Iptables and SOCKS5
As the article "Iptables and Natcheck" showed, when both ends use iptables for NAT, the two iptables NATs can never traverse each other, even if both sides pass the Natcheck compatibility test.
What can be done? One way is to add a relay server on the public network and have it relay the UDP traffic between the intranet machines on both sides (in fact, relaying for one side is enough). The advantage of this method is that, because the relay server is on the public network, any machine behind a NAT can connect to it, so machines on different intranets can always achieve two-way communication through the relay server. The disadvantage is that it places high demands on the relay server, including CPU processing power and network bandwidth, and that communication delay between clients is unavoidable. (Skype, currently the most prevalent such program on the Internet, is an exception: it uses a distributed relay technique in which Skype clients that are attached directly to the Internet and are not behind a firewall provide relay service to others, so Skype achieves a high call success rate while ensuring superior voice quality.) A more important factor is that there is no uniform standard for relay servers, so each kind of peer-to-peer program needs its own dedicated relay server. If these relay servers cannot share resources, resources are inevitably wasted (a standard relay protocol appears to be on the way, named Traversal Using Relay NAT, or TURN).
Another good way is to use a SOCKS5 (RFC 1928) proxy server in place of the dedicated relay server: first, SOCKS5 supports UDP well; second, SOCKS5 proxy servers come in many varieties and are widely deployed on the public network; and most importantly, SOCKS5 is an already standardised protocol. When a client uses a SOCKS5 proxy, its UDP traffic goes out through the proxy, so to the other party's peer-to-peer program the client behind the SOCKS5 proxy looks as if it were connected directly to the public network. In other words, as long as one side uses a SOCKS5 proxy, the other side, whatever NAT it is behind, is not limited by its STUN or Natcheck result. In theory, therefore, iptables and SOCKS5 should cooperate happily. But if a SOCKS5 proxy is implemented without a thorough enough understanding of the SOCKS5 protocol, some unpleasantness still arises when it works together with iptables. Two examples are presented below.
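To make the UDP path described above concrete, here is an added example (not from the original article) of the RFC 1928 messages involved: the UDP ASSOCIATE request, the reply carrying the relay endpoint, and the header wrapped around each relayed datagram. The function names are this example's own, and it rejects fragments instead of reassembling them.

```python
import ipaddress

# Illustrative helpers (names are this example's own); field layout per RFC 1928.
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def encode_addr(host: str, port: int) -> bytes:
    """ATYP + ADDR + PORT, the address form shared by requests, replies and UDP headers."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal: send a length-prefixed domain name
        name = host.encode("ascii")
        if not 1 <= len(name) <= 255:
            raise ValueError("domain name must be 1..255 octets")
        return bytes([ATYP_DOMAIN, len(name)]) + name + port.to_bytes(2, "big")
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([atyp]) + ip.packed + port.to_bytes(2, "big")

def decode_addr(buf: bytes, off: int):
    """Return (host, port, next_offset); ValueError on truncated or unknown input."""
    if len(buf) < off + 2:
        raise ValueError("truncated address")
    atyp = buf[off]
    n = {ATYP_IPV4: 4, ATYP_IPV6: 16, ATYP_DOMAIN: buf[off + 1]}.get(atyp)
    off += 2 if atyp == ATYP_DOMAIN else 1
    if n is None or len(buf) < off + n + 2:
        raise ValueError("unsupported ATYP or truncated address")
    raw = buf[off:off + n]
    host = raw.decode("ascii") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw))
    return host, int.from_bytes(buf[off + n:off + n + 2], "big"), off + n + 2

def udp_associate_request(src_host: str = "0.0.0.0", src_port: int = 0) -> bytes:
    """VER=5, CMD=3 (UDP ASSOCIATE), RSV=0; all-zero address if the source is unknown."""
    return b"\x05\x03\x00" + encode_addr(src_host, src_port)

def parse_reply(reply: bytes):
    """Return the relay endpoint (BND.ADDR, BND.PORT) that datagrams must be sent to."""
    if len(reply) < 4 or reply[0] != 5 or reply[1] != 0 or reply[2] != 0:
        raise ValueError("malformed or refused SOCKS5 reply")
    return decode_addr(reply, 3)[:2]

def wrap_datagram(dst_host: str, dst_port: int, payload: bytes) -> bytes:
    """RSV=0x0000, FRAG=0, destination address, then the application data."""
    return b"\x00\x00\x00" + encode_addr(dst_host, dst_port) + payload

def unwrap_datagram(dgram: bytes):
    """Return (host, port, payload); fragments are rejected, not reassembled."""
    if len(dgram) < 4 or dgram[:2] != b"\x00\x00" or dgram[2] != 0:
        raise ValueError("bad RSV, or FRAG != 0 (fragment dropped)")
    host, port, off = decode_addr(dgram, 3)
    return host, port, dgram[off:]
```

The peer only ever sees the relay's public address and port; the client's NAT mapping toward the proxy is the only one that has to work.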