nftables NAT rules generator in script

A fork of arloor/nftables-nat-rust that replaces the Rust implementation with script languages.

The why

Why PHP? My servers already have PHP (and Python) installed, and a job that only glues strings together is awkward to run from an unmodifiable binary.

Another reason is that this project uses a new rule format that supports IPv4 and IPv6 at the same time. At the time of writing (2020/06/04) the original project still supported only IPv4.

Prerequisites

Stop and disable firewalld (if present):

systemctl stop firewalld
systemctl disable firewalld

Flush all rules and user-defined chains in iptables and reset the default policies:

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

Disable the iptables service (if present):

/etc/init.d/iptables stop
chkconfig iptables off

Disable SELinux:

setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

Enable IPv4/IPv6 packet forwarding:

echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' >> /etc/sysctl.conf

Enable routing to loopback addresses (needed when a rule forwards to 127.0.0.1 or ::1):

echo 'net.ipv4.conf.all.route_localnet = 1' >> /etc/sysctl.conf
echo 'net.ipv6.conf.all.route_localnet = 1' >> /etc/sysctl.conf

# load the new settings now instead of waiting for a reboot
sysctl -p

Install nftables on CentOS/RedHat:

yum install -y nftables

Or Debian/Ubuntu:

apt install -y nftables

Usage

# write your rules
vim nat.nft

# generate the nat.nft file
php gen.php

# apply it
./apply.sh

# another way to apply it (just showing off)
chmod +x nat.nft
./nat.nft

Set up a cron job that runs every minute:

sudo crontab -e

Append the following line to it:

* * * * * /path/to/apply.sh

Rule format

One rule per line:

[4][6],[t][u],local-port,remote-port,remote-host

The first field selects the address family (4, 6, or 46 for both); the second selects the transport protocol (t for TCP, u for UDP, or tu for both).

There are three possible types of remote-host: an IP address, a domain name, or a built-in keyword.

  • IPv4, such as 127.0.0.1, or IPv6, such as ::1
  • a domain name, such as www.example.com
  • a keyword, such as 'local

Keywords are:

  • 'local: the host's external IP (v4/v6) taken from the default route

For example:

46,tu,5353,53,8.8.8.8
46,t,8443,443,example.com
4,t,2222,22,'local
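As an added example (not the project's own gen.php), here is a Python generator for this rule format: it parses rule lines, resolves remote-host through the three forms above, and emits a nat.nft with DNAT in prerouting and masquerade in postrouting. The local and resolve arguments are assumptions: the caller passes this host's external IPv4/IPv6 addresses (the project takes them from the default route) and a hostname lookup function, so the code runs offline; a literal IP of the other family is skipped for that family because nftables cannot NAT between v4 and v6.

```python
import ipaddress
import re
# One rule per line: [4][6],[t][u],local-port,remote-port,remote-host
RULE_RE = re.compile(r"^([46]{1,2}),([tu]{1,2}),(\d{1,5}),(\d{1,5}),(\S+)$")
PROTO = {"t": "tcp", "u": "udp"}
# family -> (nfproto keyword, layer-3 keyword, how the address is written after "dnat ... to")
NFT = {"4": ("ipv4", "ip", "{}"), "6": ("ipv6", "ip6", "[{}]")}

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed rule: {line!r}")
    fams, protos, lport, rport, host = m.groups()
    if not (0 < int(lport) < 65536 and 0 < int(rport) < 65536):
        raise ValueError(f"port out of range: {line!r}")
    return {"families": sorted(set(fams)), "protos": [PROTO[c] for c in sorted(set(protos))],
            "lport": int(lport), "rport": int(rport), "host": host}

def remote_address(host, fam, local, resolve):
    """'local -> local[fam]; literal IP -> itself, or None if of the other family; else resolve(host, fam)."""
    if host == "'local":
        return local[fam]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return resolve(host, fam)  # assumed caller-supplied (hostname, family) -> address lookup
    return str(ip) if str(ip.version) == fam else None

def build_rules(text, local, resolve):
    """Return (prerouting DNAT lines, postrouting masquerade lines); blank and '#' lines are skipped."""
    pre, post = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        r = parse_rule(line)
        for fam in r["families"]:
            nfproto, l3, fmt = NFT[fam]
            addr = remote_address(r["host"], fam, local, resolve)
            if addr is None:
                continue
            for proto in r["protos"]:
                pre.append(f"meta nfproto {nfproto} {proto} dport {r['lport']} dnat {l3} to {fmt.format(addr)}:{r['rport']}")
                post.append(f"{l3} daddr {addr} {proto} dport {r['rport']} masquerade")
    return pre, post

def render(pre, post):
    """nft -f script that is safe to re-apply from cron: create the table if missing, flush it, refill it."""
    chain = lambda name, prio, lines: f"  chain {name} {{ type nat hook {name} priority {prio};\n" + "".join(f"    {l}\n" for l in lines) + "  }\n"
    return "#!/usr/sbin/nft -f\ntable inet nat {}\nflush table inet nat\ntable inet nat {\n" + chain("prerouting", -100, pre) + chain("postrouting", 100, post) + "}\n"
```

Feed the three example rules above to build_rules with constructed local addresses and a stub resolver, then write render(pre, post) to nat.nft. Because the postrouting rules use masquerade rather than a fixed snat address, the source address is picked per connection from the outgoing interface.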

Known issues

The local IP is obtained from the host's default route, so Internet access is required. This could be made more flexible.

Do not bind two local ports to the same remote, as this produces incorrect SNAT.

License

DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
Version 2, December 2004

Copyright (C) 2004 Sam Hocevar <sam@hocevar.net>

Everyone is permitted to copy and distribute verbatim or modified copies of this license document, and changing it is allowed as long as the name is changed.

DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. You just DO WHAT THE FUCK YOU WANT TO.
