Iptables and stun

Source: Internet
Author: User


The STUN protocol (RFC 3489, see http://www.ietf.org/rfc/rfc3489.txt) roughly divides NAT into four types: Full Cone, Restricted Cone, Port Restricted Cone and Symmetric. The following example illustrates the differences between the four NAT types:

Machine A is on the private network (192.168.0.4)

NAT server (210.21.12.140)

Machine B is on the public network (210.15.27.166)

Machine C is on the public network (210.15.27.140)

Now machine A communicates with machine B. Assume the path is A (192.168.0.4:5000) -> NAT (translated to 210.21.12.140:8000) -> B (210.15.27.166:2000).

Meanwhile, A has never communicated with C.

The different NAT types behave as follows:

Full Cone NAT: C sends data to 210.21.12.140:8000 and the NAT forwards the packets to A (192.168.0.4:5000), because the NAT holds a mapping between 192.168.0.4:5000 and 210.21.12.140:8000.

Restricted Cone: C cannot communicate with A. Because A has never communicated with C, the NAT rejects C's attempt to connect. B, however, can communicate with A's 192.168.0.4:8000 through 210.21.12.140:5000, and B may use any of its ports to do so. For example, 210.15.27.166:2001 -> 210.21.12.140:8000 is forwarded by the NAT to port 5000 of A.

Port Restricted Cone: C cannot communicate with A because A has never communicated with C. B can only use its 210.15.27.166:2000 to communicate with A's 192.168.0.4:5000, because A has never communicated with any other port of B. This type of NAT restricts by port.

Symmetric NAT: The three types above, collectively called Cone NAT, share one property: as long as packets come from the same internal address and port, the NAT translates them to the same external address and port. Symmetric NAT is a little different. As long as packets come from the same internal address and port and go to the same external destination address and port, the NAT also translates them to the same external address and port; but if packets from the same internal address and port go to a different external destination address and port, the NAT uses a different mapping and translates them to a different port (there is only one external address, so it stays the same). In addition, like Port Restricted Cone, only an external address that has received a packet from the internal address can send packets to the internal address through the NAT's mapped address.

An example of Symmetric NAT follows:

Machine A communicates with machine B: A (192.168.0.4:5000) -> NAT (translated to 210.21.12.140:8000) -> B (210.15.27.166:2000)

If machine A (192.168.0.4:5000) now also wants to communicate with machine C (210.15.27.140:2000), a new mapping is created on the NAT, and the corresponding translation may be A (192.168.0.4:5000) -> NAT (210.21.12.140:8001) -> C (210.15.27.140:2000). At this point B can only use its 210.15.27.166:2000 to communicate with A's 192.168.0.4:8000 through the NAT's 210.21.12.140:5000, and C can only use its 210.15.27.140:2000 to communicate with A's 192.168.0.4:5000 through the NAT's 210.21.12.140:8001; no other port of B or C can communicate with A's 192.168.0.4:5000.
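The following simulator is an added example, not code from the original article or from any STUN implementation. It replays the article's scenario (A behind the NAT talks to B and has never talked to C) against a model of each of the four RFC 3489 NAT types and reports which inbound probes would be forwarded to A. All addresses are the article's; the port allocation rule used for the Symmetric case (hand out the next free port starting at 8000) is an assumption made so that the A->C mapping lands on 8001 as in the text.

```python
"""Behavioural model of the four RFC 3489 NAT types (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

FULL_CONE = "Full Cone"
RESTRICTED_CONE = "Restricted Cone"
PORT_RESTRICTED_CONE = "Port Restricted Cone"
SYMMETRIC = "Symmetric"

# Addresses from the article.
A = ("192.168.0.4", 5000)
B = ("210.15.27.166", 2000)
C = ("210.15.27.140", 2000)
NAT_IP = "210.21.12.140"


@dataclass
class Rfc3489Nat:
    nat_type: str
    external_ip: str
    next_port: int = 8000  # assumption: ports handed out sequentially from 8000
    # Cone types key the mapping on the internal endpoint only;
    # Symmetric keys it on (internal endpoint, destination endpoint).
    mappings: Dict[Tuple[Endpoint, Optional[Endpoint]], Endpoint] = field(default_factory=dict)
    # External endpoint -> set of destinations already contacted through it.
    contacted: Dict[Endpoint, Set[Endpoint]] = field(default_factory=dict)

    def outbound(self, internal: Endpoint, dest: Endpoint) -> Endpoint:
        key = (internal, dest) if self.nat_type == SYMMETRIC else (internal, None)
        if key not in self.mappings:
            self.mappings[key] = (self.external_ip, self.next_port)
            self.next_port += 1
        ext = self.mappings[key]
        self.contacted.setdefault(ext, set()).add(dest)
        return ext

    def inbound(self, sender: Endpoint, ext: Endpoint) -> Optional[Endpoint]:
        """Return the internal endpoint a packet from `sender` to `ext` reaches, or None."""
        for (internal, _dest), mapped in self.mappings.items():
            if mapped != ext:
                continue
            peers = self.contacted.get(ext, set())
            if self.nat_type == FULL_CONE:
                return internal                      # anyone may use the mapping
            if self.nat_type == RESTRICTED_CONE:
                # Only the sender's address must have been contacted; any port is fine.
                return internal if any(p[0] == sender[0] for p in peers) else None
            # Port Restricted Cone and Symmetric: exact address:port must match.
            return internal if sender in peers else None
        return None


def run_scenario(nat_type: str) -> Dict[str, bool]:
    """A -> B once, A never talks to C. Which probes reach A?"""
    nat = Rfc3489Nat(nat_type, NAT_IP)
    ext = nat.outbound(A, B)  # (210.21.12.140, 8000)
    return {
        "C -> ext": nat.inbound(C, ext) == A,
        "B other port -> ext": nat.inbound((B[0], 2001), ext) == A,
        "B same port -> ext": nat.inbound(B, ext) == A,
    }


def symmetric_second_destination() -> Tuple[Endpoint, Endpoint]:
    """A talks to B, then to C: a Symmetric NAT allocates a second external port."""
    nat = Rfc3489Nat(SYMMETRIC, NAT_IP)
    return nat.outbound(A, B), nat.outbound(A, C)


if __name__ == "__main__":
    for t in (FULL_CONE, RESTRICTED_CONE, PORT_RESTRICTED_CONE, SYMMETRIC):
        print(f"{t:22s} {run_scenario(t)}")
    print("Symmetric A->B, A->C:", symmetric_second_destination())
```

Note that from the outside, with only one destination contacted, Port Restricted Cone and Symmetric look identical; the two are told apart only by sending to a second destination and seeing whether the external port changes, which is exactly what the article's iptables analysis turns on.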

The above example should make clear the basis on which the STUN protocol classifies NATs. Now, using the classification criteria (or examples) above, let us briefly analyze how iptables works and see which NAT type it belongs to.

First, download a tool that uses the STUN protocol to detect the NAT type from http://sourceforge.net/projects/stun/. Checking iptables with this tool gives the result: port restricted NAT detected.

We should not rush to accept this detection result. Let us first analyze how iptables works.

Iptables follows two principles when translating an address:

1. Try not to modify the source port. That is, the source port of the masqueraded IP packet is kept unchanged whenever possible.

2. More importantly, it only needs to ensure that the combination of source address/port and destination address/port (the so-called socket) is unique after the IP is masqueraded.

An example:

Machine A communicates with machine B: A (192.168.0.4:5000) -> NAT (translated to 210.21.12.140:5000) -> B (210.15.27.166:2000). (Note: following principle 1, the NAT does not change the port.)

If machine A (192.168.0.4:5000) now also wants to communicate with machine C (210.15.27.140:2000), a new mapping is created on the NAT, but the corresponding translation may still be A (192.168.0.4:5000) -> NAT (translated to 210.21.12.140:5000) -> C (210.15.27.140:2000). This is because the two sockets NAT (210.21.12.140:5000) -> B (210.15.27.166:2000) and NAT (210.21.12.140:5000) -> C (210.15.27.140:2000) do not coincide. So for iptables this is both allowed (principle 2) and inevitable (principle 1).

In this example, iptables does not appear to be a Symmetric NAT, because it does not seem to satisfy the Symmetric NAT requirement: packets from the same internal address and port going to a different destination address and port are translated, using a different mapping, to a different port (there is only one external address, so it stays the same). On the contrary, it satisfies the requirement shared by the three Cone NAT types other than Symmetric NAT: packets from the same internal address and port are translated to the same external address and port. In addition, iptables has a port restriction attribute (which is beyond doubt, and will be proved later by a counterexample). Therefore, many detection tools report iptables as Port Restricted NAT.

Let us analyze a further example:

Add machine D on the private network (192.168.0.5).

Machine A communicates with machine B: A (192.168.0.4:5000) -> NAT (translated to 210.21.12.140:5000) -> B (210.15.27.166:2000)

Machine D communicates with machine C: D (192.168.0.5:5000) -> NAT (translated to 210.21.12.140:5000) -> C (210.15.27.140:2000)

According to the iptables translation principles, both translations above are allowed and necessary.

If machine A (192.168.0.4:5000) now also wants to communicate with machine C (210.15.27.140:2000), a new mapping is created on the NAT, but the corresponding translation becomes A (192.168.0.4:5000) -> NAT (210.21.12.140:5001) -> C (210.15.27.140:2000). This is because, if it were still translated to 210.21.12.140:5000, the socket (210.21.12.140:5000 -> 210.15.27.140:2000) would coincide with the socket of D -> C, and the conflict would violate principle 2 of iptables. (Note: "5001" here only stands for some different port after translation; iptables does not actually allocate new ports by adding 1 to the internal port.)

In this example, from the same internal address and port (192.168.0.4:5000) to a different destination address and port, the NAT uses a different mapping and translates to a different port. Obviously this behaviour meets the requirement of Symmetric NAT, not that of Cone NAT.

Let us review the STUN protocol's requirement for Cone NAT: all packets (or: as long as packets) from the same internal address and port are translated by the NAT to the same external address and port. Although iptables mostly satisfies "packets from the same internal address and port are translated to the same external address and port", it does not do so in all cases. (In fact, with the discovery process of the previous example or of the STUN protocol, the detection result for iptables will be Port Restricted NAT in most cases.)

The key to the above conflict is that the STUN protocol and iptables understand a mapping differently. STUN considers the elements of a mapping to be the combination of the internal address:port and the address:port after NAT translation. In iptables, the elements of a mapping are the combination of the address:port after NAT translation and the external destination address:port.

Next, let us analyze the port restriction attribute of iptables. We give a counterexample based on the previous example, as follows:

Machine A communicates with machine B: A (192.168.0.4:5000) -> NAT (translated to 210.21.12.140:5000) -> B (210.15.27.166:2000)

Machine D communicates with machine C: D (192.168.0.5:5000) -> NAT (translated to 210.21.12.140:5000) -> C (210.15.27.140:2000)

Suppose iptables did not have the port restriction attribute. Then if another machine E on the Internet (210.15.27.140:2001), or C from 210.15.27.140:5000, sends a packet to 210.21.12.140:2000, the packet should be delivered to an internal machine. However, when the packet arrives at the NAT (210.21.12.140:5000), the NAT cannot know whether to send it to A (192.168.0.4:5000) or to D (192.168.0.5:5000). Obviously the packet can only be discarded. This is enough to prove that iptables has a port restriction attribute.

Therefore, iptables is a genuine Symmetric NAT.
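The model below is an added example, not the article's code and not netfilter's implementation. It encodes the two iptables principles from the earlier section (keep the source port if possible; only the translated 4-tuple of external address:port and destination address:port must be unique) and replays both the A/D/B/C port-conflict example and the port-restriction counterexample above. Reverse lookup keys on the full 4-tuple, which is what makes a probe from an unknown peer address:port undeliverable. The conflict-resolution rule (lowest free port above the original) is an assumption for illustration; as the article notes, real iptables does not pick ports that way.

```python
"""Model of iptables-style SNAT/MASQUERADE port selection (added example)."""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]            # (ip, port)
FourTuple = Tuple[Endpoint, Endpoint]  # (translated source, destination)

# Addresses from the article.
NAT_IP = "210.21.12.140"
A = ("192.168.0.4", 5000)
D = ("192.168.0.5", 5000)
B = ("210.15.27.166", 2000)
C = ("210.15.27.140", 2000)


class IptablesStyleNat:
    def __init__(self, external_ip: str) -> None:
        self.external_ip = external_ip
        # translated 4-tuple -> internal endpoint that owns it
        self.table: Dict[FourTuple, Endpoint] = {}

    def outbound(self, internal: Endpoint, dest: Endpoint) -> Endpoint:
        # Reuse an existing mapping for this (internal, destination) pair.
        for (ext, d), owner in self.table.items():
            if owner == internal and d == dest:
                return ext
        port = internal[1]                                  # principle 1: keep the port
        while ((self.external_ip, port), dest) in self.table:
            port += 1                                       # principle 2: 4-tuple must be unique
        ext = (self.external_ip, port)                      # (assumed allocation rule)
        self.table[(ext, dest)] = internal
        return ext

    def inbound(self, sender: Endpoint, ext: Endpoint) -> Optional[Endpoint]:
        # Only the exact peer address:port recorded in a 4-tuple can reach the
        # internal host: this is the port-restriction property the article proves.
        return self.table.get((ext, sender))


def single_host_scenario() -> Tuple[Endpoint, Endpoint]:
    """A -> B then A -> C with no other hosts: both keep port 5000 (looks like Cone)."""
    nat = IptablesStyleNat(NAT_IP)
    return nat.outbound(A, B), nat.outbound(A, C)


def two_hosts_scenario() -> Tuple[Endpoint, Endpoint, Endpoint]:
    """A -> B, D -> C, then A -> C: the third mapping must move to a new port."""
    nat = IptablesStyleNat(NAT_IP)
    a_to_b = nat.outbound(A, B)   # 5000 kept
    d_to_c = nat.outbound(D, C)   # 5000 kept too; different 4-tuple
    a_to_c = nat.outbound(A, C)   # (ext 5000, C) already owned by D, so 5001
    return a_to_b, d_to_c, a_to_c


def inbound_probes() -> Dict[str, Optional[Endpoint]]:
    """Who receives packets sent to 210.21.12.140:5000 after A->B and D->C?"""
    nat = IptablesStyleNat(NAT_IP)
    nat.outbound(A, B)
    nat.outbound(D, C)
    ext = (NAT_IP, 5000)
    return {
        "from B:2000": nat.inbound(B, ext),                       # A
        "from C:2000": nat.inbound(C, ext),                       # D
        "from B:2001": nat.inbound((B[0], 2001), ext),            # None: dropped
        "from E (210.15.27.140:2001)": nat.inbound(("210.15.27.140", 2001), ext),  # None
    }


if __name__ == "__main__":
    print("single host:", single_host_scenario())
    print("two hosts:  ", two_hosts_scenario())
    for probe, target in inbound_probes().items():
        print(f"{probe:30s} -> {target}")
```

The two outbound scenarios show why a STUN probe from a single test machine usually reports Port Restricted Cone (the external port never changes) while the mapping rule is still symmetric: the port only moves when a second internal host has already claimed the same external port towards the same destination.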

Appendix:

1. STUN stands for Simple Traversal of UDP Through NATs, so all packets discussed in this article are UDP packets.

2. Although this article analyzes iptables on Linux, if you replace the keyword "iptables" with "ICS or NAT in Windows 2000", the analysis applies equally to ICS or NAT in Windows 2000. In theory, ICS or NAT in Windows 2000 are also genuine Symmetric NATs, but in practice the detection result will be Port Restricted NAT in most cases. Why are the classifications of ICS and NAT in Windows 2000 and of iptables so consistent? Because ICS and NAT in Windows 2000 follow the same principles as iptables when performing NAT translation.

This article should give a clear understanding of iptables and STUN. We hope it is useful to you!
