Option 1: socat single-port, single-protocol forwarding
## Step 1: find a dual-stack VPS and install socat
apt install socat
## Step 2: configure the forwarding
# TCP one-way forward (v6 > v4): forward connections received on IPv6 port 80 to 156.232.99.41:80
socat TCP6-LISTEN:80,reuseaddr,fork TCP4:156.232.99.41:80
# UDP one-way forward (v4 > v6): forward datagrams received on IPv4 port 53 to port 53 on the IPv6 host; 2001:db8::1234 is a documentation-prefix placeholder for the real target
socat UDP4-RECVFROM:53,fork UDP6-SENDTO:[2001:db8::1234]:53
# TCP one-way forward (v4 > v6)
socat TCP4-LISTEN:80,fork,reuseaddr "TCP6:[2001:db8::1234]:80"
## An IPv6-only client only needs to connect to port 80 on the VPS's IPv6 address to reach 156.232.99.41:80
./tcping [2408:4006:1132:562e:56d:8cfd] 80
Option 2: use a public DNS64 + NAT64 service
## The IPv6-only host only needs to point its DNS at one of the DNS64 addresses below
[root@LT-He-IPv6-70 ~]# cat /etc/resolv.conf
nameserver 2a00:1098:2b::1
nameserver 2a01:4f9:c010:3f02::1
nameserver 2a01:4f8:c2c:123f::1
nameserver 2a00:1098:2c::1
## Drawback: IPv4 literal addresses cannot be reached directly, only hostnames (DNS64 synthesizes AAAA records from the A records it receives, and the traffic is then relayed through the NAT64 server)
Provider | DNS64 address | NAT64 prefix | Location |
---|---|---|---|
nat64.net | 2a00:1098:2c::1 | 3 prefixes | Amsterdam |
nat64.net | 2a01:4ff:f0:9876::1 | 3 prefixes | Ashburn |
nat64.net | 2a01:4f9:c010:3f02::1 | 3 prefixes | Helsinki |
nat64.net | 2a00:1098:2c::1 | 3 prefixes | London |
nat64.net | 2a01:4f8:c2c:123f::1 | 3 prefixes | Nuremberg |
IPng | 2a02:898:146:64::64 | 1 prefix | Amsterdam |
Trex | 2001:67c:2b0::4 | 1 prefix | Tampere |
Trex | 2001:67c:2b0::6 | 1 prefix | Tampere |
level66 | 2001:67c:2960::64 | 1 prefix | Germany |
level66 | 2001:67c:2960::6464 | 1 prefix | Germany |
Kasper Dupont | 2a00:1098:2b::1 | 2a00:1098:2b::/96 | Germany/Nuremberg |
Kasper Dupont | 2a00:1098:2c::1 | 2a00:1098:2c:1::/96 | UK/London |
Kasper Dupont | 2a01:4f8:c2c:123f::1 | 2a01:4f8:c2c:123f:64::/96 | UK/London |
Kasper Dupont | 2a01:4f9:c010:3f02::1 | 2a01:4f9:c010:3f02:64::/96 | Finland/Helsinki |
Option 3: self-hosted DNS64 and NAT64 servers
How this option works and its limitations
Implementation
## Prerequisites:
1. You must have a publicly routable IPv6 block of at least /96 (do not use 64:ff9b::/96; that prefix is meant for use inside your own network and is not globally routable).
2. Port 53 on your IPv6 address must not be blocked (in other words, do not use mainland-China IPv6, because mainland China places requirements on running services on port 53).
3. My IPv6 block is a tunnel prefix provided by HE (Hurricane Electric); see https://boke.wsfnk.com/archives/26.html
## Jool reference articles (official docs and related posts)
https://es.wikipedia.org/wiki/NAT64
https://nicmx.github.io/Jool/en/run-nat64.html
https://www.taterli.com/8290
https://blog.lingxh.com/post/464xlat/
https://blog.d2okkk.net/202502/ipv6-mostly/
https://openwrt.org/docs/guide-user/network/ipv6/nat64
NAT64 deployment test:
https://forum.netgate.com/topic/158084/how-to-setup-nat64-using-pfsense-with-jool
## HE IPv6 tunnel configuration
modprobe ipv6
ip tunnel add he-ipv6 mode sit remote 216.218.221.42 local 10.3.0.4 ttl 255
ip link set he-ipv6 up
ip addr add 2001:470:35:472::2/64 dev he-ipv6
ip route add ::/0 dev he-ipv6
ip -f inet6 addr
root@DNS64-NAT64-SG:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 52:54:00:a6:22:e7 brd ff:ff:ff:ff:ff:ff
altname enp0s5
altname ens5
inet 10.3.0.4/22 brd 10.3.3.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fea6:22e7/64 scope link
valid_lft forever preferred_lft forever
3: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/sit 0.0.0.0 brd 0.0.0.0
4: he-ipv6@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000
link/sit 10.3.0.4 peer 216.218.221.42
inet6 2001:470:35:472::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::a03:4/64 scope link
valid_lft forever preferred_lft forever
## 1. Deploy DNS64 (pick a Debian-family distro, which makes installing Jool easier later)
apt install -y unbound
cat > /etc/unbound/unbound.conf.d/dns64.conf <<EOF
server:
    verbosity: 2
    pidfile: "/var/run/unbound.pid"
    use-syslog: yes
    module-config: "dns64 iterator"
    dns64-prefix: 2001:470:36:472::/96
    # no (the default): synthesize AAAA records only for names that have no real AAAA record
    dns64-synthall: no
    interface: ::0
    port: 53
    access-control: ::0/0 allow
forward-zone:
    name: "."
    forward-addr: 223.5.5.5
EOF
# Test that DNS64 synthesis works
dig aaaa ipv4only.arpa @::1
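To see what the `dig` above should return, here is the RFC 6052 /96 embedding that Unbound's dns64 module and Jool both perform, worked through with the prefix from dns64.conf. This is an added example, not code from the original post or from Unbound; the sample addresses are constructed for illustration.

```python
import ipaddress

DNS64_PREFIX = ipaddress.IPv6Network("2001:470:36:472::/96")  # from dns64.conf above


def synthesize_aaaa(ipv4, prefix=DNS64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 prefix (RFC 6052).
    This is the AAAA record DNS64 hands back when a name has only A records."""
    if prefix.prefixlen != 96:
        raise ValueError("DNS64/NAT64 prefix must be a /96")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(ipv6, prefix=DNS64_PREFIX):
    """Reverse step, as done by the NAT64 box: recover the IPv4 destination,
    or None if the address is not inside the translation prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def expected_ipv4only_arpa(prefix=DNS64_PREFIX):
    """Expected answers to `dig aaaa ipv4only.arpa`: the zone's fixed A records
    192.0.0.170 and 192.0.0.171 (RFC 7050), each mapped through the prefix."""
    return [synthesize_aaaa(a, prefix) for a in ("192.0.0.170", "192.0.0.171")]


def discover_prefix(aaaa_answers):
    """RFC 7050 client-side discovery: a host learns the NAT64 prefix by
    resolving ipv4only.arpa and masking off the embedded well-known IPv4."""
    for ans in aaaa_answers:
        v6 = int(ipaddress.IPv6Address(ans))
        if (v6 & 0xFFFFFFFF) in (0xC00000AA, 0xC00000AB):  # 192.0.0.170 / .171
            return ipaddress.IPv6Network((v6 & ~0xFFFFFFFF, 96))
    return None


if __name__ == "__main__":
    print("ipv4only.arpa should resolve to:", expected_ipv4only_arpa())
    # Constructed sample: the IPv4 target from Option 1, as an IPv6-only host would reach it
    print("156.232.99.41 via NAT64 ->", synthesize_aaaa("156.232.99.41"))
```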
## 2. Install Jool, enable kernel forwarding, and set the NAT port range (exclude the ports you use yourself, such as your SSH port, otherwise you will lock yourself out)
apt install -y build-essential pkg-config \
linux-headers-$(uname -r) \
libnl-genl-3-dev libxtables-dev dkms
# build-essential, pkg-config: compiler toolchain and macro detection
# linux-headers-$(uname -r): required so the DKMS module can be built
# libnl-genl-3-dev, libxtables-dev: needed to build the userspace tools and the Netfilter plugin
apt install -y jool-dkms jool-tools
apt install -y iptables # (optional)
# jool-dkms: the kernel module, rebuilt automatically by DKMS on kernel upgrades
# jool-tools: userspace management tools, providing the jool and jool instance commands
echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
echo "net.ipv6.conf.all.forwarding=1" >> /etc/sysctl.conf
sysctl -p
## 3. Configure Jool (netfilter mode is used here; iptables mode is also possible)
# Tip 1: "port range" is the pool of ports handed out dynamically for translation; do not include your remote SSH port in it
# Tip 2: ICMP needs no port range
# Tip 3: "prefix" is your cloud server's internal IPv4 address
mkdir /etc/jool/
vi /etc/jool/jool.conf
{
    "comment": "Configuration for the systemd NAT64 Jool service.",
    "instance": "nat64",
    "framework": "netfilter",
    "global": {
        "comment": "Pool6 prefix",
        "pool6": "2001:470:36:472::/96"
    },
    "comment": "Pool4 table",
    "pool4": [
        {
            "protocol": "TCP",
            "prefix": "10.3.0.4",
            "port range": "10000-65530"
        }, {
            "protocol": "UDP",
            "prefix": "10.3.0.4",
            "port range": "10000-65530"
        }, {
            "protocol": "ICMP",
            "prefix": "10.3.0.4"
        }
    ]
}
# Start the service
systemctl start jool
systemctl enable jool
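Before `systemctl start jool`, the config can be sanity-checked for the mistakes the tips above warn about: a pool4 port range that covers the SSH port, a pool6 that is not a /96 or is the non-routable 64:ff9b::/96, and a pool4 prefix that is not this server's IPv4 address. This is an added example, not part of the original post or of Jool; the embedded config is a constructed copy of the one above with the comment keys dropped, and `server_ipv4` / `ssh_port` are assumed parameters.

```python
import ipaddress
import json

# Constructed sample: the jool.conf from this section, comment keys omitted.
SAMPLE_CONF = """{
  "instance": "nat64", "framework": "netfilter",
  "global": {"pool6": "2001:470:36:472::/96"},
  "pool4": [
    {"protocol": "TCP",  "prefix": "10.3.0.4", "port range": "10000-65530"},
    {"protocol": "UDP",  "prefix": "10.3.0.4", "port range": "10000-65530"},
    {"protocol": "ICMP", "prefix": "10.3.0.4"}
  ]
}"""


def parse_port_range(spec):
    """'10000-65530' -> (10000, 65530); a single port 'N' -> (N, N)."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("bad port range: %r" % spec)
    return lo, hi


def check_jool_conf(text, server_ipv4="10.3.0.4", ssh_port=22):
    """Return a list of problems; an empty list means the config looks safe.
    json.loads() itself rejects the trailing-comma variant shown in the appendix."""
    conf = json.loads(text)
    problems = []
    pool6 = ipaddress.IPv6Network(conf["global"]["pool6"])
    if pool6.prefixlen != 96:
        problems.append("pool6 %s is not a /96" % pool6)
    if pool6 == ipaddress.IPv6Network("64:ff9b::/96"):
        problems.append("pool6 is the well-known prefix, not routable beyond your own network")
    pool4 = conf.get("pool4", [])
    if not pool4:
        problems.append("no pool4 port range set; as noted above this can break your own SSH session")
    for entry in pool4:
        proto = entry["protocol"].upper()
        if ipaddress.IPv4Address(server_ipv4) not in ipaddress.IPv4Network(entry["prefix"], strict=False):
            problems.append("%s pool4 prefix %s is not this server's IPv4 address" % (proto, entry["prefix"]))
        if proto == "ICMP":
            continue  # ICMP translation needs no port pool (Tip 2)
        if "port range" not in entry:
            problems.append("%s pool4 entry has no port range" % proto)
            continue
        lo, hi = parse_port_range(entry["port range"])
        if lo <= ssh_port <= hi:
            problems.append("%s port range %d-%d contains SSH port %d" % (proto, lo, hi, ssh_port))
    return problems
```

Running `check_jool_conf(SAMPLE_CONF)` returns an empty list for the config above with SSH on port 22; with a non-standard SSH port inside 10000-65530 it reports the TCP and UDP ranges that would swallow it.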
## 4. How an IPv6-only host uses this NAT64 service
cat > /etc/resolv.conf <<EOF
nameserver 2001:470:35:472::2
EOF
ping6 ipv4only.arpa
curl -6 -v http://atstm.cc/ip
## Appendix: the Jool config can also be written like this (no pool4 port range set; if you run SSH on a non-standard port this may cut off your own SSH session)
{
    "comment": "Configuration for the systemd NAT64 Jool service.",
    "instance": "nat64",
    "framework": "netfilter",
    "global": {
        "comment": "Pool6 prefix",
        "pool6": "2001:470:36:472::/96"
    }
}
Appendix: debugging Jool
## Load the module (NAT64 only needs jool; jool_siit is not used)
modprobe jool
modprobe jool_siit # not needed; can be skipped for now
## Add a translation instance
jool instance add "nat64" --netfilter --pool6 2001:470:19:10a3::/96
# The IPv4 address is the IP of the NIC on the IPv4 network; on a VPS, use the private address if the machine has one, otherwise its public address (Tips: ICMP needs no port range; make sure the range does not cover a non-standard SSH port)
jool -i nat64 pool4 add 192.168.70.3 10000-65530 --tcp
jool -i nat64 pool4 add 192.168.70.3 10000-65530 --udp
jool -i nat64 pool4 add 192.168.70.3 10000-65530 --icmp
## Inspect the pools
jool instance display
jool -i "nat64" global display
jool -i "nat64" stats display
jool -i "nat64" pool4 display -t
jool -i "nat64" pool4 display -u
jool -i "nat64" pool4 display -i
Appendix: DNS64 with BIND
## Configure BIND9 DNS64
apt install bind9 bind9utils bind9-dnsutils -y
cat > /etc/bind/named.conf.options << EOF
acl "rfc1918" {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};
options {
    directory "/var/cache/bind";
    dns64 2001:470:19:10a3::/96 {
        clients { any; };
        mapped { !rfc1918; any; };
        exclude { 127.0.0.0/8; ::1/128; };
    };
    recursion yes;
    allow-query { any; };
    listen-on-v6 { any; };
    listen-on { any; };
    forwarders {
        8.8.8.8;
        1.1.1.1;
    };
    dnssec-validation auto;
};
EOF
## Check the syntax
named-checkconf
## Start
systemctl restart bind9
systemctl enable named