Skip to content
This repository has been archived by the owner on Jan 22, 2021. It is now read-only.

1. Build FULLCONENAT for Linux

Jump to bottom
quintus edited this page Jan 16, 2021 · 1 revision

This is set up instructions on How to build netfilter-full-cone-nat for Armbian or Ubuntu.

Tested on Armbian 21.02.0-trunk.63 Focal with Linux 5.10.7-rockchip64. Kernel used: 5.10.7.

  1. You might need to apt install build-essential libtool, before starting.
# apt install build-essential autoconf libtool bison flex libnftnl-dev libmnl-dev -y
  1. Confirm the kernel configuration option CONFIG_NF_CONNTRACK_EVENTS is enabled (If this option is disabled on your system, enable it and rebuild your netfilter modules):
# cat /boot/config-`uname -r` | grep CONFIG_NF_CONNTRACK_EVENTS
CONFIG_NF_CONNTRACK_EVENTS=y
  1. install kernel headers by armbian-config:
armbian-config: Software -> Headers_install

# ls /usr/src/
linux-headers-5.10.7-rockchip64
  1. mod modules.lds for FULLCONENAT compile (if kernel< 5.10, don't that!)
# cd /usr/src/linux-headers-5.10.7-rockchip64/scripts
# cp module.lds.S module.lds
# sed -i '$ d' ./module.lds‘ 
# echo '
SECTIONS {
 	.plt (NOLOAD) : { BYTE(0) }
 	.init.plt (NOLOAD) : { BYTE(0) }
 	.text.ftrace_trampoline (NOLOAD) : { BYTE(0) }
}
' >> ./module.lds
#
  1. Download and compile netfilter-full-cone-nat kernel module
# cd
# git clone https://github.com/Chion82/netfilter-full-cone-nat.git
# cd netfilter-full-cone-nat/
# make
  1. Check that module works properly (run modprobe nf_nat first):
# modprobe nf_nat
# insmod xt_FULLCONENAT.ko
# lsmod | grep xt_FULLCONENAT
xt_FULLCONENAT         36864  0

# cp xt_FULLCONENAT.ko /lib/modules/`uname -r`/kernel/net/netfilter/
# echo 'kernel/net/netfilter/xt_FULLCONENAT.ko:' >> /lib/modules/`uname -r`/modules.dep
# depmod

# echo '
nf_nat
xt_FULLCONENAT
' >> /etc/modules-load.d/modules.conf
#
  1. reboot the system, then check that module is started
# lsmod | grep xt_FULLCONENAT
xt_FULLCONENAT         36864  0
  1. Install libmnl:
# cd
# git clone git://git.netfilter.org/libmnl
# cd libmnl
# ./autogen.sh
# ./configure
# make
# make install
  1. Install libnftnl:
# cd
# git clone git://git.netfilter.org/libnftnl.git
# cd libnftnl
# ./autogen.sh
# ./configure
# make
# make install
  1. Install iptables v1.6.0 modules:
# cd
# git clone -b v1.6.0 --single-branch git://git.netfilter.org/iptables.git
# cp netfilter-full-cone-nat/libipt_FULLCONENAT.c iptables/extensions/
# cd iptables
# ./autogen.sh
# ./configure
# make
# make install
  1. Apply FULLCONENAT iptables rules on ethernet interface testing, then verify rules are applied:
# iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT
# iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT


# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
FULLCONENAT  all  --  anywhere             anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
FULLCONENAT  all  --  anywhere             anywhere
Clone this wiki locally