My understanding of the NAT table is:
NAT table maps only (Private IP:Port) -> (Public IP:Port)
It doesn't care about protocol or socket connection.
In this manner, I thought TCP hole punching could be done by reusing the local port.
Host A behind NAT connects to server S; the NAT of host A maps its pair:
Host A(192.0.0.1:100) -> NAT -> Server
(192.0.0.1:100 -> 121.0.0.1:200) MAPPED
Host A closes that socket and opens a new listening socket on the same local port (100):
Host A(listening 192.0.0.1:100) -> NAT -> Server
(192.0.0.1:100 -> 121.0.0.1:200) MAPPED
Then, I thought any client could connect to Host A (getting 121.0.0.1:200 from the server) by using the already mapped pair (192.0.0.1:100 -> 121.0.0.1:200),
because the NAT table only considers the dest IP and port, not the source IP and port.
But this doesn't work! I found other, more complex implementations, but I'm curious what the problem with this approach is.
Okay, if anyone reaches here, read the "Methods of translation" part in https://en.wikipedia.org/wiki/Network_address_translation
Based on my knowledge, I believe the following statements are true.
A router can only redirect packets and can interact up to the network (internet) layer only.
NAT maps the private IP to a public IP. It uses a NAT table in which the source private IP is mapped to the public IP, and the source port is also changed to a new source port.
My question is regarding the NAT function for the port. How can NAT, which works in the router, change something that relates to the transport layer (port)?
i.e. when the private system sends the source port, how is NAT able to change it to a new port before sending it to the internet?
Am I missing something, or maybe I am wrong somewhere? Would appreciate the help.
Thanks
NATs intercept outgoing IP packets (including UDP and TCP) from nodes on the NAT's internal network and can modify the source IP and source port in the UDP and TCP header in place. It will update other fields in the header as well (i.e. checksum).
Similarly, for incoming packets, the NAT will change the destination IP/port after finding an entry in its port mapping table that was created from a previous outbound packet or connection.
As to "how" - it just does. It literally reconstructs a new UDP/TCP/IP header using the exact same payload of what it received. The NAT is registered as the gateway device on the LAN, so all packets bound for the internet will be sent to the NAT's MAC address - if what you are wondering is how the NAT captures the packets to begin with.
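As an added illustration (not the answer's own code), here is that rewrite at the byte level in Python: a constructed IPv4+TCP packet from a private address has its source IP and port replaced the way an outbound NAT does it, and both the IP header checksum and the TCP checksum (which covers a pseudo-header with the source IP) are recomputed. Addresses, ports and payload are made up.

```python
# Added example, not the answer's own code: the NAT rewrite at the byte level.
# A constructed IPv4+TCP packet from 192.168.1.10:40000 has its source IP and
# port replaced (as a NAT does outbound) and both checksums recomputed; the
# payload is untouched. All addresses, ports and the payload are made up.
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; 0 when data already holds a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src_ip, dst_ip, segment):
    """TCP checksum covers a pseudo-header (src, dst, zero, proto 6, length) plus the segment."""
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment)

def build_packet(src_ip, src_port, dst_ip, dst_port, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """20-byte IPv4 header + 20-byte TCP header (PSH|ACK) + payload, checksums filled in."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp

def nat_rewrite_source(packet, new_ip, new_port):
    """What the NAT does on an outbound packet: new source IP and port, both checksums fixed."""
    ip, tcp = packet[:20], packet[20:]
    dst_ip = socket.inet_ntoa(ip[16:20])
    ip = ip[:10] + b"\x00\x00" + socket.inet_aton(new_ip) + ip[16:]   # zero checksum, swap src
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = struct.pack("!H", new_port) + tcp[2:16] + b"\x00\x00" + tcp[18:]
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(new_ip, dst_ip, tcp)) + tcp[18:]
    return ip + tcp

def verify(packet):
    """True when both the IP header checksum and the TCP checksum are consistent."""
    ip, tcp = packet[:20], packet[20:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0

def parse_source(packet):
    """(source IP, source port) as seen by the next hop."""
    return socket.inet_ntoa(packet[12:16]), struct.unpack("!H", packet[20:22])[0]
```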
I have a Node.js program that establishes a connection to a server via UDP hole punching. However, the environment I am running in currently allows connections to the internet only via an HTTP proxy. Is it still possible to perform UDP hole punching in this case, or even TCP hole punching?
A rough map of the current environment:
Computer -> Router -> Proxy -> Gateway -> Internet
I made a simple networking application, a server and client that communicate over LAN.
client
    import socket

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    host = socket.gethostname()
    port = 8080
    s.connect(("117.219.195.10", port))
    s.send(b'q\n')        # sockets carry bytes, not str, in Python 3
    s.send(b'boo\n\r')
    s.close()             # was s.close without parentheses, which never closed the socket
server
    import socket

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    host = socket.gethostname()
    print(host)
    port = 8080
    s.bind(("", port))    # empty host: accept on all local interfaces
    s.listen(5)
    while True:
        c, addr = s.accept()
        print('Got connection from', addr)
        c.send(b'Thank you for connecting\r\n')
        c.close()
But while the server is behind NAT I need to configure the NAT table in the router. Can I have a point-to-point connection without configuring the router? Can I embed the information of the NAT table (like which IP to redirect to) in the packet itself, so that when the packet comes from the internet to the router it knows which IP in the LAN should get it?
It is possible to develop an application that utilizes NAT Traversal techniques such as STUN to create a tunnel between NAT'd devices. Review those topics to find a solution that works for you.
Yes, you do need to configure port forwarding, and this usually involves logging on to your router and using its administration interface. No, you cannot embed this info in the packets.
However, you only need to do this on your server, and you do not need to resort to NAT traversal for client-server comms once port forwarding is set up on your server. Since what the client sends will get through to the server (because you set up port forwarding), a reply from the server to the client will automatically be forwarded by your client-side NAT, as it will be aware you have a TCP connection established to the server's end point. That is how you can connect to this website from behind NAT!
Just curious about a particular scenario of NAT. Let's suppose we have 4 computers sharing a global IP address under the NAT. I understand that the NAT box keeps an internal record to know which computer to forward requests to. But let's say on computer #2 I'm trying to download a file. And let's say on computer #1, #3, and #4, I'm just browsing the web normally. When the browser initiates a TCP connection to get that file, how does it know which computer to give it to? I mean like, each of the four computers is using port 80 to browse the web right? How does the NAT's record distinguish which "port 80" belongs to which computer?
Each unique TCP connection on the internet is made up of four numbers - {source IP, source port, destination IP, destination port}.
A NAT gateway (GW) translates this to {GW public IP, GW-mapped port, destination IP, destination port} so the outside routers know to return packets to this particular gateway. It also keeps a mapping of these mapped ports back to source IP and port number, along the lines of {GW-mapped port -> {source IP, source port}}, which allows it to figure out what internal machine to send the response packets to.
The concept of "port 80 for http" does not work like this. When a computer browses the web, only the server uses port 80, while the client uses a random port number. The server replies with a destination port, provided by the client, attached. Port 80 is just for knocking on the web server's door.
What the NAT does do is translate all those 4 computers' outward packets such that their source ports do not duplicate. When the NAT receives a packet, it will check if the attached destination port can be translated and translate it to the LAN if possible.
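An added example, not from any answer on this page: a toy Python model of the NAT table that ties this answer to the first question above. The four hosts talking to port 80 are separated by their own source IP:port, and the reused local port 100 from the first question is reachable by a third party only on a NAT with endpoint-independent (full cone) filtering; with address-and-port-dependent filtering an inbound packet is only accepted from an endpoint the mapping has already sent to, which is what a hole punch arranges. Server and peer addresses are invented.

```python
# Added example, not code from any post on this page: a toy model of a NAT's
# port-mapping table. It shows why four LAN hosts all talking to port 80 are
# told apart (by their own source IP:port) and why the first question's "reuse
# local port 100" idea only works under endpoint-independent filtering. Addresses are made up.
from dataclasses import dataclass, field

@dataclass
class Nat:
    public_ip: str
    filtering: str  # "endpoint-independent" (full cone) or "address-port-dependent"
    next_port: int = 200
    table: dict = field(default_factory=dict)  # (priv_ip, priv_port) -> public port
    seen: dict = field(default_factory=dict)   # public port -> {(remote_ip, remote_port)}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outgoing packet, allocating a public port on first use."""
        key = (src_ip, src_port)
        if key not in self.table:  # same private (ip, port) keeps its mapping
            self.table[key] = self.next_port
            self.next_port += 1
        pub = self.table[key]
        self.seen.setdefault(pub, set()).add((dst_ip, dst_port))
        return (self.public_ip, pub, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Internal (ip, port) an incoming packet goes to, or None if dropped."""
        for (priv_ip, priv_port), pub in self.table.items():
            if pub != dst_port:
                continue
            if self.filtering == "endpoint-independent":
                return (priv_ip, priv_port)
            if (src_ip, src_port) in self.seen.get(pub, ()):  # restricted filter
                return (priv_ip, priv_port)
        return None

def four_hosts_browsing(nat):
    """Four hosts each open a TCP connection to a web server on port 80."""
    hosts = ["10.0.0.%d" % i for i in range(1, 5)]
    pubs = [nat.outbound(h, 51000 + i, "198.51.100.80", 80)[1] for i, h in enumerate(hosts)]
    return len(set(pubs)) == 4 and nat.inbound("198.51.100.80", 80, pubs[1]) == (hosts[1], 51001)

def reuse_local_port(nat):
    """Host A talks to the server from 192.0.0.1:100, then a stranger tries 121.0.0.1:200."""
    nat.outbound("192.0.0.1", 100, "198.51.100.5", 443)  # maps 192.0.0.1:100 -> 121.0.0.1:200
    return nat.inbound("203.0.113.7", 5000, 200)

def hole_punch(nat):
    """Host A first sends one packet to the peer; now the peer's packet is let in."""
    nat.outbound("192.0.0.1", 100, "203.0.113.7", 5000)
    return nat.inbound("203.0.113.7", 5000, 200)
```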
The scenario is the following. I have two machines A and B:
A: Client (behind NAT)
B: Server (behind NAT)
I want B to be able to listen on any given port, so that A can send packets to B through that specific TCP port and receive any response. If both machines are not behind a NAT it is a pretty straightforward process. However, how do I make it work even when B is behind a router, without him having to go change the router configuration to enable some port forwarding etc...
For example, how do peer-to-peer programs like torrent clients work without the user having anything to configure?
To answer the example of Peer to Peer programs, and in general: There is a technology called Universal Plug and Play which NAT routers can use to allow clients behind them to expose ports to the outside. That's what bittorrent clients can use so the other clients can directly connect to them.
An alternative to a proxy server is a match-making server. Instead of proxying all of the traffic, the match maker just negotiates until the peers can talk to each other. This involves finding the external public IPs of the peers and talking to each one so that the firewall/router knows that the peers wish to communicate.
This is called hole punching and it often has to be done by the match maker rather than the peers themselves. Once the holes are punched though, the match maker can tell the peers about each other and they can communicate directly.
You will have to either:
- Set up port forwarding from the NAT gateway in front of the server into the machine your server software is running on, and have the client connect to the IP address of that gateway.
- Create a proxy server sitting in between the 2 NAT gateways so both your server and client can connect to that. Both your server and client have to set up a connection to that proxy, which will mediate the data between those 2 connections.
Hole punching is moderately well-understood for UDP communication, but it can be reliably used to set up peer-to-peer TCP streams as well. Here is a well-detailed article on both TCP and UDP:
http://www.brynosaurus.com/pub/net/p2pnat/