最近在工作中測試環境裏遇到IPv6訪問IPv4的需求場景,加上剛好沒有防火牆可以實現Nat64的需求,索性自己在centos7上使用開源的jool軟件搭建一個NAT64服務器
我在安裝過程中參考的網上的安裝步驟和方法
Git上的jool安裝方法:https://github.com/leblancd/kube-v6/blob/master/NAT64-DNS64-CENTOS7-INSTALL.md
Jool官網提供的安裝步驟:https://www.jool.mx/en/install.html
Jool的Git項目位置:https://github.com/NICMx/jool
安裝CentOS操作系統
不做贅述了,我使用的是CentOS7.5(1804),安裝方式是Server with GUI,分區使用的是CentOS自動分區
關閉selinux和防火牆
# Edit the SELinux config; the only key that changes is SELINUX= (file contents shown below).
vim /etc/selinux/config
將 SELINUX=enforcing 修改爲 SELINUX=disabled
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# SELINUX=enforcing
# NOTE(review): 'permissive' keeps the policy loaded and only logs what would have been
# denied, which is the usual way to find out whether SELinux interferes with jool at all;
# 'disabled' unloads the policy entirely and only takes effect after the reboot below.
SELINUX=disabled
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
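# The unit is called 'firewalld' (the same name used in the stop/disable steps further
# down); 'firewall' is not a unit, so the original line did nothing.
systemctl disable firewalld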
重啓CentOS服務器
安裝開發環境
這一步裏面有個安裝kernel-devel,這個kernel-devel一定不要用公網上的源安裝,公網上的kernel版本一般比安裝的CentOS自帶的kernel版本要高,通過公網安裝的kernel-devel的內核版本和本機的內核不一致,後面會導致dkms安裝jool的時候報錯,建議這一步使用CentOS的iso鏡像作爲源安裝開發環境
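# Work from the repo directory. The listing is chained on the cd so a failed cd does not
# list (or later rename) files in whatever directory the shell happened to be in.
# 'll' is an interactive alias for 'ls -l' and is not available in scripts; spell it out.
cd /etc/yum.repos.d/ && ls -l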
-rw-r--r--. 1 root root 1664 Apr 29 2018 CentOS-Base.repo
-rw-r--r--. 1 root root 1309 Apr 29 2018 CentOS-CR.repo
-rw-r--r--. 1 root root 649 Apr 29 2018 CentOS-Debuginfo.repo
-rw-r--r--. 1 root root 314 Apr 29 2018 CentOS-fasttrack.repo
-rw-r--r-- 1 root root 657 Aug 20 23:34 CentOS-Media.repo
-rw-r--r--. 1 root root 1331 Apr 29 2018 CentOS-Sources.repo
-rw-r--r--. 1 root root 4768 Apr 29 2018 CentOS-Vault.repo
將上面列出的repo文件中,除了CentOS-Media.repo其他全部改名
# Park every repo file except CentOS-Media.repo under a .bak name so yum only sees the ISO.
# Same six renames, in the same order, as the individual mv lines.
for repo in Base CR Debuginfo fasttrack Sources Vault; do
  mv "CentOS-${repo}.repo" "CentOS-${repo}.repo.bak"
done
將iso鏡像掛載到/media/cdrom目錄下
# List every repo including disabled ones; at this point only c7-media (the ISO) should remain.
yum repolist all
Loading mirror speeds from cached hostfile
repo id repo name status
c7-media CentOS-7 - Media disabled
將c7-media的狀態由disable修改爲enable
# Enable the ISO repo (yum-config-manager comes from the yum-utils package).
yum-config-manager --enable c7-media
Loading mirror speeds from cached hostfile
repo id repo name status
c7-media CentOS-7 - Media enabled: 3,971
安裝開發環境
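# Rebuild the metadata now that only c7-media is enabled.
yum clean all
yum repolist all
yum groupinstall -y "Development Tools"
yum install -y pkgconfig
yum install -y iptables-devel
# Pin kernel-devel/kernel-headers to the running kernel: dkms builds the jool module
# against /lib/modules/$(uname -r)/build, and a newer kernel-devel pulled from a mirror
# would not match it. -y keeps this step non-interactive like the ones above.
yum install -y "kernel-devel-$(uname -r)" "kernel-headers-$(uname -r)"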
檢查目錄
[root@localhost yum.repos.d]# ll /lib/modules/3.10.0-862.el7.x86_64/
total 3212
lrwxrwxrwx. 1 root root 38 Aug 20 14:52 build -> /usr/src/kernels/3.10.0-862.el7.x86_64
drwxr-xr-x. 3 root root 99 Aug 20 23:47 extra
drwxr-xr-x. 12 root root 128 Aug 20 14:52 kernel
-rw-r--r-- 1 root root 820164 Aug 20 23:48 modules.alias
-rw-r--r-- 1 root root 784670 Aug 20 23:48 modules.alias.bin
-rw-r--r--. 1 root root 1346 Apr 21 2018 modules.block
-rw-r--r--. 1 root root 7091 Apr 21 2018 modules.builtin
-rw-r--r-- 1 root root 8965 Aug 20 23:48 modules.builtin.bin
-rw-r--r-- 1 root root 280744 Aug 20 23:48 modules.dep
-rw-r--r-- 1 root root 387639 Aug 20 23:48 modules.dep.bin
-rw-r--r-- 1 root root 361 Aug 20 23:48 modules.devname
-rw-r--r--. 1 root root 132 Apr 21 2018 modules.drm
-rw-r--r--. 1 root root 82 Apr 21 2018 modules.modesetting
-rw-r--r--. 1 root root 1746 Apr 21 2018 modules.networking
-rw-r--r--. 1 root root 95355 Apr 21 2018 modules.order
-rw-r--r-- 1 root root 490 Aug 20 23:48 modules.softdep
-rw-r--r-- 1 root root 385449 Aug 20 23:48 modules.symbols
-rw-r--r-- 1 root root 473998 Aug 20 23:48 modules.symbols.bin
lrwxrwxrwx. 1 root root 5 Aug 20 14:52 source -> build
drwxr-xr-x. 2 root root 6 Apr 21 2018 updates
drwxr-xr-x. 2 root root 95 Aug 20 14:52 vdso
drwxr-xr-x. 2 root root 6 Apr 21 2018 weak-updates
[root@localhost yum.repos.d]# ll /usr/src/kernels/3.10.0-862.el7.x86_64
total 4492
drwxr-xr-x 32 root root 4096 Aug 20 23:36 arch
drwxr-xr-x 3 root root 78 Aug 20 23:36 block
drwxr-xr-x 4 root root 76 Aug 20 23:36 crypto
drwxr-xr-x 119 root root 4096 Aug 20 23:36 drivers
drwxr-xr-x 2 root root 22 Aug 20 23:36 firmware
drwxr-xr-x 75 root root 4096 Aug 20 23:36 fs
drwxr-xr-x 28 root root 4096 Aug 20 23:36 include
drwxr-xr-x 2 root root 37 Aug 20 23:36 init
drwxr-xr-x 2 root root 22 Aug 20 23:36 ipc
-rw-r--r-- 1 root root 505 Apr 21 2018 Kconfig
drwxr-xr-x 12 root root 236 Aug 20 23:36 kernel
drwxr-xr-x 10 root root 219 Aug 20 23:36 lib
-rw-r--r-- 1 root root 51197 Apr 21 2018 Makefile
-rw-r--r-- 1 root root 2305 Apr 21 2018 Makefile.qlock
drwxr-xr-x 2 root root 58 Aug 20 23:36 mm
-rw-r--r-- 1 root root 1093137 Apr 21 2018 Module.symvers
drwxr-xr-x 60 root root 4096 Aug 20 23:36 net
drwxr-xr-x 14 root root 220 Aug 20 23:36 samples
drwxr-xr-x 13 root root 4096 Aug 20 23:36 scripts
drwxr-xr-x 9 root root 136 Aug 20 23:36 security
drwxr-xr-x 24 root root 301 Aug 20 23:36 sound
-rw-r--r-- 1 root root 3409143 Apr 21 2018 System.map
drwxr-xr-x 17 root root 221 Aug 20 23:36 tools
drwxr-xr-x 2 root root 37 Aug 20 23:36 usr
drwxr-xr-x 4 root root 44 Aug 20 23:36 virt
-rw-r--r-- 1 root root 41 Apr 21 2018 vmlinux.id
將yum.repo.d目錄下的repo文件恢復
# Put the public repo files back now that the kernel-matched devel packages are installed.
# Same six renames, in the same order, as the individual mv lines.
for repo in Base CR Debuginfo fasttrack Sources Vault; do
  mv "CentOS-${repo}.repo.bak" "CentOS-${repo}.repo"
done
安裝其他工具
安裝epel源
# EPEL is needed for dkms (installed next); the public repos must be back in place first.
yum install -y epel-release
安裝dkms
# dkms rebuilds the jool kernel module automatically when the kernel is updated.
yum install -y dkms
安裝pkgconfig
# Already installed in the "Development Tools" step above; repeating it is harmless.
yum install -y pkgconfig
安裝libnl3,如果不安裝,後面在configure時會報錯“No package ‘libnl-genl-3.0’ found”
# Provides the libnl-genl-3.0 pkg-config entry that ./configure looks for.
yum install -y libnl3-devel
安裝iptables-devel,如果不安裝,後面在configure時會報錯“No package ‘xtables’ found”
# Provides the xtables pkg-config entry that ./configure looks for.
# Already installed in the "Development Tools" step above; repeating it is harmless.
yum install -y iptables-devel
從Git下載jool最新版本
# Clones whatever the default branch currently points at, so two runs of this guide can
# build different code. NOTE(review): for a reproducible build, check out a tagged release
# before building (cd Jool && git checkout <release-tag>, tag taken from the project's
# releases page) — TODO pick the tag.
git clone https://github.com/NICMx/Jool.git
安裝jool
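# Register the source tree with dkms so the kernel module is built now and rebuilt on
# kernel updates.
dkms install Jool/
# Build and install the userspace client (the jool binary lands in /usr/local/bin, which is
# the path the rc.local lines further down use). The steps are chained so a failing
# autogen/configure/make does not go on to 'make install' a half-built tree.
cd Jool/ && ./autogen.sh && ./configure && make && make install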
加載jool模塊
# Load the module and confirm it is resident (expected lsmod output shown below).
/sbin/modprobe jool
lsmod |grep jool
jool 179931 0
nf_defrag_ipv6 35104 1 jool
nf_defrag_ipv4 12729 2 jool,nf_conntrack_ipv4
關閉系統自帶的防火牆,並安裝iptables
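# Swap firewalld for the classic iptables/ip6tables services; the NAT64 rules added further
# down are plain iptables mangle rules.
systemctl stop firewalld
# Was 'diable' (typo), which left firewalld enabled at boot.
systemctl disable firewalld
yum install -y iptables-services
# iptables-services loads /etc/sysconfig/iptables and /etc/sysconfig/ip6tables at start.
# NOTE(review): review the INPUT/FORWARD chains in those two files once, since firewalld no
# longer filters anything after this step. (systemctl's --now is not available on the
# systemd version shipped with CentOS 7, hence separate start/enable calls.)
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables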
配置IPv6地址池和轉發規則
配置IPv6地址池,將fec0:1::/96網段的地址NAT成ipv4地址
# Create the NAT64 instance in iptables mode. Destinations inside fec0:1::/96 are
# translated; with a /96 prefix the last 32 bits of the IPv6 destination carry the IPv4
# address (RFC 6052 embedding).
# NOTE(review): fec0::/10 is the deprecated site-local range; the well-known NAT64 prefix
# 64:ff9b::/96 (RFC 6052) is the usual choice when nothing forces a private prefix.
jool instance add "NAT64" --iptables --pool6 fec0:1::/96
配置iptables轉發規則
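# fec0:1::1 (presumably the host's own address inside the pool6 prefix) is accepted early
# so it is never handed to the translator.
ip6tables -t mangle -A PREROUTING -s fec0:1::1 -j ACCEPT
# IPv6 -> IPv4 direction: everything aimed at the pool6 prefix goes to the NAT64 instance.
ip6tables -t mangle -A PREROUTING -d fec0:1::/96 -j JOOL --instance "NAT64"
# IPv4 -> IPv6 direction: only the 61001-65535 port range on 10.206.254.4 (presumably the
# range reserved for the translator) is handed to jool, so lower ports stay with the host.
iptables -t mangle -A PREROUTING -d 10.206.254.4 -p tcp --dport 61001:65535 -j JOOL --instance "NAT64"
iptables -t mangle -A PREROUTING -d 10.206.254.4 -p udp --dport 61001:65535 -j JOOL --instance "NAT64"
# The '-p icmp --dport 61001:65535' rule was dropped: --dport belongs to the tcp/udp
# matches and iptables rejects it for icmp, so that rule never loaded. ICMP has no ports;
# the whole protocol goes to jool.
# NOTE(review): this rule also catches echo replies addressed to 10.206.254.4, which is a
# likely cause of the "ping to IPv4 fails from the server" tip at the end of the page —
# confirm by deleting it temporarily.
iptables -t mangle -A PREROUTING -d 10.206.254.4 -p icmp -j JOOL --instance "NAT64"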
如果需要停用nat64
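# Tear-down mirrors the setup: delete the rules first so no packet reaches an instance
# that is about to disappear, then remove the instance, then unload the module.
ip6tables -t mangle -D PREROUTING -s fec0:1::1 -j ACCEPT
ip6tables -t mangle -D PREROUTING -d fec0:1::/96 -j JOOL --instance "NAT64"
iptables -t mangle -D PREROUTING -d 10.206.254.4 -p tcp --dport 61001:65535 -j JOOL --instance "NAT64"
iptables -t mangle -D PREROUTING -d 10.206.254.4 -p udp --dport 61001:65535 -j JOOL --instance "NAT64"
# The '-p icmp --dport' delete was dropped: iptables rejects --dport for icmp, so that rule
# was never added and the -D would only produce an error.
iptables -t mangle -D PREROUTING -d 10.206.254.4 -p icmp -j JOOL --instance "NAT64"
jool instance remove "NAT64"
/sbin/modprobe -r jool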
配置jool模塊開機加載
# Boot-time module loader script (contents below). NOTE(review): on systemd-based CentOS 7
# the supported mechanism is a /etc/modules-load.d/*.conf file containing the module name
# 'jool'; confirm /etc/sysconfig/modules/ is still processed on this install, and make the
# script executable either way.
vim /etc/sysconfig/modules/jool.modules
#!/bin/bash
# Load the jool module at boot, but only when modinfo can find it for the running kernel
# (i.e. the dkms build for this kernel exists); otherwise do nothing and stay silent.
if /sbin/modinfo -F filename jool >/dev/null 2>&1; then
  /sbin/modprobe jool
fi
配置NAT64規則開機加載
# /etc/rc.local is a symlink to /etc/rc.d/rc.local on CentOS 7, and rc-local.service only
# runs it when that file is executable: chmod +x /etc/rc.d/rc.local after editing.
vim /etc/rc.local
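# Recreate the NAT64 instance and its rules at boot (rc.local runs as root, late in boot).
# modprobe is idempotent, so loading here is harmless if jool.modules already did it and
# keeps 'instance add' from failing when it did not.
/sbin/modprobe jool
/usr/local/bin/jool instance add "NAT64" --iptables --pool6 fec0:1::/96
/usr/local/bin/jool instance display
/usr/sbin/ip6tables -t mangle -A PREROUTING -s fec0:1::1 -j ACCEPT
/usr/sbin/ip6tables -t mangle -A PREROUTING -d fec0:1::/96 -j JOOL --instance "NAT64"
/usr/sbin/iptables -t mangle -A PREROUTING -d 10.206.254.4 -p tcp --dport 61001:65535 -j JOOL --instance "NAT64"
/usr/sbin/iptables -t mangle -A PREROUTING -d 10.206.254.4 -p udp --dport 61001:65535 -j JOOL --instance "NAT64"
# The '-p icmp --dport 61001:65535' line was dropped: iptables rejects --dport for icmp,
# so it only logged an error at every boot. ICMP has no ports; the rule below covers it.
/usr/sbin/iptables -t mangle -A PREROUTING -d 10.206.254.4 -p icmp -j JOOL --instance "NAT64"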
Tips:
做完上面的配置之後Server本身ping IPv4的地址會不通,但是可以正常上網,貌似就只有ping有問題,目前暫未找到解決辦法