Network Address Translating explained

M3DU54
Posted: Tue Jan 03, 2006 4:33 am    Post subject: Network Address Translating explained

Moderator note: this post was originally a reply to another thread, but has since been split here to stand on its own.

Nstal wrote:
If I have two computers on a single router is it possible for them to both have the same port open? For example, let's say I have port 80 open on 192.168.1.100 and I also have it open on 192.168.1.101. Let's say my IP address to the internet is 67.44.33.22.


It all depends on what you mean by 'open' (listening for incoming connections -or- creating outbound connections). Since you cite port '80' in your example I will assume you wish to have two machines LISTENING on the same port number.

Next it depends on what you mean when you say 'port' ... in particular 'who you are asking' ... If you ask each machine they may both claim to be using their port 80. But from the outside the case may appear differently, such as in the example given above (see Zeedo's post) where port 80 and 81 on your public address (the outside perspective) map to either port 80 on computer 1 or port 80 on computer 2 (the inside, or 'host's', perspective).

This confusion will be addressed in answering your next question...

Nstal wrote:
Is it possible for an outside computer to be able to distinguish between the two?


Let's take a look at what happens when your two computers (each with a unique 'inside' or 'private' address) both use the internet via a single IP provided by your ISP (the 'outside' or 'global' address)... and how your router distinguishes between all the incoming traffic and directs it to the appropriate machine.

Let's assume your LAN (your home network) uses the IPs 192.168.1.1 to 192.168.1.254 (that's 254 possible IPs) of which you are using 3... these are special 'inside only' IPs that have no meaning over the public internet.

An example topology

You have a LAN (Local Area Network) with 2 PCs and a router. The LAN has its own private addressing scheme (normally 192.168.1.x or similar) and each device connected to the LAN gets an IP from this range. The router's IP is fixed (often 192.168.1.100).

It looks something like this...

Code:
     ,-------------------------,
  ,--|192.168.1.1 (Computer A) |
L |  |-------------------------|
A |--|192.168.1.2 (Computer B) |
N |  '-------------------------'
  |  ,-------------------------,
  '--|192.168.1.100   (ROUTER) |
     '-------------------------'


Of course, that's the 'inside' or 'private' addressing scheme. As far as the internet is concerned you only have a single 'outside' IP address (the one provided by your ISP) ... Since the router acts as a gateway between the 'inside' (your private LAN) and the 'outside' (the big bad world) it needs to have a foot on both sides of the fence : ) So, as well as the 192.168.1.100 IP (used for talking to your LAN) it also has an IP for talking to the public internet. It sits between the 'inside' and the 'outside' and forms a kind of bridge over which data can pass.

If your ISP gives you the address 11.22.33.44 then your network will look something like this...

Code:
      ,-------------------------,
   ,--|192.168.1.1 (Computer A) |
L  |  |-------------------------|
A  |--|192.168.1.2 (Computer B) |
N  |  '-------------------------'
   |  ,-------------------------,
   '--|192.168.1.100            |       inside
======|                (ROUTER) |================
   ,--|11.22.33.44              |       outside
   |  '-------------------------'
I  |
S  |
P \|/
   v


Examine that for a moment and I think you will find it corresponds quite closely to what you probably see on your home network, give or take a few IP changes.

Now settle down with a cup of tea cus this is gonna be a long ride and hopefully you're gonna learn a lot ; )


The basics (Or 'how your machines currently surf from a single IP')

Now, when you set each computer to use 192.168.1.100 as its 'gateway' in the TCP/IP settings dialogue you are telling them where to send any traffic which does not belong in the 192.168.1.x range. Therefore, when you type www.google.co.uk into your web browser this is translated into Google's IP address, say 62.62.62.62, which obviously is NOT a part of 192.168.1.x so it gets sent to your router.

What happens next is magic : ) Well, not quite... but it is kinda clever : )

Let's follow what happens when Machine A (192.168.1.1) opens a temporary outgoing port, say 1025 ... and tries to connect to 62.62.62.62:80 (one of Google's many webservers).

Machine A sends a packet whose header contains...
SOURCE = 192.168.1.1 :1025
DESTINATION = 62.62.62.62 :80

... to the gateway (Your router) for passing to the outside world.


Your router receives the packet, examines this header and makes a note in its 'translation table':
Code:
INSIDE IP       INSIDE PORT    OUTSIDE IP     OUTSIDE PORT
---------------------------------------------------------------
192.168.1.1     1025           62.62.62.62


Now, just as each computer has 65000+ ports, your router also has 65000+ ports. It looks to see if port 1025 is available and in this case we will assume it is. It decides to use ITS port 1025 to send your data and notes this fact in the translation table

Code:
INSIDE IP       INSIDE PORT    OUTSIDE IP     OUTSIDE PORT
---------------------------------------------------------------
192.168.1.1     1025           62.62.62.62    1025


This entry simply means: computer 192.168.1.1 (inside) used its port 1025 to send data to the public (outside) address 62.62.62.62... and the router sent this data from its own port 1025 (the 'outside port').

It then sends the data... but only after changing the IP header

packet received from LAN:
SOURCE = 192.168.1.1 :1025
DESTINATION = 62.62.62.62 :80


Packet sent to ISP:
SOURCE = 11.22.33.44 :1025
DESTINATION = 62.62.62.62 :80


Notice that the destination is the same, but now the packet's source is your *ISP SUPPLIED* (or public) address. This is important since there may be billions of computers with the 'inside' IP 192.168.1.1 all over the world but there should only be one device with the unique public IP 11.22.33.44 (your router) ... and because of this, Google knows unambiguously where to send the replies.

That's fine. But when your router receives a reply from Google, how does it know which computer to send it to? Well ... that's easy, it uses its translation table, but in reverse (right to left).

Code:
INSIDE IP       INSIDE PORT    OUTSIDE IP     OUTSIDE PORT
---------------------------------------------------------------
192.168.1.1     1025           62.62.62.62    1025


The IP header of the reply (Google -> router) looks like this:
SOURCE = 62.62.62.62 :13948
DESTINATION = 11.22.33.44 :1025


The packet is coming from OUTSIDE (it was received on the ISP-facing interface 11.22.33.44) and is from 62.62.62.62 (Google). Does 62.62.62.62:1025 appear in the table under OUTSIDE IP/PORT? ... Yes it does! So the router knows that it is a reply to Machine A (192.168.1.1) and should be redirected to 192.168.1.1:1025.

It therefore changes the packet accordingly...

packet as received from google:
SOURCE = 62.62.62.62 :13948
DESTINATION = 11.22.33.44 :1025


Translated packet as placed on LAN:
SOURCE = 62.62.62.62 :13948
DESTINATION = 192.168.1.1 :1025


.. And the packet is thus received by Machine A, who is blissfully unaware of the header changes that made the whole thing work.

Fantastic!



How collisions are resolved when two machines use same Destination_IP / Local_PORT

Okay, great, but that's just one machine...

If Machine B also tried to contact Google using a temporary outbound port 1025, but the router's port 1025 is 'in use' (possibly because of that last transaction involving Machine A), the router simply chooses a different port number. Thus it not only changes the IP from 192.168.1.2 to 11.22.33.44 but also the PORT from 1025 to perhaps 1027, and makes another note in the translation table:

Code:
INSIDE IP       INSIDE PORT    OUTSIDE IP     OUTSIDE PORT
---------------------------------------------------------------
192.168.1.1     1025           62.62.62.62    1025
192.168.1.2     1025           62.62.62.62    1027


Both machines have used the same inside port (1025) to talk to the same outside address (Google at 62.62.62.62) but these are passed to Google from different ports (1025 and 1027) and so, when replies come back to these two router ports, the router can identify where they belong.

The translation table above will convert:
Incoming data from outside address 62.62.62.62 arriving at the router's outside port *1025* will be redirected to Machine A's port 1025

Meanwhile...

Incoming data from outside address 62.62.62.62 arriving at the router's outside port *1027* will be redirected to Machine B's port 1025

Again, it works : )

And that's why both your machines can access the internet simultaneously even though 'the internet' sees only one IP. Each individual communication is differentiated by dynamically assigned port numbers.
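The outbound translation, the collision between Machine A and Machine B both using local port 1025, and the right-to-left lookup on the reply can all be replayed in a few lines. The following simulator is an added example written for this page, not code from the original post or from any router firmware; the addresses are the post's constructed ones, and it assumes that on a collision the router takes the next free port upward (the post only says 'a different port number', so B lands on 1026 here rather than the post's 1027). Unexpected inbound packets with no matching row are dropped, exactly as the post describes.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Constructed value from the post: the router's ISP-supplied (outside) address.
PUBLIC_IP = "11.22.33.44"


@dataclass(frozen=True)
class Packet:
    """Only the four header fields the translation table cares about."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Port-based address translation (PAT/NAPT) as walked through in the post.

    One row per (inside IP, inside port, outside IP). The outside port is the
    router's own port: it prefers the number the inside host used and, on a
    collision, takes the next free one (assumption made for this example).
    """

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        # (inside_ip, inside_port, outside_ip) -> outside_port
        self.table: Dict[Tuple[str, int, str], int] = {}
        # Reverse index for replies: (outside_ip, outside_port) -> (inside_ip, inside_port)
        self.reverse: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.used_ports: Set[int] = set()

    def _allocate_outside_port(self, wanted: int) -> int:
        port = wanted
        while port in self.used_ports:
            port += 1
            if port > 65535:
                raise RuntimeError("router has no free outside port")
        self.used_ports.add(port)
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> ISP: record (or reuse) a row, then rewrite the source address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip)
        if key not in self.table:
            out_port = self._allocate_outside_port(pkt.src_port)
            self.table[key] = out_port
            self.reverse[(pkt.dst_ip, out_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """ISP -> LAN: read the table right to left; None means the router drops it."""
        if pkt.dst_ip != self.public_ip:
            return None
        hit = self.reverse.get((pkt.src_ip, pkt.dst_port))
        if hit is None:
            return None  # no row matches: unexpected packet, thrown away
        inside_ip, inside_port = hit
        return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port)

    def dump(self) -> str:
        """Render the table in the same layout the post uses."""
        lines = ["INSIDE IP       INSIDE PORT    OUTSIDE IP     OUTSIDE PORT",
                 "-" * 63]
        for (iip, iport, oip), oport in self.table.items():
            lines.append(f"{iip:<16}{iport:<15}{oip:<15}{oport}")
        return "\n".join(lines)


def demo() -> Napt:
    """Replay the post's scenario: A and B both use local port 1025 to reach Google."""
    nat = Napt(PUBLIC_IP)
    nat.outbound(Packet("192.168.1.1", 1025, "62.62.62.62", 80))  # Machine A
    nat.outbound(Packet("192.168.1.2", 1025, "62.62.62.62", 80))  # Machine B collides
    return nat


if __name__ == "__main__":
    print(demo().dump())
```

Running it prints a two-row table just like the post's; feeding `inbound()` a packet from 62.62.62.62 to 11.22.33.44:1026 hands it to Machine B, while a packet from some other address to port 80 comes back as `None`, which is the 'thrown away' case the next section turns to.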

Okay, here we get to the crux of your problem...


Problems using listening ports

Let's say your translation table now looks like this:
Code:
INSIDE IP       INSIDE PORT    OUTSIDE IP     OUTSIDE PORT
---------------------------------------------------------------
192.168.1.1     1025           62.62.62.62    1025
192.168.1.2     1025           62.62.62.62    1027


... But Machine A is running a webserver which listens on port 80.


When a packet arrives from some unknown address on the router's outside port 80 the translation table doesn't know what to do with it. There are no clues, so the router throws it away. That's why NAT is often considered a 'security improvement' ... unexpected incoming packets are thrown away before they ever get to a PC on your LAN.

Good news for the security conscious - bad news if you're running a web server.

Luckily, NAT provides a couple of fixes for this...


Solution 1 - Default address translation

The first fix is setting a default address. You can tell the router that if the dynamic translation table doesn't explicitly state how to handle an incoming packet then send it to a particular machine by default. This creates a table like the following:

Code:
INSIDE IP       INSIDE PORT    OUTSIDE IP     OUTSIDE PORT
---------------------------------------------------------------
192.168.1.1     1025           62.62.62.62    1025
192.168.1.2     1025           62.62.62.62    1027
...otherwise...
192.168.1.1     -                 any               any


If the received packet matches the first line, it's a reply to machine A.
If the received packet matches the second line, it's a reply to machine B.
BUT, if no match is found... pass it to machine A and keep the destination port number intact.


This means that Machine A will receive any unexpected rubbish (such as attacks, internet worms, portscans, etc...) along with legitimate queries to its port 80 (webserver) and any other servers it happens to run.

This could be the basis of a simple DMZ or honeypot - one machine which receives all unannounced/unexpected incoming traffic and is thus exposed to risk. In a DMZ however, this machine would always be isolated from the actual LAN so that infections and attacks against this machine could not then spread to the other machines.


Solution 2 - Port Forwarding (Static Port Translation)

The next technique is far more useful. You can explicitly connect a router's outside port to a particular inside machine and port - this is commonly called 'port forwarding' and is normally used when an application or server requires a 'listening port' such as a webserver or, more commonly, an online game or peer-to-peer program.

Here we tell the router ... if anyone sends anything to your port 80 ... pass it to machine A's port 80

Code:
INSIDE IP       INSIDE PORT    OUTSIDE IP     OUTSIDE PORT
---------------------------------------------------------------
192.168.1.1     80              anyone            80


Useful for a webserver. Unfortunately, it means that if Machine B wants to use a webserver it MUST use a different outside port number (Remember, the outside port number is what other people see)

Following on from the example provided by Zeedo earlier... we can tell the router that if anything arrives at the router's port 80 it goes to Machine A's webserver, and if anything arrives at port 81 it goes to Machine B's webserver.

Code:
INSIDE IP       INSIDE PORT    OUTSIDE IP     OUTSIDE PORT
---------------------------------------------------------------
192.168.1.1     80              anyone            80
192.168.1.2     80              anyone            81


Note that although the world sees ONE IP with a webserver on port 80 and another webserver on the non-standard port 81, internally both machines are using port 80. See below how the public perception of your two webservers differs from the reality of your LAN setup.

Code:
Internet's view        Reality
----------------       ----------------
11.22.33.44:80    =    192.168.1.1:80
11.22.33.44:81    =    192.168.1.2:80



Specific applications / Applications on multiple machines

Some applications allow you to SPECIFY which ports they should listen on. An example of this is the common filesharing program eMule/eDonkey. In the 'network settings' options you can specify the listening port. You can use this feature to your advantage if two users on your network both wish to use eMule ...

eMule by default likes to listen on:
4662 (to TCP connections)
4672 (to UDP datagrams)


First...
Set Machine A's eMule to listen on port 11662 and 11672
Set Machine B's eMule to listen on port 12662 and 12672

Note that I've kept most of the number intact, as an aide to memory more than anything else. But I've prepended 11xxx (For the machine at 192.168.1.1) and 12xxx (For the machine at 192.168.1.2)

You can then tell your router...

Forward anything arriving on port range 11000-11999 to 192.168.1.1
Forward anything arriving on port range 12000-12999 to 192.168.1.2

This means that you never need to touch the router again. If, say, your sister wants to add a chat client that likes to listen on port 9990 she simply changes it to 12990 (if she's on machine B) and the router is already set up to forward those packets to her machine. The same chat client on machine A would be using 11990 and the router knows (by the range given) which machine any incoming packet is bound for.
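The three static answers the post gives for unexpected inbound traffic (a default address, single-port forwards, and the per-machine port ranges for eMule and the chat client) are all decisions taken on the arriving outside port once the dynamic table has no row for it. The policy below is an added example written for this page, not the post's own code or any vendor's router logic; it assumes explicit forwards are checked before the default host, that the first matching rule wins, and it refuses overlapping ranges so a mistyped range cannot silently hijack another machine's ports. Addresses and port numbers are the post's constructed ones.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ForwardRule:
    low: int                            # first outside port covered
    high: int                           # last outside port covered (== low for one port)
    inside_ip: str
    inside_port: Optional[int] = None   # None: keep the arriving port number (range forward)


class InboundPolicy:
    """What the router does with an inbound packet that no dynamic row claims.

    Order of checks (assumption for this example):
      1. static port forwards and port-range forwards, first match wins
      2. the default (DMZ) host, destination port kept intact
      3. otherwise drop (return None)
    """

    def __init__(self, default_host: Optional[str] = None) -> None:
        self.rules: List[ForwardRule] = []
        self.default_host = default_host

    def _check_no_overlap(self, low: int, high: int) -> None:
        if not (1 <= low <= high <= 65535):
            raise ValueError(f"bad port range {low}-{high}")
        for r in self.rules:
            if low <= r.high and r.low <= high:
                raise ValueError(f"{low}-{high} overlaps existing rule {r.low}-{r.high}")

    def forward_port(self, outside_port: int, inside_ip: str, inside_port: int) -> None:
        """Solution 2 in the post: router port X -> machine:port Y."""
        self._check_no_overlap(outside_port, outside_port)
        self.rules.append(ForwardRule(outside_port, outside_port, inside_ip, inside_port))

    def forward_range(self, low: int, high: int, inside_ip: str) -> None:
        """The eMule trick: a whole range -> one machine, port numbers unchanged."""
        self._check_no_overlap(low, high)
        self.rules.append(ForwardRule(low, high, inside_ip))

    def route(self, outside_port: int) -> Optional[Tuple[str, int]]:
        """Return (inside_ip, inside_port) for a packet hitting outside_port, or None."""
        for r in self.rules:
            if r.low <= outside_port <= r.high:
                return (r.inside_ip, outside_port if r.inside_port is None else r.inside_port)
        if self.default_host is not None:
            return (self.default_host, outside_port)   # Solution 1: default address
        return None                                     # no clue: thrown away

    def public_view(self, public_ip: str) -> List[str]:
        """The post's 'Internet's view = Reality' listing for single-port forwards."""
        return [f"{public_ip}:{r.low} = {r.inside_ip}:{r.inside_port}"
                for r in self.rules if r.inside_port is not None]


def post_config(default_host: Optional[str] = None) -> InboundPolicy:
    """Build the exact set of forwards the post describes (constructed example data)."""
    p = InboundPolicy(default_host)
    p.forward_port(80, "192.168.1.1", 80)            # Machine A's webserver
    p.forward_port(81, "192.168.1.2", 80)            # Machine B's webserver, seen on 81
    p.forward_range(11000, 11999, "192.168.1.1")     # 11662/11672 for A's eMule, etc.
    p.forward_range(12000, 12999, "192.168.1.2")     # 12662/12672 for B's eMule, etc.
    return p


if __name__ == "__main__":
    print("\n".join(post_config().public_view("11.22.33.44")))
    print(post_config().route(12990), post_config("192.168.1.1").route(9990))
```

With no default host, port 9990 is dropped, which is the 'good news for the security conscious' case; with Machine A as the default host the same packet lands on 192.168.1.1:9990, which is why the post points out that the default machine also receives every worm and port scan that arrives.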



Things to consider before configuring NAT

All of the examples given here require each machine to have a STATIC IP ... i.e., the 192.168.1.1 and 192.168.1.2 assignments NEVER change. Normally when you use a router it gives out random IPs in the 192.168.1.x range. This works for outgoing NAT/PAT but NOT when you want to run a server or some application that requires a listening port (or, in the case of most peer-to-peer applications, it will WORK, but slowly, since the ability to accept connections is unexpectedly denied).

So, first up ...
Set up static IPs for all machines in your LAN

And then...
Set up port forwarding (or a default mapping) as required to suit your webserver and other listening applications

How to configure NAT on your router...

How to do this varies from router to router... luckily there's a site which not only explains how to set up most common routers for static IP and port mapping but also contains a list of common games and applications which require port mapping to run successfully and which ports you need to map.

So, for further information (with detailed screenshots) visit...

>THIS 'ERE SITE<



Applications with well-known ports
Unlike the emule example above, some applications have 'expected' port numbers such as port:80 for Webservers. Not using the correct port number can cause confusion for those trying to reach your site.

This can be more of a problem.

Let's say you want to host 2 websites both using public port 80 ... either from a single machine (quite simple, most webservers can be configured to host multiple sites from a single IP & PORT) or from multiple machines (more difficult for the home user but can be done if you really need to).

If this applies to you then there ARE workarounds. Post exactly what you're trying to achieve and I'm sure we can find a suitable solution for you.



Final note (if for some reason Address Translation really interests you)

Whilst I (and others) have referred to this forwarding mechanism as NAT (Network Address Translation) for simplicity, it is actually inaccurate. The correct term is PAT (Port Address Translation) or NAPT (Network Address Port Translation) since it uses the 'PORT' to differentiate between different 'inside' addresses and ports - NAT is actually a much older and less flexible concept; however you will probably find that your router refers to this as NAT rather than PAT.

The traditional NAT is formally described in 'RFC 1631' (look on www.faqs.org for the RFC document) and is a good place to start learning about how NAT originated. You'll notice that it doesn't provide for most of the features we've described here today - although you will discover some new ones I didn't cover : )

However, knowing the difference between standard NAT and the more common PAT is important when shopping for a router. Whilst most routers that boast 'NAT' will also provide 'PAT' this will not always be the case ... particularly as we move towards IPv6. NAT will always be around, but PAT/NAPT are dirty (but necessary) workarounds for the limitations in IPv4. Though PAT/NAPT is predominant currently it will be far less common after IPv6 becomes the predominant end-to-end standard.

Use google to compare and contrast...
- Outgoing (or traditional) NAT
- Bi-directional (or 2-way) NAT
- Overloaded or 'Port-Based' NAT (PAT / NAPT)
- Overlapped or 'Twice' NAT (2NAT)



Caveat Tinkerer

One last thing to note about PAT/NAPT is that it is NOT transparent. It CAN cause problems since it is not only the headers that need changing: some common protocols (such as FTP, for example) also carry IP data in upper layers which also needs to be changed. Some routers will detect and correct these upper layers too but many domestic routers do not. If you have problems with specific protocols, contact your router manufacturer and find out whether your router has such capabilities or if the extent of its translation is confined to the IP and transport layers.

Even where upper layers of such protocols ARE handled by the router they may not be handled in all cases... for example, if the packet is fragmented. And many less common protocols (such as proprietary ones used in games and messaging applications) won't have any upper-layer translation requirements serviced at all.

But, for the most part it should work.
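FTP is the classic case of 'IP data in upper layers': in active mode the client sends a PORT command (RFC 959 format `PORT h1,h2,h3,h4,p1,p2`, port = p1*256 + p2) naming the address and port it is listening on for the data connection. A router that only rewrites headers leaves 192.168.1.1 in that payload, the server tries to connect to a private address, and the transfer fails. The helper below is an added example of the upper-layer fix-up a capable router performs, written for this page and not taken from the post or any real router; it assumes a simple next-free-port allocation for the data port and deliberately leaves a line alone unless it is a complete CRLF-terminated PORT command, which is the fragmentation caveat in the previous paragraph.

```python
import re
from typing import Dict, Optional, Set, Tuple

# RFC 959 active-mode command; only a complete, CRLF-terminated line is rewritten.
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a PORT line, or None if it is not a valid, complete one."""
    m = _PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    return ".".join(str(v) for v in fields[:4]), fields[4] * 256 + fields[5]


def format_port_command(ip: str, port: int) -> str:
    return "PORT " + ",".join(ip.split(".")) + f",{port // 256},{port % 256}\r\n"


class FtpAlg:
    """Application-layer fix-up for FTP PORT commands crossing a PAT/NAPT router.

    For each inside (ip, port) announced in the payload, an outside port on the
    public address is allocated (assumption: reuse the inside number, else next
    free), recorded so the server's data connection can be mapped back, and the
    payload is rewritten to name the public endpoint instead of the private one.
    """

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.mapping: Dict[Tuple[str, int], int] = {}   # (inside_ip, inside_port) -> outside_port
        self.used: Set[int] = set()

    def _allocate(self, inside: Tuple[str, int]) -> int:
        if inside in self.mapping:
            return self.mapping[inside]
        port = inside[1]
        while port in self.used:
            port += 1
            if port > 65535:
                raise RuntimeError("no free outside port for FTP data connection")
        self.used.add(port)
        self.mapping[inside] = port
        return port

    def rewrite(self, line: str) -> str:
        """Rewrite a control-channel line if (and only if) it is a complete PORT command."""
        parsed = parse_port_command(line)
        if parsed is None:
            return line          # not a PORT line, or cut off by fragmentation: untouched
        outside_port = self._allocate(parsed)
        return format_port_command(self.public_ip, outside_port)


if __name__ == "__main__":
    alg = FtpAlg("11.22.33.44")  # constructed: the post's public address
    for sample in ("USER anonymous\r\n", "PORT 192,168,1,1,4,1\r\n", "PORT 192,168,1,1,"):
        print(repr(sample), "->", repr(alg.rewrite(sample)))
```

The untouched third line in the demo is the failure mode the post warns about: if the command arrives split across two packets, a router that inspects one packet at a time never sees a complete PORT line and the private address goes out unchanged.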



Hope you at least skipped through that and picked up one or two key concepts that help you understand how your current network gets things done. Knowing HOW Address Translation works will help you understand how to fix it when it doesn't : )

But I reiterate ...
It sounds like you want to host 2 websites both using a public port 80... either:

from a single machine (quite simple, most webservers can be configured to host multiple sites from a single IP & PORT)
-or-
from multiple machines (More difficult for the home user but can be done if you really need to)

If this applies to you then there ARE workarounds. Post exactly what you're trying to achieve and I'm sure we can find a more suitable solution for you.



-Meds