开启Centos7.8的FullCone以更改WireGuard的NAT类型

浏览 3855 | 评论 2 | 字数 3355

卖女孩的小火柴 - 搬砖中

2020年10月21日

WireGuard的NAT类型依赖于宿主机的NAT，对于Linux来说，默认的就是对称NAT，这对我们打游戏来说并不友好，下文将解释如何增加内核模块以便开启FullCone

以下步骤均来自Centos7.8

总体思路来自: https://kotori.net/2020/01/08/%E7%AE%80%E5%8D%95%E6%93%8D%E4%BD%9C%E4%BD%BF-centos-%E6%94%AF%E6%8C%81-fullcone-nat/
增加少许依赖解决部分坑等

安装所需依赖

内核

WireGuard本身就对内核版本有较高的要求

这里直接上到最新内核

rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
yum -y install epel-release
yum -y install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum --enablerepo=elrepo-kernel install kernel-ml kernel-ml-headers kernel-ml-devel kernel-ml-tools kernel-ml-tools-libs
grub2-set-default 0
reboot

安装内核过程中可能会出现各种各样奇奇怪怪的冲突依赖等问题...
各位自行解决
之后使用 uname -a 查看是否已经更换新内核成功

编译工具

netfilter-full-cone-nat也对gcc等版本提出了要求，C7自带的古董gcc4.8.5是无法编译通过的，上gcc8

yum install gcc gcc-c++ autoconf autogen libmnl libmnl-devel libtool-devel libtool -y
yum install centos-release-scl -y
yum install devtoolset-8-gcc* -y
scl enable devtoolset-8 bash

更换Firewalld为iptables

这步做过的同学就不用再做了

systemctl disable firewalld
systemctl stop firewalld
yum -y install iptables-services
systemctl enable iptables
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
service iptables save
systemctl start iptables

下载源代码

cd /root/
git clone git://git.netfilter.org/libnftnl.git
git clone git://git.netfilter.org/iptables.git
git clone https://github.com/Chion82/netfilter-full-cone-nat.git

注意有没有报错

编译

编译libnftnl

yum install libmnl-devel -y
cd libnftnl
git checkout a71599dc0ae1a808e970e96850ea83d77f452994
sh autogen.sh
./configure
make
make install

要是还缺依赖就自行安装

编译netfilter-full-cone-nat

cd /root/netfilter-full-cone-nat
make
modprobe nf_nat
insmod xt_FULLCONENAT.ko

编译iptables 1.8.4

cp /root/netfilter-full-cone-nat/libipt_FULLCONENAT.c /root/iptables/extensions/
cd /root/iptables
git checkout 2b506c6681c7b01803f06b258a39e9da9012e5c5
ln -sfv /usr/sbin/xtables-multi /usr/bin/iptables-xml
./autogen.sh
PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
export PKG_CONFIG_PATH
./configure
make
make install

要是还缺依赖就自行安装

更新iptables

#先关闭iptables
systemctl  stop iptables
#删除原来的iptables
rm -rf /sbin/iptables
rm -rf /sbin/iptables-restore
rm -rf /sbin/iptables-save
#复制你自己编译的iptables
cd /usr/local/sbin
cp /usr/local/sbin/iptables /sbin/     
cp /usr/local/sbin/iptables-restore /sbin/
cp /usr/local/sbin/iptables-save /sbin/
#检验iptables版本
iptables -V

设置开机自动加载Fullcone模块

kernel=`uname -r`
cp /root/netfilter-full-cone-nat/xt_FULLCONENAT.ko  /lib/modules/$kernel/
depmod
echo "modprobe xt_FULLCONENAT" > /etc/sysconfig/modules/xt_FULLCONENAT.modules
chmod 755 /etc/sysconfig/modules/xt_FULLCONENAT.modules
reboot

检查是否加载成功

lsmod | grep xt_FULLCONENAT

如果有输出类似于:

xt_FULLCONENAT         40960  2 
nf_nat                 45056  2 xt_FULLCONENAT,iptable_nat
nf_conntrack          155648  2 nf_nat,xt_FULLCONENAT

则成功

设置FullCone的iptables转发规则

iptables -t nat -A POSTROUTING -o eth0 -j FULLCONENAT #same as MASQUERADE  
iptables -t nat -A PREROUTING -i eth0 -j FULLCONENAT  #automatically restore NAT for inbound packets
service iptables save