I'm trying to set up some EC2 instances on an IPv6-only network. Some of these servers occasionally need to reach IPv4-only resources controlled by third parties.

Amazon has a blog post from February 2022 about using a NAT gateway for this. I don't want to pay $$$ for a rarely used NAT gateway, so I want to run my own NAT gateway on a `t4g.nano` instance. Amazon has documentation on how to do this, using `iptables` commands on an instance running Amazon Linux.

All of our servers run Ubuntu, and my boss doesn't want us to introduce a different package-management system that he would have to learn, so we want to set up the NAT on Ubuntu 22.04. Ubuntu 22.04 ships with `nftables`, which I'd like to use.

I found several guides on nftables NAT online, but none of them mention IPv6. Piecing together bits from those guides, I ended up with the following:
Setup

Set `net.ipv4.ip_forward = 1` and `net.ipv6.conf.all.forwarding = 1` in `sysctl.conf` (actually in `/etc/sysctl.d/forwarding.conf`).

Create dual-stack NAT rules:

```
nft add table inet nat
nft 'add chain inet nat postrouting { type nat hook postrouting priority 100 ; }'
nft add rule inet nat postrouting oifname ens5 masquerade
nft 'add chain inet nat prerouting { type nat hook prerouting priority -100 ; }'
# Debug output on
nft add rule inet nat prerouting meta nftrace set 1
nft add rule inet nat postrouting meta nftrace set 1
```

Verify that the rules exist (`nft list table inet nat`):

```
table inet nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "ens5" masquerade
		meta nftrace set 1
	}

	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		meta nftrace set 1
	}
}
```
Generate some traffic on the IPv6-only machine:

```
curl -vv http://ip4only.me/api/
*   Trying 64:ff9b::4275:27c9:80...
*   Trying 66.117.39.201:80...
* Immediate connect fail for 66.117.39.201: Network is unreachable
```

Use `tcpdump` and `nft monitor` to verify that the traffic to the DNS64-encoded address reaches this machine:

```
# tcpdump -i ens5 -n port 80
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens5, link-type EN10MB (Ethernet), snapshot length 262144 bytes
05:10:52.348952 IP6 2600:1f18:xxxx:xxxx:b428:1047:7d73:9484.55882 > 64:ff9b::4275:27c9.80: Flags [S], seq 2015291953, win 62587, options [mss 8941,sackOK,TS val 3259538098 ecr 0,nop,wscale 7], length 0
05:10:52.349007 IP6 2600:1f18:xxxx:xxxx:36b0:5593:30bc:2d87.55882 > 64:ff9b::4275:27c9.80: Flags [S], seq 2015291953, win 62587, options [mss 8941,sackOK,TS val 3259538098 ecr 0,nop,wscale 7], length 0
05:10:53.357529 IP6 2600:1f18:xxxx:xxxx:b428:1047:7d73:9484.55882 > 64:ff9b::4275:27c9.80: Flags [S], seq 2015291953, win 62587, options [mss 8941,sackOK,TS val 3259539107 ecr 0,nop,wscale 7], length 0
05:10:53.357566 IP6 2600:1f18:xxxx:xxxx:36b0:5593:30bc:2d87.55882 > 64:ff9b::4275:27c9.80: Flags [S], seq 2015291953, win 62587, options [mss 8941,sackOK,TS val 3259539107 ecr 0,nop,wscale 7], length 0
05:10:55.373514 IP6 2600:1f18:xxxx:xxxx:b428:1047:7d73:9484.55882 > 64:ff9b::4275:27c9.80: Flags [S], seq 2015291953, win 62587, options [mss 8941,sackOK,TS val 3259541123 ecr 0,nop,wscale 7], length 0
05:10:55.373549 IP6 2600:1f18:xxxx:xxxx:36b0:5593:30bc:2d87.55882 > 64:ff9b::4275:27c9.80: Flags [S], seq 2015291953, win 62587, options [mss 8941,sackOK,TS val 3259541123 ecr 0,nop,wscale 7], length 0
```

```
# nft monitor trace
trace id 3b90a155 inet nat prerouting packet: iif "ens5" ether saddr 12:57:f4:30:c4:2e ether daddr 12:b3:8b:26:a9:f1 ip6 saddr 2600:1f18:xxxx:xxxx:b428:1047:7d73:9484 ip6 daddr 64:ff9b::4275:27c9 ip6 dscp cs0 ip6 ecn not-ect ip6 hoplimit 64 ip6 flowlabel 702875 ip6 nexthdr tcp ip6 length 40 tcp sport 42834 tcp dport 80 tcp flags == syn tcp window 62587
trace id 3b90a155 inet nat prerouting rule meta nftrace set 1 (verdict continue)
trace id 3b90a155 inet nat prerouting verdict continue
trace id 3b90a155 inet nat prerouting policy accept
trace id 3b90a155 inet filter forward packet: iif "ens5" oif "ens5" ether saddr 12:57:f4:30:c4:2e ether daddr 12:b3:8b:26:a9:f1 ip6 saddr 2600:1f18:xxxx:xxxx:b428:1047:7d73:9484 ip6 daddr 64:ff9b::4275:27c9 ip6 dscp cs0 ip6 ecn not-ect ip6 hoplimit 63 ip6 flowlabel 702875 ip6 nexthdr tcp ip6 length 40 tcp sport 42834 tcp dport 80 tcp flags == syn tcp window 62587
trace id 3b90a155 inet filter forward verdict continue
trace id 3b90a155 inet filter forward policy accept
trace id 3b90a155 inet nat postrouting packet: iif "ens5" oif "ens5" ether saddr 12:57:f4:30:c4:2e ether daddr 12:b3:8b:26:a9:f1 ip6 saddr 2600:1f18:xxxx:xxxx:b428:1047:7d73:9484 ip6 daddr 64:ff9b::4275:27c9 ip6 dscp cs0 ip6 ecn not-ect ip6 hoplimit 63 ip6 flowlabel 702875 ip6 nexthdr tcp ip6 length 40 tcp sport 42834 tcp dport 80 tcp flags == syn tcp window 62587
trace id 3b90a155 inet nat postrouting rule oifname "ens5" masquerade (verdict accept)
```
The traffic is clearly reaching my NAT machine, but it never seems to leave it for the internet.

How can I make this work?
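An added diagnostic helper, not part of the question above: it parses tcpdump lines of the shape shown in the capture, flags destinations inside the NAT64 well-known prefix 64:ff9b::/96 (RFC 6052), and decodes the IPv4 address that DNS64 embedded in them (64:ff9b::4275:27c9 carries 66.117.39.201, the address curl also tried directly). The sample capture is constructed, with the redacted hextets replaced by the 2001:db8::/32 documentation prefix; flows it flags need an IPv6-to-IPv4 translation step, which a same-family masquerade rule does not perform.

```python
"""Spot DNS64-synthesised destinations in a tcpdump capture from the NAT box."""
import ipaddress
import re

# RFC 6052 well-known NAT64 prefix; DNS64 puts the IPv4 address in the low 32 bits.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
# Address part of a tcpdump IPv6 TCP line: "IP6 <src>.<port> > <dst>.<port>:"
FLOW_RE = re.compile(r"IP6 (\S+)\.(\d+) > (\S+)\.(\d+):")

# Constructed sample in the shape of the post's capture; the redacted hextets
# are replaced with the 2001:db8::/32 documentation prefix.
SAMPLE_CAPTURE = """\
05:10:52.348952 IP6 2001:db8::b428:1047:7d73:9484.55882 > 64:ff9b::4275:27c9.80: Flags [S], seq 2015291953, win 62587, length 0
05:10:52.349007 IP6 2001:db8::36b0:5593:30bc:2d87.55882 > 64:ff9b::4275:27c9.80: Flags [S], seq 2015291953, win 62587, length 0
05:10:54.100000 IP6 2001:db8::b428:1047:7d73:9484.40112 > 2001:db8:ffff::53.443: Flags [S], seq 1, win 62587, length 0
"""


def embedded_ipv4(addr: str):
    """IPv4 address carried inside a 64:ff9b::/96 address, or None if not NAT64."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in NAT64_PREFIX:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def classify_flows(capture: str):
    """Tag each tcpdump flow as native IPv6 or NAT64-bound (destination in 64:ff9b::/96,
    which needs 6-to-4 translation; a same-family masquerade only rewrites the source)."""
    flows = []
    for line in capture.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # tcpdump banner lines and non-IPv6 packets
        src, _sport, dst, dport = m.groups()
        target = embedded_ipv4(dst)
        flows.append({
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "needs_nat64": target is not None,
            "ipv4_target": None if target is None else str(target),
        })
    return flows


if __name__ == "__main__":
    for f in classify_flows(SAMPLE_CAPTURE):
        kind = f"NAT64 -> {f['ipv4_target']}" if f["needs_nat64"] else "native IPv6"
        print(f"{f['src']} -> {f['dst']}:{f['dport']}  [{kind}]")
```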