How about

ip6tables -t mangle -A PREROUTING --destination 64:ff9b::192.0.2.0/120 -j MARK --set-mark 1
ip6tables -t mangle -A PREROUTING --destination 64:ff9b::203.0.113.0/120 -j MARK --set-mark 2

On Tue, May 22, 2018 at 2:14 PM, Martin Weinelt <[email protected]> wrote:
> Hello Alberto,
>
> thanks for your answers so far.
>
> I've looked into the sockmark approach and that does not work, because
> what I need is an approach that works based on the IPv4 destination
> address, not the IPv6 source address.
>
> The netns approach looks a bit more involved, I still have to look into
> that.
>
>
> Best regards,
>
> Martin
>
>
>
> On 05/22/2018 02:29 AM, Alberto Leiva wrote:
>> Still haven't found the problem. It does seem to be the case that Jool
>> packets traverse through the postrouting mangle table, but not the nat
>> one. It's pretty odd.
>>
>> In any case, trying to replicate your problem I noticed that one of
>> Jool's features could simplify the solution, without using special
>> namespaces.
>>
>> Basically, you can tell Jool "mask these packets with these addresses,
>> mask these other packets with these other addresses." The masking
>> decision is based on the packet mark, which you can customize using
>> standard iptables rules:
>>
>> # During IPv6 prerouting, set mark 1 for packets that should be masked
>> # with the public address.
>> # (In this example, packets from the 2001:db8:1::/64 network should be
>> # masked with the public address, but you can use other ip6tables
>> # matches.)
>> ip6tables -t mangle -A PREROUTING --source 2001:db8:1::/64 -j MARK --set-mark 1
>>
>> # During IPv6 prerouting, set mark 2 for packets that should be masked
>> # with the private address.
>> ip6tables -t mangle -A PREROUTING --source 2001:db8:2::/64 -j MARK --set-mark 2
>>
>> # Tell Jool that packets marked 1 should be masked with your public
>> # address.
>> jool --pool4 --add 1.2.3.4 --mark 1
>>
>> # Tell Jool that packets marked 2 should be masked with your private
>> # address.
>> jool --pool4 --add 192.168.0.1 --mark 2
>>
>> See the pool4 documentation for more: https://jool.mx/en/pool4.html
>>
>> On Mon, May 21, 2018 at 11:31 AM, Alberto Leiva <[email protected]> wrote:
>>> Oh, I forgot: Here's how to enclose Jool in a network namespace:
>>>
>>> https://jool.mx/en/usr-flags-instance.html
>>> https://jool.mx/en/node-based-translation.html
>>>
>>> Both documentation pieces intend to do something slightly different
>>> from what you're doing, but should be easy to adapt.
>>>
>>> On Mon, May 21, 2018 at 11:29 AM, Alberto Leiva <[email protected]> wrote:
>>>>> IPv4 packets created by Jool do not seem to pass the
>>>>> nat postrouting chain in netfilter
>>>>
>>>> Hmm? This is odd. The kernel code says otherwise. Might be a bug; I'll
>>>> test it now.
>>>>
>>>> Anyway, this is how it's supposed to work:
>>>> https://jool.mx/en/intro-jool.html#design
>>>>
>>>> Check both diagrams. Assuming that Jool packets are really skipping
>>>> the postrouting chain, you could enclose it in a network namespace
>>>> (the red box) so you can use the outer namespace's (not red box)
>>>> postrouting chain. There is no way that one will be skipped if you do
>>>> that.
>>>>
>>>> On Sun, May 20, 2018 at 9:48 AM, Martin Weinelt
>>>> <[email protected]> wrote:
>>>>> Hi everyone,
>>>>>
>>>>> I'm currently building my first NAT64 setup and have stumbled upon a
>>>>> problem.
>>>>>
>>>>> When I use our public IPv4 address as pool4 I can access the internet
>>>>> just fine, except that I additionally need to be able to reach some
>>>>> private IPv4 addresses over site-to-site tunnels as well, where that
>>>>> source address doesn't work.
>>>>>
>>>>> This is why I thought of using a bunch of private IPv4 addresses to map
>>>>> the NAT64 against, so they'll work for the s2s tunnel and where I can
>>>>> additionally make use of NAT44 towards the internet.
>>>>>
>>>>> The issue is that IPv4 packets created by Jool do not seem to pass the
>>>>> nat postrouting chain in netfilter, where masquerading would happen.
>>>>> Instead I now have private IPv4 addresses being used as saddr towards the
>>>>> internet, which cannot work either.
>>>>>
>>>>> I'd appreciate some help!
>>>>>
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Martin

_______________________________________________
Jool-list mailing list
[email protected]
https://mail-lists.nic.mx/listas/listinfo/jool-list
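The destination-based marking proposed at the top of this message, worked through as an added example (not from the thread or from the Jool project): it derives the IPv6 range that embeds an IPv4 prefix under the well-known 64:ff9b::/96 NAT64 prefix (RFC 6052), which is where the /120 matches come from, mirrors the mangle PREROUTING decision for a given IPv6 destination, and emits the matching ip6tables and jool pool4 lines. The mapping table, pool4 addresses and marks are constructed sample values.

```python
import ipaddress
from typing import List, Optional, Tuple

# Well-known NAT64 prefix (RFC 6052). With a /96 translation prefix the IPv4
# destination is carried verbatim in the low 32 bits of the IPv6 destination.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed sample table: (IPv4 destination prefix, pool4 address, mark).
# Destinations behind the site-to-site tunnel get mark 2 and a private pool4
# address; the other range gets mark 1 and the (hypothetical) public address.
MAPPINGS: List[Tuple[str, str, int]] = [
    ("192.0.2.0/24", "198.51.100.1", 1),   # hypothetical public pool4 address
    ("203.0.113.0/24", "192.168.0.1", 2),  # hypothetical private pool4 address
]


def embed_ipv4_prefix(v4_prefix: str,
                      nat64: ipaddress.IPv6Network = NAT64_PREFIX) -> ipaddress.IPv6Network:
    """Return the IPv6 range NAT64 clients use to reach v4_prefix.

    A /N IPv4 prefix under a /96 translation prefix becomes a /(96+N) IPv6
    prefix, e.g. 192.0.2.0/24 -> 64:ff9b::c000:200/120 (64:ff9b::192.0.2.0/120).
    """
    if nat64.prefixlen != 96:
        raise ValueError("only /96 translation prefixes are handled here")
    net4 = ipaddress.IPv4Network(v4_prefix)
    v6_addr = ipaddress.IPv6Address(int(nat64.network_address) | int(net4.network_address))
    return ipaddress.IPv6Network((v6_addr, 96 + net4.prefixlen))


def mark_for_destination(dst6: str, mappings=MAPPINGS) -> Optional[int]:
    """Mirror the mangle PREROUTING rules: which mark does this destination get?"""
    addr = ipaddress.IPv6Address(dst6)
    for v4_prefix, _pool4, mark in mappings:
        if addr in embed_ipv4_prefix(v4_prefix):
            return mark
    return None  # no rule matched: the mark stays at its default of 0


def rules(mappings=MAPPINGS) -> List[str]:
    """Generate the ip6tables marking rules and the matching jool pool4 entries."""
    out = []
    for v4_prefix, pool4_addr, mark in mappings:
        v6_range = embed_ipv4_prefix(v4_prefix)
        out.append(f"ip6tables -t mangle -A PREROUTING --destination {v6_range} "
                   f"-j MARK --set-mark {mark}")
        out.append(f"jool --pool4 --add {pool4_addr} --mark {mark}")
    return out
```

Destinations outside every listed range keep mark 0, so make sure a pool4 entry exists for the mark-0 case (or list every range explicitly), and keep these rules from being overwritten by later MARK targets in the same chain.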