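Linux's default NAT is Symmetric NAT, which for a hopeless gamer like me is completely unacceptable. Not every game can go through a proxy, so doing Full Cone NAT at layer 3 is a good option. This post uses Debian 11 as the example and briefly outlines the process.
Environment setup
First, install the dependencies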
apt -y install cmake gcc g++ make libncurses5-dev libssl-dev libsodium-dev libreadline-dev zlib1g-dev git libmnl-dev libnftnl-dev linux-headers-amd64
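Build the module
# Clone into the home directory, because the later steps refer to ~/netfilter-full-cone-nat
cd ~
git clone https://github.com/llccd/netfilter-full-cone-nat/
cd ~/netfilter-full-cone-nat
make
# Load nf_nat first, then insert the freshly built module
modprobe nf_nat
insmod xt_FULLCONENAT.ko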
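Build iptables
# Return to the home directory so the checkout lands in ~/iptables
cd ~
git clone git://git.netfilter.org/iptables.git
# Add the FULLCONENAT userspace extensions to the iptables source tree
cp ~/netfilter-full-cone-nat/libipt_FULLCONENAT.c ~/iptables/extensions/
cp ~/netfilter-full-cone-nat/libip6t_FULLCONENAT.c ~/iptables/extensions/
cd ~/iptables
ln -sfv /usr/sbin/xtables-multi /usr/bin/iptables-xml
PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
export PKG_CONFIG_PATH
# A git checkout has no generated configure script; autogen.sh creates it (needs autoconf, automake and libtool)
./autogen.sh
./configure
make
make install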
Deploy the module
cp ~/netfilter-full-cone-nat/xt_FULLCONENAT.ko /lib/modules/$(uname -r)/
depmod
# Files in /etc/modules-load.d/ list bare module names, one per line, not modprobe commands
echo "xt_FULLCONENAT" >> /etc/modules-load.d/fullconenat.conf
Verification
Run lsmod | grep xt_FULLCONENAT
Output similar to the following means it worked
root@cola:~# lsmod | grep xt_FULLCONENAT
xt_FULLCONENAT 40960 0
nf_nat 53248 1 xt_FULLCONENAT
nf_conntrack 176128 2 nf_nat,xt_FULLCONENAT
x_tables 53248 2 xt_FULLCONENAT,ip_tables
Usage
iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT # same as MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT # automatically restore NAT for inbound packets
ip6tables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT # same as MASQUERADE
ip6tables -t nat -A PREROUTING -i eth0 -j FULLCONENAT # automatically restore NAT for inbound packets
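Side effects
Sigh, when will there be kernel-level support? After every kernel upgrade, remember to rebuild the module and deploy it again
cd ~/netfilter-full-cone-nat
make
cp ~/netfilter-full-cone-nat/xt_FULLCONENAT.ko /lib/modules/$(uname -r)/
# Refresh the module dependency index so modprobe can find the copied module
depmod
modprobe xt_FULLCONENAT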
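A check for the two things that go wrong after a kernel upgrade or reboot, covering the "Usage" and "Side effects" sections: the module missing for the running kernel, and only one half of the POSTROUTING/PREROUTING rule pair being present. This is an added example, not code from the original post or from the netfilter-full-cone-nat project; the function names, the ROOT prefix argument and the sample ruleset are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks after a kernel upgrade.

# module_installed KVER [ROOT]: succeed if xt_FULLCONENAT.ko is in the module
# directory of kernel KVER, the path used in the deployment step.
# ROOT is a hypothetical prefix so the check can run against a test tree.
module_installed() {
    [ -f "${2:-}/lib/modules/$1/xt_FULLCONENAT.ko" ]
}

# fullcone_status IFACE: read rules in `iptables -t nat -S` format on stdin and
# print ok, missing-prerouting, missing-postrouting or missing-both.
# Returns 0 only when both halves of the rule pair exist for IFACE.
fullcone_status() {
    awk -v ifc="$1" '
        $1 == "-A" {
            dir = ""; tgt = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-o" && $(i + 1) == ifc) dir = "out"
                if ($i == "-i" && $(i + 1) == ifc) dir = "in"
                if ($i == "-j" && $(i + 1) == "FULLCONENAT") tgt = 1
            }
            if (tgt && $2 == "POSTROUTING" && dir == "out") post = 1
            if (tgt && $2 == "PREROUTING"  && dir == "in")  pre = 1
        }
        END {
            if (post && pre) { print "ok"; exit 0 }
            if (post) { print "missing-prerouting"; exit 1 }
            if (pre)  { print "missing-postrouting"; exit 1 }
            print "missing-both"; exit 1
        }'
}

# Constructed sample: a saved ruleset in which only the outbound rule survived.
SAMPLE_RULES='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j FULLCONENAT'

printf '%s\n' "$SAMPLE_RULES" | fullcone_status eth0 || true
module_installed "$(uname -r)" || echo "xt_FULLCONENAT.ko not installed for $(uname -r)"
```

On a live system, feed it the real ruleset with `iptables -t nat -S | fullcone_status eth0`, and again with `ip6tables` for the IPv6 pair.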
[Network] Enabling Full Cone NAT support on Debian 11