PDA

Επιστροφή στο Forum : NAT demystified



hippie
23-10-03, 12:28
epeidh ginetai poli kouventa gia to NAT tha hthela na ginei mia ginei mia enhmerotikh suzhthsh (oso ginetai pio katanohta) gia ti akrivos shmainei, ti akrivos kanei

gnorizo poli liga pragmata (ligotero apo mia selida :cry: )kai tha parakalousa tous pio eidikous edo sto forum na dieukrinisoun pio poly ta pragmata :D

basika h aporia mou einai to NAT einai diaforetiko apo kataskeasth se kataskeuasth hardware h basizetai se kapoia standard (opos ta RFC gia PPPoE h PPPoA) :?:

euxaristo 8)

panos
23-10-03, 13:50
To NAT einai ta arxika tou Network Address Translators

H xrisi tou NAT endyktitai ekei opou liges ( h stin prokeimeni periptwsi 1 ) IP dieu8ynsh pou mas exei dwsei o ISP, tin moirazetai to eswteriko dyktio.
px an se mia etairia me 100 client, einai asymforo (den milaw gia security) na exoun oloi internet IP address (pou mas tis dinei o ISP mas)
tote enas pc-server analamvanei to rolo mesw autou na exoune internet access ta ypoloipa 100.
O server exei mia internet IP kai mia 192.168.x.x (sini8os) pros to eswteriko dyktio me ta ypoloipa pc.


Kai ligaki Texnika twra :)

An mia mikri etairia me eswteriki IP 192.168.0.0 kai 1 internet IP apo ton ISP tote o NAT kanei map tis eswterikes me tin real IP.

Otan kapoios xristis apo to eswteriko dyktio 8elei na synde8ei px. sto Internet h zitisei kapoio allo internet resource tote to TCP/IP protocol dimiourgei ena IP paketo me tis parakatw parametrous sto IP kai TCP h UDP headers

Destination IP Address: Internet resource IP address
Source IP Address: Private IP address
Destination Port: Internet resource TCP or UDP port
Source Port: Source application TCP or UDP port

o router kanei forward to paketo ston NAT server o opoios kanei to Translation.

Destination IP Address: Internet resource IP address
Source IP Address: ISP-allocated public address ( edw einai i IP pou mas dinei o ISP)
Destination Port: Internet resource TCP or UDP port
Source Port: Remapped source application TCP or UDP port

O NAT server stelnei to paketo sto internet allagmeno vevaia na fenetai oti proerxetai apo ton idio ton server kai oxi apo kapoion pisw apo auton.
O server pou to lamvanei stelnei tin apantisi pisw ston NAT pou fenetai kapws etsi:

Destination IP Address: ISP-allocated public address ( h Ip tou NAT apo ton ISP)
Source IP Address: Internet resource IP address
Destination Port: Remapped source application TCP or UDP port
Source Port: Internet resource TCP or UDP port

kai me tin seira tou o NAT server proo8ei to paketo ston eswteriko xristi pou eixe zitisei tin pliroforia.
Fenetai etsi:

Destination IP Address: Private IP address
Source IP Address: Internet resource IP address
Destination Port: Source application TCP or UDP port
Source Port: Internet resource TCP or UDP port


Ta mapping twn eswterikon dieu8ynsewn se e3wterikes apo8ykeuontai sto NAT translation table to opoio exei statics maps kai dynamic (den ta analyw perisotero).

Gia perissoteres pliforories mporeis na koita3eis sta RFC's 3021,1631...

delto
23-10-03, 15:50
Se sunexeia twn parapanw (kai panta exontas upopsh periptwseis ADSL sundromhtwn pou 8eloun me mia public IP na "bgaloun e3w" ena subnet apo private IPs)...

Me to NAT, 2 kathgoriwn einai ta pio sunh8ismena problhmata.

a) Problhmata pou aforoun incoming connections.

Ama skefteis th roh pou sumbainoun osa periegrapse o panos, 8a deis oti ta translations ginontai triggered apo kapoio request enos xrhsth tou eswterikou diktuou. Etsi dhmiourgeitai kai to entry sto NAT table kai etsi 3erei o router ('h o server) pou kanei to NAT, pou na epistrepsei to paketo molis er8ei h apanthsh apo e3w.

Ti ginetai omws me paketa pou erxontai ap'e3w ta opoia den exoun zhth8ei? Gia auta de 8a uparxei kapoia kataxwrhsh sto NAT table, opote.....drop. Gia auto legetai kai oti to NAT sou prosferei ena prwto stoixeiwdes epipedo security.

Se periptwsh omws pou 8a 8es na pernan "aprosklhta" paketa apo e3w sto eswteriko diktuo (p.x. se enan server pou uparxei mesa), tote.... static NAT. Dhmiourgeis kataxwrhseis sto NAT table gia thn kinhsh pou 8es na pernaei mesa akoma ki an den exei zhth8ei. P.x. an exeis ena web server mesa, ftiaxneis mia static kataxwrhsh sto NAT table kai les oti "pantote o,ti erxetai sthn e3wterikh IP sto TCP 80, na phgainei ston web server mou mesa sto 192.168.0.2 sto TCP 80".


b)Problhmata pou aforoun "NAT-sensitive" efarmoges.

Auto pou kanei to NAT einai na allazei IP addresses stous IP headers enos paketou. Kapoies omws efarmoges, gia dikes tous skopimothtes mporei na xrhsimopoioun p.x. thn source IP......kai mesa sto IP payload. To NAT den asxoleitai me auto, opote 8a kanei to translation stous headers, alla mesa de 8a peira3ei tipota. Apotelesma einai oses efarmoges xrhsimopoioun source IPs mesa sto paketo, na mhn paizoun pisw apo NAT.

Wstoso kapoioi kataskeuastes exoun ulopoihsei pio e3upna to NAT stous routers tous kai e3etazoun/metafrazoun kai IP dieu8unseis pou briskontai sto eswteriko tou paketou! Me ton tropo auto katafernoun na pernane kapoies efarmoges parapaw. Bebaia apo th stigmh pou auto 3efeugei apo th basikh leitourgia enos router, trwei kai kati parapanw apo to performance tou.

hippie
23-10-03, 20:51
...Ti ginetai omws me paketa pou erxontai ap'e3w ta opoia den exoun zhth8ei? Gia auta de 8a uparxei kapoia kataxwrhsh sto NAT table, opote.....drop. Gia auto legetai kai oti to NAT sou prosferei ena prwto stoixeiwdes epipedo security.
Wstoso kapoioi kataskeuastes exoun ulopoihsei pio e3upna to NAT stous routers tous kai e3etazoun/metafrazoun kai IP dieu8unseis pou briskontai sto eswteriko tou paketou! Me ton tropo auto katafernoun na pernane kapoies efarmoges parapaw. Bebaia apo th stigmh pou auto 3efeugei apo th basikh leitourgia enos router, trwei kai kati parapanw apo to performance tou.


sxetika kala mexri tora 8O

tora h kataxwresh sto NAT table ginetai meso algorithmon (routinon isos :? ) pou mallon tha diaferoun apo kataskeuasth se kataskeuasth (swsta h oxi :? )

san paradeigma: mporei na ginei (kapoia poiotikh) sigkrish tou NAT px tou jetspeed me ena zyxel me ena cisco me h genika me ena opoiodhpote allo modem/router :?:

kai mia deuterh erotisi (isos einai kai entelos out :( ): ginetai to NAT enos modem na ginei "corrupted" (or hacked) apo kapoio eksoteriko (px malicious user or programmme) :?:

euxaristo gia opioadhpote dieukrinhsh :D

TiO
23-10-03, 23:33
san paradeigma: mporei na ginei (kapoia poiotikh) sigkrish tou NAT px tou jetspeed me ena zyxel me ena cisco me h genika me ena opoiodhpote allo modem/router


Bebaiws kai yparxei diafora... terastia... Yparxoun ylopoihseis NAT oi opoies to mono pou kanoun einai na pernoun to IP paketo kai na allazoun tis IP sto src kai dst field tou paketou. Omws auto gia merikes efarmoges pou tis IPs tis bazoun kai mesa sto TCP(p.x.) paketo pou brisketai mesa sto IP, kai gia na doulepsoun swsta 0a prepei na allaxoun kai autes. Ara loipon mia ulopoihsh pou 0a allazei kai aytes 0a einai safws kaluterh apo thn prohgoumenh pou koitaei mono tous headers tou IP.

auta en oligois.

delto
24-10-03, 12:24
a, kai kati akoma....

Mia kai hr8e to 8ema meta3u diaforetikwn ulopoihsewn anamesa se diaforetikous kataskeuastes...

Megalh diafora 8a deis apo kataskeuasth se kataskeuasth kai apo montelo se montelo, sto plh8os twn translations pou mporei na shkwsei enas router mexri na gonatisei.

Auto ginetai idietaira ais8hto me ta P2P programmata, ta opoia anoigoun para polla connections (pou shmainei kai para polla translations).

P.x. Ama 10 xrhstes pisw apo ena jetspeed tre3oun winmx,kazaa,emule klp kai anoi3ei 500 connections to ka8ena, xaireta to mou to jetski :D

troll
02-11-03, 14:03
Πως μπορώ να ρυθμίσω το ΝΑΤ έτσι ώστε να βλέπουν οι άλλοι servers μόνο το ΙP του ISP μου και όχι του LAN κάτι διάβασα για το ILA insert local address αλλά δεν το βρίσκω

Copyright © Keen Notion Co (2002-2017) Copyright Keen Notion Co.