So far the implementation of RFC 3489 full cone NAT has never been finished. One can find some discussions about this feature on the netfilter mailing list:
Configure to Full Cone:
How can I configure IPtables to be Full Cone?
You cannot. iptable_nat only implements the most sophisticated version
of NAT: fully symmetric.
IPTables and different types of NAT:
“Full cone NAT” can be implemented with 1-to-1 bidirectional NAT using
SNAT+DNAT or NETMAP.
Yes, we can implement full cone NAT partially with 1-to-1 NAT or UPnP, but 1-to-1 NAT only works for ONE host and UPnP cannot traverse through multiple NATs. So here comes the kernel module: xt_FULLCONENAT.
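To make the difference between the two behaviours concrete, the following Python model implements the RFC 3489 definitions of full cone and symmetric NAT. It is an added example, not part of the original post and not xt_FULLCONENAT code; the class, the function names and all addresses and ports are constructed for illustration.

```python
from itertools import count

class Nat:
    """Toy NAT table (hypothetical model); endpoints are (ip, port) tuples."""
    def __init__(self, public_ip, full_cone):
        self.public_ip = public_ip
        self.full_cone = full_cone
        self.ports = count(40000)   # constructed external port pool
        self.out = {}               # mapping key -> external port
        self.back = {}              # external port -> (internal, allowed remote or None)

    def outbound(self, src, dst):
        """Translate an outgoing packet and return its external (ip, port)."""
        # Full cone: one mapping per internal endpoint, reused for every destination.
        # Symmetric: a separate mapping per (internal endpoint, destination) pair.
        key = src if self.full_cone else (src, dst)
        if key not in self.out:
            port = next(self.ports)
            self.out[key] = port
            self.back[port] = (src, None if self.full_cone else dst)
        return (self.public_ip, self.out[key])

    def inbound(self, remote, ext_port):
        """Return the internal endpoint an incoming packet reaches, or None if dropped."""
        entry = self.back.get(ext_port)
        if entry is None:
            return None
        internal, allowed = entry
        # Full cone accepts any remote; symmetric only the destination that was contacted.
        if allowed is not None and allowed != remote:
            return None
        return internal

def demo(full_cone):
    """Send two outbound packets, then test which inbound packets get through."""
    nat = Nat("203.0.113.1", full_cone)
    host = ("192.168.1.10", 5000)      # constructed LAN client
    stun = ("198.51.100.5", 3478)      # constructed server the client contacted
    peer = ("198.51.100.77", 6000)     # constructed second destination
    stranger = ("192.0.2.99", 1234)    # constructed host the client never contacted
    m1 = nat.outbound(host, stun)
    m2 = nat.outbound(host, peer)
    return {
        "same_mapping": m1 == m2,
        "stun_reply": nat.inbound(stun, m1[1]),
        "stranger": nat.inbound(stranger, m1[1]),
    }

if __name__ == "__main__":
    print(demo(True), demo(False), sep="\n")
```

In the full cone case the host that was never contacted still reaches the LAN client through the mapped port, so services bound to mapped ports need their own access control once such a target is enabled on the WAN zone.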
Update: I have written a Makefile for the module, so no kernel patch is needed.
Somehow I managed to integrate it into OpenWrt by patching the kernel and iptables directly. After installing the firmware, I disabled the default MASQUERADE SNAT rule and added the following rules to /etc/firewall.user:
iptables -t nat -A zone_wan_prerouting -j FULLCONENAT
iptables -t nat -A zone_wan_postrouting -j FULLCONENAT
And it worked, here's the NAT Type tester's test result
It will be better if someone writes makefiles for it instead of patching directly. But I have little experience of writing iptables-mod- or kmod- makefiles. Already done.