[babaton]

Hello,

Can anyone shed some light on NAT for me?I always read that as wel as cutting down on the number of real IP addreses needed it also provides a basic firewall.

OK this is how I understand NAT to work,please tell me where I am wrong.....

if my router changes the internal address on an outbound packet from 192.168.0.5 to real ip address 123.123.123.10 then the outside world only sees 123.123.123.10 right?

but any packets coming back from say a http server will be addressed to 123.123.123.10,my router forwards them on to me at 192.168.0.5.
So how does it work? anyone can see the real IP address I have at the moment I can't see much difference between NAT and DHCP.

How does the router know the difference between a packet which is a reponse and a packet which might be trying to initiate a connection?I read something about sequential packet identifiers.
The routers know that if say packet a is sent out with identifier 1 then the responding packet should be numbered 2.Yes?

Finally I read another piece which really confused me about the sequential number being constantly changing thousands of times a second.

So now packet a goes out with no. 1 say it takes 5 secs to reach its destination it is then turned round with identifier 5000 if the clock runs at 1000 changes per second.

my router will know what the identifier should be and will reject any packets from that addres with the wrong identifier.

Phew! and all this is to prevent IP spoofing yeah?

OK i'm all done,sorry it's a bit long but if I write it down it gets clearer in my head.

Please tell me where I am wrong or missing important info.I'm also sure that I have over simplified so go easy.

One last thing,anyone suggest a software router to run on windows?
Something I can play with.

Cheers.

[packet]

Routers and NAT devices use a table to keep track of outgoing connections, some of them even create a sort of firewall list that says allow the return traffic back in for a set amount of time. The way it determines the appropriate return traffic is by matching IPs and port numbers.

So if I go to a web site that maps to ip x.1.1.1 and I'm coming from 10.0.0.10 the NAT device will re-write the outgoing packet to have the "global" address as the return address. So if the real or global address were y.0.0.10 it would put that as the source IP.

What it records are your source IP, the global IP it mapped to (sometimes there is a pool), the source port, the destination address, and the destination port.

So if your outgoing packet looked like this:

Source: 10.0.0.10 4321 Destination: x.1.1.1 80

And it mapped it to y.0.0.10 (real address) it would look for a packet that came back (within a set amount of time) that matched:

Source: x.1.1.10 80 and Destination: y.0.0.10 4321 it would see in it's table it mapped back to 10.0.0.10 and rewrite the packet to have 10.0.0.10 as the destination address and allow the packet through.

The packet ideally would also be checked to see if it was either a SYN ACK or ACK packet. If it was only a SYN packet that would be an initiating packet and should be automatically dropped (unless there were incoming rules).

The sequence number is the packet identifier that should have a randomized value, it is the method that systems use to track whether a packet was acutally sent out by them or not, it isn't usually used in NAT.

Hope this helps

--P.G>

[babaton]

Thanks packet,

makes sense, the router just knows who its been communicating with and only accepts packets from those addresses:port no. which also have the correct destination address.

Is it possible to initiate a connection by sending an ACK?

or take over someone elses connection?
where do the packet identifiers come into play?

Cheers.

[babaton]

OK,

I've also been reading up on anonymous proxies and they seem pretty similar to NAT.However a proxy only has one glogal IP address to hand out to all these packets right?How does it know which incoming packets go to which clients?

So do proxies use a similar system to NAT overloading?

eg.
I send a packet out via the proxy (15.15.15.15:8080)eg.

source 10.0.0.10:4321 destination 200.2.2.2:80

If the proxy allready has the page requested it just sends it back to me,if not it swaps out the source address and retrieves the page.However in order to identify the correct responding packet it has to map my internal IP address(10.0.0.10) with
its own source,to do this it just adds the port number corresponding to the position it was saved in the table.

So if its 3rd in the table we get :

source 15.15.15.15:3 destination 200.2.2.2:80

and 10.0.0.10:4321 is mapped to 15.15.15.15:3

any incoming packets for port 3 are sent back to me at 10.0.0.10:4321.


Is this right? and if so a proxy is like a NAT router with a hard drive for caching web pages

And one final question,what stops the cops from shutting down these proxies?
Say if I set one up and then everyone is going via my proxy and doing all kinds of nasty stuff.Wouldn't the cops just close my proxy?

Please tell me what I have wrong...

Thanks everyone

[packet]

First off:

Quote

Is it possible to initiate a connection by sending an ACK?

No any machine seeing an ACK will check to see if it has a session setup with the sender and if it doesn't it will drop the packet.

Quote

or take over someone elses connection?
where do the packet identifiers come into play?

Generally the sequence numbers would be used to take over a connection (outside of any firewall or NAT device which will drop these types of attacks). So if you have easily predictable sequence numbers (like NT does) it is possible for a hacker to take over your connection to another box. Once the initial SYN is sent out the hacker can predict what sequence number the SYN ACK will have and essentially take over the connection. Most good firewalls will prevent this as will NAT devices.

--P.G>