Skip to content
A kernel module that turns MASQUERADE into full cone SNAT
C Makefile Perl 6
Branch: dkms
Clone or download
Pull request Compare This branch is 3 commits ahead, 3 commits behind Chion82:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
ipt
.gitignore
LICENSE
Makefile
README.md
dkms.conf
xt_fullconenat.c

README.md

Implementation of RFC3489-compatible full cone SNAT.

Assuming eth0 is external interface:

iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT #same as MASQUERADE  
iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT  #automatically restore NAT for inbound packets

Currently only UDP traffic is supported for full-cone NAT. For other protos FULLCONENAT is equivalent to MASQUERADE.

Build

Prerequisites:

  • kernel source
  • iptables source ( git://git.netfilter.org/iptables.git )

Confirm the kernel configuration option CONFIG_NF_CONNTRACK_EVENTS is enabled. If this option is disabled on your system, enable it and rebuild your netfilter modules.

Kernel Module

$ make
# insmod xt_FULLCONENAT.ko

Iptables Extension

  1. Copy libipt_FULLCONENAT.c to iptables-source/extensions.

  2. Under the iptables source directory, ./configure(use --prefix to replace your current iptables by looking at which iptables), make and make install

OpenWRT

Package for openwrt is available at https://github.com/LGA1150/openwrt-fullconenat

Usage

Assuming eth0 is external interface:

Basic Usage:

iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT
iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT

Random port range:

iptables -t nat -A POSTROUTING -o eth0 ! -p udp -j MASQUERADE
iptables -t nat -A POSTROUTING -o eth0 -p udp -j FULLCONENAT --to-ports 40000-60000 --random-fully

iptables -t nat -A PREROUTING -i eth0 -p udp -m multiport --dports 40000:60000 -j FULLCONENAT

Hairpin NAT (Assuming eth1 is LAN interface and IP range for LAN is 192.168.100.0/24):

iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.100.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT
iptables -t nat -A PREROUTING -i eth1 -j FULLCONENAT

kernel Patch (Optional.)

  1. Copy xt_FULLCONENAT.c to kernel-source/net/netfilter/xt_FULLCONENAT.c
  2. Append following line to kernel-source/net/netfilter/Makefile:
obj-$(CONFIG_NETFILTER_XT_TARGET_FULLCONENAT) += xt_FULLCONENAT.o
  1. Insert following section into kernel-source/net/ipv4/netfilter/Kconfig right after config IP_NF_TARGET_NETMAP section:
config IP_NF_TARGET_FULLCONENAT
  tristate "FULLCONENAT target support"
  depends on NETFILTER_ADVANCED
  select NETFILTER_XT_TARGET_FULLCONENAT
  ---help---
  This is a backwards-compat option for the user's convenience
  (e.g. when running oldconfig). It selects
  CONFIG_NETFILTER_XT_TARGET_FULLCONENAT.

  1. Insert following section into kernel-source/net/netfilter/Kconfig right after config NETFILTER_XT_TARGET_NETMAP section:
config NETFILTER_XT_TARGET_FULLCONENAT
  tristate '"FULLCONENAT" target support'
  depends on NF_NAT
  ---help---
  Full Cone NAT

  To compile it as a module, choose M here. If unsure, say N.

  1. Run make menuconfig and select: Networking support -> Network options -> Network packet filtering framework (Netfilter) -> IP: Netfilter Configuration -> <M> FULLCONENAT target support
You can’t perform that action at this time.