卖女孩的小火柴's Blog

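Enabling FullCone on CentOS 7.8 to change WireGuard's NAT type

WireGuard's NAT type depends on the NAT of the host it runs on. On Linux the default is symmetric NAT, which is not friendly for gaming. The rest of this post explains how to add a kernel module so that FullCone can be enabled.

All of the steps below were done on CentOS 7.8.

The overall approach comes from: https://kotori.net/2020/01/08/%E7%AE%80%E5%8D%95%E6%93%8D%E4%BD%9C%E4%BD%BF-centos-%E6%94%AF%E6%8C%81-fullcone-nat/
A few extra dependencies have been added to get around some of the pitfalls.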

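Install the required dependencies

Kernel

Build tools

netfilter-full-cone-nat also has requirements on the gcc version. The antique gcc 4.8.5 that ships with C7 cannot compile it, so use gcc 8.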

yum install gcc gcc-c++ autoconf autogen libmnl libmnl-devel libtool-devel libtool -y
yum install centos-release-scl -y
yum install devtoolset-8-gcc* -y
scl enable devtoolset-8 bash

Replace Firewalld with iptables

If you have already done this step, you do not need to do it again.

systemctl disable firewalld
systemctl stop firewalld
yum -y install iptables-services
systemctl enable iptables
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
service iptables save
systemctl start iptables

Download the source code

cd /root/
git clone git://git.netfilter.org/libnftnl.git
git clone git://git.netfilter.org/iptables.git
git clone https://github.com/Chion82/netfilter-full-cone-nat.git

Check whether any errors were reported.

Build

Build libnftnl

yum install libmnl-devel -y
cd libnftnl
git checkout a71599dc0ae1a808e970e96850ea83d77f452994
sh autogen.sh
./configure
make
make install

If any dependencies are still missing, install them yourself.

Build netfilter-full-cone-nat

cd /root/netfilter-full-cone-nat
make
modprobe nf_nat
insmod xt_FULLCONENAT.ko

Build iptables 1.8.4

cp /root/netfilter-full-cone-nat/libipt_FULLCONENAT.c /root/iptables/extensions/
cd /root/iptables
git checkout 2b506c6681c7b01803f06b258a39e9da9012e5c5
ln -sfv /usr/sbin/xtables-multi /usr/bin/iptables-xml
./autogen.sh
PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
export PKG_CONFIG_PATH
./configure
make
make install

If any dependencies are still missing, install them yourself.

Update iptables

# Stop iptables first
systemctl stop iptables
# Remove the original iptables
rm -rf /sbin/iptables
rm -rf /sbin/iptables-restore
rm -rf /sbin/iptables-save
# Copy in the iptables you built yourself
cd /usr/local/sbin
cp /usr/local/sbin/iptables /sbin/
cp /usr/local/sbin/iptables-restore /sbin/
cp /usr/local/sbin/iptables-save /sbin/
# Check the iptables version
iptables -V

Load the FullCone module automatically at boot

kernel=`uname -r`
cp /root/netfilter-full-cone-nat/xt_FULLCONENAT.ko  /lib/modules/$kernel/
depmod
echo "modprobe xt_FULLCONENAT" > /etc/sysconfig/modules/xt_FULLCONENAT.modules
chmod 755 /etc/sysconfig/modules/xt_FULLCONENAT.modules
reboot

Check that the module loaded successfully

lsmod | grep xt_FULLCONENAT

If you get output similar to:

xt_FULLCONENAT         40960  2 
nf_nat                 45056  2 xt_FULLCONENAT,iptable_nat
nf_conntrack          155648  2 nf_nat,xt_FULLCONENAT

then it worked.

Set the FullCone iptables forwarding rules

iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT #same as MASQUERADE  
iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT  #automatically restore NAT for inbound packets
service iptables save
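
An added example (not part of the original post or of the netfilter-full-cone-nat project): a POSIX shell check that reads lsmod and iptables-save output and reports, per interface, whether FULLCONENAT is present in both POSTROUTING and PREROUTING as set above, plus the INPUT default policy that was set to ACCEPT earlier. The sample dump is constructed, and its eth1 rule is hypothetical, there only to show a mismatch.

```shell
#!/bin/sh
# Added example: audit a FULLCONENAT setup. Each function reads text on stdin,
# so it works on live command output or on a saved dump.

# module_loaded: succeed if `lsmod` output lists xt_FULLCONENAT.
module_loaded() {
    awk '$1 == "xt_FULLCONENAT" { found = 1 } END { exit !found }'
}

# fullcone_report: from `iptables-save` output, print one line per interface
# that has a FULLCONENAT rule: "IFACE paired|outbound-only|inbound-only".
fullcone_report() {
    awk '
        /^\*/ { in_nat = ($0 == "*nat") }            # track the current table
        in_nat && $1 == "-A" && /-j FULLCONENAT/ {
            for (i = 3; i < NF; i++) {
                if ($2 == "POSTROUTING" && $i == "-o") out[$(i + 1)] = 1
                if ($2 == "PREROUTING"  && $i == "-i") inb[$(i + 1)] = 1
            }
        }
        END {
            for (n in out) print n, ((n in inb) ? "paired" : "outbound-only")
            for (n in inb) if (!(n in out)) print n, "inbound-only"
        }' | sort
}

# input_policy: print the default policy of the filter table's INPUT chain.
input_policy() {
    awk '/^\*/ { t = $0 } t == "*filter" && $1 == ":INPUT" { print $2 }'
}

# Constructed sample dump; the eth1 rule is hypothetical, added to show a mismatch.
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -j FULLCONENAT
-A POSTROUTING -o eth0 -j FULLCONENAT
-A POSTROUTING -o eth1 -j FULLCONENAT
COMMIT
*filter
:INPUT ACCEPT [0:0]
COMMIT
EOF
}

sample_rules | fullcone_report     # live system: iptables-save | fullcone_report
sample_rules | input_policy        # live system: iptables-save | input_policy
```

On a live host, feed the functions real output: lsmod | module_loaded, iptables-save | fullcone_report.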

Enjoy

Connect and check the NAT type.
