IPv4 to IPv6 static NAT-PT by Linux box running NAPTD

If a client in IPv4-only network, wants to access servers in IPv6-only network, a Linux box can be setup between 2 networks, working as a gateway. It runs NAPTD software, which does IPv4 to IPv6 NATing.
I am going to setup 3 virtual machines to simulate this setup.
The network topology is:

3 VMs are running RHEL/CentOS 7.2 Linux.

IPv4 node setup
Setup eth1 ipv4 address by editting ifcfg-eth1 file:

[root@ipv4 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
NM_CONTROLLED=no
TYPE=Ethernet
IPADDR=172.34.0.2
PREFIX="24"
BOOTPROTO=static
ONBOOT=yes
Start eth1:
ifdown eth1 && ifup eth1
IPv6 node setup
Setup eth1 ipv6 address by editting ifcfg-eth1 file:
[root@ipv6 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
NM_CONTROLLED=no
TYPE=Ethernet
BOOTPROTO=static
ONBOOT=yes
IPV6INIT=yes
IPV6ADDR=2001:a:b:c::2/64
Setup route to NAPTD virtual network by creating route6-eth1 file:

[root@ipv6 ~]# cat /etc/sysconfig/network-scripts/route6-eth1
2000:ffff::/64 via 2001:a:b:c::1
Start eth1:
ifdown eth1 && ifup eth1
Setup NAT-PT gateway node
Configure IPv4 and IPv6 interfaces
Setup eth1 ipv6 address:
[root@natpt ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
NM_CONTROLLED=no
TYPE=Ethernet
BOOTPROTO=static
ONBOOT=yes
IPV6INIT=yes
IPV6ADDR=2001:a:b:c::1/64
Setup eth2 ipv4 address:
[root@natpt ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth2
DEVICE=eth2
NM_CONTROLLED=no
TYPE=Ethernet
IPADDR=172.34.0.1
PREFIX="24"
BOOTPROTO=static
ONBOOT=yes
Start eth1 and eth2 ports:
ifdown eth1 && ifup eth1
ifdown eth2 && ifup eth2

Install and configure naptd

Download RPM package from  http://tomicki.net/naptd.download.php
Install naptd rpm package:
yum install naptd-0.4-1.i386.rpm
It also installs some dependencies from RHEL7 base OS repo, so make sure you have that repo configured.
Install iptables, it's needed by naptd:
yum install iptables
Run naptd-confmaker to generate naptd configuration file, it'a interactive tool to ask you several questions about how you want to use naptd:
[root@natpt ~]# naptd-confmaker
Ataga IPv4/IPv6 NAPT Configuration Maker
(c) 2005 by Lukasz Tomicki <[email protected]>

Do you want to create a new configuration? [Y/n]

Do you want IPv4 addresses from the outside interfaces to be automatically used as part of the NAT pool? [Y/n]

Do you want to configure additional address as part of your NAT pool? [y/N]
n
Do you want to create a pool of public IPv4 addresses that will allow incoming connections to be dynamically mapped to appropriate IPv6 addresses? [y/N]
n
Do you want to create static mappings of public IPv4 addresses that will allow incoming connections to reach IPv6 hosts? [y/N]
y
IPv4 address: 172.34.0.102
IPv6 address: 2001:a:b:c::2

Do you want to enter another static mapping? [y/N]
n
Enter the name of the first inside (IPv6) interface that you want NAT-PT to listen on.
interface (eth0 eth1 eth2): eth1

Do you want to enter more interfaces? [y/N]
n
Enter the name of the first outside (IPv4) interface that you want NAT-PT to listen on.
interface (eth0 eth1 eth2): eth2

Do you want to enter more interfaces? [y/N]
n
Enter the TCP translation timeout in seconds [86400]:
Enter the UDP translation timeout in seconds [3600]:
Enter the ICMP translation timeout in seconds [30]:

Enter the IPv6 prefix that will be used as the destination for translations.
prefix [2000:ffff::]:

Please enter the IPv4 address of the DNS server you are currently using.
IPv4 DNS server: 127.0.0.1

You can configure hosts for automatic DNS translation by using the DNS server below.
IPv6 DNS Server: 2000:ffff::7f00:1

Thank you for choosing Ataga as you IPv4/IPv6 NAT-PT solution.
Setup is now complete. Type 'naptd' to start NAT-PT.
Setup necessary iptables and ip6tables rules to make naptd working:
ip6tables -A OUTPUT -p icmpv6 --icmpv6-type 1 -j DROP
ip6tables -A FORWARD -d 2000:ffff:: -j DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j DROP
Finally, start naptd daemon:

[root@natpt ~]# naptd
Going daemon. Check syslog messages for runtime information.
You should see some logs like:

[root@natpt ~]# tail -n 20 /var/log/messages
Jan 27 00:44:36 natpt naptd[2229]: Starting NAT-PT.
Jan 27 00:44:36 natpt naptd[2230]: Initializing Application Level Gateways.
Jan 27 00:44:36 natpt naptd[2230]: Loaded Domain Name Service plugin.
Jan 27 00:44:36 natpt naptd[2230]: Loaded File Transfer Protocol plugin.
Jan 27 00:44:36 natpt naptd[2230]: Dispatching threads.
Jan 27 00:44:36 natpt kernel: device eth2 entered promiscuous mode
Jan 27 00:44:36 natpt kernel: device eth1 entered promiscuous mode
Jan 27 00:44:37 natpt naptd[2230]: Loading IPv4 routes into cache.
Jan 27 00:44:37 natpt naptd[2230]: Loading IPv6 routes into cache.
Jan 27 00:44:37 natpt naptd[2230]: Dropping root privileges.
Jan 27 00:44:37 natpt naptd[2230]: NAT-PT initialized.
Try to connect IPv6 node from IPv4 node
Now we have everything set, we know we have a static mapping, which map 172.34.0.102 to 2001:a:b:c::2, so let's try to ping IPv6 node via this gateway:
[root@ipv4 ~]# ping 172.34.0.102
PING 172.34.0.102 (172.34.0.102) 56(84) bytes of data.
64 bytes from 172.34.0.102: icmp_seq=1 ttl=63 time=0.703 ms
64 bytes from 172.34.0.102: icmp_seq=2 ttl=63 time=0.759 ms
64 bytes from 172.34.0.102: icmp_seq=3 ttl=63 time=0.544 ms
64 bytes from 172.34.0.102: icmp_seq=4 ttl=63 time=0.688 ms
^C
--- 172.34.0.102 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.544/0.673/0.759/0.083 ms
It works!!!
 
We can look into more details how it works.
From NAT-PT gateway node, we can tcpdump IPv4 port to see IPv4 side packets:
[root@natpt ~]# tcpdump -nni eth2 arp or icmp
01:38:18.859504 ARP, Request who-has 172.34.0.102 tell 172.34.0.2, length 28
01:38:18.859569 ARP, Reply 172.34.0.102 is-at 52:54:00:93:2a:7e, length 28
01:38:18.859741 IP 172.34.0.2 > 172.34.0.102: ICMP echo request, id 2211, seq 1, length 64
01:38:18.860216 IP 172.34.0.102 > 172.34.0.2: ICMP echo reply, id 2211, seq 1, length 64
So we can see first naptd responses ARP request against 172.34.0.102, then we see icmp request and reply packets flying.
How about IPv6 side? Let's take a look:
[root@natpt ~]# tcpdump -nni eth1 icmp6
01:42:37.688777 IP6 2000:ffff::ac22:2 > 2001:a:b:c::2: ICMP6, echo request, seq 1, length 64
01:42:37.689107 IP6 2001:a:b:c::2 > 2000:ffff::ac22:2: ICMP6, echo reply, seq 1, length 64
01:42:38.689037 IP6 2000:ffff::ac22:2 > 2001:a:b:c::2: ICMP6, echo request, seq 2, length 64
01:42:38.689478 IP6 2001:a:b:c::2 > 2000:ffff::ac22:2: ICMP6, echo reply, seq 2, length 64
We can see on IPv6 side, source IP is replaced with 2000:ffff::ac22:2, this is a virtual IPv6 network used by naptd to do SNAT. 2000:ffff is the prefix defined during naptd-confmaker run.

猜你喜欢

转载自www.cnblogs.com/sunwanglin/p/12438963.html
今日推荐