# nat-on-nft

**Repository Path**: hsupu/nat-on-nft

## Basic Information

- **Project Name**: nat-on-nft
- **Description**: A nftables NAT rules generator in Python & PHP.
- **Primary Language**: Unknown
- **License**: WTFPL
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 1
- **Forks**: 0
- **Created**: 2020-06-04
- **Last Updated**: 2024-12-25

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# nftables NAT rules generator in script

A fork of [arloor/nftables-nat-rust][1] that replaces the Rust implementation with script languages (PHP and Python).

[1]: https://github.com/arloor/nftables-nat-rust/

## The why

Why PHP (or Python)? They are already installed on the server, and a job that mostly consists of gluing strings together is awkward to run from an unmodifiable binary.

The second reason is that this project defines a new rule format that covers IPv4 and IPv6 in the same file. As of 2020/06/04 the original project still supported IPv4 only.
## Prerequisite

Stop and disable firewalld (if present):

```bash
systemctl stop firewalld
systemctl disable firewalld
```

Flush all iptables rules and reset the default policies. Chains have to be emptied (`-F`) before user-defined chains can be deleted (`-X`). These commands only touch the IPv4 tables; if `ip6tables` holds rules, repeat them with `ip6tables`:

```bash
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
```

After this the host accepts all traffic, and the generated `nat.nft` only adds NAT rules, so add your own filter chains if the host is reachable from untrusted networks.

Disable the iptables service (if present, on SysV-style systems):

```bash
/etc/init.d/iptables stop
chkconfig iptables off
```

Disable SELinux. This switches SELinux off for the whole host, not only for the NAT setup, so weigh it against whatever else the machine runs:

```bash
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
```

Enable IPv4/IPv6 packet forwarding (`sysctl -p` reloads the file so the change applies without a reboot):

```bash
echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' >> /etc/sysctl.conf
sysctl -p
```

Enable routing to loopback addresses (`route_localnet`). This key exists only under `net.ipv4.conf.*`; mainline Linux has no `net.ipv6.conf.all.route_localnet`, and `sysctl -p` would report such a line as missing:

```bash
echo 'net.ipv4.conf.all.route_localnet = 1' >> /etc/sysctl.conf
sysctl -p
```

Install nftables on CentOS/RedHat:

```bash
yum install -y nftables
```

Or on Debian/Ubuntu:

```bash
apt install -y nftables
```

## Usage

```bash
# write your own rules
vim nat.nft

# generate the nat.nft file
php gen.php

# apply it
./apply.sh

# another way to apply it (just showing off); this only works if the
# generated file starts with an nft shebang line such as #!/usr/sbin/nft -f
chmod +x nat.nft
./nat.nft
```

Set up a scheduled job that runs every minute:

```
sudo crontab -e
```

Append the following line to it:

```
* * * * * /path/to/apply.sh
```

## Rule format

One rule per line:

```
[4][6],[t][u],local-port,remote-port,remote-host
```

The first field selects the address family (`4`, `6`, or `46` for both), the second the transport protocol (`t` for TCP, `u` for UDP, `tu` for both). `local-port` is the port this host listens on; `remote-port` is the port on the destination.

`remote-host` can be one of three things: an IP address, a domain name, or a built-in keyword.

- IPv4 address, e.g. `127.0.0.1`; IPv6 address, e.g. `::1`.
- Domain name, e.g. `www.example.com`.
- Keyword, e.g. `'local` (note the leading single quote).

Keywords are:

- `'local`: the host's own external IP (v4/v6), taken from the default route

For example:

```
46,tu,5353,53,8.8.8.8
46,t,8443,443,example.com
4,t,2222,22,'local
```

## Known issues

The local IP is obtained from the host's default route, so Internet access is required. This could be made more flexible.

Do not bind two local ports to the same remote, as this produces incorrect SNAT rules.
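The rule format above, worked through in code. This is an added example and not the project's `gen.php` or any code from nat-on-nft or nftables-nat-rust: the function names, the offline resolver callback, the documentation-range sample addresses, the `'local` lookup table and the decision that an IP literal fixes a rule's address family are all this example's own assumptions. It parses rule lines, rejects malformed ones, and renders one `ip` and one `ip6` NAT table in the script form that `nft -f` accepts.

```python
# Added example, not the project's gen.php: parse the README rule format and
# render an `nft -f` script from it. Assumptions: the caller supplies the
# host's own addresses (what `'local` stands for) and a resolver for domain
# names, so it runs offline; an IP literal fixes a rule's family, so
# `46,...,8.8.8.8` yields IPv4 rules only. All names here are the example's own.
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

LOCAL_KEYWORD = "'local"   # keyword from the README, including the quote
Resolver = Callable[[str, int], Optional[str]]  # (name, family) -> address


@dataclass(frozen=True)
class Rule:
    families: FrozenSet[int]   # subset of {4, 6}
    protos: FrozenSet[str]     # subset of {"tcp", "udp"}
    local_port: int
    remote_port: int
    remote_host: str           # IP literal, domain name, or 'local


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one `[4][6],[t][u],local-port,remote-port,remote-host` line.
    Returns None for blank/comment lines, raises ValueError on bad input."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 5:
        raise ValueError(f"expected 5 comma-separated fields: {line!r}")
    fam_s, proto_s, lport_s, rport_s, host = parts
    if not fam_s or set(fam_s) - {"4", "6"}:
        raise ValueError(f"family must be 4, 6 or 46, got {fam_s!r}")
    if not proto_s or set(proto_s) - {"t", "u"}:
        raise ValueError(f"protocol must be t, u or tu, got {proto_s!r}")
    for p in (lport_s, rport_s):
        if not p.isdigit() or not 1 <= int(p) <= 65535:
            raise ValueError(f"port out of range: {p!r}")
    if not host:
        raise ValueError("remote-host is empty")
    return Rule(families=frozenset(int(c) for c in fam_s),
                protos=frozenset({"t": "tcp", "u": "udp"}[c] for c in proto_s),
                local_port=int(lport_s), remote_port=int(rport_s),
                remote_host=host)


def resolve_remote(rule: Rule, family: int, local_ips: Dict[int, str],
                   resolver: Resolver) -> Optional[str]:
    """Destination address of `rule` for one family, or None if it has none."""
    if rule.remote_host == LOCAL_KEYWORD:
        return local_ips.get(family)
    try:
        addr = ipaddress.ip_address(rule.remote_host)
    except ValueError:
        return resolver(rule.remote_host, family)        # domain name
    return str(addr) if addr.version == family else None  # literal, other family


def render_nft(rules: List[Rule], local_ips: Dict[int, str],
               resolver: Resolver) -> List[str]:
    """DNAT in PREROUTING, SNAT in POSTROUTING, one table per family.
    `add table` + `flush table` keeps re-applying from cron idempotent."""
    out = ["#!/usr/sbin/nft -f"]
    for family, table in ((4, "ip"), (6, "ip6")):
        out += [f"add table {table} nat", f"flush table {table} nat",
                f"add chain {table} nat PREROUTING "
                "{ type nat hook prerouting priority -100; }",
                f"add chain {table} nat POSTROUTING "
                "{ type nat hook postrouting priority 100; }"]
        # Replies must carry the host's own source; masquerade if unknown.
        snat = f"snat to {local_ips[family]}" if family in local_ips else "masquerade"
        for rule in rules:
            if family not in rule.families:
                continue
            dst = resolve_remote(rule, family, local_ips, resolver)
            if dst is None:
                continue
            dst_port = f"[{dst}]:{rule.remote_port}" if family == 6 else f"{dst}:{rule.remote_port}"
            for proto in sorted(rule.protos):
                out.append(f"add rule {table} nat PREROUTING {proto} dport "
                           f"{rule.local_port} dnat to {dst_port}")
                out.append(f"add rule {table} nat POSTROUTING {table} daddr {dst} "
                           f"{proto} dport {rule.remote_port} {snat}")
    return out


# Constructed sample input: the README's example rules plus a comment line;
# documentation-range addresses stand in for the default route and DNS.
SAMPLE_RULES = """\
# DNS to 8.8.8.8: the literal is IPv4, so the 6 flag produces nothing
46,tu,5353,53,8.8.8.8
46,t,8443,443,example.com
4,t,2222,22,'local
"""
SAMPLE_LOCAL = {4: "198.51.100.10", 6: "2001:db8::10"}
SAMPLE_DNS = {("example.com", 4): "203.0.113.5", ("example.com", 6): "2001:db8::5"}


def sample_script() -> List[str]:
    rules = [r for r in map(parse_rule, SAMPLE_RULES.splitlines()) if r]
    return render_nft(rules, SAMPLE_LOCAL, lambda name, fam: SAMPLE_DNS.get((name, fam)))


if __name__ == "__main__":
    print("\n".join(sample_script()))
```

Running the block prints a script that `nft -f` accepts. Each table is created with `add table` and then emptied with `flush table`, so re-running it from the per-minute cron job replaces the previous NAT rules instead of appending duplicates; an IPv6 destination is written as `[addr]:port`, which is the form nft expects for `dnat to`.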