Http://www.linuxforum.net/docnew/printthread.php?cat=&board=new=post ===722&type=post
IPTables and STUN

The STUN protocol (RFC 3489, see http://www.ietf.org/rfc/rfc3489.txt) divides NATs roughly into four types: Full Cone, Restricted Cone, Port Restricted Cone and Symmetric. The following setup (Example 1) shows how the four are distinguished.

Machine A in the private network (192.168.0.4)
NAT server (210.21.12.140)
Machine B in the public network (210.15.27.166)
Machine C in the public network (210.15.27.140)

Suppose A is communicating with B through the mapping A (192.168.0.4:5000) -> NAT (210.21.12.140:8000) -> B (210.15.27.166:2000), and that A has never communicated with C. The outcome differs by NAT type:

Full Cone NAT: if C sends a packet to 210.21.12.140:8000, the NAT forwards it to A (192.168.0.4:5000), because the NAT already holds the mapping 192.168.0.4:5000 -> 210.21.12.140:8000.

Restricted Cone NAT: C cannot communicate with A, because A has never communicated with C, so the NAT rejects C's attempt. B, however, can reach A (192.168.0.4:5000) through 210.21.12.140:8000 from any of its ports: for example 210.15.27.166:2001 -> 210.21.12.140:8000 is forwarded by the NAT to port 5000 of A.

Port Restricted Cone NAT: C cannot communicate with A, because A has never communicated with C. B can reach A (192.168.0.4:5000) through 210.21.12.140:8000 only from 210.15.27.166:2000, because A has never communicated with any other port of B. This is the port-restricted property.

Symmetric NAT: the three types above are collectively called Cone NAT. What they have in common is that packets from the same internal address and port are always translated to the same external address and port. Symmetric NAT is slightly different: packets from the same internal address and port to one external destination address and port share one mapping, but packets from that same internal address and port to a different external destination address and port get a different mapping, translated to a different port (the NAT has only one external address, so the address stays the same). Like a Port Restricted Cone NAT, it only passes inbound packets coming from the external address and port that the internal address has already sent to.
For Symmetric NAT (Example 2): A communicates with B as A (192.168.0.4:5000) -> NAT (210.21.12.140:8000) -> B (210.15.27.166:2000). If A (192.168.0.4:5000) also wants to communicate with C (210.15.27.140:2000), a new mapping is created on the NAT, and the translation may be A (192.168.0.4:5000) -> NAT (210.21.12.140:8001) -> C (210.15.27.140:2000). Now B can communicate with A (192.168.0.4:5000) only from 210.15.27.166:2000 through the NAT's 210.21.12.140:8000, C can communicate with A (192.168.0.4:5000) only from 210.15.27.140:2000 through the NAT's 210.21.12.140:8001, and no other port of B or C can reach A (192.168.0.4:5000).

The examples above make clear the basis on which the STUN protocol classifies NATs. Using these criteria (or examples), let us briefly analyse how iptables works (MASQUERADE only) and see which type of NAT it belongs to. First, download a STUN-based NAT detection tool from the Internet (…/projects/stun/); running it against iptables reports "Port Restricted NAT Detected". Before accepting that result, let us analyse the working principle of iptables.

iptables follows two principles when translating addresses:
1. It tries not to modify the source port, i.e. the source port stays unchanged after masquerading (the so-called "preserves port number").
2. More importantly, after masquerading, the combination of translated source address/port and destination address/port (the so-called socket pair) must be unique.

Again using the earlier setup (Example 3): A communicates with B as A (192.168.0.4:5000) -> NAT (210.21.12.140:5000) -> B (210.15.27.166:2000). (Note that the NAT follows principle 1, so the port is unchanged after translation.) If A (192.168.0.4:5000) also wants to communicate with C (210.15.27.140:2000), a new mapping is created on the NAT, but the translation can still be A (192.168.0.4:5000) -> NAT (210.21.12.140:5000) -> C (210.15.27.140:2000). This is because the two socket pairs NAT (210.21.12.140:5000) -> B (210.15.27.166:2000) and NAT (210.21.12.140:5000) -> C (210.15.27.140:2000) do not collide. For iptables this is therefore not only allowed (principle 2) but inevitable (principle 1). On the surface, iptables does not look like a Symmetric NAT in this example, because it does not meet the Symmetric NAT requirement that packets from the same internal address and port to different destinations are translated to different ports (with only one external address, the address is unchanged). Instead it matches the requirement of the three Cone NAT types other than Symmetric NAT: packets from the same internal address and port are translated to the same external address and port. Add to this that iptables has the port-restricted property (this is beyond doubt and is proved later), and many detection tools report iptables as a Port Restricted NAT.

Continuing the analysis (Example 4): add to the previous example a machine D in the same private network (192.168.0.5). A communicates with B as A (192.168.0.4:5000) -> NAT (translated to 210.21.12.140:5000) -> B (210.15.27.166:2000). D communicates with C as D (192.168.0.5:5000) -> NAT (210.21.12.140:5000) -> C (210.15.27.140:2000). By the iptables translation principles, both of these translations are allowed and inevitable. If A (192.168.0.4:5000) now also wants to communicate with C (210.15.27.140:2000), a new mapping is created, but the translation becomes A (192.168.0.4:5000) -> NAT (210.21.12.140:5001) -> C (210.15.27.140:2000). This is because if it were still translated to 210.21.12.140:5000, the socket pair (210.21.12.140:5000 -> 210.15.27.140:2000) would be identical to the one for D -> C, a conflict that violates the iptables principles. (Note that 5001 here only stands for a translated port different from the original; iptables does not actually derive the new port by adding 1 to the internal port.) In this example we notice that packets from the same internal address and port A (192.168.0.4:5000), to different destination addresses and ports, are translated by the NAT using different mappings into different ports.
The situation above is relatively rare in practice, so let us take a real and common case, QQ, as an example (Example 5). Assume A (192.168.0.4) and D (192.168.0.5) are two private-network machines behind the same NAT server (210.21.12.140), both running the QQ client. Machine B in the public network (210.15.27.166) runs the QQ server. Machine C in the public network (210.15.27.140) runs the QQ client. A logs in to B first; by principle 1 the mapping is A (192.168.0.4:4000) -> NAT (210.21.12.140:4000) -> B (210.15.27.166:8000) (principle 1: the port is unchanged). Then D also logs in to B; by principle 2 the mapping is D (192.168.0.5:4000) -> NAT (210.21.12.140:4001) -> B (210.15.27.166:8000) (principle 2: socket pairs cannot repeat; 4001 here only indicates a translated port different from the original, and the real environment will not necessarily give 4001). D then wants to talk to C (210.15.27.140) on the public network; by the iptables translation principles the mapping is D (192.168.0.5:4000) -> NAT (210.21.12.140:4000) -> C (210.15.27.140:4000). Here we find that packets from the same internal address and port D (192.168.0.5:4000), to different destination addresses and ports, are translated by the NAT using different mappings into different ports. Unlike Example 4, this scenario clearly occurs in real environments.

The two examples above (Examples 4 and 5) lead to a conclusion exactly contrary to Example 3: iptables should belong to Symmetric NAT. Why the contradiction? First, the STUN protocol and iptables define a mapping differently. STUN considers a mapping entry to be the combination of internal address/port and NAT-translated address/port. In iptables a mapping entry is the combination of NAT-translated address/port and external destination address/port. Second, the test environment given by the Discovery Process in the STUN specification is not comprehensive enough: it considers only a single private-network machine (Example 3), and does not consider the common case of multiple private-network machines behind the NAT (Example 5). These two reasons directly lead to the contradiction above. Therefore any NAT classification tool designed to the STUN standard is bound to misjudge iptables.
(In fact, in the special case of Example 3, iptables is indeed a standard Port Restricted NAT.) So which type of NAT is iptables? Recall the STUN requirement for Cone NAT: all packets from the same internal address and port are translated to the same external address and port. iptables meets "from the same internal address and port, translated to the same external address and port" in some situations, but not in all of them. In theory, therefore, we can only classify iptables as Symmetric NAT.

Next, let us analyse the port-restricted property of iptables and give an alternative proof (Example 6), with the setup as before: A communicates with B as A (192.168.0.4:5000) -> NAT (210.21.12.140:5000) -> B (210.15.27.166:2000). D communicates with C as D (192.168.0.5:5000) -> NAT (210.21.12.140:5000) -> C (210.15.27.140:2000). Now suppose iptables did not have the port-restricted property. Then if another machine E in the public network (210.15.27.153:2000), or C from another port (210.15.27.140:2001), sent a packet to 210.21.12.140:5000, it should be delivered to an internal machine. But in fact, when that packet arrives at the NAT (210.21.12.140:5000), the NAT cannot tell whether to deliver it to A (192.168.0.4:5000) or to D (192.168.0.5:5000). Clearly the packet can only be discarded, which is enough to prove that iptables has the port-restricted property. Therefore iptables is a genuine Symmetric NAT.

Notes:
1. STUN stands for Simple Traversal of UDP Through NATs, so the packets discussed in this article are UDP packets.
2. Although this article analyses iptables under Linux, its reasoning applies equally to ICS or NAT under Windows 2000. That is, in theory the ICS or NAT in Windows 2000 is also a genuine Symmetric NAT, but in practice a NAT classification tool designed to the STUN protocol will still inevitably report it as Port Restricted NAT. Indeed, not only Linux iptables and Windows 2000 ICS or NAT, but any other NAT product that follows the same two translation principles as iptables will behave exactly the same under the STUN protocol.
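The six examples are simple enough to replay mechanically. The Python script below is an added example, not code from the original post or from the iptables project: it models a NAT that obeys only the two stated masquerade principles (keep the source port when possible; otherwise pick another port so the translated socket pair stays unique) and is port-restricted on the inbound side, then replays Examples 3 to 6 and shows how a STUN-style probe reaches "Port Restricted Cone" with one private host and "Symmetric" once a second private host has used the same port. The class MasqueradeNat and its tie-break rule (next higher free port) are assumptions for illustration; real netfilter conntrack port selection is more involved.

```python
"""Toy model of the two masquerade principles discussed above (added example,
not code from the original post). Assumption: the NAT keeps the source port
when it can and otherwise takes the next free port so that the translated
socket pair (NAT addr:port -> dst addr:port) stays unique; inbound packets
are passed only from the exact external addr:port an internal host sent to.
Real netfilter conntrack port selection is more involved than this.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

# Addresses taken from the examples in the article
NAT_IP = "210.21.12.140"
A = ("192.168.0.4", 5000)
D = ("192.168.0.5", 5000)
B = ("210.15.27.166", 2000)
C = ("210.15.27.140", 2000)
E = ("210.15.27.153", 2000)


@dataclass
class MasqueradeNat:
    public_ip: str
    # iptables' view of a mapping: (translated port, destination) -> internal
    # endpoint. Uniqueness of this key is principle 2.
    pairs: Dict[Tuple[int, Endpoint], Endpoint] = field(default_factory=dict)
    # An existing flow (src, dst) keeps reusing the port it was given.
    flows: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outbound packet src -> dst; return the NAT-side endpoint."""
        if (src, dst) in self.flows:
            return (self.public_ip, self.flows[(src, dst)])
        port = src[1]                      # principle 1: try to preserve the source port
        while (port, dst) in self.pairs:   # principle 2: socket pair must be unique
            port += 1                      # assumed tie-break; real port choice differs
        self.pairs[(port, dst)] = src
        self.flows[(src, dst)] = port
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, nat_port: int) -> Optional[Endpoint]:
        """Deliver a packet from public src to public_ip:nat_port, or None if dropped.
        Only the (port, external endpoint) pair created by an outbound packet
        exists, so any other sender has no entry: the port-restricted property."""
        return self.pairs.get((nat_port, src))


def stun_view(nat: MasqueradeNat, src: Endpoint, dsts: List[Endpoint]) -> str:
    """STUN keys a mapping on the internal endpoint alone: if that endpoint is
    translated to more than one external port across destinations the NAT is
    called Symmetric; otherwise (inbound is always filtered by address and
    port in this model) Port Restricted Cone."""
    ports = {nat.outbound(src, dst)[1] for dst in dsts}
    return "Symmetric" if len(ports) > 1 else "Port Restricted Cone"


def example_3() -> Tuple[Endpoint, Endpoint]:
    """A alone behind the NAT: A -> B and A -> C both keep port 5000."""
    nat = MasqueradeNat(NAT_IP)
    return nat.outbound(A, B), nat.outbound(A, C)


def example_4() -> Endpoint:
    """D -> C already holds (5000, C), so A -> C is pushed to another port."""
    nat = MasqueradeNat(NAT_IP)
    nat.outbound(A, B)
    nat.outbound(D, C)
    return nat.outbound(A, C)


def example_5() -> Tuple[Endpoint, Endpoint, Endpoint]:
    """Two QQ clients behind one NAT log in to the same server, then D talks to C."""
    a, d = ("192.168.0.4", 4000), ("192.168.0.5", 4000)
    server, c = ("210.15.27.166", 8000), ("210.15.27.140", 4000)
    nat = MasqueradeNat(NAT_IP)
    return nat.outbound(a, server), nat.outbound(d, server), nat.outbound(d, c)


def example_6() -> Dict[str, Optional[Endpoint]]:
    """A and D both sit behind translated port 5000; only the external endpoint
    tells them apart, so packets from unknown senders are dropped."""
    nat = MasqueradeNat(NAT_IP)
    nat.outbound(A, B)
    nat.outbound(D, C)
    return {
        "E:2000": nat.inbound(E, 5000),
        "C:2001": nat.inbound((C[0], 2001), 5000),
        "C:2000": nat.inbound(C, 5000),
        "B:2000": nat.inbound(B, 5000),
    }


def single_host_verdict() -> str:
    """What a STUN probe sees when only one private host is behind the NAT."""
    return stun_view(MasqueradeNat(NAT_IP), A, [B, C])


def two_host_verdict() -> str:
    """The same probe after another private host has already talked to C."""
    nat = MasqueradeNat(NAT_IP)
    nat.outbound(D, C)
    return stun_view(nat, A, [B, C])


if __name__ == "__main__":
    print("Example 3:", example_3())
    print("Example 4:", example_4())
    print("Example 5:", example_5())
    print("Example 6:", example_6())
    print("STUN verdict, one host:", single_host_verdict())
    print("STUN verdict, two hosts:", two_host_verdict())
```

The two verdict functions are the whole point: the NAT object is identical in both, and only the presence of a second private host behind it changes what a single-host STUN probe can observe, which is the blind spot in the RFC 3489 discovery process that the article describes.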