SNAT in IP6Tables
Solution 1:
**EDIT**: You need a 3.7+ kernel, as that's when they released the NAT table for IPv6. Then you use iptables 1.4.17 and you can use the simple command of:
- ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
**ORIGINAL**:
Under the netfilter website you can find:
- all kinds of network address and port translation, e.g. NAT/NAPT (IPv4 and IPv6)
From the IPv6 man page (http://linux.die.net/man/8/ip6tables):
- SNAT
  - A virtual state, matching if the original source address differs from the reply destination.
- DNAT
  - A virtual state, matching if the original destination differs from the reply source.
So it appears to be possible. But I have not found examples of its usage.
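The version requirements in the edit above can be checked before adding the rule. This is an added example, not part of the original answer: the function names `version_ge` and `nat6_supported` are hypothetical, and the sample inputs are constructed (the kernel string 3.10.7-1-ARCH is the one quoted in another answer on this page). Fields are compared numerically, since a plain string comparison would rank 3.10 below 3.7.

```shell
#!/bin/sh
# Added example: preflight check for the ip6tables nat table.
# Thresholds are the ones stated in the answer: kernel 3.7+, iptables 1.4.17+.

# version_ge A B: succeed if dotted version A >= B, comparing each field as a number.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')   # "3.10.7-1-ARCH" -> "3.10.7"
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}                      # leading field of each version
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac  # drop the field just compared
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0                                        # all fields equal
}

# nat6_supported KERNEL_RELEASE VERSION_LINE
# VERSION_LINE is the output of `ip6tables --version`, e.g. "ip6tables v1.4.17".
# Returns 0 if both thresholds are met, 1 if either is too old, 2 if unparsable.
nat6_supported() {
    ipt=$(printf '%s\n' "$2" | sed -n 's/^ip6tables v\([0-9.]*\).*/\1/p')
    [ -n "$ipt" ] || return 2
    version_ge "$1" 3.7 || return 1
    version_ge "$ipt" 1.4.17 || return 1
    return 0
}

# check_host: run the same check against the live system.
check_host() {
    nat6_supported "$(uname -r)" "$(ip6tables --version 2>/dev/null)"
}

# Constructed sample inputs, so the script runs without root or ip6tables installed.
for k in 3.6.11 3.10.7-1-ARCH; do
    if nat6_supported "$k" "ip6tables v1.4.17"; then
        echo "$k: meets the stated requirements for ip6tables -t nat"
    else
        echo "$k: too old for ip6tables -t nat"
    fi
done
```

Distribution kernels sometimes carry backported features, so a failed version check is a hint rather than proof; listing the table with `ip6tables -t nat -nvL` is the direct test.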
Solution 2:
I have a nat table:
    apoc ~ # ip6tables -t nat -nvL
    Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
And can write SNAT rules:
    apoc ~ # ip6tables -t nat -A POSTROUTING -o eth1 -j SNAT --to 2001:db8::1
    apoc ~ # ip6tables -t nat -nvL POSTROUTING
    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 SNAT       all      *      eth1    ::/0                 ::/0                 to:2001:db8::1
This is on ArchLinux with kernel 3.10.7-1-ARCH; it is a fairly recent addition to the netfilter code.
I must reiterate Michael Hampton though:
> Not to mention, if you're even thinking about NAT in the context of an IPv6 deployment, something is horribly wrong and you need to revisit your network design.
Solution 3:
There is no NAT with IPv6. One of the main points of IPv6 is to eliminate NAT. NAT was invented (primarily) as a way to stretch out the usable amount of IPv4 space. With IPv6, we're getting back to the original design of all end-points on the Internet being addressable from all other end-points.