Before reading this article, you may want to know what Fullcone NAT is.
(Excerpted from the web)
1. Full Cone: neither IP nor port is restricted
Full Cone only does plain address translation and places no restriction on packets going in or out.
2. Restricted Cone: IP restricted, port not restricted
Restricted Cone NAT puts a slight restriction on packets going in and out. The destination IP of a packet sent out from the inside is remembered.
Only addresses that have previously received a packet can send packets in through the NAT. Packets sent by any other address are blocked.
3. Restricted Port Cone: both IP and port are restricted
Restricted Port Cone NAT adds a port-level restriction on top of Restricted Cone NAT.
4. Symmetric NAT: both port and IP are restricted, and every session to a distinct external host or port is mapped to a different port (hole)
Symmetric NAT is the strictest of the four. In the first three, when translating addresses, the same internal address inside the NAT always corresponds to the same external address no matter where the packet is sent; with Symmetric NAT, each internal address corresponds to a different external address. Symmetric NAT only allows an external address that a user inside the private network has first sent packets to to send packets back.
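The four definitions above are easiest to see as code. The following is an added example (not part of the original post or of the netfilter-full-cone-nat project): a small behavioural model in which `Nat.outbound` records the mapping a packet from an inside host creates, `Nat.inbound` applies the filtering rule of that NAT type to a packet arriving from outside, and `classify` probes a `Nat` in the same order a STUN-style NAT discovery does. All IP addresses and ports are constructed sample values; the names `Nat`, `classify` and the NAT-type constants are this example's own. The inbound check is exactly what decides whether a game peer you have never sent a packet to can reach you, which is why the post wants a Full Cone mapping.

```python
"""Behavioural model of the four NAT types listed above (added example)."""
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

FULL_CONE = "Full Cone"
RESTRICTED_CONE = "Restricted Cone"
RESTRICTED_PORT_CONE = "Restricted Port Cone"  # usually called Port Restricted Cone
SYMMETRIC = "Symmetric"


class Nat:
    def __init__(self, kind: str, public_ip: str = "203.0.113.1", first_port: int = 40000):
        self.kind = kind
        self.public_ip = public_ip                             # constructed sample address
        self._next_port = first_port
        self._cone: Dict[Endpoint, int] = {}                   # inside endpoint -> public port
        self._sym: Dict[Tuple[Endpoint, Endpoint], int] = {}   # (inside, destination) -> public port
        self._owner: Dict[int, Endpoint] = {}                  # public port -> inside endpoint
        self._contacted: Dict[int, Set[Endpoint]] = {}         # public port -> destinations sent to

    def _new_port(self) -> int:
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Inside host `src` sends to `dst`; return the public (ip, port) the packet leaves with."""
        if self.kind == SYMMETRIC:
            # a fresh public port for every (inside endpoint, destination) pair
            key = (src, dst)
            port = self._sym.get(key)
            if port is None:
                port = self._sym[key] = self._new_port()
        else:
            # cone types: one public port per inside endpoint, whatever the destination
            port = self._cone.get(src)
            if port is None:
                port = self._cone[src] = self._new_port()
        self._owner[port] = src
        self._contacted.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Outside `src` sends to one of our public ports; return the inside endpoint, or None if dropped."""
        inside = self._owner.get(public_port)
        if inside is None:
            return None                                # nothing is mapped on that port
        seen = self._contacted.get(public_port, set())
        if self.kind == FULL_CONE:
            return inside                              # any outside host may use the mapping
        if self.kind == RESTRICTED_CONE:
            return inside if any(ip == src[0] for ip, _ in seen) else None
        return inside if src in seen else None         # exact ip:port must have been contacted


def classify(nat: Nat, client: Endpoint = ("192.168.1.10", 5000)) -> str:
    """Name the NAT type by probing it the way STUN-style discovery does (constructed server addresses)."""
    server_a = ("198.51.100.1", 3478)
    server_b = ("198.51.100.2", 3478)
    server_a_alt = ("198.51.100.1", 3479)  # same IP as server A, different port

    mapped = nat.outbound(client, server_a)            # Test I: learn our public mapping
    if nat.inbound(server_b, mapped[1]) == client:     # Test II: unsolicited host and port get through?
        return FULL_CONE
    if nat.outbound(client, server_b) != mapped:       # a second destination yields a new mapping?
        return SYMMETRIC
    if nat.inbound(server_a_alt, mapped[1]) == client: # Test III: known IP, unknown port
        return RESTRICTED_CONE
    return RESTRICTED_PORT_CONE


if __name__ == "__main__":
    for kind in (FULL_CONE, RESTRICTED_CONE, RESTRICTED_PORT_CONE, SYMMETRIC):
        print(f"{kind:22s} -> classified as {classify(Nat(kind))}")
```

The probe order matters: the "same IP, different port" test must come after the symmetric check, because on a symmetric NAT the mapping learned from server A says nothing about what server B will see.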
Simply put, if you need every device to be able to play games online with devices on the public Internet, Fullcone NAT / NAT 1 is a must.
Nowadays basically every router supports Fullcone NAT, but server kernels generally do not enable it. When I was building a network with WireGuard, I found I could not play with friends, so I looked into how to make a Linux server support Fullcone NAT.
We can use a module written by Chion82 to make a Linux server support Fullcone NAT.
The following tutorial is based on CentOS 7.7 64-bit, using the source code from https://github.com/Chion82/netfilter-full-cone-nat
First install the basic dependencies. Note that your server needs the complete kernel, kernel-tools, kernel-devel and kernel-headers packages installed.
yum install gcc gcc-c++ autoconf autogen libmnl libmnl-devel libtool-devel libtool -y
Fetch the required source code
git clone git://git.netfilter.org/libnftnl.git
git clone git://git.netfilter.org/iptables.git
git clone https://github.com/Chion82/netfilter-full-cone-nat.git
Build and install libnftnl
cd libnftnl
sh autogen.sh
./configure
make
make install
Build the netfilter-full-cone-nat module
cd ~/netfilter-full-cone-nat
make
modprobe nf_nat
insmod xt_FULLCONENAT.ko
Build iptables 1.8.4
cp ~/netfilter-full-cone-nat/libipt_FULLCONENAT.c ~/iptables/extensions/
cd ~/iptables
ln -sfv /usr/sbin/xtables-multi /usr/bin/iptables-xml
./autogen.sh
PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
export PKG_CONFIG_PATH
./configure
make
make install
Replace iptables
# stop iptables first
systemctl stop iptables
# remove the original iptables binaries
rm -rf /sbin/iptables
rm -rf /sbin/iptables-restore
rm -rf /sbin/iptables-save
# copy in the iptables you built yourself
cd /usr/local/sbin
cp /usr/local/sbin/iptables /sbin/
cp /usr/local/sbin/iptables-restore /sbin/
cp /usr/local/sbin/iptables-save /sbin/
# check the iptables version
iptables -V
Load the Fullcone module automatically at boot
kernel=`uname -r`
cp ~/netfilter-full-cone-nat/xt_FULLCONENAT.ko /lib/modules/$kernel/
depmod
echo "modprobe xt_FULLCONENAT" > /etc/sysconfig/modules/xt_FULLCONENAT.modules
chmod 755 /etc/sysconfig/modules/xt_FULLCONENAT.modules
reboot
lsmod | grep xt_FULLCONENAT   # should print an entry
Set up the fullcone rules in iptables
iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT #same as MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT #automatically restore NAT for inbound packets
service iptables save
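Both rules are needed: POSTROUTING creates the mapping for outbound traffic and PREROUTING restores it for inbound packets, and because nat rules are matched first-hit, a leftover MASQUERADE rule placed before the FULLCONENAT rule on the same interface would silently win and you would still be symmetric. The following is an added example (not from the original post or the module's project): it parses the text format written by `iptables-save` and checks a dump for exactly those conditions. The two dumps are constructed samples, and `check_fullcone` and `parse_nat_rules` are this example's own names; it only inspects `-i`, `-o` and `-j`, so extra matches such as `-s` are ignored.

```python
"""Check an iptables-save dump for a working FULLCONENAT rule pair (added example)."""
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed sample dump: the two rules from the post, as iptables-save would print them.
GOOD_DUMP = """# Generated by iptables-save v1.8.4
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j FULLCONENAT
-A POSTROUTING -o eth0 -j FULLCONENAT
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Constructed sample dump: an old MASQUERADE rule left in front, and the PREROUTING rule forgotten.
SHADOWED_DUMP = """*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j FULLCONENAT
COMMIT
"""


def parse_nat_rules(save_text: str) -> List[Tuple[str, List[str]]]:
    """Return (chain, argv) for every '-A' rule inside the *nat table of an iptables-save dump."""
    rules: List[Tuple[str, List[str]]] = []
    table: Optional[str] = None
    for raw in save_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header, e.g. "*nat"
            table = line[1:]
            continue
        if line == "COMMIT":
            table = None
            continue
        if table != "nat" or not line.startswith("-A "):
            continue                      # chain policy lines (":CHAIN ...") and other tables
        argv = shlex.split(line)
        rules.append((argv[1], argv[2:]))
    return rules


def _opt(argv: List[str], flag: str) -> Optional[str]:
    """Value following `flag` in a rule's argv, or None when the flag is absent."""
    try:
        return argv[argv.index(flag) + 1]
    except (ValueError, IndexError):
        return None


def check_fullcone(save_text: str, iface: str) -> Dict[str, bool]:
    """Verify the POSTROUTING/PREROUTING FULLCONENAT pair for `iface` and detect MASQUERADE shadowing."""
    post_ok = pre_ok = shadowed = False
    for chain, argv in parse_nat_rules(save_text):
        target = _opt(argv, "-j")
        if chain == "POSTROUTING" and _opt(argv, "-o") == iface:
            if target == "MASQUERADE" and not post_ok:
                shadowed = True           # terminating target hit before any FULLCONENAT rule
            elif target == "FULLCONENAT":
                post_ok = True
        elif chain == "PREROUTING" and _opt(argv, "-i") == iface and target == "FULLCONENAT":
            pre_ok = True
    return {
        "postrouting": post_ok,
        "prerouting": pre_ok,
        "shadowed_by_masquerade": shadowed,
        "ok": post_ok and pre_ok and not shadowed,
    }


if __name__ == "__main__":
    import subprocess
    import sys
    # On a real box: pipe `iptables-save` in, e.g.  iptables-save | python3 this.py eth0
    iface = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    dump = sys.stdin.read() if not sys.stdin.isatty() else GOOD_DUMP
    print(check_fullcone(dump, iface))
```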
Original article from 南ことり の 小窝; when reposting, please credit: A simple procedure to make CentOS support Fullcone NAT
I got an error while building the netfilter-full-cone-nat module. Is something missing?
# make
make -C /lib/modules/3.10.0-1062.18.1.el7.x86_64/build M=/root/netfilter-full-cone-nat modules
make[1]: Entering directory `/usr/src/kernels/3.10.0-1062.18.1.el7.x86_64'
CC [M] /root/netfilter-full-cone-nat/xt_FULLCONENAT.o
/root/netfilter-full-cone-nat/xt_FULLCONENAT.c:45:34: error: conflicting types for ‘xt_in’
static inline struct net_device *xt_in(const struct xt_action_param *par) {
^
In file included from /root/netfilter-full-cone-nat/xt_FULLCONENAT.c:23:0:
include/linux/netfilter/x_tables.h:52:40: note: previous definition of ‘xt_in’ was here
static inline const struct net_device *xt_in(const struct xt_action_param *par)
^
/root/netfilter-full-cone-nat/xt_FULLCONENAT.c: In function ‘xt_in’:
/root/netfilter-full-cone-nat/xt_FULLCONENAT.c:46:3: warning: return discards ‘const’ qualifier from pointer target type [enabled by default]
return par->in;
^
/root/netfilter-full-cone-nat/xt_FULLCONENAT.c: At top level:
/root/netfilter-full-cone-nat/xt_FULLCONENAT.c:49:34: error: conflicting types for ‘xt_out’
static inline struct net_device *xt_out(const struct xt_action_param *par) {
^
In file included from /root/netfilter-full-cone-nat/xt_FULLCONENAT.c:23:0:
include/linux/netfilter/x_tables.h:62:40: note: previous definition of ‘xt_out’ was here
static inline const struct net_device *xt_out(const struct xt_action_param *par)
^
/root/netfilter-full-cone-nat/xt_FULLCONENAT.c: In function ‘xt_out’:
/root/netfilter-full-cone-nat/xt_FULLCONENAT.c:50:3: warning: return discards ‘const’ qualifier from pointer target type [enabled by default]
return par->out;
^
/root/netfilter-full-cone-nat/xt_FULLCONENAT.c: At top level:
/root/netfilter-full-cone-nat/xt_FULLCONENAT.c:53:28: error: redefinition of ‘xt_hooknum’
static inline unsigned int xt_hooknum(const struct xt_action_param *par) {
^
In file included from /root/netfilter-full-cone-nat/xt_FULLCONENAT.c:23:0:
include/linux/netfilter/x_tables.h:72:28: note: previous definition of ‘xt_hooknum’ was here
static inline unsigned int xt_hooknum(const struct xt_action_param *par)
^
make[2]: *** [/root/netfilter-full-cone-nat/xt_FULLCONENAT.o] Error 1
make[1]: *** [_module_/root/netfilter-full-cone-nat] Error 2
make[1]: Leaving directory `/usr/src/kernels/3.10.0-1062.18.1.el7.x86_64'
make: *** [all] Error 2
Hmm, I had a look at the source and just commented out the lines that error out; that fixed it. Thanks, blogger.
Bro, did you get it to compile?
[root@vpc_asr3 netfilter-full-cone-nat]# make
make -C /lib/modules/3.10.0-1127.el7.x86_64/build M=/opt/netfilter-full-cone-nat modules
make[1]: Entering directory `/usr/src/kernels/3.10.0-1127.el7.x86_64'
CC [M] /opt/netfilter-full-cone-nat/xt_FULLCONENAT.o
/opt/netfilter-full-cone-nat/xt_FULLCONENAT.c:45:34: error: conflicting types for ‘xt_in’
static inline struct net_device *xt_in(const struct xt_action_param *par) {
^
In file included from /opt/netfilter-full-cone-nat/xt_FULLCONENAT.c:23:0:
include/linux/netfilter/x_tables.h:52:40: note: previous definition of ‘xt_in’ was here
static inline const struct net_device *xt_in(const struct xt_action_param *par)
^
/opt/netfilter-full-cone-nat/xt_FULLCONENAT.c: In function ‘xt_in’:
/opt/netfilter-full-cone-nat/xt_FULLCONENAT.c:46:3: warning: return discards ‘const’ qualifier from pointer target type [enabled by default]
return par->in;
^
/opt/netfilter-full-cone-nat/xt_FULLCONENAT.c: At top level:
/opt/netfilter-full-cone-nat/xt_FULLCONENAT.c:49:34: error: conflicting types for ‘xt_out’
static inline struct net_device *xt_out(const struct xt_action_param *par) {
^
In file included from /opt/netfilter-full-cone-nat/xt_FULLCONENAT.c:23:0:
include/linux/netfilter/x_tables.h:62:40: note: previous definition of ‘xt_out’ was here
static inline const struct net_device *xt_out(const struct xt_action_param *par)
^
/opt/netfilter-full-cone-nat/xt_FULLCONENAT.c: In function ‘xt_out’:
/opt/netfilter-full-cone-nat/xt_FULLCONENAT.c:50:3: warning: return discards ‘const’ qualifier from pointer target type [enabled by default]
return par->out;
^
/opt/netfilter-full-cone-nat/xt_FULLCONENAT.c: At top level:
/opt/netfilter-full-cone-nat/xt_FULLCONENAT.c:53:28: error: redefinition of ‘xt_hooknum’
static inline unsigned int xt_hooknum(const struct xt_action_param *par) {
^
In file included from /opt/netfilter-full-cone-nat/xt_FULLCONENAT.c:23:0:
include/linux/netfilter/x_tables.h:72:28: note: previous definition of ‘xt_hooknum’ was here
static inline unsigned int xt_hooknum(const struct xt_action_param *par)
^
make[2]: *** [/opt/netfilter-full-cone-nat/xt_FULLCONENAT.o] Error 1
make[1]: *** [_module_/opt/netfilter-full-cone-nat] Error 2
make[1]: Leaving directory `/usr/src/kernels/3.10.0-1127.el7.x86_64'
make: *** [all] Error 2
This is my error; the other two build fine. How do I fix it?
Linux vpc_asr3 3.10.0-1127.el7.x86_64 #1 SMP Tue Mar 31 23:36:51 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
I got it installed, but it only went from Symmetric NAT to Restricted Port Cone NAT; it still has not reached Full Cone.
Your certificate has expired.