NAT and Port Forwarding – How NAT, Port Forwarding, and TCP/IP Work

nat;tcp

I recently read an article entitled "How NAT Works". Some things still remain unclear to me. I would be thankful if someone could explain.

Below is the part of the article regarding Dynamic NAT that is most confusing:

A computer on the stub domain attempts to connect to a computer outside the network, such as a Web server.

The router receives the packet from the computer on the stub domain. The router saves the computer's non-routable IP address to an address translation table. The router replaces the sending computer's non-routable IP address with the first available IP address out of the range of unique IP addresses. The translation table now has a mapping of the computer's non-routable IP address matched with one of the unique IP addresses.

When a packet comes back from the destination computer, the router checks the destination address on the packet. It then looks in the address translation table to see which computer on the stub domain the packet belongs to.

1) How does NAT know that the packet "comes back" to the destination computer?

2) What if other computers in the LAN are connected to the same server? How does the NAT know which packet should "come back" where?

3) Does the packet header modification allow one to perform an Internet attack in which the "source IP" is replaced with the victim's IP, so that the answering server floods the victim with unwanted packets?

I guess multiple attackers would need to be involved…

4) Is Static NAT equivalent to port forwarding of all ports?

Best Answer

There is a general confusion between NAT (Network Address Translation) and PAT (Port Address Translation), which is what we mostly use in our home routers.

NAT
Let's assume we have a network with the following topology:

Private_Network <-------> Router <-------> The_Internet

The interface of the Router that is connected to the Private_Network has a private IP address, i.e. one that is not unique in The_Internet. On the other hand, in the case of NAT, the Router has multiple interfaces connected to The_Internet. Each interface has a unique IP address in The_Internet. Now let's assume that Host_A and Host_B are in the Private_Network and they both want to access Website_X in The_Internet at the same time. The IPs and the ports of Host_A's packet will be:

Source IP: Host_A's private IP
Source Port: A port on Host_A
Destination IP: Website_X's public/unique IP
Destination Port: A port on which Website_X's server is listening

and in the same way for a packet coming from Host_B.
If the Source IP is left unchanged, then Website_X will reply to an IP address that is private, i.e. not unique, and therefore the packet will never be able to find its way back. In order to solve that problem, the Router checks whether one of its unique IP addresses connected to The_Internet is unused. If that is the case, it does the following mapping:

Host_A's private IP ======= Router's_unique_IP_K

and now the packet that started from Host_A, going to Website_X, and is leaving the interface of the Router connected to The_Internet will have the form:

Source IP: Router's_unique_IP_K
Source Port: A port on Host_A
Destination IP: Website_X's public/unique IP
Destination Port: A port on which Website_X's server is listening

Thus you can understand that there is a one-to-one association from private IPs to public IPs. Therefore when a packet arrives from Website_X at the Router, this association is checked, the destination IP address is changed back to the private one, and the packet is delivered successfully to the right host.
As you can see, this method is quite simple, but it has one big disadvantage: each private host has to have a unique IP address reserved, which is expensive, thus we choose to have fewer unique IP addresses than hosts in the private network. Therefore if all the private hosts attempt to access The_Internet at the same time, only a subset of them, equal to the number of available public IP addresses that the Router has, will have access and the rest will be denied.
In order to counter that we created PAT.

PAT
PAT is what the vast majority of our home routers are using. The basic limitation is that the Router has a single unique IP address with which it connects to The_Internet, but we still want to allow multiple hosts from the private network to access The_Internet at the same time.
The way we do that is "similar" to the way NAT does it, with a key difference: instead of the Router holding a pool of IP addresses, it holds a pool of port numbers. More precisely, a packet arriving at the Router from Host_A in the Private_Network destined for Website_X in The_Internet will have the following format:

Source IP: Host_A's private IP
Source Port: A port on Host_A
Destination IP: Website_X's public/unique IP
Destination Port: A port on which Website_X's server is listening

Now the Router will do two tasks:

  1. It will change the Source IP to the Router's unique public IP AND
  2. It will change the Source Port to a port from a pool that the Router maintains and that is not already used, e.g. Port_Z

and now the packet that started from Host_A, going to Website_X, and is leaving the interface of the Router connected to The_Internet will have the form:

Source IP: Router's_unique_IP_K
Source Port: Port_Z
Destination IP: Website_X's public/unique IP
Destination Port: A port on which Website_X's server is listening

and the Router will keep the following mapping:

Host_A's private IP AND a port on Host_A ======= Port_Z

Why does this work?
Now when a packet comes back, the Router simply checks the destination port number and changes the destination IP address and the destination port number according to the aforementioned mapping, and the packet gets delivered successfully.

What if I run multiple applications on the same Host?
Different applications will have different ports, by definition, thus they will be mapped to different ports by the Router.

What if multiple Hosts attempt to access The_Internet at the same time and they all use the same application?
Different Hosts will have different private IP addresses, by definition, thus they will be mapped to different ports by the Router.

PAT is dangerously balancing in a grey area of cross-layer operation. Port numbers are part of the Transport Protocol, while Routers are allowed to operate only up to the Internet Protocol. So technically speaking, it is something that is not allowed by the protocols. Therefore there are, at least theoretically, potential dangers: the port pool is limited. Therefore if my private network consists of 1000 Hosts and each one is running port_pool/10 applications, the mapping table at the router will run out of available entries and access to applications will be denied.

This answer greatly exceeded my intended length, but I hope it was helpful.
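The two translation tables described in the answer (a pool of public IPs for one-to-one NAT, a pool of public ports for PAT), as an added example that is not part of the original answer or any real router's code. It models packets as 4-tuples, allocates from a pool on the first outbound packet of a flow, restores the private address on the reply, and shows the two failure modes the answer mentions: the pool running out, and an inbound packet with no matching entry. All addresses, ports and "packets" are constructed for the example.

```python
"""Toy model of Dynamic NAT (IP pool) and PAT (port pool).
Added example; addresses and packets below are constructed, not captured."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class DynamicNat:
    """One-to-one NAT: each private IP borrows a whole public IP from the pool."""

    def __init__(self, public_pool):
        self.free = list(public_pool)
        self.table = {}    # private IP -> public IP
        self.reverse = {}  # public IP  -> private IP

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        pub = self.table.get(pkt.src_ip)
        if pub is None:
            if not self.free:
                return None  # pool exhausted: this host is denied access
            pub = self.free.pop(0)
            self.table[pkt.src_ip] = pub
            self.reverse[pub] = pkt.src_ip
        # Only the source IP is rewritten; the source port is untouched.
        return Packet(pub, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        priv = self.reverse.get(pkt.dst_ip)
        if priv is None:
            return None  # no mapping for this public IP: drop
        return Packet(pkt.src_ip, pkt.src_port, priv, pkt.dst_port)


class Napt:
    """PAT: one public IP, and a public port allocated per (private IP, port) flow."""

    def __init__(self, public_ip: str, port_range=range(1024, 65536)):
        self.public_ip = public_ip
        self.free_ports = list(port_range)
        self.table = {}    # (private IP, private port) -> public port
        self.reverse = {}  # public port -> (private IP, private port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.src_ip, pkt.src_port)
        port = self.table.get(key)
        if port is None:
            if not self.free_ports:
                return None  # port pool exhausted: the new flow is denied
            port = self.free_ports.pop(0)
            self.table[key] = port
            self.reverse[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        # Replies are demultiplexed purely on the destination (public) port,
        # which is how two hosts talking to the same server stay apart.
        if pkt.dst_ip != self.public_ip:
            return None
        key = self.reverse.get(pkt.dst_port)
        if key is None:
            return None  # unsolicited inbound packet: no mapping, drop
        priv_ip, priv_port = key
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo() -> dict:
    """Two private hosts use the same private port to reach the same web server."""
    web = ("198.51.100.10", 443)                       # constructed server address
    pat = Napt("203.0.113.1", port_range=range(40000, 40002))  # 2-port pool on purpose
    a_out = pat.outbound(Packet("192.168.1.10", 51000, *web))
    b_out = pat.outbound(Packet("192.168.1.11", 51000, *web))  # same port as Host A
    # The server replies to whatever (IP, port) it saw; the router restores the originals.
    a_back = pat.inbound(Packet(web[0], web[1], a_out.src_ip, a_out.src_port))
    b_back = pat.inbound(Packet(web[0], web[1], b_out.src_ip, b_out.src_port))
    c_out = pat.outbound(Packet("192.168.1.12", 51000, *web))  # third flow: pool empty
    unsolicited = pat.inbound(Packet(web[0], web[1], "203.0.113.1", 40005))

    nat = DynamicNat(["203.0.113.5"])                  # one public IP only
    nat_a = nat.outbound(Packet("192.168.1.10", 51000, *web))
    nat_b = nat.outbound(Packet("192.168.1.11", 51000, *web))  # denied: pool exhausted
    return dict(a_out=a_out, b_out=b_out, a_back=a_back, b_back=b_back,
                c_out=c_out, unsolicited=unsolicited, nat_a=nat_a, nat_b=nat_b)


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12} {pkt}")
```

Running the demo shows Host A and Host B leaving the router as 203.0.113.1:40000 and 203.0.113.1:40001 even though both used private port 51000, each server reply landing back on the right private host, the third host getting no translation once the two-port pool is gone, and a packet to an unmapped port being dropped. Real PAT implementations also key the table on the destination address, expire idle entries and track TCP state, none of which this toy does.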
