[EMAIL PROTECTED] wrote:
 ...[text about how an ALG proxy works similarly to NAT and also changes the source port,
 since the ALG proxy opens up a new connection from a new socket]....
> ...
> If you have some sort of IP filter, router, or loadbalancer doing NAT then the only thing
> that will change in the packet will be the source address.  The rest of the headers will
> remain intact including the source port.  The same would probably be true of a Stateful
> Inspection style firewall depending on how it was built.

Well, many (if not all) NAT implementations will also result in the source port in packets
being sent out from behind (inside) the NAT device often being changed as well these days.

Most NAT implementations currently apparently will also use PAT (Port Address Translation)
implementations as well on demand if needed unless they are specifically told (constrained)
not to do so.  And some might argue that a little bit of (security through obscurity)
protection is gained by hiding the real source port all the time (a topic for debate).

Particularly in the case of devices mapping multiple RFC1918 IP addresses to one outgoing
public IP address it is basically a requirement that the device needs to be allowed to change
the source port on outgoing (NATed) packets, as the port may conflict with other sessions
from other internal rewritten IP addresses using the same source port, and the source port
may also conflict with a TCP/UDP port which is being 'port forwarded' from the public IP
address to a port (either the same or a different one) on one of the internal NATed
machines.

The NAT device then does need to keep track (e.g. maintain a state table) of port as well
as network address mappings.  Normally it would/should do both with one state table entry
per socket tuple, e.g. (note the RFC1918 address 10.1.1.10 is used here instead of the
registered public Internet address that would normally appear in the 2nd column):

        TCP Outgoing NAT/PAT table: Source IP and Source Port

        Before (Real)           After (NPATed)
        IP Address      Port    IP Address      Port
        --------------------    ----------------------
        192.168.1.100   3128    10.1.1.10       32100
        192.168.1.102   4444    10.1.1.10       32101
        192.168.1.2     6010    10.1.1.10       32102

- H. Morrow Long
  University Information Security Officer
  Yale University, ITS, Dir. InfoSec Office

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

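The NAT/PAT state table described in the message above, as an added example that is not part of the original thread or of any vendor's NAT code. It models one public address (the message's 10.1.1.10 stand-in), a static port forward, and a pool of translated source ports. The class name, the `always_rewrite` policy knob (always hide the real source port, as the message's table does) and the remote addresses 203.0.113.5 / 198.51.100.9 are assumptions made for the example; the sample flows are constructed.

```python
"""Toy outbound NAT/PAT state table: many RFC1918 hosts behind one public IP.

Constructed example (not any vendor's implementation). The public side keeps
the real source port when it is free; it rewrites the port when another
internal host already uses it, when it collides with a static port forward,
or when always_rewrite=True (hide the real source port unconditionally).
"""
from typing import Dict, Optional, Set, Tuple

Flow = Tuple[str, str, int, str, int]          # (proto, src_ip, src_port, dst_ip, dst_port)
Endpoint = Tuple[str, int]                       # (ip, port)


class NatPat:
    def __init__(self, public_ip: str,
                 port_forwards: Dict[Tuple[str, int], Endpoint],
                 pool: Tuple[int, int] = (32100, 60999),
                 always_rewrite: bool = False) -> None:
        self.public_ip = public_ip
        # Static inbound mappings: (proto, public_port) -> internal (ip, port).
        self.port_forwards = dict(port_forwards)
        self.pool_lo, self.pool_hi = pool
        self.next_pool_port = self.pool_lo
        self.always_rewrite = always_rewrite
        # One state-table entry per socket tuple, indexed both ways.
        self.outbound: Dict[Flow, int] = {}                      # flow -> public src port
        self.inbound: Dict[Tuple[str, int, str, int], Endpoint] = {}
        self.in_use: Set[Tuple[str, int]] = set()                # (proto, public_port)

    def _port_free(self, proto: str, port: int) -> bool:
        # A public port is unusable if a live session owns it or a forward claims it.
        return (proto, port) not in self.in_use and (proto, port) not in self.port_forwards

    def _alloc(self, proto: str, wanted: int) -> int:
        if not self.always_rewrite and self._port_free(proto, wanted):
            return wanted                                        # pure NAT: port preserved
        for _ in range(self.pool_hi - self.pool_lo + 1):         # PAT on demand
            cand = self.next_pool_port
            self.next_pool_port = self.pool_lo if cand == self.pool_hi else cand + 1
            if self._port_free(proto, cand):
                return cand
        raise RuntimeError("PAT port pool exhausted")

    def translate_out(self, proto: str, src_ip: str, src_port: int,
                      dst_ip: str, dst_port: int) -> Endpoint:
        """Rewrite the source of an outgoing packet; returns (public_ip, public_port)."""
        flow: Flow = (proto, src_ip, src_port, dst_ip, dst_port)
        if flow not in self.outbound:                            # new session: create state
            pub_port = self._alloc(proto, src_port)
            self.outbound[flow] = pub_port
            self.in_use.add((proto, pub_port))
            self.inbound[(proto, pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.outbound[flow]

    def translate_in(self, proto: str, dst_port: int,
                     remote_ip: str, remote_port: int) -> Optional[Endpoint]:
        """Map an incoming packet back to the real (ip, port), or None to drop it."""
        # Dynamic state first: only the remote endpoint we spoke to gets back in.
        hit = self.inbound.get((proto, dst_port, remote_ip, remote_port))
        if hit is not None:
            return hit
        # Then static forwards, which accept any remote endpoint.
        return self.port_forwards.get((proto, dst_port))


def demo() -> Dict[str, object]:
    """Constructed flows reproducing the collisions the message describes."""
    nat = NatPat("10.1.1.10", {("tcp", 443): ("192.168.1.2", 443)})
    out = {
        # First host keeps its real source port.
        "first": nat.translate_out("tcp", "192.168.1.100", 3128, "203.0.113.5", 80),
        # Second host using the same source port forces a PAT rewrite.
        "collide": nat.translate_out("tcp", "192.168.1.102", 3128, "203.0.113.5", 80),
        # Source port equal to a port-forwarded port is also rewritten.
        "forwarded": nat.translate_out("tcp", "192.168.1.2", 443, "203.0.113.5", 80),
        # Same tuple again reuses the existing state entry.
        "repeat": nat.translate_out("tcp", "192.168.1.102", 3128, "203.0.113.5", 80),
        # Reply from the remote we talked to is mapped back; a stranger is dropped.
        "reply": nat.translate_in("tcp", 32100, "203.0.113.5", 80),
        "stranger": nat.translate_in("tcp", 32100, "198.51.100.9", 80),
        "static": nat.translate_in("tcp", 443, "198.51.100.9", 50000),
    }
    # Always-rewrite policy: matches the 32100/32101/32102 table in the message.
    hidden = NatPat("10.1.1.10", {}, always_rewrite=True)
    out["hidden"] = [hidden.translate_out("tcp", ip, p, "203.0.113.5", 80)[1]
                     for ip, p in (("192.168.1.100", 3128), ("192.168.1.102", 4444),
                                   ("192.168.1.2", 6010))]
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10s} {value}")
```

The inbound lookup keys on the remote endpoint as well as the public port, so an unsolicited packet to a translated port from a different peer is dropped even though the port is "open" in the state table; only the static forward accepts arbitrary remotes.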