_u32_max
cc1: some warnings being treated as errors