I have been using a script called Torjail (https://torjail.github.io/), and one of its authors posted a draft explanation of how it works: https://superuser.com/questions/1068518/how-to-create-a-tor-only-network-interface-suitable-for-firejail/1231279#1231279
But I wanted IPv6 support, since kernels 3.7+ implement NAT in netfilter6, so I tried to build a modified version.
For testing purposes, I modified the original draft:
# create a new network namespace named NETNS
ip netns add NETNS
# create two virtual ethernet interface
ip link add OUTSIDE type veth peer name INSIDE
# bind one interface to NETNS network namespace
ip link set INSIDE netns NETNS
# set interfaces ip and default routing
ip addr add 10.0.0.1/24 dev OUTSIDE
ip -6 addr add fd00:a630:9821:af3b::1/64 dev OUTSIDE
ip link set OUTSIDE up
ip -6 link set OUTSIDE up
ip netns exec NETNS ip addr add 10.0.0.2/24 dev INSIDE
ip -6 netns exec NETNS ip -6 addr add fd00:a630:9821:af3b::2/64 dev INSIDE
ip netns exec NETNS ip link set INSIDE up
ip -6 netns exec NETNS ip -6 link set INSIDE up
ip netns exec NETNS ip route add default via 10.0.0.1
ip -6 netns exec NETNS ip -6 route add fd00::/64 dev INSIDE
ip -6 netns exec NETNS ip -6 route add default via fd00:a630:9821:af3b::1
# forward all dns traffic to tor DNSPort
iptables -t nat -A PREROUTING -i OUTSIDE -p udp -d 10.0.0.1 --dport 53 -j DNAT --to-destination 10.0.0.1:5353
ip6tables -t nat -A PREROUTING -i OUTSIDE -p udp -d fd00:a630:9821:af3b::1 --dport 53 -j DNAT --to-destination fd00:a630:9821:af3b::1:5354
# forward all traffic to tor TransPort
iptables -t nat -A PREROUTING -i OUTSIDE -p tcp --syn -j DNAT --to-destination 10.0.0.1:9040
ip6tables -t nat -A PREROUTING -i OUTSIDE -p tcp --syn -j DNAT --to-destination fd00:a630:9821:af3b::1:5354:9041
# accept established connection
iptables -A OUTPUT -m state -o OUTSIDE --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A OUTPUT -m state -o OUTSIDE --state ESTABLISHED,RELATED -j ACCEPT
# accept only forwarded traffic
iptables -A INPUT -i OUTSIDE -p udp --destination 10.0.0.1 --dport 5353 -j ACCEPT
ip6tables -A INPUT -i OUTSIDE -p udp --destination fd00:a630:9821:af3b::1 --dport 5354 -j ACCEPT
iptables -A INPUT -i OUTSIDE -p tcp --destination 10.0.0.1 --dport 9040 -j ACCEPT
ip6tables -A INPUT -i OUTSIDE -p tcp --destination fd00:a630:9821:af3b::1 --dport 9041 -j ACCEPT
iptables -A INPUT -i OUTSIDE -p udp --destination 10.0.0.1 --dport 9040 -j ACCEPT
ip6tables -A INPUT -i OUTSIDE -p udp --destination fd00:a630:9821:af3b::1 --dport 9041 -j ACCEPT
iptables -A INPUT -i OUTSIDE -j DROP
I use this torrc:
AutomapHostsOnResolve 1
TransPort 10.0.0.1:9040
DNSPort 10.0.0.1:9053
TransPort [fd00:a630:9821:af3b::1]:9041
DNSPort [fd00:a630:9821:af3b::1]:9054
SOCKSPort 0
IPv4 works fine, but when I try to ping any IPv6-only site I get an error:
# ip netns exec NETNS ping -6 v6.testmyipv6.com
PING v6.testmyipv6.com(2620:12e:1000::a00:f (2620:12e:1000::a00:f)) 56 data bytes
^C
--- v6.testmyipv6.com ping statistics ---
20 packets transmitted, 0 received, 100% packet loss, time 19447ms
The same happens when I try to access any IPv6-only site:
# w3m -6 v6.testmyipv6.com
w3m: Can't load v6.testmyipv6.com.
iptables version: v1.6.1
Kernel: Linux pc01 4.12.0-2-amd64 #1 SMP Debian 4.12.13-1 (2017-09-19) x86_64 GNU/Linux
Tor: 0.3.2.1-alpha-dev (git-dddae36f5e0e9e08+308715492) running on Linux with Libevent 2.1.8-stable, OpenSSL 1.1.0f, Zlib 1.2.8, Liblzma 5.2.2 and Libzstd 1.2.0
What is wrong? Is my configuration correct?
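A consistency check between the torrc listeners and the DNAT redirect rules, added here as an example (not part of the question and not Torjail's code): it parses the TransPort/DNSPort lines and the --to-destination of each rule, flags a redirect to an address/port no Tor listener is bound to, and rejects an IPv6 target that is not written as [addr]:port, the form ip6tables requires when a port is given. The torrc text and rule strings are constructed samples modelled on the question.

```python
import re
from ipaddress import ip_address
# Constructed sample input modelled on the question (hypothetical, not the poster's exact files):
# the Tor listeners and the DNAT rules that redirect traffic leaving the namespace.
TORRC = """
TransPort 10.0.0.1:9040
DNSPort 10.0.0.1:9053
TransPort [fd00:a630:9821:af3b::1]:9041
DNSPort [fd00:a630:9821:af3b::1]:9054
"""
RULES = [
    "iptables -t nat -A PREROUTING -i OUTSIDE -p udp --dport 53 -j DNAT --to-destination 10.0.0.1:5353",
    "ip6tables -t nat -A PREROUTING -i OUTSIDE -p udp --dport 53 -j DNAT --to-destination fd00:a630:9821:af3b::1:5354",
    "ip6tables -t nat -A PREROUTING -i OUTSIDE -p tcp --syn -j DNAT --to-destination [fd00:a630:9821:af3b::1]:9041",
]
# torrc syntax: "TransPort addr:port" for IPv4, "TransPort [addr]:port" for IPv6
LISTENER = re.compile(r"^[ \t]*(?:TransPort|DNSPort)[ \t]+\[?([0-9a-fA-F.:]+?)\]?:(\d+)[ \t]*$", re.M)

def tor_listeners(torrc):
    """Return the set of (address, port) pairs Tor binds for TransPort/DNSPort."""
    return {(str(ip_address(a)), int(p)) for a, p in LISTENER.findall(torrc)}

def dnat_target(rule):
    """Parse --to-destination into (address, port); raise ValueError when malformed."""
    m = re.search(r"--to-destination\s+(\S+)", rule)
    target = m.group(1) if m else ""
    if target.startswith("["):            # [addr]:port is the only form ip6tables accepts with a port
        addr, sep, port = target[1:].partition("]:")
    elif rule.startswith("ip6tables"):    # a bare v6 addr:port is ambiguous and rejected by ip6tables
        raise ValueError(f"IPv6 DNAT target must be written as [addr]:port, got {target!r}")
    else:
        addr, sep, port = target.rpartition(":")
    if not sep or not port.isdigit():
        raise ValueError(f"DNAT target has no port: {target!r}")
    return str(ip_address(addr)), int(port)

def check(torrc, rules):
    """Return findings; an empty list means every redirect lands on a Tor listener."""
    listeners, findings = tor_listeners(torrc), []
    for rule in rules:
        try:
            addr, port = dnat_target(rule)
            if (addr, port) not in listeners:
                findings.append(f"DNAT to {addr} port {port}, but no TransPort/DNSPort listens there")
        except ValueError as err:
            findings.append(str(err))
    return findings

if __name__ == "__main__":
    print(*check(TORRC, RULES), sep="\n")
```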