Install the packages jool-dkms and jool-tools. These are only available per default since Debian 11 / Bullseye. Be aware that this installs a whole bunch of development tools, kernel-headers etc. This might be a security issue on an edge device. It also required 312 Mb of disk space on a dedicated router without too many packages. If this is not acceptable, there's still tayga
Then create a directory /etc/jool and a file /etc/jool/jool.conf with the following content:
{
"instance": "default",
"framework": "netfilter",
"global": {
"pool6": "64:ff9b::/96"
}
}
Be aware that, even if you configure your firewall via iptables, the underlying framework is Netfilter. The same goes for the Jool Website, where they have Netfilter and iptables examples.
The default instance means that you don't have to specify it explicitly when using the jool CLI tool.
Otherwise just specify your NAT64 prefix as pool6 and you're good to go. The example uses the IANA-reserved well-known prefix, but you can also use a prefix from your own network.
Start jool via systemctl start jool and test from an internal system with ping 64:ff9b::1.1.1.1 Adjust the prefix if necessary and don't use the example from the Jool website, that won't work. I forgot to check beforehand, so run systemctl enable jool, just to be save.
You'll almost certainly want DNS64 as well: check O'Reilly or the Jool website. Their example has ACLs, in case you don't have firewall on / in front of your DNS server.
