最近在工作中测试环境里遇到IPv6访问IPv4的需求场景,加上刚好没有防火墙可以实现Nat64的需求,索性自己在centos7上使用开源的jool软件搭建一个NAT64服务器
我在安装过程中参考的网上的安装步骤和方法
Git上的jool安装方法:https://github.com/leblancd/kube-v6/blob/master/NAT64-DNS64-CENTOS7-INSTALL.md
Jool官网提供的安装步骤:https://www.jool.mx/en/install.html
Jool的Git项目位置:https://github.com/NICMx/jool
安装CentOS操作系统
不做赘述了,我使用的是CentOS7.5(1804),安装方式是Server with GUI,分区使用的是CentOS自动分区
关闭selinux和防火墙
vim /etc/selinux/config
将 SELINUX=enforcing 修改为 SELINUX=disabled
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
# SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
systemctl disable firewall
重启CentOS服务器
安装开发环境
这一步里面有个安装kenel-devel,这个kenel-devel一定不要用公网上的源安装,公网上的kernel版本一般比安装的Centos自带的kernel版本要高,通过公网安装的kenel-devel的内核版本是和本机的内核不一致的,后面会导致dmks安装jool的时候报错,建议这一步使用centos的iso镜像作为源安装开发环境
cd /etc/yum.repos.d/
ll
-rw-r--r--. 1 root root 1664 Apr 29 2018 CentOS-Base.repo
-rw-r--r--. 1 root root 1309 Apr 29 2018 CentOS-CR.repo
-rw-r--r--. 1 root root 649 Apr 29 2018 CentOS-Debuginfo.repo
-rw-r--r--. 1 root root 314 Apr 29 2018 CentOS-fasttrack.repo
-rw-r--r-- 1 root root 657 Aug 20 23:34 CentOS-Media.repo
-rw-r--r--. 1 root root 1331 Apr 29 2018 CentOS-Sources.repo
-rw-r--r--. 1 root root 4768 Apr 29 2018 CentOS-Vault.repo
将上面列出的repo文件中,除了CentOS-Media.repo其他全部改名
mv CentOS-Base.repo CentOS-Base.repo.bak
mv CentOS-CR.repo CentOS-CR.repo.bak
mv CentOS-Debuginfo.repo CentOS-Debuginfo.repo.bak
mv CentOS-fasttrack.repo CentOS-fasttrack.repo.bak
mv CentOS-Sources.repo CentOS-Sources.repo.bak
mv CentOS-Vault.repo CentOS-Vault.repo.bak
将iso镜像挂载到/media/cdrom目录下
yum repolist all
Loading mirror speeds from cached hostfile
repo id repo name status
c7-media CentOS-7 - Media disabled
将c7-media的状态由disable修改为enable
yum-config-manager --enable c7-media
Loading mirror speeds from cached hostfile
repo id repo name status
c7-media CentOS-7 - Media enabled: 3,971
安装开发环境
yum clean all
yum repolist all
yum groupinstall -y "Development Tools"
yum install -y pkgconfig
yum install -y iptables-devel
yum install kernel-devel
yum install kernel-headers
检查目录
[root@localhost yum.repos.d]# ll /lib/modules/3.10.0-862.el7.x86_64/
total 3212
lrwxrwxrwx. 1 root root 38 Aug 20 14:52 build -> /usr/src/kernels/3.10.0-862.el7.x86_64
drwxr-xr-x. 3 root root 99 Aug 20 23:47 extra
drwxr-xr-x. 12 root root 128 Aug 20 14:52 kernel
-rw-r--r-- 1 root root 820164 Aug 20 23:48 modules.alias
-rw-r--r-- 1 root root 784670 Aug 20 23:48 modules.alias.bin
-rw-r--r--. 1 root root 1346 Apr 21 2018 modules.block
-rw-r--r--. 1 root root 7091 Apr 21 2018 modules.builtin
-rw-r--r-- 1 root root 8965 Aug 20 23:48 modules.builtin.bin
-rw-r--r-- 1 root root 280744 Aug 20 23:48 modules.dep
-rw-r--r-- 1 root root 387639 Aug 20 23:48 modules.dep.bin
-rw-r--r-- 1 root root 361 Aug 20 23:48 modules.devname
-rw-r--r--. 1 root root 132 Apr 21 2018 modules.drm
-rw-r--r--. 1 root root 82 Apr 21 2018 modules.modesetting
-rw-r--r--. 1 root root 1746 Apr 21 2018 modules.networking
-rw-r--r--. 1 root root 95355 Apr 21 2018 modules.order
-rw-r--r-- 1 root root 490 Aug 20 23:48 modules.softdep
-rw-r--r-- 1 root root 385449 Aug 20 23:48 modules.symbols
-rw-r--r-- 1 root root 473998 Aug 20 23:48 modules.symbols.bin
lrwxrwxrwx. 1 root root 5 Aug 20 14:52 source -> build
drwxr-xr-x. 2 root root 6 Apr 21 2018 updates
drwxr-xr-x. 2 root root 95 Aug 20 14:52 vdso
drwxr-xr-x. 2 root root 6 Apr 21 2018 weak-updates
[root@localhost yum.repos.d]# ll /usr/src/kernels/3.10.0-862.el7.x86_64
total 4492
drwxr-xr-x 32 root root 4096 Aug 20 23:36 arch
drwxr-xr-x 3 root root 78 Aug 20 23:36 block
drwxr-xr-x 4 root root 76 Aug 20 23:36 crypto
drwxr-xr-x 119 root root 4096 Aug 20 23:36 drivers
drwxr-xr-x 2 root root 22 Aug 20 23:36 firmware
drwxr-xr-x 75 root root 4096 Aug 20 23:36 fs
drwxr-xr-x 28 root root 4096 Aug 20 23:36 include
drwxr-xr-x 2 root root 37 Aug 20 23:36 init
drwxr-xr-x 2 root root 22 Aug 20 23:36 ipc
-rw-r--r-- 1 root root 505 Apr 21 2018 Kconfig
drwxr-xr-x 12 root root 236 Aug 20 23:36 kernel
drwxr-xr-x 10 root root 219 Aug 20 23:36 lib
-rw-r--r-- 1 root root 51197 Apr 21 2018 Makefile
-rw-r--r-- 1 root root 2305 Apr 21 2018 Makefile.qlock
drwxr-xr-x 2 root root 58 Aug 20 23:36 mm
-rw-r--r-- 1 root root 1093137 Apr 21 2018 Module.symvers
drwxr-xr-x 60 root root 4096 Aug 20 23:36 net
drwxr-xr-x 14 root root 220 Aug 20 23:36 samples
drwxr-xr-x 13 root root 4096 Aug 20 23:36 scripts
drwxr-xr-x 9 root root 136 Aug 20 23:36 security
drwxr-xr-x 24 root root 301 Aug 20 23:36 sound
-rw-r--r-- 1 root root 3409143 Apr 21 2018 System.map
drwxr-xr-x 17 root root 221 Aug 20 23:36 tools
drwxr-xr-x 2 root root 37 Aug 20 23:36 usr
drwxr-xr-x 4 root root 44 Aug 20 23:36 virt
-rw-r--r-- 1 root root 41 Apr 21 2018 vmlinux.id
将yum.repo.d目录下的repo文件恢复
mv CentOS-Base.repo.bak CentOS-Base.repo
mv CentOS-CR.repo.bak CentOS-CR.repo
mv CentOS-Debuginfo.repo.bak CentOS-Debuginfo.repo
mv CentOS-fasttrack.repo.bak CentOS-fasttrack.repo
mv CentOS-Sources.repo.bak CentOS-Sources.repo
mv CentOS-Vault.repo.bak CentOS-Vault.repo
安装其他工具
安装epel源
yum install -y epel-release
安装dkms
yum install -y dkms
安装pkgconfig
yum install -y pkgconfig
安装libnl3,如果不安装,后面在configure时会报错“No package ‘libnl-genl-3.0’ found”
yum install -y libnl3-devel
安装iptables-devel,如果不安装,后面在configure时会报错“No package ‘xtables’ found”
yum install -y iptables-devel
从Git下载jool最新版本
从Git下载jool最新版本
git clone https://github.com/NICMx/Jool.git
安装jool
dkms install Jool/
cd Jool/
./autogen.sh
./configure
make
make install
加载jool模块
/sbin/modprobe jool
lsmod |grep jool
jool 179931 0
nf_defrag_ipv6 35104 1 jool
nf_defrag_ipv4 12729 2 jool,nf_conntrack_ipv4
关闭系统自带的防火墙,并安装iptables
systemctl stop firewalld
systemctl diable firewalld
yum install -y iptables-services
systemctl start iptables
systemctl start ip6tables
systemctl enable iptables
systemctl enable ip6tables
配置IPv6地址池和转发规则
配置IPv6地址池,将fec0:1::/96网段的地址NAT成ipv4地址
jool instance add "NAT64" --iptables --pool6 fec0:1::/96
配置iptables转发规则,注意IPv6地址池的地址不应该和server的IPv6地址在一个段内,否则流量不会进入PREROUTING链
规则里的10.206.254.4就是服务器本机的IP地址,NAT64服务器访问IPv4的地址就是通过10.206.254.4这个地址出去访问的
ip6tables -t mangle -A PREROUTING -s fec0:1::1 -j ACCEPT
ip6tables -t mangle -A PREROUTING -d fec0:1::/96 -j JOOL --instance "NAT64"
iptables -t mangle -A PREROUTING -d 10.206.254.4 -p tcp --dport 61001:65535 -j JOOL --instance "NAT64"
iptables -t mangle -A PREROUTING -d 10.206.254.4 -p udp --dport 61001:65535 -j JOOL --instance "NAT64"
iptables -t mangle -A PREROUTING -d 10.206.254.4 -p icmp -j JOOL --instance "NAT64"
如果需要停用nat64
ip6tables -t mangle -D PREROUTING -s fec0:1::1 -j ACCEPT
ip6tables -t mangle -D PREROUTING -d fec0:1::/96 -j JOOL --instance "NAT64"
iptables -t mangle -D PREROUTING -d 10.206.254.4 -p tcp --dport 61001:65535 -j JOOL --instance "NAT64"
iptables -t mangle -D PREROUTING -d 10.206.254.4 -p udp --dport 61001:65535 -j JOOL --instance "NAT64"
iptables -t mangle -D PREROUTING -d 10.206.254.4 -p icmp -j JOOL --instance "NAT64"
jool instance remove "NAT64"
/sbin/modprobe -r jool
配置jool模块开机加载
vim /etc/sysconfig/modules/jool.modules
#!/bin/bash
/sbin/modinfo -F filename jool > /dev/null 2>&1
if [ $? -eq 0 ]; then
/sbin/modprobe jool
fi
配置NAT64规则开机加载
vim /etc/rc.local
/usr/local/bin/jool instance add "NAT64" --iptables --pool6 fec0:1::/96
/usr/sbin/ip6tables -t mangle -A PREROUTING -s fec0:1::1 -j ACCEPT
/usr/sbin/ip6tables -t mangle -A PREROUTING -d fec0:1::/96 -j JOOL --instance "NAT64"
/usr/sbin/iptables -t mangle -A PREROUTING -d 10.206.254.4 -p tcp --dport 61001:65535 -j JOOL --instance "NAT64"
/usr/sbin/iptables -t mangle -A PREROUTING -d 10.206.254.4 -p udp --dport 61001:65535 -j JOOL --instance "NAT64"
/usr/sbin/iptables -t mangle -A PREROUTING -d 10.206.254.4 -p icmp -j JOOL --instance "NAT64"
Ping检查IPv6是否正常
ping6 fec0:1::7272:7272(114.114.114.114增加fec0:1::前缀的IPv6地址)
PING fec0:1::7272:7272(fec0:1::7272:7272) 56 data bytes
64 bytes from fec0:1::7272:7272: icmp_seq=1 ttl=83 time=311 ms
64 bytes from fec0:1::7272:7272: icmp_seq=2 ttl=68 time=358 ms
64 bytes from fec0:1::7272:7272: icmp_seq=3 ttl=64 time=238 ms
64 bytes from fec0:1::7272:7272: icmp_seq=4 ttl=62 time=201 ms
64 bytes from fec0:1::7272:7272: icmp_seq=5 ttl=91 time=359 ms
64 bytes from fec0:1::7272:7272: icmp_seq=6 ttl=83 time=422 ms
64 bytes from fec0:1::7272:7272: icmp_seq=7 ttl=81 time=292 ms
Tips:
做完上面的配置之后Server本身ping IPv4的地址会不通,但是可以正常上网,貌似就只有ping有问题,目前暂未找到解决办法
配置DNS64
安装bind服务
yum -y install bind
编辑named服务配置文件
vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
// 监听IPv4任意地址的53号端口的请求,如果是业务服务器,请将any修改为本机的IPv4地址
listen-on port 53 { any; };
// 监听IPv6任意地址的53号端口的请求,如果是业务服务器,请将any修改为本机的IPv6地址
listen-on-v6 port 53 { any; };
// 将解析出的IPv4地址转换成fec0:1开头的IPv6地址,例如,解析出的IPv4地址是114.114.114.114,那么返回的地址应该是fec0:1::7272:7272
dns64 fec0:1::/96 {
clients { any; };
};
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
// 非本地域名的解析请求转发到公网DNS服务器
forward only;
forwarders { 114.114.114.114; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
// 将DNS安全设置关闭,否则局域网内的DNS会被认为是非法DNS而无法将请求转发到公网DNS上
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
检查配置文件语法格式
named-checkconf
启动服务,并设置开机启动
systemctl start named
systemctl enable named
修改自定义域配置,在文件的最后增加内部的域名文件解析配置
vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "test.com" IN {
type master;
file "test.com.zone";
allow-update { none; };
};
创建域配置文件
vim /var/named/test.com.zone
$TTL 1D
@ IN SOA @ test.com.(
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS @
IN A 127.0.0.1
route IN AAAA fec0:1::1
nat64 IN AAAA fec0:1::1
web IN A 172.31.9.160
web IN AAAA fec0:1::160
ftp IN AAAA fec0:1::160
mail IN AAAA fec0:1::64
sqlserv IN AAAA fec0:1::66
ad IN AAAA fec0:1::64
oracle IN AAAA fec0:1::63
mysql IN AAAA fec0:1::61
radius IN AAAA fec0:1::64
# 所有的域名映射都将在此定义,若需增加子域名则在配置文件追加行即可
# A IPv4域名映射
# AAAA IPv6域名映射
使用dig验证解析是否准确
dig route.test.com @127.0.0.1 AAAA
; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> route.test.com @127.0.0.1 AAAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21750
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;route.test.com. IN AAAA
;; ANSWER SECTION:
route.test.com. 86400 IN AAAA fec0:1::1
;; AUTHORITY SECTION:
test.com. 86400 IN NS test.com.
;; ADDITIONAL SECTION:
test.com. 86400 IN A 127.0.0.1
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug 28 00:38:07 CST 2019
;; MSG SIZE rcvd: 113
使用nslookup检查解析是否正确
nslookup -q=aaaa route.test.com 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
route.test.com has AAAA address fec0:1::1
至此NAT64服务器搭建完毕,后续就可以通过该服务器使用IPv6地址访问IPv4的网络了
4608
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
