How can I allow IdTCPServer & IdTCPClient applications to traverse NAT? Delphi/Windows SDK/API
http://www.delphi2007.net/DelphiNetwork/html/delphi_20061217114600108.html
The IdTCPServer has a public IP address and an open port,
the IdTCPClient is behind NAT and cannot have a port mapped to it,
but the IdTCPClient initiates the connection, and then the two sides transfer files to each other.
Could you tell me whether such an application can be implemented, and how it works? Thank you!
I am following this closely. It seems hard to find anything substantive about TCP through NAT.
Bump! I also want to know the relevant methods.
In the IdTCPClient properties, BoundIP and BoundPort are not required. Use the following code to connect to the IdTCPServer through NAT:
IdTCPClient.Host := '0.0.0.0';   // public IP address of the IdTCPServer
IdTCPClient.Port := 0;           // port the IdTCPServer listens on
try
  IdTCPClient.Connect;
except
  IdTCPClient.Disconnect;
  Exit;
end;
It should be noted that the IdTCPServer must run on a host with a public IP address. Computers anywhere in the world can then use the above code to connect to the IdTCPServer, and you can use the IdTCPServer's OnConnect event to obtain the IP address and port of the IdTCPClient after NAT translation. The code is as follows:
procedure TForm1.IdTCPServer1Connect(AThread: TIdPeerThread);
begin
  // IP (string) and Port (Integer) are variables declared elsewhere in the form
  IP := AThread.Connection.Socket.Binding.PeerIP;
  Port := AThread.Connection.Socket.Binding.PeerPort;
end;
Only the IP address and port obtained in the IdTCPServer's OnConnect can be used to communicate with the IdTCPClient.
You will find that the IP and port obtained in OnConnect are different from the IdTCPClient's own, because they are the ones after NAT translation.
This is a typical client/server structure: the client initiates a TCP/IP connection to the server, and this connection can transmit data in both directions.
Can the chenzhechenge() method be used???? Is it funny?
Use UDP
"The IdTCPServer has a public IP address and an open port"
Since the server has a fixed IP address, the client can connect to it directly.
The original poster probably means that there are two clients in two different intranets, each able to reach the server on the Internet, and now wants to establish a connection between these two intranets through NAT...
Note: the UDP implementation can be found tonight; a TCP one has not been seen yet...
The UDP one can be found this evening. Come back later.
Pai_^
Raw sockets are required for TCP traversal, and they are not supported on XP and above.
You need to go into driver mode before it works.
That's complicated~~
The server is on the public network, and the client can establish a connection whether it is on the public network or behind NAT. Once the connection is established, the two sides can communicate with each other. I used the socket controls in Delphi 6 (ServerSocket and ClientSocket respectively). The server does not need to know the client's address and port, as long as the client knows the server's IP address:port. The server communicates with the client using Connections[N].SendBuf.
If both clients are behind NAT and you use UDP, you can use a server on the public network to traverse the NATs by punching holes from both sides.
I am also looking for relevant code, but it seems that everything above is theory?
Who has the relevant source code?
There is no need to worry about NAT or anything like that.
Since the server has a public IP address, as long as the client can actively connect, the established TCP connection is a two-way link.
Generally, many applications use a one-way request-and-response protocol,
but the TCP connection itself is always bidirectional!
Most Indy components use blocking sockets. In blocking mode, most of them create a dedicated worker thread for receiving data.
When designing the communication protocol, the original poster should distinguish whether the data is the other party's actively sent data or response data.
Can the chenzhechenge() method be used???? Is it funny?
Yes. I have already implemented it and it is still running~~~
The IdTCPServer has a public IP address and an open port,
---------------
Then there is no NAT traversal involved at all.
[Repost] Complete NAT analysis and complete UDP traversal solution, by Chen Min
I. Basic Terms
Firewall
A firewall limits communication between the private network and the public network. It mainly discards packets it considers unauthorized. The firewall only inspects the packets; the IP address and TCP/UDP port information in the packet is not modified.
Network Address Translation (NAT)
When a packet passes through, the network address translator not only inspects the packet but also modifies the IP address and port information in the packet header. In this way, the machines behind the NAT can share a few public IP addresses (usually one). There are two main types of network address translators.
P2P Application
A P2P application is one that establishes end-to-end session communication with the help of an existing public server, using its own private address or public address (or both).
P2P Firewall
A P2P firewall is a P2P proxy that provides firewall functions but does not perform address translation.
P2P-NAT
A P2P-NAT is a P2P proxy that provides NAT functions as well as firewall functions. The simplest P2P proxy must at least support cone NAT behaviour for UDP communication, which allows applications to establish robust P2P connections using UDP hole punching.
Loopback Translation
When a machine on the NAT's intranet wants to reach a machine in the same LAN through its public address, the NAT device effectively performs NAT twice: before the packet reaches the target machine, the private address is translated to the public address, and then the public address is translated back to the private address. We call a NAT device with this function a "loopback translation" device.
II. NAT Classification
NAT can be divided into two categories: basic NAT, and network address and port translation (NAPT).
(1) Basic NAT
Basic NAT translates the private IP address of a host on the private network to a public IP address, but does not translate the TCP/UDP port information. Basic NAT is generally used when the NAT has many public IP addresses; it binds a public IP address to an internal host so that the outside can use that public IP address to reach the internal host. (In fact only the IP address is translated, 192.168.0.23 <-> 210.42.106.35. This differs from directly assigning a public IP address to the host, especially for enterprises: all external traffic must pass through the unified firewall before it can reach the inside, yet the internal host can still use a public IP.)
(2) Network address and port translation (NAPT)
This is the most common situation. The network address/port translator inspects and modifies the packet's IP address and TCP/UDP port information, so that more internal hosts can share one public IP address at the same time.
For more information about NAT categories and terms, see [RFC1631], [RFC2993], and [RFC2663]. In addition, [RFC2663] makes further definitions about NAPT classification and terminology. When an intranet host opens an outgoing TCP or UDP session through the NAT, the NAPT assigns this session a public IP address and port to receive packets from the Internet, and relays them to the host through translation. In this way the NAPT establishes a port binding between [private IP: private port] and [public IP: public port].
The port binding specifies that the NAPT will perform the address translation for the lifetime of this session. There is a problem here: if a P2P application sends multiple sessions from one [private IP: port] on the internal network to different Internet hosts, what will the NAT do? This splits NAT into two categories, cone NAT and symmetric NAT:
A. Cone NAT
(Why a cone? See the figure. Both the endpoint and the external servers send information through the address pair assigned by the NAT, just like a funnel that filters and passes information.)
After a [private IP: port]-[public IP: port] binding is established, for sessions from the same [private IP: port] the cone NAT allows the application that initiated the session to reuse the port binding until the session ends (port binding).
For example, if client A (with the addresses shown in the figure) initiates two outgoing connections simultaneously through a cone NAT, using the same internal port (10.0.0.1:1234), to two different servers on the public network, S1 and S2, only one public IP address and port (155.99.25.11:62000) is allocated to the two sessions; the address translation ensures that the client keeps the "same" port (that is, this client only uses this port). Basic NATs and firewalls, however, cannot modify the port number of a packet; they can be seen as a simplified version of cone NAT.
Cone NAT can be analysed further into three categories: full cone NAT, restricted cone NAT, and port restricted cone NAT.
1. Full cone NAT
When an internal host sends out a session, a public/private address pair is created. Once this address pair is created, the full cone NAT accepts communication from any external host that is subsequently sent to this public address. Therefore full cone NAT is sometimes called "promiscuous" NAT.
2. Restricted cone NAT
Restricted cone NAT filters incoming packets. When an internal host sends an "outgoing" session, the NAT records the IP address of the external host, and only these recorded external IP addresses are allowed to pass information in through the NAT. Restricted cone NAT effectively refines the firewall's packet-filtering principle: only known external addresses are allowed to "pass" information in through the NAT.
3. Port restricted cone NAT
Port restricted cone NAT differs from restricted cone NAT in that it records both the IP address and the port of the external host. It provides internal nodes with the same level of protection against unsolicited incoming traffic as symmetric NAT, while keeping the port "the same".
B. Symmetric NAT
Symmetric NAT is very different from cone NAT. Instead of binding a port across sessions, it allocates a new public port to each new session.
In the preceding example, if client A (10.0.0.1:1234) initiates two "outgoing" sessions to S1 and S2 respectively, the symmetric NAT assigns the public address 155.99.25.11:62000 to session 1 and then assigns a different public address, 155.99.25.11:62001, to session 2. The symmetric NAT can distinguish the two sessions and translate correctly because the external addresses of session 1 and session 2 differ; but the client application is lost at this translation boundary, because each session it opens gets a new port, and it cannot be guaranteed that the same port is used.
Cone NAT and symmetric NAT differ in whether the same port is kept or a different port is assigned for the same application in TCP and UDP communication. Cone NAT is further classified by how liberally it accepts incoming connections on an established address binding. This classification generally applies to UDP communication (rather than TCP), because NATs and firewalls unconditionally reject incoming TCP connection attempts unless the NAT is explicitly configured.
III. NAT Session Processing
The following analyses the policies the NAPT uses to decide whether to establish a session for a UDP packet sent by a request. There are several policies:
A. If the source address (intranet IP) is different, ignoring other factors, the NAPT must map to different sessions.
B. If the source address (intranet IP) is the same and the source port is different, ignoring other factors, the NAPT must map to different sessions.
C. If the source address (intranet IP) is the same, the source port is the same, the destination address (public IP) is the same, and the destination port is different, the NAPT must map to the same session.
D. If the source address (intranet IP) is the same, the source port is the same, and the destination address (public IP) is different, ignoring the destination port, how does the NAPT handle the session?
A, B and C are simple and easy to implement. D is complicated, so D is what we should focus on and discuss.
IV. Complete Solution
The following is a complete solution for the four kinds of sessions and four types of NAT. For convenience the following abbreviations are used:
C stands for cone NAT,
S stands for symmetric NAT,
FC stands for full cone NAT,
RC stands for restricted cone NAT,
PC stands for port restricted cone NAT.
By the number of clients behind NAT there are two types:
Type one: one behind NAT + one on the public network.
This case can be divided into two sub-cases:
A. S vs public network: in this case the public address remains unchanged within a session, so it can succeed.
B. C vs public network: similar to the above; hole punching is possible in this situation.
Type two: both clients are behind NAT.
This case can be subdivided into two sub-cases:
A. One of the NATs is of the S (symmetric NAT) type, namely S vs C or S vs S.
The following shows that hole punching is not feasible in this case. In conventional hole punching, all clients first log on to a server; the server records the [public IP: port] of each client and then uses the recorded value during the punching process. However, a symmetric NAT does not bind the [private IP: port] to a [public IP: port] mapping, so in different sessions the NAT will re-allocate a new [public IP: port] pair. In this way, for S-type NAT the [public IP: port] is different from the [public IP: port] registered on the server, and there is no way to notify the other client behind its NAT of the new [public IP: port]. However, if the other client is on the public network, it is possible to punch a hole; we have already shown this situation above.
In this case the solution can only be implemented through port prediction. The specific method is as follows (taking two S-type NATs as the example): NAT A allocates its own UDP port 62000 to maintain the communication session between client A and server S, and NAT B likewise allocates port 31000 to maintain the session between client B and server S. Through the conversation with server S, client A and client B each learn the real IP address and port mapped for the other party.
Client A sends a UDP message to 138.76.29.7:31001 (note that the port number is incremented), and client B sends a UDP message to 155.99.25.11:62001. If NAT A and NAT B keep assigning ports to new sessions in order, and not much time has passed since the A-S and B-S sessions were set up, a two-way session channel is established between client A and client B.
The message client A sends to client B causes NAT A to open a new session, and we want NAT A to assign port 62001 to the new session, because 62001 follows 62000, the port NAT A assigned to the session from client A to server S; similarly, the message client B sends to A causes NAT B to open a new session, and we hope NAT B assigns port 31001 to it. If both clients correctly guess the port number assigned to the peer's new session, the two-way connection between client A and client B is established. The result is shown in the figure.
Obviously, many factors may cause this method to fail: if the predicted new ports (62001 and 31001) are already used by an unrelated session, the NAT will skip that port number and the connection fails. If either NAT sometimes, or never, generates new port numbers in order, this method will not work.
If a different client X behind NAT A (or behind NAT B) opens a new "outgoing" UDP connection, whatever the purpose of that connection, and this happens after client A establishes its connection with server S but before client A establishes its connection with client B, then this unrelated client X will "steal" the port we were waiting to be allocated. Therefore this method is fragile and vulnerable; as soon as either NAT has the above problem, the method will not work.
This method is still practical in a network environment of the cone NAT family; if one party is a cone NAT and the other is a symmetric NAT, the application must first discover the type of NAT on the other side and then act accordingly to handle the communication, which increases the complexity of the algorithm and reduces its generality in real network environments.
Finally, if the peer-to-peer path is behind two or more levels of NAT and the NAT closest to the client is a symmetric NAT, port number prediction is useless!
Therefore it is not recommended to use this method to write new P2P applications. This is also a lesson from historical experience!
B. Both are cone NATs.
In this case there are six types:
A: FC + FC
B: FC + RC
C: FC + PC
D: PC + RC
E: PC + PC
F: RC + RC
Although there are many cases, they are still easy to handle thanks to the characteristics of cone NAT: a cone NAT binds a [private IP: port] to a [public IP: port] mapping, so the [public IP: port] the clients use is the same as the [public IP: port] registered on the server, and therefore hole punching works.
To sum up, we have fully enumerated the possible communication between all types of NAT and provided feasible solutions.
V. Summary of the Previous Stage
1. The method used in the previous stage is flawed. It only applies to two clients that are both behind full cone NAT. It does not apply to the following five cone NAT combinations:
B: FC + RC
C: FC + PC
D: PC + RC
E: PC + PC
F: RC + RC
For restricted NAT, the NAT registers the [IP address & port] of outgoing packets and only accepts packets sent from these registered addresses. Therefore the port the clients registered with the server can only accept packets from the server and cannot accept packets from another client, so the hole punching method of the previous stage is not feasible.
VI. Existing Problems
According to theory, the NAT will expire a UDP mapping after a certain period of time. To maintain continuous communication with the server, the server must send UDP heartbeat packets to ensure the mapping is not expired; this requires a suitable time value.
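As an added example (not code from the thread or from Chen Min's article), the following Python model implements the four NAT types of section II and the type-two hole punch of section IV, so the claims of IV.B (all six cone pairings work) and IV.A (any symmetric NAT without port prediction fails) can be checked by running it. The NAT public IPs, private addresses and the rendezvous server endpoint are constructed values, and a real puncher would retry its sends, which this one-shot model treats as simultaneous.

```python
# Added example, not from the thread: a toy model of the article's four NAT
# types, used to check which pairings a plain UDP hole punch (both clients
# behind NAT, no port prediction) can cross. All addresses are constructed.
from dataclasses import dataclass, field
from itertools import count

FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC = "FC", "RC", "PC", "S"
SERVER = ("1.2.3.4", 3478)  # constructed rendezvous server endpoint


@dataclass
class Nat:
    kind: str
    public_ip: str
    # binding key -> public port. Cone NATs key on the private endpoint only;
    # symmetric NAT keys on (private endpoint, destination), so every new
    # destination gets a fresh public port (section II.B, policy D of III).
    table: dict = field(default_factory=dict)
    # public port -> destinations the inside host has sent through it
    contacted: dict = field(default_factory=dict)
    ports: count = field(default_factory=lambda: count(62000))

    def outbound(self, priv, dst):
        """Translate an outgoing packet; returns the public endpoint it uses."""
        key = priv if self.kind != SYMMETRIC else (priv, dst)
        if key not in self.table:
            self.table[key] = next(self.ports)
        port = self.table[key]
        self.contacted.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound(self, pub_port, src):
        """Would a packet from src to this public port be forwarded inside?"""
        seen = self.contacted.get(pub_port)
        if seen is None:             # no binding at all: every NAT type drops it
            return False
        if self.kind == FULL_CONE:   # any external source may use the binding
            return True
        if self.kind == RESTRICTED:  # only IPs the inside host has contacted
            return any(ip == src[0] for ip, _ in seen)
        return src in seen           # PC and S: exact ip:port must be known


def hole_punch(kind_a, kind_b):
    """Both clients register with SERVER, learn each other's registered public
    endpoint from it, then send to that endpoint at the same time."""
    nat_a, nat_b = Nat(kind_a, "155.99.25.11"), Nat(kind_b, "138.76.29.7")
    priv_a, priv_b = ("10.0.0.1", 1234), ("10.1.1.3", 1234)
    pub_a = nat_a.outbound(priv_a, SERVER)  # what the server records for A
    pub_b = nat_b.outbound(priv_b, SERVER)  # ... and for B
    # Behind a symmetric NAT the punch to the peer gets a new public port, so
    # the packet arrives from an endpoint the peer never learned.
    from_a = nat_a.outbound(priv_a, pub_b)
    from_b = nat_b.outbound(priv_b, pub_a)
    return nat_b.inbound(pub_b[1], from_a) and nat_a.inbound(pub_a[1], from_b)


def matrix():
    """Punch result for every ordered pairing, e.g. matrix()[("FC", "S")]."""
    kinds = (FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC)
    return {(a, b): hole_punch(a, b) for a in kinds for b in kinds}
```

Running `matrix()` yields True for the nine cone/cone orderings and False for the seven that involve an S, which is exactly the split the article draws between IV.B and IV.A.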
Code is everywhere!
It should be noted that the IdTCPServer must run on a host with a public IP address. Computers anywhere in the world can then use the above code to connect to the IdTCPServer, and you can use the IdTCPServer's OnConnect event to obtain the IP address and port of the IdTCPClient after NAT translation. The code is as follows:
procedure TForm1.IdTCPServer1Connect(AThread: TIdPeerThread);
begin
  IP := AThread.Connection.Socket.Binding.PeerIP;
  Port := AThread.Connection.Socket.Binding.PeerPort; //!!!!! PeerPort does not exist at all.
end; // If you don't believe it, try it yourselves: compilation error!
Only the IP address and port obtained in the IdTCPServer's OnConnect can be used to communicate with the IdTCPClient.
You will find that the IP and port obtained in OnConnect are different from the IdTCPClient's own, because they are the ones after NAT translation.
Forget it...
The above compiles successfully, and the AThread.Connection.Socket.Binding.PeerPort property does exist.
ListBox1.Items.Add(AThread.Connection.Socket.Binding.PeerIP + ':' + IntToStr(AThread.Connection.Socket.Binding.PeerPort));
However, after adding this line, when the program runs it shows "The program is not responding"!
AThread.Connection.Socket.Binding.PeerIP
AThread.Connection.Socket.Binding.IP
AThread.Connection.Socket.Binding.PeerPort
AThread.Connection.Socket.Binding.Port
What does adding "Peer" mean? What is the difference between the two???
AThread.Connection.Socket.Binding.PeerIP
AThread.Connection.Socket.Binding.IP
I also want to know what the difference is.