v6/v4 DNAT-like functionality in Linux
Ben Jencks
ben at bjencks.net
Tue Jul 6 20:11:25 CEST 2010
(This is a little OT because it's for a private network, but it could
have relevance to content providers as well.)
Here's the problem: I currently run IPv4 on a private network, and use
a Linux router with DNAT and SNAT/MASQUERADE on the edges to let
internal hosts open outbound tcp connections with specific external
hosts on specific ports, also over IPv4. I'd like to use IPv6 in the
private network, but still do the same DNAT to IPv4 so that it looks
the same from outside. That is, I want to be able to say something
like
ip6tables -t nat -A PREROUTING -p tcp -d 2001:0db8:dead:beef::1234/128
--dport 5678 -j DNAT64 --to 192.0.2.50:2345 --v4-source 192.0.2.49
The only thing I've found is ecdysis, but that's clearly limited to
providing general internet access, not allowing arbitrary
port-specific redirects. A similar thing in reverse would also be
useful, to catch v4 tcp streams and redirect them to v6 addresses.
I might be able to rig something up with netcat6 piped to itself, but
that sounds fragile, and it would be nice to just do it in netfilter.
Also, there doesn't seem to be any pure-v6 DNAT functionality either,
to redirect v6 tcp streams to a local address.
Is there such a module? Am I missing another, possibly more generic,
way of doing things? Does anyone else have this need? Is there a
better forum for this question?
-Ben
More information about the ipv6-ops
mailing list